On Wed, Aug 14, 2019 at 08:47:02AM -0400, PICCORO McKAY Lenz wrote:
you said: "A simple SIP phone will only send a couple of messages per second"
so if I have that special case with dynamic IP in clients.. who could be better to not confuse those clients with intents of attacks?
I'm not sure what you are trying to say here.
In my setups I have a limit of 64 requests per 2s. But I also have whitelist (with/via the permissions module) for known high traffic ipaddresses. Dimensioning the pike module for the known high traffic hosts kind of defeats the purpose of using pike to detect strange unwanted traffic. The correct numbers depend on your endpoints.
if(src_ip!=myself && !allow_address("2", "$si", "$sp")) {
    if($sht(ipban=>$si)!=$null) {
        # ip is already blocked
        exit;
    }
    if (!pike_check_req()) {
        $sht(ipban=>$si) = 1;
        exit;
    }
}
oh, also I put this for scanners:
if($ua =~ "friendly-scanner") {
    xlog("L_ALERT", "friendly scanning incoming $rm IP:$si:$sp - R:$ruri - F:$fu - T:$tu - UA:$ua - $rm\n");
    $sht(ipban=>$si) = 1;
    drop();
}
so I ban the IP the friendly scans are made from for a while, is that correct?
Yes, this adds the source IP to the htable that is used to block further requests. But my experience is that if you send a 200 OK the scans will stop for the older scanners. So you might want to add a sl_send_reply("200", "OK"); before the drop.
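Putting the pieces from this thread together (the pike limit of 64 requests per 2 seconds, the permissions whitelist in address group 2, the ipban htable and the 200 OK before the drop) into one Kamailio configuration fragment. This is an added example, not the config of either poster; the module parameters, the 300 second ban expiry, the database URL and the route name REQINIT are assumptions, and the real config will of course carry the rest of the routing logic.

```cfg
loadmodule "pike.so"
loadmodule "htable.so"
loadmodule "permissions.so"
loadmodule "sl.so"
loadmodule "xlog.so"

# pike: count requests per source IP in 2 second windows and flag a source
# once it exceeds 64 requests in one window (the numbers quoted in the reply)
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 64)
modparam("pike", "remove_latency", 4)

# htable "ipban": an entry for a banned source IP expires after 300 seconds
# (assumed value; after that the source is checked by pike again)
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")

# permissions: address group 2 holds the known high-traffic hosts that must
# never be rate limited (loaded from the address table of this assumed DB)
modparam("permissions", "db_url", "mysql://kamailio:kamailiorw@localhost/kamailio")

request_route {
    route(REQINIT);
    # ... normal request processing continues here ...
}

route[REQINIT] {
    # flooding protection only for sources that are not us and not whitelisted
    if(src_ip!=myself && !allow_address("2", "$si", "$sp")) {
        if($sht(ipban=>$si)!=$null) {
            # ip is already blocked: drop silently, no reply, no log noise
            exit;
        }
        if(!pike_check_req()) {
            xlog("L_ALERT", "pike blocking $rm from $fu (IP:$si:$sp)\n");
            $sht(ipban=>$si) = 1;
            exit;
        }
    }

    # well-known scanner user agent: ban the source, but answer 200 OK first
    # so older scanners consider the target uninteresting and stop
    if($ua =~ "friendly-scanner") {
        xlog("L_ALERT", "friendly scanning incoming $rm IP:$si:$sp - R:$ruri - F:$fu - T:$tu - UA:$ua\n");
        $sht(ipban=>$si) = 1;
        sl_send_reply("200", "OK");
        drop();
    }
}
```

The whitelist check is done before the htable lookup so that a high-traffic trunk that briefly tripped pike in the past can never stay banned by a stale ipban entry; the scanner check is placed after the ban check so a banned scanner does not keep receiving 200 OK replies.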