I gave APIBAN a try. After a few days, no requests were banned by APIBAN, but during the same period, lots of requests were banned by other checks in my config. That made me wonder if APIBAN really is effective.
-- Juha
Use may vary ;)
On a targeted attack, APIBAN won’t help. You will see some benefits from iptables-api, which will block your discovered traffic in iptables and help reduce Kamailio CPU.
-- Fred Posner Phone: +1 (352) 664-3733 https://fredoso.com (Sent from mobile. Please excuse typos/autocorrect)
On Nov 4, 2024, at 2:42 AM, Juha Heinanen via sr-users <sr-users@lists.kamailio.org> wrote:
> I gave APIBAN a try. After a few days, no requests were banned by APIBAN, but during the same period, lots of requests were banned by other checks in my config. That made me wonder if APIBAN really is effective.
> -- Juha
Kamailio - Users Mailing List - Non Commercial Discussions To unsubscribe send an email to sr-users-leave@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe:
Fred Posner writes:
> On a targeted attack, APIBAN won’t help. You will see some benefits from iptables-api, which will block your discovered traffic in iptables and help reduce Kamailio CPU.
I'm blocking attacks by fail2ban. My APIBAN test would generate a syslog message for fail2ban, but none has been generated. It means that among the numerous attacks that my SIP proxy blocked by fail2ban, not a single one was detected by APIBAN. It means that APIBAN was not aware of the IP addresses of the attackers.
-- Juha
If you want to share any of the IPs that you have blocked, I will gladly look into it.
APIBAN runs honeypots around the world. There’s generally an active list of 1,000 SIP and 2500 HTTP addresses at any time (IPs are active for 7 days and then can be “re-activated” when more traffic is seen).
I’d gladly help to see if you’ve implemented APIBAN in a solid way and/or, if you have IPs we’re not seeing, look at deploying a honeypot in that area.
Regards,
Fred Posner
On Nov 4, 2024, at 7:20 AM, Juha Heinanen via sr-users <sr-users@lists.kamailio.org> wrote:
> Fred Posner writes:
>> On a targeted attack, APIBAN won’t help. You will see some benefits from iptables-api, which will block your discovered traffic in iptables and help reduce Kamailio CPU.
> I'm blocking attacks by fail2ban. My APIBAN test would generate a syslog message for fail2ban, but none has been generated. It means that among the numerous attacks that my SIP proxy blocked by fail2ban, not a single one was detected by APIBAN. It means that APIBAN was not aware of the IP addresses of the attackers.
> -- Juha
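
The comparison discussed in this thread (local fail2ban bans versus a honeypot feed whose entries stay active for 7 days) can be measured rather than eyeballed. The following is an added example, not code from either poster or from the APIBAN project; the log lines, the jail name `kamailio`, and the feed snapshot with a last-seen time per IP are all constructed assumptions and do not represent APIBAN's API format.

```python
import re
from datetime import datetime, timedelta

ACTIVE_WINDOW = timedelta(days=7)  # per the thread: IPs stay active for 7 days

# Constructed fail2ban log lines; the jail name "kamailio" is an assumption.
FAIL2BAN_LOG = """\
2024-11-01 03:14:07,101 fail2ban.actions [811]: NOTICE [kamailio] Ban 192.0.2.10
2024-11-02 11:45:30,554 fail2ban.actions [811]: NOTICE [kamailio] Ban 198.51.100.7
2024-11-02 11:55:30,554 fail2ban.actions [811]: NOTICE [kamailio] Unban 192.0.2.10
2024-11-03 22:01:59,009 fail2ban.actions [811]: NOTICE [kamailio] Ban 203.0.113.44
"""

# Constructed feed snapshot (hypothetical format): IP -> last time the feed saw it.
FEED_LAST_SEEN = {
    "192.0.2.10": datetime(2024, 10, 30, 8, 0),
    "198.51.100.7": datetime(2024, 10, 20, 8, 0),
}

BAN_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+fail2ban\.actions\s+\[\d+\]:"
    r"\s+NOTICE\s+\[([^\]]+)\]\s+Ban\s+(\S+)$")

def parse_bans(log_text, jail):
    """Return {ip: first ban time} for Ban (not Unban) events in one jail."""
    bans = {}
    for line in log_text.splitlines():
        m = BAN_RE.match(line.strip())
        if m and m.group(2) == jail:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            bans.setdefault(m.group(3), when)
    return bans

def classify(bans, feed_last_seen):
    """Sort each locally banned IP by its feed status at the time of the ban."""
    result = {"active": [], "inactive": [], "unseen": []}
    for ip, banned_at in sorted(bans.items()):
        seen = feed_last_seen.get(ip)
        if seen is None:
            result["unseen"].append(ip)        # feed never saw this address
        elif seen <= banned_at <= seen + ACTIVE_WINDOW:
            result["active"].append(ip)        # feed would have blocked it
        else:
            result["inactive"].append(ip)      # known, but outside the window
    return result

def coverage(result):
    """Fraction of locally banned IPs the feed had active at ban time."""
    total = sum(len(v) for v in result.values())
    return len(result["active"]) / total if total else 0.0
```

A high `unseen` count points at traffic the feed's honeypots do not observe; a high `inactive` count points at addresses the feed knew but had aged out.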