[SR-Users] [KAMAILIO]: How to count three or more invalid REGISTERs from the same IP-address

Daniel-Constantin Mierla miconda at gmail.com
Wed Jun 22 07:33:02 CEST 2016



On 19/06/16 20:19, Яцко Эллад Геннадьевич wrote:
> Hello!
>
> How to detect several unsuccessful REGISTER attempts from the same IP?
>
> For example: a malicious user tries to look for passwords, can I detect
> this in some way to black list it? As you know there are different SIP
> dialogs here.. I need to mention these attempts should be counted
> during certain period of time (e.g. 1 minute). If there were ONLY TWO
> attempts for 1 minute the counter needs to be reset to zero.
>
> I've read about PERMISSIONS/BLST, but they don't offer such a mechanism.
>
> I'll be waiting for your help, guys! :-)
See the example config at:

  - https://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack#ddos_and_dictionary_attacks

It is for Kamailio 3.1, but can be easily updated to the latest config
for 4.4. The idea is to rely on the htable module to keep the counter. The
key has to be '$si::$au' -- the source ip and the authentication user --
or you can use $fU instead of $au. The example above is using only user
id as key, so this is another change you have to make.

Cheers,
Daniel

-- 
Daniel-Constantin Mierla
http://www.asipto.com - http://www.kamailio.org
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
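
The htable counter described in the reply above, written out as an added example (it is not part of the original post, nor a copy of the linked kb.asipto.com config). The table name "authfail", the 60-second window, the limit of 3 and the "subscriber" table are assumptions made for this example.

```kamailio
# Added example. Assumes Kamailio 4.4 with the htable, auth, auth_db,
# registrar, usrloc, sl, textops and xlog modules loaded.

# initval=0 makes a missing key read as 0 and lets $shtinc create it.
# autoexpire=60 deletes a key 60 s after its last update.
modparam("htable", "htable", "authfail=>size=8;autoexpire=60;initval=0;")

request_route {
    if (is_method("REGISTER")) {
        route(REG_AUTH);
        save("location");
        exit;
    }
}

route[REG_AUTH] {
    # A REGISTER without credentials is the normal first step of the
    # exchange: challenge it without counting it as a failure.
    if (!is_present_hf("Authorization")) {
        auth_challenge("$fd", "0");
        exit;
    }

    # Key is source IP plus authentication user ($si::$au).
    if ($sht(authfail=>$si::$au) >= 3) {
        xlog("L_WARN", "REGISTER blocked: src=$si user=$au\n");
        sl_send_reply("403", "Try later");
        exit;
    }

    if (!auth_check("$fd", "subscriber", "1")) {
        # Save the return code before another function overwrites it.
        $var(rc) = $rc;
        # auth_db codes: -2 invalid password, -3 invalid user.
        # Other codes (e.g. expired nonce) are not counted.
        if ($var(rc) == -2 || $var(rc) == -3) {
            $var(n) = $shtinc(authfail=>$si::$au);
            xlog("L_NOTICE", "auth failure $var(n): src=$si user=$au\n");
        }
        auth_challenge("$fd", "0");
        exit;
    }

    # Successful authentication clears the counter for this source and user.
    $sht(authfail=>$si::$au) = $null;
}
```

Because the blocked branch does not write to the table, the entry expires 60 seconds after the last counted failure, which both ends the block and resets a counter that stopped at one or two failures.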