[SR-Users] pike parameters doup when have dynamic IP clients and scanners

Daniel Tryba d.tryba at pocos.nl
Wed Aug 14 16:11:29 CEST 2019


On Wed, Aug 14, 2019 at 08:47:02AM -0400, PICCORO McKAY Lenz wrote:
> you said: "A simple SIP phone will only send a couple of messages per
> second"
> 
> so if I have that special case with dynamic IP in clients.. what could be
> better so as not to confuse those clients with attack attempts?

I'm not sure what you are trying to say here.

In my setups I have a limit of 64 requests per 2s. But I also have a
whitelist (with/via the permissions module) for known high-traffic
IP addresses. Dimensioning the pike module for the known high-traffic
hosts kind of defeats the purpose of using pike to detect strange,
unwanted traffic. The correct numbers depend on your endpoints.

if(src_ip!=myself && !allow_address("2", "$si", "$sp"))
{
    if($sht(ipban=>$si)!=$null)
    {
        # ip is already blocked
        exit;
    }

    if (!pike_check_req())
    {
        # over the pike limit: remember the source ip in the ban htable
        $sht(ipban=>$si) = 1;
        exit;
    }
}

> oh, also I put this for scanners:
> 
> if($ua =~ "friendly-scanner") {
>     xlog("L_ALERT", "friendly scanning incoming $rm IP:$si:$sp - R:$ruri - F:$fu - T:$tu - UA:$ua - $rm\n");
>     $sht(ipban=>$si) = 1;
>     drop();
> }
> 
> so I ban the IP the friendly scanner comes from for a while, is that
> correct?

Yes, this adds the source IP to the htable that is used to block further
requests. But my experience is that if you send a 200 OK, the scans
will stop for the older scanners. So you might want to add a
sl_send_reply("200", "OK");
before the drop.
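The pieces discussed in this thread (permissions whitelist, pike limit of 64 requests per 2s, htable ban, and the 200 OK before dropping the scanner) put together in one request_route fragment. This is an added example, not config from either poster; the module parameter values, the permissions group number and the 300 s ban expiry are assumptions, chosen to illustrate the point that a ban on a dynamic-IP client should expire rather than stay for ever.

```kamailio
# Added example, not from the thread. Module parameter values below are
# assumptions; tune them to your own endpoints.

loadmodule "permissions.so"
loadmodule "htable.so"
loadmodule "pike.so"
loadmodule "sl.so"
loadmodule "xlog.so"

# Whitelist: group 2 in the permissions address table is assumed to hold the
# known high-traffic hosts that must never be rate limited.
modparam("permissions", "db_url", "mysql://kamailio:kamailiorw@localhost/kamailio")

# Ban table. autoexpire releases an entry after 300 s, so a legitimate client
# that changed address (or briefly tripped the limit) is not blocked for good.
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")

# pike: 64 requests per 2 s sampling unit, as in the reply above.
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 64)
modparam("pike", "remove_latency", 4)

request_route {
    # Proxy's own traffic and whitelisted hosts skip every check below.
    if (src_ip != myself && !allow_address("2", "$si", "$sp")) {

        # Already banned: discard silently, spend no further CPU on it.
        if ($sht(ipban=>$si) != $null) {
            exit;
        }

        # Known scanner user agent: log it, ban the source, answer 200 OK
        # (older scanners stop once they see success), then drop.
        if ($ua =~ "friendly-scanner") {
            xlog("L_ALERT", "friendly scanning incoming $rm IP:$si:$sp - R:$ruri - F:$fu - T:$tu - UA:$ua\n");
            $sht(ipban=>$si) = 1;
            sl_send_reply("200", "OK");
            drop();
        }

        # Rate limit: too many requests inside the sampling window => ban.
        if (!pike_check_req()) {
            xlog("L_ALERT", "pike blocking $rm from $si:$sp (over 64 req/2s)\n");
            $sht(ipban=>$si) = 1;
            exit;
        }
    }

    # normal routing continues here
}
```

The order matters: the ban lookup comes first so a blocked source never reaches pike or the regex, and the whitelist check wraps everything so trunk peers are not counted at all. Without the autoexpire setting on the htable, an entry written with `$sht(ipban=>$si) = 1` stays until a restart or a manual `kamcmd htable.delete`, which is exactly the situation the original question about dynamic-IP clients is worried about.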