[SR-Users] pike parameters doup when have dinamyc ip clients and scanners
PICCORO McKAY Lenz
mckaygerhard at gmail.com
Wed Aug 14 20:52:45 CEST 2019
El mié., 14 de ago. de 2019 a la(s) 10:11, Daniel Tryba (d.tryba at pocos.nl)
escribió:
> Yes, this adds the source ip to the htable that is used to block further
> requests. But my experience is that if you sent a 200 OK the scans
> will stop for the older scanners. So you might want to add a
> sl_send_reply("200", "OK");
> before the drop.
>
added! thanks
but:
> I'm not sure what you are trying to say here.
>
> In my setups I have a limit of 64 requests per 2s. But I also have
> whitelist (with/via the permissions module) for known high traffic
> ipaddresses. Dimensioning the pike module for the known high traffic
> hosts kind of defeats the purpose of using pike to detect strange
> unwanted traffic. The correct numbers depend on your endpoints.
>
i cannot use whitelist due my experiment are for all dinamyc ip clients
so what its the meaning of "depend on your endpoints" ?
> if(src_ip!=myself && !allow_address("2", "$si", "$sp"))
> {
> if($sht(ipban=>$si)!=$null)
> {
> # ip is already blocked
> exit;
> }
>
> if (!pike_check_req())
> {
> $sht(ipban=>$si) = 1;
> exit;
>
>
>
> > oh, also i put for scanners that:
> >
> > if($ua =~ "friendly-scanner") {
> > xlog("L_ALERT", "friendly scanning incoming $rm IP:$si:$sp - R:$ruri -
> > F:$fu - T:$tu - UA:$ua - $rm\n");
> > $sht(ipban=>$si) = 1;
> > drop();
> > }
> >
> > so i ban the ip where the friendly scanner are made for a while, it's
> that
> > correct?
>
>
>
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20190814/de065c54/attachment.html>
More information about the sr-users
mailing list