+1 for APIBAN - it's so good for this exact use case.

In the short term you can use something like the pike module with some logic to look for any special characters and block them in a htable and just drop the traffic whilst you figure APIBAN out, though.

Thanks,

John.

On Thu, 24 Oct 2024 at 10:44, Sergio Charrua via sr-users <sr-users@lists.kamailio.org> wrote:
Hi !

You might want to check this: APIBAN - Block Bad SIP Traffic

Fred Posner is the one to blame for this fantastic tool :)

Atenciosamente / Kind Regards / Cordialement / Un saludo,


Sérgio Charrua



On Thu, Oct 24, 2024 at 3:49 AM mayamatakeshi via sr-users <sr-users@lists.kamailio.org> wrote:
Hi,
I was going through some old company tickets that I am assigned to and found a case when possibly an attacker flooded our Kamailio server with invalid SIP messages like this:

2019-04-27T20:14:05.533554+09:00 IPX051 /usr/local/src/git/sip-router/kamailio[1732]: ERROR: <core> [parser/msg_parser.c:714]: ERROR: parse_msg: message=<[F#016sD#026Z<8D>97<F8><B5>;<A9><E7>-<D2>(<E2><F6>
v;/#021k\<CC>8<B1>λ<F4>#004M<B6><BE><EC>#035#003<94><E1>=<A0><FF><E3><AF>Kwzr<8B>A#036B<D7>#027#023cu<82>Y<D4>#037<FB><AC>S_<C4>Qg<AB><DE>F<88>I#006<8C><FA><F4>~#y3G<C7>H<80>b<BC><AD>#035<89>#002<DB><C8>#001U<9E>#007<CB><F9>nT<E5><EE><8E><F1>#0144>

At that time we manually banned the IP.
But it would be helpful to have this done automatically by fail2ban.
So I was thinking this log should include the src IP address.
I looked at the latest Kamailio commit and core/parser/msg_parser.c does this log the same way, so I was thinking of opening an issue for this.
But maybe this should be dealt with differently.
Any ideas?



__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
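
As an added example (not code from any poster in this thread or from the Kamailio project), the fragment below sketches the short-term pike plus htable approach mentioned above and also writes a log line that carries the source IP of an unparseable message, which is what fail2ban would need. The table name `ipban`, the 300 second expiry, the pike thresholds and the `PARSE-ERROR-SRC` log prefix are assumptions chosen for illustration.

```kamailio
# Added example: kamailio.cfg fragment, not a complete configuration.
# Assumed names/values: table "ipban", 300 s expiry, "PARSE-ERROR-SRC" prefix.
loadmodule "pv.so"
loadmodule "xlog.so"
loadmodule "htable.so"
loadmodule "pike.so"

# pike: flag a source exceeding 16 requests per 2 s sampling window
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 16)
modparam("pike", "remove_latency", 4)

# htable: banned source IPs, each entry removed automatically after 300 s
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")

# Executed when a received buffer cannot be parsed as SIP. SIP headers are
# not available here, but the source address ($si) and port ($sp) are.
event_route[core:receive-parse-error] {
    # One line per bad packet, with the source IP in a fixed position
    xlog("L_WARN", "PARSE-ERROR-SRC src_ip=$si src_port=$sp\n");
    $sht(ipban=>$si) = 1;
}

request_route {
    if (src_ip != myself) {
        # Source already banned (by pike or by a parse error): stop here
        if ($sht(ipban=>$si) != $null) {
            exit;
        }
        # Rate limit exceeded: ban the source and stop processing
        if (!pike_check_req()) {
            xlog("L_ALERT", "pike blocking $rm from $si:$sp\n");
            $sht(ipban=>$si) = 1;
            exit;
        }
    }
    # ... normal request routing continues here
}
```

The htable check only stops requests that parse well enough to reach `request_route`; further malformed packets from the same source are still handed to the parser, so the `src_ip=` log line is what lets a fail2ban filter (matching `PARSE-ERROR-SRC src_ip=<HOST>`) block the address at the firewall.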