22 Jun
2016
22 Jun
'16
1:33 a.m.
On 19/06/16 20:19, Яцко Эллад Геннадьевич wrote:
Hello!
How to detect several unsuccessful REGISTER attempts from the same IP?
For example: a malicious user tries to look for passwords, can I detect
this in some way to black list it? As you know there are different SIP
dialogs here.. I need to mention these attempts should be counted
during certain period of time (e. g. 1 minute). If there were ONLY TWO
attempts for 1 minute the counter need to be reset to zero.
I've read about PERMISSIONS/BLST, but they don't offer such a mechanism.
I'll be waiting for your help, guys! :-)
See the example config at:
-
https://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack#ddos_and_dicti…
It is for kamailio 3.1, but can be easily updated to the latest config
for 4.4. The idea is to rely on htable module to keep the counter. The
key has to be '$si::$au' -- the source ip and the authentication user --
or you can use $fU instead of $au. The example above is using only user
id as key, so this is another change you have to do.
Cheers,
Daniel
--
Daniel-Constantin Mierla
http://www.asipto.com - http://www.kamailio.org
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda