On Wed, Aug 14, 2019 at 08:47:02AM -0400, PICCORO McKAY Lenz wrote:
> you said: "A simple SIP phone will only send a couple of messages per
> second"
> so if I have that special case with dynamic IP in clients.. what would be
> better, so as not to confuse those clients with attack attempts?
I'm not sure what you are trying to say here.
In my setups I have a limit of 64 requests per 2s. But I also have a
whitelist (with/via the permissions module) for known high traffic
IP addresses. Dimensioning the pike module for the known high traffic
hosts kind of defeats the purpose of using pike to detect strange
unwanted traffic. The correct numbers depend on your endpoints.
> if(src_ip!=myself && !allow_address("2", "$si", "$sp"))
> {
>     if($sht(ipban=>$si)!=$null)
>     {
>         # ip is already blocked
>         exit;
>     }
>     if (!pike_check_req())
>     {
>         # ban the source ip for further requests
>         $sht(ipban=>$si) = 1;
>         exit;
>     }
> }
> oh, also I put this for scanners:
> if($ua =~ "friendly-scanner") {
>     xlog("L_ALERT", "friendly scanning incoming $rm IP:$si:$sp - R:$ruri - F:$fu - T:$tu - UA:$ua - $rm\n");
>     $sht(ipban=>$si) = 1;
>     drop();
> }
> so I ban the IP the friendly scanner comes from for a while, is that
> correct?
Yes, this adds the source IP to the htable that is used to block further
requests. But my experience is that if you send a 200 OK the scans
will stop for the older scanners. So you might want to add a
sl_send_reply("200", "OK");
before the drop.
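Putting the pieces from this thread together, here is an added example kamailio.cfg antiflood block (written for this page, not taken from the mails above or from the Kamailio default config): permissions group 2 whitelists the known high traffic hosts, pike plus the ipban htable bans flooding sources, and scanners get a 200 OK before the drop. The pike thresholds mirror the 64 requests per 2s mentioned above; the htable expiry, the route name and the database URL are assumptions.

```cfg
# Added example for kamailio.cfg; assumes mpath is set and the pike,
# htable, permissions, sl and xlog modules are available.
loadmodule "sl.so"
loadmodule "xlog.so"
loadmodule "db_mysql.so"
loadmodule "pike.so"
loadmodule "htable.so"
loadmodule "permissions.so"

# 64 requests per 2s sampling window, as in the setup described above
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 64)
modparam("pike", "remove_latency", 4)

# banned source IPs expire automatically after 300s (assumed value)
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")

# address table with the whitelist; group 2 = known high traffic hosts
# (placeholder credentials, replace with your own)
modparam("permissions", "db_url", "mysql://USER:PASS@DBHOST/kamailio")

route[ANTIFLOOD] {
    # skip our own traffic and the whitelisted high traffic hosts
    if(src_ip!=myself && !allow_address("2", "$si", "$sp")) {
        if($sht(ipban=>$si)!=$null) {
            # IP is already blocked, stay silent
            xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)\n");
            exit;
        }
        if(!pike_check_req()) {
            xlog("L_ALERT", "ALERT: pike blocking $rm from $fu (IP:$si:$sp)\n");
            $sht(ipban=>$si) = 1;
            exit;
        }
    }
    # scanners: log, ban, and answer 200 OK before dropping so that
    # older scanners stop scanning this host
    if($ua =~ "friendly-scanner") {
        xlog("L_ALERT", "friendly scanning incoming $rm IP:$si:$sp - R:$ruri - F:$fu - T:$tu - UA:$ua\n");
        $sht(ipban=>$si) = 1;
        sl_send_reply("200", "OK");
        drop();
    }
}

request_route {
    route(ANTIFLOOD);
    # rest of the request routing follows here
}
```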