4 Nov
2024
4 Nov
'24
10:30 a.m.
I gave APIBAN a try. After a few days, no requests were banned by
APIBAN, but during the same period, lots of request were banned by other
checks in my config. That made me wonder if APIBAN really is effective.
-- Juha
4 Nov
4 Nov
3:08 p.m.
New subject: Dealing with flood of invalid SIP messages
Use may vary ;)
On a targeted attack, APIBAN won’t help. You will see some benefits from iptables-api
which will block your discovered traffic in iptables and helping reduce kamailio cpu.
-- Fred Posner
Phone: +1 (352) 664-3733
https://fredoso.com
(Sent from mobile. Please excuse typos/autocorrect)
On Nov 4, 2024, at 2:42 AM, Juha Heinanen via sr-users
<sr-users(a)lists.kamailio.org> wrote:
I gave APIBAN a try. After a few days, no requests were banned by
APIBAN, but during the same period, lots of request were banned by other
checks in my config. That made me wonder if APIBAN really is effective.
-- Juha
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
3:20 p.m.
New subject: Dealing with flood of invalid SIP messages
Fred Posner writes:
On a targeted attack, APIBAN won’t help. You will see
some benefits
from iptables-api which will block your discovered traffic in iptables
and helping reduce kamailio cpu.
I'm blocking attacks by fail2ban. My APIBAN test would generate syslog
message for fail2ban, but none has been generated. It means that among
the numerous attacks that my SIP proxy blocked by fail2ban, not a single
one was detected by APIBAN. It means that APIBAN was not aware of the
IP addresses of the attackers.
-- Juha
5:08 p.m.
New subject: Dealing with flood of invalid SIP messages
If you want to share any of the ip’s that you have blocked I will gladly look into it.
APIBAN runs honeypots around the world. There’s generally an active list of 1,000 SIP and
2500 HTTP addresses at any time (IPs are active for 7 days and then can be “re-activated”
when more traffic is seen).
I’d gladly help to see if you’ve implemented APIBAN in a solid way and/or if you have IPs
we’re not seeing, looking at deploying a honeypot in that area.
Regards,
Fred Posner
On Nov 4, 2024, at 7:20 AM, Juha Heinanen via sr-users
<sr-users(a)lists.kamailio.org> wrote:
Fred Posner writes:
On a targeted attack, APIBAN won’t help. You will
see some benefits
from iptables-api which will block your discovered traffic in iptables
and helping reduce kamailio cpu.
I'm blocking attacks by fail2ban. My APIBAN test would generate syslog
message for fail2ban, but none has been generated. It means that among
the numerous attacks that my SIP proxy blocked by fail2ban, not a single
one was detected by APIBAN. It means that APIBAN was not aware of the
IP addresses of the attackers.
-- Juha
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
21
days inactive
21
days old
3 comments
2 participants
participants (2)
-
Fred Posner -
Juha Heinanen