Hey Daniel,
Thanks for such fast feedback!
No difference as far as I can tell before and after removing the record from db. I have also not disabled specifically the record inside uacreg table but completely removed it from db. I should mention that I have just upgraded to latest 4.4.1 so I should have the flags also saved in db.
Here is the record before removal:
"""
root@iPBXDev1:/etc/ipbxrp# kamcmd -s tcp:127.0.0.1:2046 uac.reg_dump
{
    l_uuid: rsua1_172.16.254.101
    l_username: rsua1
    l_domain: 172.16.254.101
    r_username: cust_sua1
    r_domain: 172.16.254.102
    realm:
    auth_username: cust_sua1
    auth_password: check123
    auth_proxy: sip:172.16.254.102:5060
    expires: 3600
    flags: 20
    diff_expires: 3588
    timer_expires: 1466349066
    reg_init: 1466345451
    reg_delay: 0
}
"""
and the one after:
"""
root@iPBXDev1:/etc/ipbxrp# kamcmd -s tcp:127.0.0.1:2046 uac.reg_dump
{
    l_uuid: rsua1_172.16.254.101
    l_username: rsua1
    l_domain: 172.16.254.101
    r_username: cust_sua1
    r_domain: 172.16.254.102
    realm:
    auth_username: cust_sua1
    auth_password: check123
    auth_proxy: sip:172.16.254.102:5060
    expires: 3600
    flags: 20
    diff_expires: 3526
    timer_expires: 1466349066
    reg_init: 1466345451
    reg_delay: 0
}
"""
Also here is the command refreshing the record (after that it is no longer in db):
"""
POST /jsonrpc HTTP/1.1.
Host: 172.16.254.101:5090.
User-Agent: Go-http-client/1.1.
Content-Length: 85.
Content-Type: application/json.
Accept-Encoding: gzip.
.
{"jsonrpc":"2.0","method":"uac.reg_refresh","params":["rsua1_172.16.254.101"],"id":7}
#
T 2016/06/19 16:17:47.275473 172.16.254.101:5090 -> 172.16.254.102:58172 [AP]
HTTP/1.1 200 OK.
Sia: SIP/2.0/TCP 172.16.254.102:58172.
Content-Type: application/json.
Server: Sipean-RP 4.3.2.
Content-Length: 36.
.
{"jsonrpc":"2.0","result":{},"id":7}
"""
Ta, DanB
On 16.06.2016 12:00, sr-users-request@lists.sip-router.org wrote:
Message: 10
Date: Thu, 16 Jun 2016 08:17:53 +0200
From: Daniel-Constantin Mierla miconda@gmail.com
To: "Kamailio (SER) - Users Mailing List" sr-users@lists.sip-router.org
Subject: Re: [SR-Users] uac.reg_refresh not removing records from memory
Message-ID: 76d9f2eb-26f7-c0db-8b74-37c93a5d3ef4@gmail.com
Content-Type: text/plain; charset=utf-8

Hello,

On 14/06/16 16:52, DanB wrote:
Hey Guys,
I was wondering if there is any dynamic way today to remove a single registration out of memory (and implicitly to force un-REGISTER)
Eg: I add one record using uac.reg_refresh (which works fine) but after removing the record from the database and executing uac.reg_refresh again, the record stays in memory until expire. Is there a better way to enforce un-register on remote side?
Do the flags in memory of the uac_reg account show that it is disabled?
Cheers, Daniel
Hello!
How to detect several unsuccessful REGISTER attempts from the same IP?
For example: a malicious user tries to look for passwords, can I detect this in some way to blacklist it? As you know, there are different SIP dialogs here. I need to mention these attempts should be counted during a certain period of time (e.g. 1 minute). If there were ONLY TWO attempts for 1 minute the counter needs to be reset to zero.
I've read about PERMISSIONS/BLST, but they don't offer such a mechanism.
I'll be waiting for your help, guys! :-)
Kind regards, Ellad
Log an error message on unsuccessful REGISTER and let fail2ban do the rest. Anyway, you're running fail2ban, aren't you?
On Sunday 19 June 2016 21:19:42 Яцко Эллад Геннадьевич wrote:
Hello!
How to detect several unsuccessful REGISTER attempts from the same IP?
For example: a malicious user tries to look for passwords, can I detect this in some way to blacklist it? As you know, there are different SIP dialogs here. I need to mention these attempts should be counted during a certain period of time (e.g. 1 minute). If there were ONLY TWO attempts for 1 minute the counter needs to be reset to zero.
I've read about PERMISSIONS/BLST, but they don't offer such a mechanism.
I'll be waiting for your help, guys! :-)
Kind regards, Ellad
On 19/06/16 20:19, Яцко Эллад Геннадьевич wrote:
Hello!
How to detect several unsuccessful REGISTER attempts from the same IP?
For example: a malicious user tries to look for passwords, can I detect this in some way to blacklist it? As you know, there are different SIP dialogs here. I need to mention these attempts should be counted during a certain period of time (e.g. 1 minute). If there were ONLY TWO attempts for 1 minute the counter needs to be reset to zero.
I've read about PERMISSIONS/BLST, but they don't offer such a mechanism.
I'll be waiting for your help, guys! :-)
See the example config at:
- https://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack#ddos_and_dictio...
It is for kamailio 3.1, but can be easily updated to the latest config for 4.4. The idea is to rely on the htable module to keep the counter. The key has to be '$si::$au' -- the source ip and the authentication user -- or you can use $fU instead of $au. The example above is using only user id as key, so this is another change you have to do.
Cheers, Daniel
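
The counting both replies above rely on (fail2ban reading a log of failed REGISTERs, or an htable counter keyed on source IP and authentication user) can be modelled offline. The following is an added example, not code from the thread or from Kamailio; the log line format, the sample lines and the names `find_offenders` and `per_user` are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format (an assumption): the proxy writes one line per failed
# REGISTER authentication, with the source IP and the authentication user.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth-fail method=REGISTER src=(?P<src>\S+) user=(?P<user>\S+)$"
)

# Constructed sample input, documentation address ranges only.
SAMPLE_LOG = """\
2016-06-19T20:19:00 auth-fail method=REGISTER src=203.0.113.7 user=1001
2016-06-19T20:19:05 auth-fail method=REGISTER src=203.0.113.7 user=1001
2016-06-19T20:19:09 auth-fail method=REGISTER src=203.0.113.7 user=1001
2016-06-19T20:19:10 auth-fail method=REGISTER src=198.51.100.4 user=2002
2016-06-19T20:19:40 auth-fail method=REGISTER src=198.51.100.4 user=2002
2016-06-19T20:21:00 auth-fail method=REGISTER src=198.51.100.4 user=2002
2016-06-19T20:21:30 auth-fail method=REGISTER src=192.0.2.9 user=3001
2016-06-19T20:21:31 auth-fail method=REGISTER src=192.0.2.9 user=3002
2016-06-19T20:21:32 auth-fail method=REGISTER src=192.0.2.9 user=3003
"""


def find_offenders(lines, window=60, max_failures=3, per_user=True):
    """Return {key: timestamp of the failure that reached max_failures in window}."""
    recent = defaultdict(deque)  # key -> timestamps of failures still in window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a failed-REGISTER record
        ts = datetime.fromisoformat(m["ts"]).timestamp()
        # per_user=True keys on source IP + auth user; False keys on source IP only.
        key = (m["src"], m["user"]) if per_user else (m["src"],)
        q = recent[key]
        q.append(ts)
        # Forget failures older than the window, so two attempts in one minute
        # do not count toward the threshold later on.
        while ts - q[0] >= window:
            q.popleft()
        if len(q) >= max_failures and key not in offenders:
            offenders[key] = m["ts"]
    return offenders
```

On the sample, the combined key flags only 203.0.113.7 with user 1001, while the source-only key also flags 192.0.2.9, which fails once each against three different users.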