19 Jun
2016
19 Jun
'16
5:20 p.m.
Hey Daniel,
Thanks for so fast feedback!
No difference as far as I can tell before and after removing the record
from db. I have also not disabled specifically the record inside uacreg
table but completely removed it from db.
I should mention that I have just upgraded to latest 4.4.1 so I should
have the flags also saved in db.
Here is the record before removal:
"""
root@iPBXDev1:/etc/ipbxrp# kamcmd -s tcp:127.0.0.1:2046 uac.reg_dump
{
l_uuid: rsua1_172.16.254.101
l_username: rsua1
l_domain: 172.16.254.101
r_username: cust_sua1
r_domain: 172.16.254.102
realm:
auth_username: cust_sua1
auth_password: check123
auth_proxy: sip:172.16.254.102:5060
expires: 3600
flags: 20
diff_expires: 3588
timer_expires: 1466349066
reg_init: 1466345451
reg_delay: 0
}
"""
and the one after:
"""
root@iPBXDev1:/etc/ipbxrp# kamcmd -s tcp:127.0.0.1:2046 uac.reg_dump
{
l_uuid: rsua1_172.16.254.101
l_username: rsua1
l_domain: 172.16.254.101
r_username: cust_sua1
r_domain: 172.16.254.102
realm:
auth_username: cust_sua1
auth_password: check123
auth_proxy: sip:172.16.254.102:5060
expires: 3600
flags: 20
diff_expires: 3526
timer_expires: 1466349066
reg_init: 1466345451
reg_delay: 0
}
"""
Also here is the command refreshing the record (after that is not longer
in db):
"""
POST /jsonrpc HTTP/1.1.
Host: 172.16.254.101:5090.
User-Agent: Go-http-client/1.1.
Content-Length: 85.
Content-Type: application/json.
Accept-Encoding: gzip.
.
{"jsonrpc":"2.0","method":"uac.reg_refresh","params":["rsua1_172.16.254.101"],"id":7}
#
T 2016/06/19 16:17:47.275473 172.16.254.101:5090 -> 172.16.254.102:58172
[AP]
HTTP/1.1 200 OK.
Sia: SIP/2.0/TCP 172.16.254.102:58172.
Content-Type: application/json.
Server: Sipean-RP 4.3.2.
Content-Length: 36.
.
{"jsonrpc":"2.0","result":{},"id":7}
"""
Ta,
DanB
On 16.06.2016 12:00, sr-users-request(a)lists.sip-router.org wrote:
Message: 10 Date: Thu, 16 Jun 2016 08:17:53 +0200
From:
Daniel-Constantin Mierla <miconda(a)gmail.com> To: "Kamailio (SER) -
Users Mailing List" <sr-users(a)lists.sip-router.org> Subject: Re:
[SR-Users] uac.reg_refresh not removing records from memory
Message-ID: <76d9f2eb-26f7-c0db-8b74-37c93a5d3ef4(a)gmail.com>
Content-Type: text/plain; charset=utf-8 Hello, On 14/06/16 16:52, DanB
wrote:
>
>Hey Guys,
>
>I was wondering if there is any dynamic way today to remove a single
>registration out of memory (and implicitly to force un-REGISTER)
>
>Eg: I add one record using uac.reg_refresh (which works fine) but after
>removing the record from the database and executing uac.reg_refresh
>again, the record stays in memory until expire.
>Is there a better way to enforce un-register on remote side?
>
do the flags in memory of the uac_reg account show that it is disabled?
Cheers,
Daniel 
19 Jun
19 Jun
9:19 p.m.
New subject: [KAMAILIO]: How to count three or more invalid REGISTERs from the same IP-address
Hello!
How to detect several unsuccessful REGISTER attempts from the same IP?
For example: a malicious user tries to look for passwords, can I detect
this in some way to black list it? As you know there are different SIP
dialogs here.. I need to mention these attempts should be counted
during certain period of time (e. g. 1 minute). If there were ONLY TWO
attempts for 1 minute the counter need to be reset to zero.
I've read about PERMISSIONS/BLST, but they don't offer such a mechanism.
I'll be waiting for your help, guys! :-)
Kind regards,
Ellad
9:22 p.m.
New subject: [KAMAILIO]: How to count three or more invalid REGISTERs from the same IP-address
Log error message on unsuccessful REGISTER and let fail2ban do the rest.
Anyway you're running fail2ban, don't you?
On Sunday 19 June 2016 21:19:42 Яцко Эллад Геннадьевич wrote:
Hello!
How to detect several unsuccessful REGISTER attempts from the same IP?
For example: a malicious user tries to look for passwords, can I detect
this in some way to black list it? As you know there are different SIP
dialogs here.. I need to mention these attempts should be counted
during certain period of time (e. g. 1 minute). If there were ONLY TWO
attempts for 1 minute the counter need to be reset to zero.
I've read about PERMISSIONS/BLST, but they don't offer such a mechanism.
I'll be waiting for your help, guys! :-)
Kind regards,
Ellad
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
22 Jun
22 Jun
8:33 a.m.
New subject: [KAMAILIO]: How to count three or more invalid REGISTERs from the same IP-address
On 19/06/16 20:19, Яцко Эллад Геннадьевич wrote:
Hello!
How to detect several unsuccessful REGISTER attempts from the same IP?
For example: a malicious user tries to look for passwords, can I detect
this in some way to black list it? As you know there are different SIP
dialogs here.. I need to mention these attempts should be counted
during certain period of time (e. g. 1 minute). If there were ONLY TWO
attempts for 1 minute the counter need to be reset to zero.
I've read about PERMISSIONS/BLST, but they don't offer such a mechanism.
I'll be waiting for your help, guys! :-)
See the example config at:
-
https://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack#ddos_and_dicti…
It is for kamailio 3.1, but can be easily updated to the latest config
for 4.4. The idea is to rely on htable module to keep the counter. The
key has to be '$si::$au' -- the source ip and the authentication user --
or you can use $fU instead of $au. The example above is using only user
id as key, so this is another change you have to do.
Cheers,
Daniel
--
Daniel-Constantin Mierla
http://www.asipto.com - http://www.kamailio.org
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
3075
days inactive
3078
days old
3 comments
4 participants
participants (4)
-
DanB -
Daniel-Constantin Mierla -
Sergey Okhapkin -
Яцко Эллад Геннадьевич