Let's go through each of those attacks and see how to configure your
system to face such situations and react to them.
We are also going to see how to increase your security and how easy it is to
integrate fail2ban with your NGCP system in order to ban attackers' IPs.
Denial of Service
As soon as packets arrive on your NGCP server, they take up
a bit of your CPU time. Denial of Service attacks are aimed to break
NGCP allows you to block this kind of attack quite easily, by configuring
security:
  dos_ban_enable: 'yes'
  dos_ban_time: 3600
  dos_reqs_density_per_unit: 50
  dos_sampling_time_unit: 2
3624477113-19168@tedadg.testlab.local
The banned IP will be stored in kamailio memory; you can check the list via
passwords. Always.
Nevertheless, NGCP allows you to detect and block such attacks quite
failed_auth_ban_time: 3600
You may increase the number of failed attempts if you want (in some cases
they are not writing the right password) and adjust the ban time. If a user
tries to authenticate an INVITE (or REGISTER), for example, and it fails more
than 3 times, the user@domain (not the IP, as for a Denial of Service
attack) will be blocked for 3600 seconds.
In this case you will see in your kamailio-lb.log the following lines:
Oct
R=<null> ID=313793-3624525116-589163@testlab.local
Both the banned IPs and the banned users are shown in the Admin web
interface; you can check them by accessing the Security Bans section in
the main menu.
You can check the banned user as well by retrieving the same info directly
Additionally, you can check the UA value from the log line and decide to
add that User Agent to your User Agent blacklist (see the Blocking User
Agent paragraph).
    cp /etc/ngcpconfig/templates/etc/kamailio/lb/kamailio.tt2 \
       /etc/ngcpconfig/templates/etc/kamailio/lb/kamailio.customtt.tt2

    route
    {
        ...
        # drop requests that fail the SIP sanity checks
        if(!sanity_check("1511", "7"))
        {
            xlog("L_WARN", "Malformed SIP message detected [% logreq_init %]\n");
            exit;
        }
        ## filtering by UA : blacklist
        # the User-Agent patterns are regular expressions and must be quoted
        if( is_method("REGISTER|INVITE") && ($ua =~ "friendly-scanner" || $ua
            =~ "sipvicious" || $ua =~ "^sipcli.+") )
        {
            xlog("L_WARN", "Request rejected, malicious UA=$ua from IP=$si
    [% logreq_init -%]\n");
            exit;
        }
        ...
    }
After that, run ngcpcfg apply.
Now NGCP will discard all the requests coming from those malicious UAs.
But you want more! You want to block their IPs using the NGCP firewall. To do
that, let's see how to install and configure fail2ban to work with your NGCP.
Also, we need to add the [kamailio-iptables] section to the bottom of the file:
[kamailio-iptables]
enabled = true
filter = kamailio
action = iptables-allports[name=KAMAILIO, protocol=all]
logpath = /var/log/ngcp/kamailio-lb.log
maxretry = 1
bantime = 3600
[Definition]
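The filter has to match the "Request rejected, malicious UA=... from IP=..." line written by the blacklist route above. The Python sketch below is an added example, not the article's filter: the pattern, the syslog prefix and the trailing fields of the sample lines are assumptions. Because the User-Agent text is sender-controlled, it also checks that the address is taken from the field written by $si and not from text inside the UA.

```python
import ipaddress
import re

# Assumed pattern (not the article's filter). fail2ban would use <HOST> where
# this sketch uses the named group "host". The greedy ".*" binds the match to
# the last " from IP=" on the line, which is the one written by $si, rather
# than to text that may appear inside the sender-controlled UA header.
FAILREGEX = re.compile(
    r"Request rejected, malicious UA=.* from IP=(?P<host>[0-9A-Fa-f:.]+)(?:\s|$)"
)

# Constructed sample lines; the syslog prefix and the trailing fields are
# assumptions about what [% logreq_init %] expands to.
SAMPLE_LOG = """\
Oct 20 10:15:01 sp1 lb[2211]: WARNING: <script>: Request rejected, malicious UA=friendly-scanner from IP=203.0.113.7 R=<null> ID=a1@example.invalid
Oct 20 10:15:02 sp1 lb[2211]: WARNING: <script>: Malformed SIP message detected R=<null> ID=b2@example.invalid
Oct 20 10:15:03 sp1 lb[2211]: WARNING: <script>: Request rejected, malicious UA=sipcli/v1.8 from IP=198.51.100.9 from IP=203.0.113.50 R=<null> ID=c3@example.invalid
Oct 20 10:15:04 sp1 lb[2211]: NOTICE: <script>: New request on lb - M=REGISTER IP=192.0.2.10 ID=d4@example.invalid
"""


def banned_ips(log_text):
    """Return the source IPs a maxretry = 1 jail would ban, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("host")))
        except ValueError:
            continue  # captured text is not a valid address: never ban on it
        if ip not in seen:
            seen.append(ip)
    return seen


if __name__ == "__main__":
    for ip in banned_ips(SAMPLE_LOG):
        print("would ban", ip)
```

The real filter file can be checked against the same kind of lines with the fail2ban-regex tool before the jail is enabled.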