... and coming in 4.6... just pulled this from the test server in the lab...
[image: image.png]

On Sun, Feb 5, 2012 at 8:41 AM, Robert B <[email protected]> wrote:

> Keith,
>
> These other solutions that are being recommended are great, but I actually
> found a very simple way that works "well enough" for me *so far*...
>
> Change your iptables rule that allows port 5060 to something like the
> following:
>
> -A INPUT -p tcp -m tcp -m string -m hashlimit --dport 5060 -j ACCEPT --string "REGISTER sip:" --algo bm --to 65 --hashlimit 5/second --hashlimit-burst 10 --hashlimit-mode srcip,dstport --hashlimit-name sip_r_limit
>
> It adds a simple rate limiter using source IP and destination port hash so
> that no single IP can send more than five REGISTER commands per second.
> This is not the be-all-end-all solution. However, in lieu of taking the
> time to set up fail2ban, this should do the trick.
>
> -- Robert
>
> On 2/4/2012 5:47 PM, Keith Laidlaw wrote:
>
> I have a working, stable sipX system (4.4.0 from ISO) with various
> same-subnet phones and sipxbridge to an ITSP (Voip.ms). The entire system
> is behind a port restricted NAT. All is well.
>
> Recently I tried to add remote workers to the mix, very carefully. The
> first - and only - thing I did was port forward 5060 TCP/UDP and
> 30000-31000 UDP. When I did this I experienced what I suspect is the
> sipvicious problem described elsewhere in this list. Every 24 hours or so,
> sipxproxy and sipxregistrar prevent phones from registering and the only
> cure is to restart those two.
>
> My questions:
>
> 1) What is the best way to confirm that my problem is due to sipvicious?
> 2) Is the detailed reason that sipvicious causes an irrecoverable lockup
>    well known?
> 3) Does 4.6 handle this situation better and make it into a (self)
>    recoverable situation?
> 4) Does 4.6 offer sipvicious protection to minimise this from happening
>    in the first place?
> 5) In the meantime, is pfsense my best option to block sipvicious (and
>    also change me to symmetric)?
> 6) Is there an ISO for pfsense that is appropriate for sipx? Or an ISO
>    with instructions for configuring for sipx?
>
> Any help would be appreciated.
>
> Keith
>
> _______________________________________________
> sipx-users mailing list
> [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-users/

--
Michael Picher, Director of Technical Services
eZuce, Inc.
300 Brickstone Square
Suite 201
Andover, MA. 01810
O.978-296-1005 X2015
M.207-956-0262
@mpicher <http://twitter.com/mpicher>
www.ezuce.com

Hope to see you at the sipX CoLab!
http://www.sipfoundry.org/sipx-colab
A gathering for - open source users, eZuce customers & eZuce partners
Get the inside track on 4.6 and a glimpse at the future of sipXecs!
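To show what the hashlimit parameters in the quoted rule do to a flood compared with a normally behaving phone, here is a simplified model of the per-(srcip,dstport) token bucket, added as an illustration and not code from the thread or from sipXecs. The traffic, addresses and host name are constructed, and the model assumes that a packet over the limit simply fails to match the ACCEPT rule and continues to later rules or the chain policy.

```python
COST_MS = 1000 // 5    # --hashlimit 5/second: each packet costs 200 ms of credit
CAP_MS = 10 * COST_MS  # --hashlimit-burst 10: a full bucket pays for 10 packets
DPORT = 5060           # --dport 5060
PATTERN = b"REGISTER sip:"  # --string (the --to 65 offset window is not modelled)


class HashLimit:
    """Simplified hashlimit model: one token bucket per (srcip, dstport) key."""

    def __init__(self):
        self.buckets = {}  # key -> (credit_ms, last_seen_ms)

    def matches(self, now_ms, key):
        credit, last = self.buckets.get(key, (CAP_MS, now_ms))  # new keys start full
        credit = min(CAP_MS, credit + (now_ms - last))          # refill 1 credit per ms
        ok = credit >= COST_MS
        self.buckets[key] = (credit - COST_MS if ok else credit, now_ms)
        return ok


def classify(packets):
    """Count, per source IP, REGISTERs the ACCEPT rule matches vs. lets fall through."""
    limiter, result = HashLimit(), {}
    for now_ms, src_ip, dport, payload in packets:
        if dport != DPORT or PATTERN not in payload:
            continue  # rule does not apply; packet is judged by other rules
        counts = result.setdefault(src_ip, {"accept": 0, "fall_through": 0})
        # Assumption: a packet over the limit is not dropped by this rule; it
        # just fails to match and goes on to later rules or the chain policy.
        counts["accept" if limiter.matches(now_ms, (src_ip, dport)) else "fall_through"] += 1
    return result


def sample_traffic():
    """Constructed traffic: a flooder at 100 REGISTER/s for 2 s and one phone."""
    msg = b"REGISTER sip:pbx.example.test SIP/2.0\r\n"
    flood = [(i * 10, "203.0.113.9", 5060, msg) for i in range(200)]
    phone = [(i * 500, "198.51.100.20", 5060, msg) for i in range(4)]
    return sorted(flood + phone)


if __name__ == "__main__":
    for src, counts in classify(sample_traffic()).items():
        print(src, counts)
```

In this constructed run the flooder has 19 of its 200 REGISTERs matched (the initial burst of 10, then one per 200 ms of refill), while the phone is never limited. What happens to the other 181 depends entirely on the rules that follow the ACCEPT rule.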
