Hello,

On 09.10.17 12:17, Mark Boyce wrote:
> Hi Daniel,
>
> Thanks, I see tcpops lets us set the lifetime … although it’s not really the
> length of the lifetime that concerns me.
>
> I guess I’m thinking more a SIP TCP Firewall type of system. If someone is
> scanning/ddos/etc I don’t think we should be sending a response at all,
> unless there’s something I’ve missed?

Usually it is better not to send a response, especially when matching the attack the first time, so it doesn't discover it is a SIP server. If the attacker already knows, sometimes it helps to just send a 200 OK response, because that may make the scanning script stop, because it thinks it has discovered a good password.

> We could just use fail2ban but that would mean spawning an executable or
> writing each attempt to logs.

That's an option used by many out there, a matter of preferences.

>
> Maybe I’m doing things the wrong way round but I can’t help feeling that
> letting kamailio see the attempts and log stats, sources, etc is more useful
> than an iptables drop?

I typically do it with Kamailio, as I am more familiar with it. Of course, there is always the option to add a function to close a TCP connection (as an alternative to setting the lifetime to 1 sec), but one has to go and code it; tcpops is a good place for such an addition.

Cheers,
Daniel

> Cheers,
> Mark
>
>
>> On 9 Oct 2017, at 10:51, Daniel-Constantin Mierla <mico...@gmail.com> wrote:
>>
>> Hello,
>>
>> tcpops module offers a function to set the lifetime of a tcp connection,
>> so you can set it to 1 second:
>>
>> - https://www.kamailio.org/docs/modules/stable/modules/tcpops.html
>>
>> Core offers a function to instruct closing the connection once a reply
>> has been sent, but it seems you don't want to send anything back.
>>
>> Cheers,
>> Daniel
>>
>>
>> On 08.10.17 22:11, Mark Boyce wrote:
>>> Hi all
>>>
>>> Just working on some connections security filters on a Kamailio install.
>>> The security goes something like this;
>>>
>>> In REQINT … if source_ip is not in customers IP white-list then just exit
>>>
>>> This works fine for UDP where packets are just ignored if they don’t come
>>> from a trusted IP.
>>>
>>> However on TCP this leads to the connection staying open until it either
>>> times out or the source disconnects. Which feels untidy.
>>>
>>> Is there a way to say close the TCP connection from within the config
>>> script?
>>>
>>> Thanks
>>>
>>> Mark

--
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - www.kamailioworld.com

_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
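
The approach discussed in this thread, sketched as a Kamailio config. This is an added example, not part of the original messages and not the project's sample config. It assumes the customer whitelist lives in the permissions module's address table as group 1; the database URL and the htable name `blocked` are placeholders chosen for illustration.

```cfg
#!KAMAILIO
# Added example (not from the thread): silently drop requests from sources
# outside the whitelist, count them per source IP, and shorten the TCP
# connection lifetime to 1 second so the socket does not linger.

loadmodule "db_mysql.so"     # assumption: whitelist is stored in MySQL
loadmodule "pv.so"
loadmodule "xlog.so"
loadmodule "htable.so"
loadmodule "permissions.so"
loadmodule "tcpops.so"

# Placeholder DB URL; permissions loads its address table from here.
modparam("permissions", "db_url",
         "mysql://kamailio:PASSWORD@localhost/kamailio")

# Hypothetical table "blocked": per-source counter of rejected requests,
# entries expire after one hour without activity.
modparam("htable", "htable", "blocked=>size=8;autoexpire=3600;initval=0;")

request_route {
    # Assumption: trusted customer IPs are in address group 1.
    if (!allow_source_address("1")) {
        # Keep the visibility that an iptables drop would not give:
        # a per-source hit counter and a log line from Kamailio itself.
        $var(hits) = $shtinc(blocked=>$si);
        xlog("L_WARN", "blocked $rm from $si:$sp over $proto (hit $var(hits))\n");

        # UDP needs nothing more. On connection-oriented transports,
        # set the lifetime of the current connection to 1 second
        # (tcpops) so it is closed shortly after.
        if ($proto != "udp") {
            tcp_set_connection_lifetime("1");
        }

        # No reply is generated, so the source learns nothing from SIP.
        exit;
    }

    # ... normal request handling for whitelisted sources continues here ...
}
```

The counters in `blocked` can be inspected at runtime with the htable module's RPC dump command, which gives the per-source statistics without writing a log line for every attempt.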