Brekeke SIP Server Wiki

Block List Settings

The block list setting page list the conditions of how to define a blocked IP address. Modify the following settings to create the block list feature to meet your need.

 


[General] 

Block list feature can be turned on or off, and adjust cache size.
When [Block Failed Username] is set on, the blocked failed-authentication user names will be added at [Blocked User Name] page.
When [Blocked Log] is set off, blocked activities will not be added to [Logs] > [Blocked Logs]

Item Default value Explanation
On/Off On Set Block List feature on or off
Cache Size 512
Block Failed Username Off If set to on, the IP addresses from which the SIP packets are sent with failed authentication user name will be added to Blocked IP Address database
Do not Block Local IP Address On If set to on, the packets from local IP addresses will not be blocked even the local IP addresses have been added to blocked IP Address database.
Email Alert

(v3.6 or later)

On If set to on, the emails are sent to Administrators when a new IP address meets the monitoring conditions and added to the blocked list.

 


[Attempt Tracking/Monitoring] 

You can adjust detection frequency for attacking attempts.
If the attacking attempts meet the tracking frequency setting in [Invalid Destination], [Invalid Packet], [Multiple Accesses] and [Prefix Scan] fields and are sent from the same IP address, this IP address will be added to [Blocked IP Address] page automatically.

The failed authentication user names will be added to [Blocked User Name] page automatically if the failed authentication attempts from different IP addresses are using the same failed authentication user name and meet the tracking frequency setting in the [Failed Authentication] field.

Item Default value Explanation
Failed Authentication 60 times in 259200 sec The frequency of the failed authentication activities received from the same IP address that will be added as blocked IP address
Invalid Destination 20 times in 30 sec The frequency of SIP packets with invalid destination received from the same IP address that will be added as blocked IP address
Malformed Packet 10 times in 10 sec The frequency of sending invalid SIP packets received from the same IP address that will be added as blocked IP address
Multiple Accesses 1000 times in 5 sec The frequency to access from the same IP address that will be added as blocked IP address
Prefix Scan 60 times in 60 sec The frequency to prefix scan received from the same IP address that will be added as blocked IP address
Multiple Transport Connections

(v3.4 or later)

20 times in 60 sec The frequency of requests for transport layer connections received from the same IP address that will be added as blocked IP address

 


[Notify to Other Brekeke SIP Servers] section

When this feature is set on, the blocked IP addresses in current Brekeke SIP Server [Blocked IP Address] page will be updated on the remote Brekeke SIP Server(s) located at IP(s) set in [IP addresses] field.
Multiple remote IP addresses or domanin name can be set in [IP addresses or FQDN] field, separated by comma, such as, 192.168.200.1,192.168.200.2.

The following Dial Plan rule is needed at remote Brekeke SIP Server to accept the blocked IP notification:

---------------------
[Matching Patterns]
$request = ^MANAGEMENT
$addr = <Brekeke_SIP_Server_IP>
Command = (.+)

[Deploy Patterns]
$action = %1
---------------------

Replace <Brekeke_SIP_Server_IP> with the Brekeke SIP Server IP address with [Notify to Other Brekeke SIP Servers] setup.

 

Item Default value Explanation
On/Off off Enable or disable to send notify to other Brekeke SIP Server about blocked IP addresses
IP addresses or FQDN IP addresses or FQDN of the remote Brekeke SIP Server where the NOTIFY will be sent

Multiple addresses or domain names can be set and separated by comma

 

 


[Notify to HTTP Servers] section

When this feature is set on, the blocked(unblocked) IP addresses in current Brekeke SIP Server [Blocked IP Address] page will be notified to remote HTTP server.
Any URL can be set in both [URL (Block) (*1)] field and [URL (Unblock) (*1)] field.

Item Default value Explanation
On/Off off Enable or disable to send notify to HTTP Server about blocked/unblocked IP addresses
URL (Block) (*1) URL of the remote HTTP Server where the notification will be sent when an ip address becomes blocked
URL (Unblock) (*1) URL of the remote HTTP Server where the notification will be sent when an ip address becomes unblocked

 

 


[Reverse Proxy] section

In the case a reverse proxy is located in front of the Brekeke SIP Server, in order to inform the actual source IP address to the Brekeke SIP Server, this settings are needed.

Item Default value Explanation
Reverse Proxy IP address pattern Set Reverse Proxy IP address pattern

Example:

^172\.20\.0\.1$

HTTP header for remote IP address Set HTTP header that includes actual source IP address

Example:

X-Real-IP

*The reverse proxy server needs to set an actual source ip address into the X-Real-IP header before the server forwards http requests.

Use Reverse Proxy Server >>

HTTP Header pattern If [HTTP Header pattern] is set, match the HTTP header values and use the first group (enclosed in parentheses) as the remote IP address.

If [HTTP Header pattern] is empty, use the entire HTTP header value as the remote IP address.

 

 

 

Related Links
Yes No
Suggest Edit