Comment: Updated using 4PSA automated script

Note

Applies to VoipNow 4.0.0x and higher!

VoipNow 4.0.0 comes packed with an application layer firewall at the SIP level called Pike. Pike is not a programming language. It's a module implemented in Kamailio that keeps track of all incoming requests, logging the source IP address for requests exceeding limits.

This module was not implemented for the purpose of blocking IP addresses when limits are exceeded. It's better not to rely only on Kamailio to block such IP addresses.

Pike simply reports abnormal traffic coming from different sources, allowing the system administrator to decide what measures to take using a script.

Step-by-step guide

Pike is disabled by default, but you can enable it by setting SIP_ANTIABUSE to 1 in /etc/voipnow/local.conf and then restarting Kamailio.

Code Block
# Enable/Disable SIP antiabuse (0/1)
SIP_ANTIABUSE 1

Pike contains three different trees, each of which tries to detect signs of abnormal activity within a certain period of time.

  1. Level 1 IP tree detects more than 300 requests per 10-second sampling unit.

    Code Block
    modparam("pike", "ip_tree", "l1_tree=>sampling_time_unit=10;reqs_density_per_unit=300;remove_latency=120")


  2. Level 2 IP tree detects more than 5 auth requests per 30-second sampling unit.

    Code Block
    modparam("pike", "ip_tree", "l2_tree=>sampling_time_unit=30;reqs_density_per_unit=5;remove_latency=240")


  3. Level 3 IP tree detects more than 30 failed auth requests per 10-minute sampling unit.

    Code Block
    modparam("pike", "ip_tree", "l3_tree=>sampling_time_unit=600;reqs_density_per_unit=30;remove_latency=1800")


  4. Level 4 IP tree detects more than 20 failed auth requests per 5-minute sampling unit.

    Code Block
    modparam("pike", "ip_tree", "l4_tree=>sampling_time_unit=300;reqs_density_per_unit=20;remove_latency=1200")
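
To see which of the four trees would flag a given source before deciding what a response script should do, the thresholds above can be replayed over sample traffic. This is an added example, not 4PSA's or Kamailio's code. It assumes fixed, non-overlapping sampling windows, events given as (seconds, source IP, kind), and the `COUNTED` mapping of trees to request kinds read from the level descriptions. The traffic is constructed.

```python
import re
from collections import Counter

# ip_tree definitions as configured on this page
CONFIG = '''
modparam("pike", "ip_tree", "l1_tree=>sampling_time_unit=10;reqs_density_per_unit=300;remove_latency=120")
modparam("pike", "ip_tree", "l2_tree=>sampling_time_unit=30;reqs_density_per_unit=5;remove_latency=240")
modparam("pike", "ip_tree", "l3_tree=>sampling_time_unit=600;reqs_density_per_unit=30;remove_latency=1800")
modparam("pike", "ip_tree", "l4_tree=>sampling_time_unit=300;reqs_density_per_unit=20;remove_latency=1200")
'''
# Assumption: which request kinds each tree counts, read from the level descriptions
COUNTED = {
    "l1_tree": {"request", "auth", "auth_failed"},
    "l2_tree": {"auth", "auth_failed"},
    "l3_tree": {"auth_failed"},
    "l4_tree": {"auth_failed"},
}
TREE_RE = re.compile(r'"ip_tree",\s*"(\w+)=>([^"]+)"')

def parse_trees(text):
    """Return {tree_name: {parameter: int}} for every ip_tree modparam line."""
    trees = {}
    for name, body in TREE_RE.findall(text):
        trees[name] = {k: int(v) for k, v in (p.split("=") for p in body.split(";"))}
    return trees

def over_limit(trees, events):
    """Count events per (tree, source IP, window start) and return the entries
    whose count exceeds reqs_density_per_unit, as (tree, ip, window_start, count)."""
    hits = Counter()
    for ts, ip, kind in events:
        for name, p in trees.items():
            if kind in COUNTED[name]:
                hits[(name, ip, ts - ts % p["sampling_time_unit"])] += 1
    return sorted(k + (n,) for k, n in hits.items()
                  if n > trees[k[0]]["reqs_density_per_unit"])

def sample_events():
    """Constructed traffic; timestamps are seconds from the start of the capture."""
    slow = [(t, "203.0.113.7", "auth_failed") for t in range(0, 250, 10)]  # 1 failure / 10 s
    burst = [(100 + i, "198.51.100.4", "auth") for i in range(6)]         # 6 auths in 6 s
    normal = [(50 + i // 10, "192.0.2.10", "request") for i in range(40)]  # 40 requests in 4 s
    return slow + burst + normal

if __name__ == "__main__":
    for tree, ip, start, n in over_limit(parse_trees(CONFIG), sample_events()):
        print(f"{tree}: {ip} sent {n} counted requests in the window starting at {start}s")
```

On this sample the slow source stays under the Level 2 and Level 3 limits and is flagged only by Level 4, which is the case the longer sampling units exist for.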


Here's what each parameter means: 

...


Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution 4.0 International license.