The SIP firewall can assist you in detecting failed SIP connections to the SBC.
- The general concept is the SIP firewall is made up of rules that will either Log or Block the offender exceeding the failed attempts.
- These rules can be targeted towards every IP and User Agent, or only certain User Agents or IPs.
- As well, these rules can be associated with all SIP profiles or certain SIP profiles.
SIP Firewall Configuration
To start the configuration go to Configuration->Security->SIP Firewall then
- click Add to add rule in the SIP Security Monitor – Rules section.
- Specify the name for the new rule, then click Add.
The rule below will look for any single source IP exceeding 20 failed attempts over 10 minutes.
- If a certain IP exceeds this then it will be blocked.
- The Action Parameter is set to 0 so this will block the host forever,
- if you would like the host to be blocked for 15 minutes set the Action Parameter to 15.
If you want to keep all blocked users in your own 3rd party firewall youcanlet the SBC block the IPs then check the status of the blocked users as shown below.
Or you can write to the log file and have a utility which checks the NSC logs for these entries and act on this.
The log file is /var/log/sipsecmon.log on the unit or in the WebUI go to Reports->System->NSCLogs then click on SIP Security Monitor.
SIP Firewall Logging
- To configure the log level click Edit under the SIP Security Monitor Configuration.
- On the next page the Log Level can be set to Info or Debug, once set, click save to exit.
- To apply the changes click to Configuration top tool bar, then click Reload.
SIP Firewall Status
To get the status of blocked IPs on the SBC go to Overview->Security->SIP Firewall Status and the list of blocked IPs will be there.