APIBAN Integration
APIBAN is a free service that helps prevent unwanted SIP traffic by identifying addresses of known bad actors. The suspicious IP addresses are collected through globally deployed honeypots and curated by APIBAN. While the VSXi DDoS feature will identify any intruding IPs and block them dynamically, the APIBAN dataset can be used as a blacklist of IPs to ignore or block unwanted traffic.
The VSXi integration consists of using an SMC Profile with a Data File that stores a local copy of APIBAN's IP dataset.
The SMC Profile must be applied at the Service Port level. In doing so, any packet that matches a suspicious IP is dropped immediately.
```json
{
  "ProfileID": 103,
  "ProfileName": "APIBAN Integration",
  "Rules": [
    {
      "MsgType": "REQUEST",
      "ReqMethod": "REGISTER,INVITE",
      "StoredVariables": [
        {
          "VariableName": "{$SIP.RemoteIP}",
          "Porting": "IMPORT"
        }
      ],
      "Action": "REPLACE_MSG",
      "ReplaceDefs": [
        {
          "ReplaceType": "ADD_LINE",
          "Header": "From:",
          "HeaderAttr": "HEADER_SECTION_ONLY",
          "Output": "RemoteIP: {$SIP.RemoteIP}"
        }
      ]
    },
    {
      "MsgType": "REQUEST",
      "ReqMethod": "REGISTER,INVITE",
      "DataFile": "APIBAN.csv",
      "DataFileBSearchIndex": 1,
      "LogicalConjunction": "OR",
      "Conditions": [
        {
          "Header": "RemoteIP:",
          "HeaderAttr": "HEADER_SECTION_ONLY",
          "RegEx1": "[0-9]+.[0-9]+.[0-9]+.[0-9]+",
          "Operator": "BSEARCH_EQ"
        }
      ],
      "Action": "DROP_MSG_RECORD"
    },
    {
      "MsgType": "REQUEST",
      "ReqMethod": "REGISTER,INVITE",
      "Conditions": [
        {
          "Header": "RemoteIP:",
          "HeaderAttr": "HEADER_SECTION_ONLY",
          "Operator": "NEQ",
          "RightOperand": ""
        }
      ],
      "Action": "REPLACE_MSG",
      "ReplaceDefs": [
        {
          "ReplaceType": "DELETE_LINES",
          "Header": "RemoteIP:",
          "HeaderAttr": "HEADER_SECTION_ONLY"
        }
      ]
    }
  ]
}
```
The BADIPS.csv SMC Data File can be updated via VSXi's REST API. Here is a sample script, which can be run internally (on the VSXi) or externally.
```bash
#!/bin/bash
# Integration with APIBAN and VSXi.
# Version 2.0 June 2024. Author: support@sansay.com
# Usage apiban-to-vsxi.sh $host $user $password

# API parameters
API_URL="https://apiban.org/api/get"
AUTH_TOKEN=$(cat .apikey)
CONTENT_TYPE="application/json"
SET="all"
MAX_ENTRIES=250
ZIP_FILE="smc_data.zip"

# File to save the ID
ID_FILE="last_id.txt"

# Initialize ID from file or default
if [ -f "$ID_FILE" ]; then
    ID=$(cat "$ID_FILE")
else
    ID="7894354"
fi

# CSV file to store IP addresses
CSV_FILE="APIBAN.csv"

# Initialize the CSV file
echo "ipaddress" > "$CSV_FILE"

# Function to get IPs
get_ips() {
    curl -s "$API_URL" \
        -X POST \
        -H "Authorization: Bearer $AUTH_TOKEN" \
        -H "Content-Type: $CONTENT_TYPE" \
        -d "{\"set\":\"$SET\", \"id\":\"$ID\"}"
}

while true; do
    RESPONSE=$(get_ips)

    # Debugging: Output the entire response
    echo "Response: $RESPONSE"

    IP_COUNT=$(echo "$RESPONSE" | jq '.ipaddress | length')
    echo "Retrieved $IP_COUNT IPs"

    # Debugging: Check if the IP addresses array exists
    IP_ADDRESSES=$(echo "$RESPONSE" | jq '.ipaddress // empty')
    if [ -z "$IP_ADDRESSES" ]; then
        echo "No IP addresses found in the response."
        break
    fi

    # Append IP addresses to CSV file
    echo "$IP_ADDRESSES" | jq -r '.[]' >> "$CSV_FILE"

    if [ "$IP_COUNT" -lt "$MAX_ENTRIES" ]; then
        echo "Less than $MAX_ENTRIES IPs, ending loop."
        break
    fi

    # Update ID for the next request and save to file
    ID=$(echo "$RESPONSE" | jq -r '.ID')
    echo "$ID" > "$ID_FILE"
done

echo "All IPs retrieved and saved to $CSV_FILE."

# After having the CSV file of all IPs create an SMC Data File
# ZIP contents as required by the API
zip "$ZIP_FILE" "$CSV_FILE"

# Now upload the output file to VSXi SMC Data File
# Note: -k skips TLS certificate verification for the VSXi host
curl -k -X POST -T "$ZIP_FILE" -u "$2":"$3" "https://$1:8888/SSConfig/webresources/replaceLarge/smcDataFile"
```
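Because every address in the Data File is dropped at the Service Port, it is worth checking the downloaded list before the upload step. The function below is an added example, not part of the Sansay script: it keeps only well-formed IPv4 entries, removes duplicates, and excludes any address listed in an allowlist of trusted peers. The function name and the allowlist file are assumptions made for this example.

```bash
#!/bin/bash
# Added example (not from the original script): clean APIBAN.csv before upload.
# Usage: sanitize_blocklist IN_CSV ALLOW_FILE OUT_CSV
#   IN_CSV     - file written by the download loop (first line "ipaddress")
#   ALLOW_FILE - hypothetical file with one trusted peer IPv4 per line
#   OUT_CSV    - cleaned file to zip and upload instead of IN_CSV
# Prints "kept=N rejected=M allowlisted=K"; returns non-zero when nothing is
# kept, so a failed or empty download does not replace the existing Data File.
sanitize_blocklist() {
    awk -v allow="$2" -v out="$3" '
        BEGIN {
            # Load trusted addresses that must never be blocked.
            while ((getline line < allow) > 0) {
                sub(/\r$/, "", line)
                if (line != "") trusted[line] = 1
            }
            print "ipaddress" > out
        }
        { sub(/\r$/, "") }                          # tolerate CRLF input
        NR == 1 && $0 == "ipaddress" { next }       # skip the header line
        {
            ip = $0
            # Strict dotted-quad check: exactly four decimal octets, each 0-255.
            n = split(ip, o, ".")
            ok = (n == 4)
            for (i = 1; ok && i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255)
                    ok = 0
            if (!ok)           { rejected++; next }
            if (ip in trusted) { allowlisted++; next }
            if (ip in seen)    { next }             # drop duplicates silently
            seen[ip] = 1
            kept++
            print ip > out
        }
        END {
            printf "kept=%d rejected=%d allowlisted=%d\n", kept, rejected, allowlisted
            exit (kept > 0 ? 0 : 1)
        }
    ' "$1"
}
```

In the sample script this would run between the download loop and the `zip` step, with the upload skipped when the function returns non-zero.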