Block Persistent Suspicious Behaviour

[benbullnz]

Which version are you using?

v0.13.1

Enhancement request

Would it be possible to add a method to blacklist IP's who are engaging in persistent suspicious behaviour?
Hopefully this would work in much in the same way that it does for ReadIP's, where we could blacklist IP's who are continually becoming a problem. I am unable to utilise readIP's effectively at the moment as my streams need to be served to the internet and therefore a variety of addresses.

Maybe you could add a BlacklistIP's for "all" and each stream name, which the server admin can update manually as offenders are identified via the logs.

Further to this, the V1 spec does mention:

Persistently suspicious behavior:
RTSP servers SHOULD return error code 403 (Forbidden) upon
receiving a single instance of behavior which is deemed a
security risk. RTSP servers SHOULD also be aware of attempts
to probe the server for weaknesses and entry points and MAY
arbitrarily disconnect and ignore further requests clients
which are deemed to be in violation of local security policy.

Is there something that can be done programatically to identify invalid requests and have the offenders automatically added into the blacklist?

Thanks

[benbullnz]

Attached is only a few examples of offenders identified in one of my logs recently.

Nefarious RTSS.txt

Thanks

[aler9]

In my opinion, a solution should be as similar as possible as the one already used with HTTP servers:

• the server should mitigate suspicious requests, by using disconnections and waitings, but it shouldn't ban IPs unless explicitly told to do so
• fail2ban can be deployed to analyze log lines and ban attackers

The second solution can be used immediately, it's enough to install fail2ban and add a configuration and filter that reads from the server's logs.