
make the auth limit more generic and fix the missing routing key

3.18
karl anderson 11 years ago
parent
commit
12e221bce8
4 changed files with 39 additions and 23 deletions
  1. +25
    -6
      kamailio/antiflood-role.cfg
  2. +1
    -0
      kamailio/default.cfg
  3. +12
    -16
      kamailio/registrar-role.cfg
  4. +1
    -1
      kamailio/traffic-filter-role.cfg

+ 25
- 6
kamailio/antiflood-role.cfg View File

@ -22,7 +22,7 @@ route[ANTIFLOOD_RATE_LIMIT]
# use pike to control the rates
if (!pike_check_req()) {
xlog("L_WARN", "$ci|log|pike dropping $rm from $fu due to rate of requests with source $si:$sp");
xlog("L_WARN", "$ci|end|dropping request from $fu due to rate of requests with source $si:$sp");
drop();
exit;
}
@ -34,17 +34,25 @@ route[ANITFLOOD_AUTH_LIMIT]
return(1);
}
if($sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY) {
if ($Au != $null &&
$sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY
) {
$var(exp) = $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW;
if($sht(failed_auth_hash=>$Au::last) > $var(exp)){
$sht(failed_auth_hash=>$Au::last) = $Ts;
xlog("L_WARN", "$ci|log|ignoring erroneous endpoint registrations from $ct for $Au");
return(-1);
xlog("L_NOTICE", "$ci|end|request at authorization failure limit for $Au $si:$sp");
drop();
exit;
} else {
$sht(failed_auth_hash=>$Au::count) = 0;
}
}
return(1);
}
route[ANTIFLOOD_SUCCESSFUL_AUTH]
{
if ($Au != $null && $sht(failed_auth_hash=>$Au::count) != $null) {
$sht(failed_auth_hash=>$Au::count) = 0;
}
}
route[ANITFLOOD_FAILED_AUTH]
@ -59,4 +67,15 @@ route[ANITFLOOD_FAILED_AUTH]
$sht(failed_auth_hash=>$Au::count) = $sht(failed_auth_hash=>$Au::count) + 1;
$sht(failed_auth_hash=>$Au::last) = $Ts;
xlog("L_INFO", "$ci|log|$sht(failed_auth_hash=>$Au::count) errounous authorization response for $Au $si:$sp");
if ($sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY) {
$var(exp) = $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW;
if($sht(failed_auth_hash=>$Au::last) > $var(exp)){
xlog("L_INFO", "$ci|end|registration forbidden $Au $si:$sp");
send_reply("403", "Forbidden");
exit;
}
}
}
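Review bot: The window check added inside ANITFLOOD_FAILED_AUTH is always true, because `$sht(failed_auth_hash=>$Au::last)` was set to `$Ts` two lines earlier, so `last > $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW` holds for any positive window and the 403 is sent purely on the cumulative count. Since the count is only zeroed in ANITFLOOD_AUTH_LIMIT after the threshold has been crossed and the window has expired, failures spaced further apart than the window still accumulate, so a subscriber with an occasional mistyped password is eventually locked out; expiring a stale count before incrementing fixes both, and the redundant inner `if` can go. Note also that the counter is keyed on the client-supplied `$Au` alone and every dropped request in ANITFLOOD_AUTH_LIMIT refreshes `last`, so anyone who knows a username can keep it blocked for as long as they keep sending (pike on the rate-limit path bounds the rate per source, not this); keying on `$Au` together with `$si`, or not refreshing `last` on drops, is worth considering. The body of ANITFLOOD_FAILED_AUTH starts before this hunk.
```kamailio
# … unchanged: start of route[ANITFLOOD_FAILED_AUTH] …
# forget a stale count first so failures spaced wider than the window do not accumulate
$var(exp) = $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW;
if ($sht(failed_auth_hash=>$Au::last) != $null && $sht(failed_auth_hash=>$Au::last) < $var(exp)) {
    $sht(failed_auth_hash=>$Au::count) = 0;
}
$sht(failed_auth_hash=>$Au::count) = $sht(failed_auth_hash=>$Au::count) + 1;
$sht(failed_auth_hash=>$Au::last) = $Ts;
# … unchanged: L_INFO log line …
# last == $Ts here, so a window comparison is always true; the count alone decides
if ($sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY) {
    xlog("L_INFO", "$ci|end|registration forbidden $Au $si:$sp");
    send_reply("403", "Forbidden");
    exit;
}
```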

+ 1
- 0
kamailio/default.cfg View File

@ -210,6 +210,7 @@ route
#!ifdef ANTIFLOOD-ROLE
route(ANTIFLOOD_RATE_LIMIT);
route(ANITFLOOD_AUTH_LIMIT);
#!endif
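Review bot: The route invoked on the new line is spelled `ANITFLOOD_AUTH_LIMIT` while its siblings in the same block are `ANTIFLOOD_RATE_LIMIT` and `ANTIFLOOD_SUCCESSFUL_AUTH`; now that the name is wired into the main request route it is worth correcting before more callers depend on it, `route(ANTIFLOOD_AUTH_LIMIT);`, together with renaming the two `ANITFLOOD_*` route definitions in antiflood-role.cfg. Be aware that this check now runs for every request carrying credentials, not only REGISTER as before, so a locked-out `$Au` also loses INVITE and other requests until the window expires — presumably the intent of "more generic", but a one-line comment above the call, `# drops any request whose auth user is over the failed-auth limit`, would save the next reader the trip to antiflood-role.cfg. The main request route starts before this hunk.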
#!ifdef TRAFFIC-FILTER-ROLE


+ 12
- 16
kamailio/registrar-role.cfg View File

@ -56,7 +56,7 @@ route[HANDLE_REGISTER]
route(ATTEMPT_AUTHORIZATION);
} else {
auth_challenge("$fd", "0");
xlog("L_INFO", "$ci|end|issued auth challenge to new registration for $Au $si:$sp");
xlog("L_INFO", "$ci|end|issued auth challenge to new registration for $fu $si:$sp");
exit;
}
}
@ -64,16 +64,8 @@ route[HANDLE_REGISTER]
route[ATTEMPT_AUTHORIZATION]
{
#!ifdef ANTIFLOOD-ROLE
if (!route(ANITFLOOD_AUTH_LIMIT)) {
xlog("L_WARN", "$ci|log|dropping erroneous endpoint registration for $Au $si:$sp");
drop();
exit;
}
#!endif
if ($sht(auth_cache=>$Au) != $null) {
xlog("L_INFO", "$ci|log|authenticating $Au via cached SIP creds");
xlog("L_INFO", "$ci|log|authenticating $fu via cached SIP creds");
$var(password) = $sht(auth_cache=>$Au);
} else {
$var(amqp_payload_request) = "{'Event-Category' : 'directory' , 'Event-Name' : 'authn_req', 'Method' : 'REGISTER', 'Auth-Realm' : '" + $fd + "', 'Auth-User' : '" + $fU + "', 'From' : '" + $fu + "', 'To' : '" + $tu +"' }";
@ -102,6 +94,10 @@ route[ATTEMPT_AUTHORIZATION]
exit;
}
#!ifdef ANTIFLOOD-ROLE
route(ANTIFLOOD_SUCCESSFUL_AUTH);
#!endif
if ($sht(auth_cache=>$Au) == $null) {
xlog("L_INFO", "$ci|log|caching SIP credentials for $Au");
$sht(auth_cache=>$Au) = $var(password);
@ -120,6 +116,11 @@ route[ATTEMPT_AUTHORIZATION]
$var(expires) = REGISTRAR_MIN_EXPIRES;
}
if($var(expires) == 0) {
xlog("L_INFO", "$ci|end|unregister request from $Au $si:$sp");
exit;
}
if($(proto{s.tolower}) == "udp" || $(proto{s.tolower}) == "tcp" || $(proto{s.tolower}) == "tls") {
$var(return_port) = $Rp;
} else {
@ -140,16 +141,11 @@ route[ATTEMPT_AUTHORIZATION]
$var(fs_contact) = "<sip:" + $(ct{tobody.user}) + "@" + $si + ":" + $sp + ";transport=" + $proto + ";" + $var(params) + ">";
}
if ($avp(AVP_RECV_PARAM) == $null) {
$var(fs_contact) = "<" + $(ct{tobody.uri}) + ";" + $var(params) + ">";
} else {
$var(fs_contact) = "<sip:" + $(ct{tobody.user}) + "@" + $si + ":" + $sp + ";transport=" + $proto + ";" + $var(params) + ">";
}
$var(register_contants) = ' "Presence-Hosts" : "n/a", "Profile-Name" : "sipinterface_1", "Status" : "Registered", "Event-Timestamp" : "' + $TS + '", "Expires" : ' + $var(expires);
$var(amqp_payload_request) = '{"Event-Category" : "directory", "Event-Name" : "reg_success", "Contact" : "' + $var(fs_contact) + '", "Call-ID" : "' + $ci + '", "Realm" : "' + $fd + '", "Username" : "' + $fU + '", "From-User" : "' + $fU + '", "From-Host" : "' + $fd + '", "To-User" : "' + $tU + '", "To-Host" : "' + $td + '", "User-Agent" : "' + $ua + '" ,' + $var(register_contants) + ' }';
$var(amqp_routing_key) = "registration.success." + $(fd{kz.encode}) + "." + $fU;
kazoo_publish("callmgr", $var(amqp_routing_key), $var(amqp_payload_request));
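Review bot: The rewritten log line in ATTEMPT_AUTHORIZATION now reports `$fu` while the credential-cache lookup on the next line is still keyed by `$Au`; if `$Au` is taken from the Authorization header when one is present, as Kamailio documents, it need not match the From URI, so the log attributes a cache hit to an identity other than the one actually authenticated, which is exactly the attribution you need when investigating credential stuffing. Suggest logging both, `xlog("L_INFO", "$ci|log|authenticating $Au via cached SIP creds (From: $fu)");`. Separately, the new `expires == 0` early exit returns before the reg_success publish, so Kazoo is no longer told about de-registrations that previously went out with `Expires: 0`, and if nothing earlier in the route answers an un-register the client gets no final response — confirm against the part of ATTEMPT_AUTHORIZATION outside these hunks. ATTEMPT_AUTHORIZATION continues before and after these hunks.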


+ 1
- 1
kamailio/traffic-filter-role.cfg View File

@ -31,7 +31,7 @@ route[FILTER_AUTHORIZATION_DOMAIN]
{
if (is_present_hf("Proxy-Authorization") &&
$ar =~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}" ) {
xlog("L_WARN", "$ci|log|dropping request with IP domain in Proxy-Authorization header");
xlog("L_WARN", "$ci|end|dropping request with IP domain in Proxy-Authorization header");
drop();
exit;
}
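Review bot: The regex guarding this drop, on the context line just above the changed log line, has an unescaped dot between the second and third octets (`[0-9]{1,3}.[0-9]{1,3}`) so it accepts any character there, and it is unanchored, so any realm merely containing a dotted number is also dropped; the commit only reworded the log and left the check as is. Suggest `$ar =~ "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"` (anchoring the end too if a trailing port is never expected in `$ar`). FILTER_AUTHORIZATION_DOMAIN continues after this hunk.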

