From 171ab484428e5961c3b6a2d54db0cecd1393b9fc Mon Sep 17 00:00:00 2001 From: karl anderson Date: Sat, 7 Sep 2013 18:59:57 -0700 Subject: [PATCH] tweaks --- kamailio/default.cfg | 41 ++++++++++++++++++++++-------------- kamailio/dispatcher-role.cfg | 41 +++++++++++++++++++++++------------- kamailio/registrar-role.cfg | 4 ++-- 3 files changed, 53 insertions(+), 33 deletions(-) diff --git a/kamailio/default.cfg b/kamailio/default.cfg index fef2497..166b58e 100644 --- a/kamailio/default.cfg +++ b/kamailio/default.cfg @@ -27,7 +27,6 @@ flags #!define FLB_NATB 1 #!define FLB_NATSIPPING 2 #!define FLB_UAC_REDIRECT 3 - #!define TRUSTED_ADR_GROUP 1 ####### Global Parameters ######### @@ -188,12 +187,14 @@ include_file "nat-traversal-role.cfg" loadmodule "db_kazoo.so" #!endif +####### DB Text module ########## loadmodule "db_text.so" -loadmodule "permissions.so" modparam("db_text", "db_mode", 1) -modparam("permissions", "db_url", "text:///etc/kamailio/dbtext") -modparam("permissions", "db_mode", 1) +####### Permissions module ########## +loadmodule "permissions.so" +modparam("permissions", "db_url", "text:///etc/kazoo/kamailio/dbtext") +modparam("permissions", "db_mode", 1) ####### Routing Logic ######## route @@ -244,12 +245,13 @@ route route[SANITY_CHECK] { if (!mf_process_maxfwd_header("10")) { - xlog("L_WARN", "$ci|end|Too much hops, not enough barley"); + xlog("L_WARN", "$ci|end|too much hops, not enough barley"); send_reply("483", "Too Many Hops"); exit; } if ( msg:len > 6144 ) { + xlog("L_WARN", "$ci|end|message too large"); send_reply("513", "Message too large"); exit; } @@ -258,6 +260,13 @@ route[SANITY_CHECK] xlog("L_WARN", "$ci|end|message is insane"); exit; } + + if ($ua == "friendly-scanner" || + $ua == "sundayddr" || + $ua =~ "sipcli" ) { + xlog("L_WARN", "$ci|end|dropping message with user-agent $ua"); + exit; + } } route[HANDLE_OPTIONS] 
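Review bot: The single removed line in the `@@ -27,7 +27,6` hunk sits right beside `#!define TRUSTED_ADR_GROUP 1`, and in the collapsed form shown here I cannot tell whether the define or the adjacent blank line is what goes. If it is the define, `route[DOS_PREVENTION]` later in this file still calls `allow_source_address(TRUSTED_ADR_GROUP)` on its new side, so the config would most likely fail to load. If only the blank line goes, the surviving define deserves a comment tying it to its data source, e.g. `# group id in the permissions address table; matching sources skip DOS_PREVENTION`.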
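Review bot: The relocated `db_url` in the `@@ -188,12 +187,14` hunk, `text:///etc/kazoo/kamailio/dbtext`, is the data behind `allow_source_address(TRUSTED_ADR_GROUP)`, i.e. the list of sources that `route[DOS_PREVENTION]` exempts from pike rate limiting, yet nothing in the hunk records that the dbtext `address` table must move with it. A deployment whose table is still under the old `/etc/kamailio/dbtext` path either fails to start or runs with an empty whitelist, depending on how the permissions module treats a missing table; which of the two happens is not visible here. I'd put a comment above the `modparam("permissions", "db_url", ...)` line, e.g. `# address table: sources under TRUSTED_ADR_GROUP bypass pike checks in DOS_PREVENTION; restrict write access to this file`.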
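Review bot: The new user-agent block in the `@@ -258,6 +260,13` hunk mixes two match semantics without saying so: `$ua == "friendly-scanner"` and `$ua == "sundayddr"` are exact string comparisons, while `$ua =~ "sipcli"` is an unanchored regex that matches any User-Agent containing that substring. A one-line comment above the `if` would prevent the next edit from "fixing" one form into the other, e.g. `# exact match for the first two; "sipcli" is deliberately a substring match`. The log line also interpolates the request-supplied `$ua` into a `$ci|end|...` record, so a User-Agent containing `|` can confuse a parser that splits on that character; keeping it as the last field, as it is here, limits the damage. The opening of `route[SANITY_CHECK]` lies in the previous hunk.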
@@ -265,10 +274,8 @@ route[HANDLE_OPTIONS] if (is_method("OPTIONS")) { if (isflagset(FLAG_INTERNALLY_SOURCED)) { route(INTERNAL_TO_EXTERNAL_RELAY); - } - else - if ($rd=~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}") { - xlog("L_ERR", "Possible attack- Options: to $ru from $fu, UA $ua, IP $si\n"); + } else if ($rd =~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}") { + xlog("L_WARN", "$ci|end|dropping OPTIONS request with IP domain"); } else { sl_send_reply("200", "Rawr!!"); } @@ -285,13 +292,13 @@ route[HANDLE_MOVE_REQUEST] if ($sht(associations=>$var(contact_uri)) != $null) { $sht(associations=>$var(contact_uri)) = $null; xlog("L_INFO", "$ci|log|removed contact association for $var(contact_uri) - with media server $sht(associations=>$var(contact_uri))\n"); + with media server $sht(associations=>$var(contact_uri))"); } if ($sht(associations=>$var(from_uri)) != $null) { $sht(associations=>$var(from_uri)) = $null; xlog("L_INFO", "$ci|log|removed from association for $var(from_uri) - with media server $sht(associations=>$var(from_uri))\n"); + with media server $sht(associations=>$var(from_uri))"); } send_reply("503", "Removed association"); @@ -346,6 +353,7 @@ route[PREPARE_INITIAL_REQUESTS] t_check_trans(); if (loose_route()) { + xlog("L_WARN", "$ci|end|denying initial request with route-set"); sl_send_reply("403", "No pre-loaded routes"); exit(); } 
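Review bot: The rewritten `else if` line in the `@@ -265,10 +274,8` hunk carries the pattern `[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}` with its second separator unescaped, so that `.` matches any character, and the pattern is unanchored; the same pattern recurs on context lines of `route[DOS_PREVENTION]`. The new log message also drops the `$si` and `$ua` fields the old `L_ERR` line carried, which is exactly what an operator needs to correlate a scanner across call-ids; the three `dropping ...` lines in the `route[DOS_PREVENTION]` hunk lose the source address the same way. I'd keep the standardised prefix and re-add the source, e.g. `xlog("L_WARN", "$ci|end|dropping OPTIONS request with IP domain from $si");`. `route[HANDLE_OPTIONS]` begins and ends outside this hunk.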
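Review bot: The two continuation lines rewritten in the `@@ -285,13 +292,13` hunk still interpolate `$sht(associations=>$var(contact_uri))` and `$sht(associations=>$var(from_uri))` one statement after those entries were assigned `$null`, so the `with media server ...` clause of each log can never show the server that was removed. Capture the value first, e.g. `$var(ms) = $sht(associations=>$var(contact_uri));` before the assignment and log `$var(ms)`, or drop that clause from the message. `route[HANDLE_MOVE_REQUEST]` begins outside this hunk.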
@@ -400,28 +408,29 @@ route[DOS_PREVENTION] { # allow request from internal network or from whitelist if (isflagset(FLAG_INTERNALLY_SOURCED) || allow_source_address(TRUSTED_ADR_GROUP)) { - xlog("L_DBG", "Request from trusted IP $rm $si\n"); + xlog("L_DBG", "$ci|log|request from trusted IP"); return; } # drop requests with no To domain or IP To domain (friendly-scanner) if (is_method("REGISTER|SUBSCRIBE|OPTIONS") && ($td == $null || $td=~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}")) { - xlog("L_ERR", "Possible attack- wrong td: $rm to $ru from $fu, UA $ua, IP $si\n"); + xlog("L_WARN", "$ci|log|dropping request with IP domain in To header"); exit; } # drop Invite with IP auth realm if (is_method("INVITE") && is_present_hf("Proxy-Authorization") && $ar =~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}" ) { - xlog("L_ERR", "Possible attack- Invite realm $ar: to $ru from $fu, UA $ua, IP $si\n"); + xlog("L_WARN", "$ci|log|dropping request with IP domain in Proxy-Authorization header"); exit; } # use pike check for the others if (!pike_check_req()) { - if( $rc == -2) { - xlog("L_ERR", "DOS attack: $rm to $ru from $fu, UA $ua, IP $si\n"); + # If it is a new flood, emit a log + if($rc == -2) { + xlog("L_WARN", "$ci|log|dropping due to rate of requests from IP"); } exit; } diff --git a/kamailio/dispatcher-role.cfg b/kamailio/dispatcher-role.cfg index b9fd1fd..aa81e15 100644 --- a/kamailio/dispatcher-role.cfg +++ b/kamailio/dispatcher-role.cfg 
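Review bot: The three new `dropping ...` log lines in the `@@ -400,28 +408,29` hunk are tagged `$ci|log|` although each is immediately followed by `exit`, whereas the other terminating paths this commit touches (SANITY_CHECK, PREPARE_INITIAL_REQUESTS and registrar-role's DOMAIN_FORMAT_CHECK) tag their final line `$ci|end|`. If a log consumer uses the `end` marker to close out a call-id, requests dropped here for an IP domain or by pike never get closed; I'd change all three to the `end` marker, e.g. `xlog("L_WARN", "$ci|end|dropping due to rate of requests from IP");`. The `request from trusted IP` debug line before `return` is correctly `|log|`, since processing continues there. `route[DOS_PREVENTION]` closes outside this hunk.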
@@ -19,10 +19,21 @@ modparam("dispatcher", "ds_probing_threshhold", 3) modparam("dispatcher", "ds_probing_mode", 1) modparam("dispatcher", "ds_ping_reply_codes", "501,403,404,400,200") +## Dispatcher Groups: +## 1 - Primary media servers +## 2 - Backup media servers +## 3 - Alternate media server IPs (used only for classification) +## 10 - Presence servers (if not locally handled) +## 20 - Registrar servers (if not locally handled) + ####### Dispatcher Logic ######## route[DISPATCHER_CLASSIFY_SOURCE] { - if (ds_is_from_list("1", "1") || ds_is_from_list("3", "1")) { + if (ds_is_from_list("1", "1") || + ds_is_from_list("2", "1") || + ds_is_from_list("3", "1") || + ds_is_from_list("10", "1") || + ds_is_from_list("20", "1")) { xlog("L_INFO", "$ci|log|originated from internal sources"); setflag(FLAG_INTERNALLY_SOURCED); @@ -39,33 +50,33 @@ route[DISPATCHER_FIND_ROUTES] $du = $sht(failover=>$ci::current); return; } + + $var(ds_group) = 1; + #!ifndef PRESENCE-ROLE if (is_method("SUBSCRIBE")) { - $var(ds_group) = 20; - } else + $var(ds_group) = 10; + } + #!endif + + #!ifndef REGISTRAR-ROLE if (is_method("REGISTER")) { - $var(ds_group) = 30; - } else { - $var(ds_group) = 1; + $var(ds_group) = 20; } + #!endif if (!ds_select_dst("$var(ds_group)", "0")) { - xlog("L_ERR", "$ci|end|no servers avaliable in group $var(ds_group)"); - # if we selected from group 1, try again in group 2 - if ($var(ds_group) == 1 ) { - + if ($var(ds_group) == 1) { if (!ds_select_dst("2", "0")) { - xlog("L_ERR", "$ci|end|no servers avaliable in group 2"); + xlog("L_WARN", "$ci|end|no servers avaliable in group 1 or 2"); sl_send_reply("480", "All servers busy"); exit; } - } else { - + xlog("L_INFO", "$ci|end|no servers avaliable in group $var(ds_group)"); sl_send_reply("480", "All servers busy"); exit; - } } else { @@ -177,4 +188,4 @@ route[DISPATCHER_NEXT_ROUTE] } } -## vim:set tabstop=4 softtabstop=4 shiftwidth=4 expandtab +# vim: tabstop=4 softtabstop=4 shiftwidth=4 expandtab 
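Review bot: The widened `ds_is_from_list` chain in the `@@ -19,10 +19,21` hunk now grants `FLAG_INTERNALLY_SOURCED` to any source in groups 2, 10 and 20 as well, and that flag is what `route[DOS_PREVENTION]` in default.cfg uses to skip pike checking and what HANDLE_OPTIONS uses to pick the internal relay. The new `## Dispatcher Groups` block documents what each group holds but not that membership is a trust decision; I'd append `## Any source matched below is treated as internal (bypasses DOS_PREVENTION), so these lists must hold only hosts you operate.` Groups 10 and 20 are only used as destinations under `#!ifndef PRESENCE-ROLE` / `#!ifndef REGISTRAR-ROLE` in the next hunk while this classification is unconditional; presumably `ds_is_from_list` on an unpopulated group simply fails to match, but that is worth confirming. `route[DISPATCHER_CLASSIFY_SOURCE]` continues past this hunk.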
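Review bot: The restructured failover in the `@@ -39,33 +50,33` hunk sends `480 All servers busy` and exits even when the group-2 fallback succeeded: on the new side the added `}` closes only `if ($var(ds_group) == 1)`, so `xlog("L_INFO", "$ci|end|no servers avaliable in group $var(ds_group)")`, `sl_send_reply("480", "All servers busy")` and `exit` now run unconditionally after a successful `ds_select_dst("2", "0")`. The old code kept that reply inside an `else`; restore it by changing the added `}` to `} else {` and closing that branch with a `}` after the `exit;`, so only a non-group-1 selection failure reaches the reply. The typo `avaliable` is carried into both new log strings; fixing it now avoids grepping for two spellings later. `route[DISPATCHER_FIND_ROUTES]` begins and ends outside this hunk.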
diff --git a/kamailio/registrar-role.cfg b/kamailio/registrar-role.cfg index 24d0697..b89055e 100644 --- a/kamailio/registrar-role.cfg +++ b/kamailio/registrar-role.cfg @@ -94,7 +94,7 @@ route[PREVENT_BRUTEFORCE] if($sht(failed_auth_hash=>$Au::count) >= 2) { $var(exp) = $Ts - 120; if($sht(failed_auth_hash=>$Au::last) > $var(exp)){ - xlog("L_ERR", "Possible password brute force, from $ct on user $Au"); + xlog("L_WARN", "$ci|log|possible password brute force, from $ct on user $Au"); return(-1); } else { $sht(failed_auth_hash=>$Au::count) = 0; @@ -103,7 +103,6 @@ route[PREVENT_BRUTEFORCE] return(1); } - #AUTH: add to failed_auth_hash in case of authentication password error route[FAILED_AUTH_COUNT] { @@ -120,6 +119,7 @@ route[DOMAIN_FORMAT_CHECK] { if ($rd =~ "([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})" || $td =~ "([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3}" ) { + xlog("L_WARN", "$ci|end|denying request with IP domain in From or To header"); send_reply("403", "Forbidden"); exit; }
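Review bot: The reworded brute-force log in the `@@ -94,7 +94,7` hunk names `$ct` and `$Au` but not the source address, which is the field a rate-limiting or ban rule keys on; `$ct` is supplied by the client and need not reflect where the packets came from. I'd extend it to `xlog("L_WARN", "$ci|log|possible password brute force from $si on user $Au ($ct)");`. `route[PREVENT_BRUTEFORCE]` begins outside this hunk.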
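Review bot: The added log in the `@@ -120,6 +119,7` hunk says `IP domain in From or To header`, but the condition it sits under tests `$rd` (the Request-URI domain) and `$td`, not the From header; `denying request with IP domain in Request-URI or To header` would describe what is actually checked. While here, the context line's `$td` pattern ends in `([0-9]{1,3}` with its closing parenthesis missing, and neither pattern is anchored; from the collapsed hunk I cannot tell whether that is in the file or a rendering artefact, so it is worth a look. `route[DOMAIN_FORMAT_CHECK]` closes outside this hunk.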