tweaks

kamailio/default.cfg

@@ -27,7 +27,6 @@ flags
 #!define FLB_NATB 1
 #!define FLB_NATSIPPING 2
 #!define FLB_UAC_REDIRECT 3
-
 #!define TRUSTED_ADR_GROUP 1
 
 ####### Global Parameters #########
@@ -188,12 +187,14 @@ include_file "nat-traversal-role.cfg"
 loadmodule "db_kazoo.so"
 #!endif
 
+####### DB Text module ##########
 loadmodule "db_text.so"
-loadmodule "permissions.so"
 modparam("db_text", "db_mode", 1)
-modparam("permissions", "db_url", "text:///etc/kamailio/dbtext")
-modparam("permissions", "db_mode", 1)
 
+####### Permissions module ##########
+loadmodule "permissions.so"
+modparam("permissions", "db_url", "text:///etc/kazoo/kamailio/dbtext")
+modparam("permissions", "db_mode", 1)
 
 ####### Routing Logic ########
 route
@@ -244,12 +245,13 @@ route
 route[SANITY_CHECK] 
 {
     if (!mf_process_maxfwd_header("10")) {
-        xlog("L_WARN", "$ci|end|Too much hops, not enough barley");
+        xlog("L_WARN", "$ci|end|too much hops, not enough barley");
         send_reply("483", "Too Many Hops");
         exit;
     }
 
     if ( msg:len > 6144 ) {
+        xlog("L_WARN", "$ci|end|message too large");
         send_reply("513", "Message too large");
         exit;
     }
@@ -258,6 +260,13 @@ route[SANITY_CHECK]
         xlog("L_WARN", "$ci|end|message is insane");
         exit;
     }
+
+    if ($ua == "friendly-scanner" ||
+        $ua == "sundayddr" ||
+        $ua =~ "sipcli" ) {
+        xlog("L_WARN", "$ci|end|dropping message with user-agent $ua");
+        exit;
+    }
 }
 
 route[HANDLE_OPTIONS] 
@@ -265,10 +274,8 @@ route[HANDLE_OPTIONS]
     if (is_method("OPTIONS")) {
         if (isflagset(FLAG_INTERNALLY_SOURCED)) {
             route(INTERNAL_TO_EXTERNAL_RELAY);
-        }
-        else 
-        if ($rd=~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}") {
-            xlog("L_ERR", "Possible attack- Options: to $ru from $fu, UA $ua, IP $si\n");
+        } else if ($rd =~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}") {
+            xlog("L_WARN", "$ci|end|dropping OPTIONS request with IP domain");
         } else {
             sl_send_reply("200", "Rawr!!");
         }
@@ -285,13 +292,13 @@ route[HANDLE_MOVE_REQUEST]
         if ($sht(associations=>$var(contact_uri)) != $null) {
             $sht(associations=>$var(contact_uri)) = $null;
             xlog("L_INFO", "$ci|log|removed contact association for $var(contact_uri)
-              with media server $sht(associations=>$var(contact_uri))\n");
+              with media server $sht(associations=>$var(contact_uri))");
         }
 
         if ($sht(associations=>$var(from_uri)) != $null) {
             $sht(associations=>$var(from_uri)) = $null;
             xlog("L_INFO", "$ci|log|removed from association for $var(from_uri)
-              with media server $sht(associations=>$var(from_uri))\n");
+              with media server $sht(associations=>$var(from_uri))");
         }
 
         send_reply("503", "Removed association");
@@ -346,6 +353,7 @@ route[PREPARE_INITIAL_REQUESTS]
     t_check_trans();
 
     if (loose_route()) {
+        xlog("L_WARN", "$ci|end|denying initial request with route-set");
         sl_send_reply("403", "No pre-loaded routes");
         exit();
     }
@@ -400,28 +408,29 @@ route[DOS_PREVENTION]
 {
     # allow request from internal network or from whitelist
     if (isflagset(FLAG_INTERNALLY_SOURCED) || allow_source_address(TRUSTED_ADR_GROUP)) {
-        xlog("L_DBG", "Request from trusted IP $rm $si\n");
+        xlog("L_DBG", "$ci|log|request from trusted IP");
         return;
     }
 
     #  drop requests with no To domain or IP To domain (friendly-scanner)
     if (is_method("REGISTER|SUBSCRIBE|OPTIONS") && 
         ($td == $null || $td=~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}")) {
-        xlog("L_ERR", "Possible attack- wrong td: $rm to $ru from $fu, UA $ua, IP $si\n");
+        xlog("L_WARN", "$ci|log|dropping request with IP domain in To header");
         exit;
     }
 
     # drop Invite with IP auth realm
     if (is_method("INVITE") && is_present_hf("Proxy-Authorization") && 
         $ar =~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}" ) {
-        xlog("L_ERR", "Possible attack- Invite realm $ar: to $ru from $fu, UA $ua, IP $si\n");
+        xlog("L_WARN", "$ci|log|dropping request with IP domain in Proxy-Authorization header");
         exit;
     }
 
     # use pike check for the others
     if (!pike_check_req()) {
-        if( $rc == -2) {
-            xlog("L_ERR", "DOS attack: $rm to $ru from $fu, UA $ua, IP $si\n");
+        # If it is a new flood, emit a log
+        if($rc == -2) {
+            xlog("L_WARN", "$ci|log|dropping due to rate of requests from IP");
         }
         exit;
     }

kamailio/dispatcher-role.cfg

@@ -19,10 +19,21 @@ modparam("dispatcher", "ds_probing_threshhold", 3)
 modparam("dispatcher", "ds_probing_mode", 1)
 modparam("dispatcher", "ds_ping_reply_codes", "501,403,404,400,200")
 
+## Dispatcher Groups:
+## 1 - Primary media servers
+## 2 - Backup media servers
+## 3 - Alternate media server IPs (used only for classification)
+## 10 - Presence servers (if not locally handled)
+## 20 - Registrar servers (if not locally handled)
+
 ####### Dispatcher Logic ########
 route[DISPATCHER_CLASSIFY_SOURCE]
 {
-    if (ds_is_from_list("1", "1") || ds_is_from_list("3", "1")) {
+    if (ds_is_from_list("1", "1") ||
+		ds_is_from_list("2", "1") ||
+		ds_is_from_list("3", "1") ||
+		ds_is_from_list("10", "1") ||
+		ds_is_from_list("20", "1")) {
         xlog("L_INFO", "$ci|log|originated from internal sources");
 
         setflag(FLAG_INTERNALLY_SOURCED);
@@ -39,33 +50,33 @@ route[DISPATCHER_FIND_ROUTES]
         $du = $sht(failover=>$ci::current);
         return;
     }
+        
+    $var(ds_group) = 1;
 
+    #!ifndef PRESENCE-ROLE
     if (is_method("SUBSCRIBE")) {
-        $var(ds_group) = 20;
-    } else
+        $var(ds_group) = 10;
+    }
+    #!endif
+
+    #!ifndef REGISTRAR-ROLE
     if (is_method("REGISTER")) {
-        $var(ds_group) = 30;
-    } else {
-        $var(ds_group) = 1;
+        $var(ds_group) = 20;
     }
+    #!endif
 
     if (!ds_select_dst("$var(ds_group)", "0")) {
-        xlog("L_ERR", "$ci|end|no servers avaliable in group $var(ds_group)");
-
         # if we selected from group 1, try again in group 2
-        if ($var(ds_group) == 1 ) {
-
+        if ($var(ds_group) == 1) {
                 if (!ds_select_dst("2", "0")) {
-                    xlog("L_ERR", "$ci|end|no servers avaliable in group 2");
+                    xlog("L_WARN", "$ci|end|no servers avaliable in group 1 or 2");
                     sl_send_reply("480", "All servers busy");
                     exit;
                 }
-
         } else {
-
+            xlog("L_INFO", "$ci|end|no servers avaliable in group $var(ds_group)");
             sl_send_reply("480", "All servers busy");
             exit;
-
         }
     } else {
 
@@ -177,4 +188,4 @@ route[DISPATCHER_NEXT_ROUTE]
     }
 }
 
-## vim:set tabstop=4 softtabstop=4 shiftwidth=4 expandtab
+# vim: tabstop=4 softtabstop=4 shiftwidth=4 expandtab

kamailio/registrar-role.cfg

@@ -94,7 +94,7 @@ route[PREVENT_BRUTEFORCE]
     if($sht(failed_auth_hash=>$Au::count) >= 2) {
         $var(exp) = $Ts - 120;
         if($sht(failed_auth_hash=>$Au::last) > $var(exp)){
-            xlog("L_ERR", "Possible password brute force, from $ct on user $Au");
+            xlog("L_WARN", "$ci|log|possible password brute force, from $ct on user $Au");
             return(-1);
         } else {
             $sht(failed_auth_hash=>$Au::count) = 0;
@@ -103,7 +103,6 @@ route[PREVENT_BRUTEFORCE]
     return(1);
 }
 
-
 #AUTH: add to failed_auth_hash in case of authentication password error
 route[FAILED_AUTH_COUNT]
 {
@@ -120,6 +119,7 @@ route[DOMAIN_FORMAT_CHECK]
 {
     if ($rd =~ "([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})" ||
         $td =~ "([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3}" ) {
+        xlog("L_WARN", "$ci|end|denying request with IP domain in From or To header");
         send_reply("403", "Forbidden");
         exit;
     }