
tweaks

3.17
karl anderson 12 years ago
parent
commit
171ab48442
3 changed files with 53 additions and 33 deletions
  1. +25
    -16
      kamailio/default.cfg
  2. +26
    -15
      kamailio/dispatcher-role.cfg
  3. +2
    -2
      kamailio/registrar-role.cfg

+ 25
- 16
kamailio/default.cfg View File

@ -27,7 +27,6 @@ flags
#!define FLB_NATB 1
#!define FLB_NATSIPPING 2
#!define FLB_UAC_REDIRECT 3
#!define TRUSTED_ADR_GROUP 1
####### Global Parameters #########
@ -188,12 +187,14 @@ include_file "nat-traversal-role.cfg"
loadmodule "db_kazoo.so"
#!endif
####### DB Text module ##########
loadmodule "db_text.so"
loadmodule "permissions.so"
modparam("db_text", "db_mode", 1)
modparam("permissions", "db_url", "text:///etc/kamailio/dbtext")
modparam("permissions", "db_mode", 1)
####### Permissions module ##########
loadmodule "permissions.so"
modparam("permissions", "db_url", "text:///etc/kazoo/kamailio/dbtext")
modparam("permissions", "db_mode", 1)
####### Routing Logic ########
route
@ -244,12 +245,13 @@ route
route[SANITY_CHECK]
{
if (!mf_process_maxfwd_header("10")) {
xlog("L_WARN", "$ci|end|Too much hops, not enough barley");
xlog("L_WARN", "$ci|end|too much hops, not enough barley");
send_reply("483", "Too Many Hops");
exit;
}
if ( msg:len > 6144 ) {
xlog("L_WARN", "$ci|end|message too large");
send_reply("513", "Message too large");
exit;
}
@ -258,6 +260,13 @@ route[SANITY_CHECK]
xlog("L_WARN", "$ci|end|message is insane");
exit;
}
if ($ua == "friendly-scanner" ||
$ua == "sundayddr" ||
$ua =~ "sipcli" ) {
xlog("L_WARN", "$ci|end|dropping message with user-agent $ua");
exit;
}
}
route[HANDLE_OPTIONS]
@ -265,10 +274,8 @@ route[HANDLE_OPTIONS]
if (is_method("OPTIONS")) {
if (isflagset(FLAG_INTERNALLY_SOURCED)) {
route(INTERNAL_TO_EXTERNAL_RELAY);
}
else
if ($rd=~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}") {
xlog("L_ERR", "Possible attack- Options: to $ru from $fu, UA $ua, IP $si\n");
} else if ($rd =~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}") {
xlog("L_WARN", "$ci|end|dropping OPTIONS request with IP domain");
} else {
sl_send_reply("200", "Rawr!!");
}
@ -285,13 +292,13 @@ route[HANDLE_MOVE_REQUEST]
if ($sht(associations=>$var(contact_uri)) != $null) {
$sht(associations=>$var(contact_uri)) = $null;
xlog("L_INFO", "$ci|log|removed contact association for $var(contact_uri)
with media server $sht(associations=>$var(contact_uri))\n");
with media server $sht(associations=>$var(contact_uri))");
}
if ($sht(associations=>$var(from_uri)) != $null) {
$sht(associations=>$var(from_uri)) = $null;
xlog("L_INFO", "$ci|log|removed from association for $var(from_uri)
with media server $sht(associations=>$var(from_uri))\n");
with media server $sht(associations=>$var(from_uri))");
}
send_reply("503", "Removed association");
@ -346,6 +353,7 @@ route[PREPARE_INITIAL_REQUESTS]
t_check_trans();
if (loose_route()) {
xlog("L_WARN", "$ci|end|denying initial request with route-set");
sl_send_reply("403", "No pre-loaded routes");
exit();
}
@ -400,28 +408,29 @@ route[DOS_PREVENTION]
{
# allow request from internal network or from whitelist
if (isflagset(FLAG_INTERNALLY_SOURCED) || allow_source_address(TRUSTED_ADR_GROUP)) {
xlog("L_DBG", "Request from trusted IP $rm $si\n");
xlog("L_DBG", "$ci|log|request from trusted IP");
return;
}
# drop requests with no To domain or IP To domain (friendly-scanner)
if (is_method("REGISTER|SUBSCRIBE|OPTIONS") &&
($td == $null || $td=~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}")) {
xlog("L_ERR", "Possible attack- wrong td: $rm to $ru from $fu, UA $ua, IP $si\n");
xlog("L_WARN", "$ci|log|dropping request with IP domain in To header");
exit;
}
# drop Invite with IP auth realm
if (is_method("INVITE") && is_present_hf("Proxy-Authorization") &&
$ar =~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}" ) {
xlog("L_ERR", "Possible attack- Invite realm $ar: to $ru from $fu, UA $ua, IP $si\n");
xlog("L_WARN", "$ci|log|dropping request with IP domain in Proxy-Authorization header");
exit;
}
# use pike check for the others
if (!pike_check_req()) {
if( $rc == -2) {
xlog("L_ERR", "DOS attack: $rm to $ru from $fu, UA $ua, IP $si\n");
# If it is a new flood, emit a log
if($rc == -2) {
xlog("L_WARN", "$ci|log|dropping due to rate of requests from IP");
}
exit;
}
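Review bot: The IP-literal test kept on the new HANDLE_OPTIONS line (`$rd =~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}"`) leaves its third separator as a bare `.`, which matches any character rather than a dot, and the same unescaped copy is reused in DOS_PREVENTION for `$td` and `$ar` and in a slightly different spelling in registrar-role.cfg DOMAIN_FORMAT_CHECK. Since the heuristic is now repeated four times it would be easier to keep consistent as one preprocessor constant next to the existing `#!define` lines, e.g. `#!define IP_DOMAIN_RE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"` used as `$rd =~ IP_DOMAIN_RE`. The pattern is also unanchored, so any domain containing a dotted-digits substring matches; if that is deliberate, a comment such as `# heuristic: any domain that looks like a dotted quad` would say so. Separately, the first hunk drops one line around `#!define TRUSTED_ADR_GROUP 1`; if the define is the removed line, `allow_source_address(TRUSTED_ADR_GROUP)` in DOS_PREVENTION still references it. All route bodies on this file begin or end outside their hunks.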


+ 26
- 15
kamailio/dispatcher-role.cfg View File

@ -19,10 +19,21 @@ modparam("dispatcher", "ds_probing_threshhold", 3)
modparam("dispatcher", "ds_probing_mode", 1)
modparam("dispatcher", "ds_ping_reply_codes", "501,403,404,400,200")
## Dispatcher Groups:
## 1 - Primary media servers
## 2 - Backup media servers
## 3 - Alternate media server IPs (used only for classification)
## 10 - Presence servers (if not locally handled)
## 20 - Registrar servers (if not locally handled)
####### Dispatcher Logic ########
route[DISPATCHER_CLASSIFY_SOURCE]
{
if (ds_is_from_list("1", "1") || ds_is_from_list("3", "1")) {
if (ds_is_from_list("1", "1") ||
ds_is_from_list("2", "1") ||
ds_is_from_list("3", "1") ||
ds_is_from_list("10", "1") ||
ds_is_from_list("20", "1")) {
xlog("L_INFO", "$ci|log|originated from internal sources");
setflag(FLAG_INTERNALLY_SOURCED);
@ -39,33 +50,33 @@ route[DISPATCHER_FIND_ROUTES]
$du = $sht(failover=>$ci::current);
return;
}
$var(ds_group) = 1;
#!ifndef PRESENCE-ROLE
if (is_method("SUBSCRIBE")) {
$var(ds_group) = 20;
} else
$var(ds_group) = 10;
}
#!endif
#!ifndef REGISTRAR-ROLE
if (is_method("REGISTER")) {
$var(ds_group) = 30;
} else {
$var(ds_group) = 1;
$var(ds_group) = 20;
}
#!endif
if (!ds_select_dst("$var(ds_group)", "0")) {
xlog("L_ERR", "$ci|end|no servers avaliable in group $var(ds_group)");
# if we selected from group 1, try again in group 2
if ($var(ds_group) == 1 ) {
if ($var(ds_group) == 1) {
if (!ds_select_dst("2", "0")) {
xlog("L_ERR", "$ci|end|no servers avaliable in group 2");
xlog("L_WARN", "$ci|end|no servers avaliable in group 1 or 2");
sl_send_reply("480", "All servers busy");
exit;
}
} else {
xlog("L_INFO", "$ci|end|no servers avaliable in group $var(ds_group)");
sl_send_reply("480", "All servers busy");
exit;
}
} else {
@ -177,4 +188,4 @@ route[DISPATCHER_NEXT_ROUTE]
}
}
## vim:set tabstop=4 softtabstop=4 shiftwidth=4 expandtab
# vim: tabstop=4 softtabstop=4 shiftwidth=4 expandtab
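Review bot: DISPATCHER_CLASSIFY_SOURCE now sets FLAG_INTERNALLY_SOURCED for peers in dispatcher groups 2, 10 and 20 as well, and on this page that flag is what makes DOS_PREVENTION return early and HANDLE_OPTIONS relay the request, so presence and registrar servers become fully trusted sources; that is probably the intent, but the route carries no comment saying so. I would add, above the `if`, `## every peer in these groups is trusted: it bypasses DOS_PREVENTION and is relayed as internal traffic`, so a later edit does not add an untrusted set to the list. In DISPATCHER_FIND_ROUTES the new log lines keep the spelling `avaliable`; `available` would keep the logs greppable alongside the other messages. DISPATCHER_FIND_ROUTES starts and ends outside its hunk.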

+ 2
- 2
kamailio/registrar-role.cfg View File

@ -94,7 +94,7 @@ route[PREVENT_BRUTEFORCE]
if($sht(failed_auth_hash=>$Au::count) >= 2) {
$var(exp) = $Ts - 120;
if($sht(failed_auth_hash=>$Au::last) > $var(exp)){
xlog("L_ERR", "Possible password brute force, from $ct on user $Au");
xlog("L_WARN", "$ci|log|possible password brute force, from $ct on user $Au");
return(-1);
} else {
$sht(failed_auth_hash=>$Au::count) = 0;
@ -103,7 +103,6 @@ route[PREVENT_BRUTEFORCE]
return(1);
}
#AUTH: add to failed_auth_hash in case of authentication password error
route[FAILED_AUTH_COUNT]
{
@ -120,6 +119,7 @@ route[DOMAIN_FORMAT_CHECK]
{
if ($rd =~ "([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})" ||
$td =~ "([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3}" ) {
xlog("L_WARN", "$ci|end|denying request with IP domain in From or To header");
send_reply("403", "Forbidden");
exit;
}
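Review bot: The new log line in DOMAIN_FORMAT_CHECK says `IP domain in From or To header`, but the condition above it tests `$rd` (the request-URI domain) and `$td`, not the From header; `xlog("L_WARN", "$ci|end|denying request with IP domain in request URI or To header");` would describe what is actually checked. The `$td` pattern on the context line just above is also missing the closing parenthesis of its last group (`([0-9]{1,3}"`), so it is not the pattern intended even if the config loads; it should read `([0-9]{1,3})` like the `$rd` one. The route body continues outside the hunk.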

