diff --git a/kamailio/default.cfg b/kamailio/default.cfg
index 2de85c3..844e41a 100644
--- a/kamailio/default.cfg
+++ b/kamailio/default.cfg
@@ -28,6 +28,8 @@ flags
 #!define FLB_NATSIPPING 2
 #!define FLB_UAC_REDIRECT 3
+#!define TRUSTED_ADR_GROUP 1
+
 ####### Global Parameters #########
 fork = yes
 children = 25
@@ -186,6 +188,13 @@ include_file "nat-traversal-role.cfg"
 loadmodule "db_kazoo.so"
 #!endif
+loadmodule "db_text.so"
+loadmodule "permissions.so"
+modparam("db_text", "db_mode", 1)
+modparam("permissions", "db_url", "text:///etc/kamailio/dbtext")
+modparam("permissions", "db_mode", 1)
+
+
 ####### Routing Logic ########
 route {
@@ -236,7 +245,12 @@ route[SANITY_CHECK] {
 if (!mf_process_maxfwd_header("10")) {
 xlog("L_WARN", "$ci|end|Too much hops, not enough barley");
- sl_send_reply("483", "Too Many Hops");
+ send_reply("483", "Too Many Hops");
+ exit;
+ }
+
+ if ( msg:len > 6144 ) {
+ send_reply("513", "Message too large");
 exit;
 }
@@ -252,9 +266,12 @@ route[HANDLE_OPTIONS]
 if (isflagset(FLAG_INTERNALLY_SOURCED)) {
 route(INTERNAL_TO_EXTERNAL_RELAY);
 }
-# else {
-# sl_send_reply("200", "Rawr!!");
-# }
+ else
+ if ($rd=~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}") {
+ xlog("L_ERR", "Possible attack- Options: to $ru from $fu, UA $ua, IP $si\n"); } else {
+ sl_send_reply("200", "Rawr!!");
+ }
 exit;
 }
 }
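Review bot: The address table behind `allow_source_address(TRUSTED_ADR_GROUP)` is read from `text:///etc/kamailio/dbtext` with the permissions module in `db_mode` 1 (cache mode, if I read the module docs correctly), so the trusted list is loaded once at startup and later edits to the dbtext `address` file take effect only after `permissions.addressReload` is issued over RPC; nothing in the hunk says this. Because membership in that group skips the whole of route[DOS_PREVENTION] (the `return` added later in this diff), the dbtext directory should be writable only by the administrator, and the commit does not show the `address` table file being created, so presumably it is shipped elsewhere — worth confirming. A comment above the modparam lines such as `# trusted source addresses: dbtext address table, group TRUSTED_ADR_GROUP; cached at startup, reload with kamcmd permissions.addressReload` would document both points.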
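Review bot: The request-size limit `6144` is a magic number inside route[SANITY_CHECK], while the same commit puts its other new tunable, `TRUSTED_ADR_GROUP`, in the `#!define` block at the top of the file; a `#!define MAX_MSG_LEN 6144` next to it and `if ( msg:len > MAX_MSG_LEN ) {` here would keep the knobs in one place. The limit also carries no comment saying why 6144 was chosen or that anything larger is now answered with 513 instead of being routed, which an operator raising it for large SDP bodies would want to know. route[SANITY_CHECK] starts and ends outside the hunk.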
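Review bot: The dotted-quad pattern in the new `$rd=~` test, `[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}`, leaves its third dot unescaped and is unanchored, so it matches any request domain that merely contains a digit/dot run (a hostname with numeric labels, for instance) rather than only a bare IPv4 address, and the same pattern is copied into the `$td` check in route[DOS_PREVENTION] later in this diff. Escaping the dot and anchoring it, `if ($rd=~ "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$") {`, makes the intent explicit in both places. OPTIONS that match are now dropped without any reply while everything else still gets the 200, so a short comment saying the silent drop for scanner traffic is deliberate would help the next reader. route[HANDLE_OPTIONS] starts outside the hunk.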
@@ -381,10 +398,21 @@ route[EXTERNAL_TO_INTERNAL_RELAY]
 route[DOS_PREVENTION] {
+ if (allow_source_address(TRUSTED_ADR_GROUP)) {
+ xlog("L_DBG", "Request from trusted IP $rm $si\n");
+ return;
+ }
+
+ # drop requests with no To domain or IP To domain (friendly-scanner)
+ if ($td == $null || $td=~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}") {
+ xlog("L_ERR", "Possible attack- wrong td: $rm to $ru from $fu, UA $ua, IP $si\n");
+ exit;
+ }
+
 if (!isflagset(FLAG_INTERNALLY_SOURCED)) {
 if (!pike_check_req()) {
 if( $rc == -2) {
- xlog("L_ERR", "DOS detected: $rm to $ru from $fu, UA $ua, IP $si\n");
+ xlog("L_ERR", "DOS attack: $rm to $ru from $fu, UA $ua, IP $si\n");
 }
 exit;
 }
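Review bot: The new To-domain drop sits before `if (!isflagset(FLAG_INTERNALLY_SOURCED))`, so it also applies to internally sourced requests unless their source address is in TRUSTED_ADR_GROUP; an internal node sending a request whose To domain is an IP, or whose To header does not parse, is dropped with an "attack" log, whereas the pike check just below is deliberately skipped for such requests. If that asymmetry is unintended, guarding the test the same way, `if (!isflagset(FLAG_INTERNALLY_SOURCED) && ($td == $null || $td=~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}")) {`, keeps the two checks consistent. If it is intended, a comment on the `return` stating that every internal node must be listed in the trusted address table would prevent a surprise. route[DOS_PREVENTION] continues past the end of the hunk.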