
default.cfg Improved DOS protection

- use permissions module to have the equivalent of a white list, a list
  of IPs that are trusted. This module is used together with db_text and
  the list of IPs and IP ranges will be specified in the address dbtext
  file.
- drop requests that have no To domain or a To domain consisting of an
  IP.
- reply to Options from outside only if the RURI domain is not an IP address.
Anca Vamanu 12 years ago
parent
commit
410b972bc7
1 changed files with 33 additions and 5 deletions
  1. +33
    -5
      kamailio/default.cfg

+ 33
- 5
kamailio/default.cfg View File

@ -28,6 +28,8 @@ flags
#!define FLB_NATSIPPING 2 #!define FLB_NATSIPPING 2
#!define FLB_UAC_REDIRECT 3 #!define FLB_UAC_REDIRECT 3
#!define TRUSTED_ADR_GROUP 1
####### Global Parameters ######### ####### Global Parameters #########
fork = yes fork = yes
children = 25 children = 25
@ -186,6 +188,13 @@ include_file "nat-traversal-role.cfg"
loadmodule "db_kazoo.so" loadmodule "db_kazoo.so"
#!endif #!endif
loadmodule "db_text.so"
loadmodule "permissions.so"
modparam("db_text", "db_mode", 1)
modparam("permissions", "db_url", "text:///etc/kamailio/dbtext")
modparam("permissions", "db_mode", 1)
####### Routing Logic ######## ####### Routing Logic ########
route route
{ {
@ -236,7 +245,12 @@ route[SANITY_CHECK]
{ {
if (!mf_process_maxfwd_header("10")) { if (!mf_process_maxfwd_header("10")) {
xlog("L_WARN", "$ci|end|Too much hops, not enough barley"); xlog("L_WARN", "$ci|end|Too much hops, not enough barley");
sl_send_reply("483", "Too Many Hops");
send_reply("483", "Too Many Hops");
exit;
}
if ( msg:len > 6144 ) {
send_reply("513", "Message too large");
exit; exit;
} }
@ -252,9 +266,12 @@ route[HANDLE_OPTIONS]
if (isflagset(FLAG_INTERNALLY_SOURCED)) { if (isflagset(FLAG_INTERNALLY_SOURCED)) {
route(INTERNAL_TO_EXTERNAL_RELAY); route(INTERNAL_TO_EXTERNAL_RELAY);
} }
# else {
# sl_send_reply("200", "Rawr!!");
# }
else
if ($rd=~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}") {
xlog("L_ERR", "Possible attack- Options: to $ru from $fu, UA $ua, IP $si\n");
} else {
sl_send_reply("200", "Rawr!!");
}
exit; exit;
} }
} }
@ -381,10 +398,21 @@ route[EXTERNAL_TO_INTERNAL_RELAY]
route[DOS_PREVENTION] route[DOS_PREVENTION]
{ {
if (allow_source_address(TRUSTED_ADR_GROUP)) {
xlog("L_DBG", "Request from trusted IP $rm $si\n");
return;
}
# drop requests with no To domain or IP To domain (friendly-scanner)
if ($td == $null || $td=~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}") {
xlog("L_ERR", "Possible attack- wrong td: $rm to $ru from $fu, UA $ua, IP $si\n");
exit;
}
if (!isflagset(FLAG_INTERNALLY_SOURCED)) { if (!isflagset(FLAG_INTERNALLY_SOURCED)) {
if (!pike_check_req()) { if (!pike_check_req()) {
if( $rc == -2) { if( $rc == -2) {
xlog("L_ERR", "DOS detected: $rm to $ru from $fu, UA $ua, IP $si\n");
xlog("L_ERR", "DOS attack: $rm to $ru from $fu, UA $ua, IP $si\n");
} }
exit; exit;
} }
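Review bot: The IPv4-literal pattern in the new `$td` check in route[DOS_PREVENTION] (and the identical one in the new `$rd` branch of route[HANDLE_OPTIONS]) has its third dot unescaped and no anchors, so it matches any character in that position and also fires on any hostname that merely contains a dotted number, which would reject legitimate requests whose To domain looks like `host-1.2.3.4.example.com` while still letting a literal pass if the parser strips the backslashes differently than expected. The proposed line for the To check is `if ($td == $null || $td =~ "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$") {`, with the same anchored and fully escaped pattern on the `$rd` test. Neither pattern covers an IPv6 literal in the domain, and it is not clear from the hunk whether that is intended; a comment such as `# IPv4 literals only; IPv6 literals are not treated as attacks here` next to the check would make the chosen scope explicit. The body of route[DOS_PREVENTION] continues past the end of this hunk, so the remaining pike handling was not reviewed.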

