
move sanity to own cfg file

4.3
lazedo 7 years ago
committed by Luis Azedo
parent
commit
4fa36f07fb
2 changed files with 65 additions and 36 deletions
  1. +3
    -36
      kamailio/default.cfg
  2. +62
    -0
      kamailio/sanity.cfg

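--- a/kamailio/default.cfg
+++ b/kamailio/default.cfg
@@ -148,12 +148,6 @@ modparam("maxfwd", "max_limit", 50)
 ######## SIP utilities [requires sl] ########
 loadmodule "siputils.so"
-######## SIP message formatting sanity checks [requires sl] ########
-loadmodule "sanity.so"
-modparam("sanity", "default_checks", 1511)
-modparam("sanity", "uri_checks", 7)
-modparam("sanity", "autodrop", 0)
 ######## Text operations module ########
 loadmodule "textops.so"
 loadmodule "textopsx.so"
@@ -243,6 +237,9 @@ modparam("kazoo", "amqp_connection", "MY_AMQP_DENARY_URL")
 ###### kazoo bindings ######
 include_file "kazoo-bindings.cfg"
+## sanity ##
+include_file "sanity.cfg"
 ####### Role Configurations ##########
 #!ifdef AUTHORIZATION_ROLE
 include_file "authorization-role.cfg"
@@ -403,36 +400,6 @@ route[CHECK_RETRANS]
 }
 }
-route[SANITY_CHECK]
-{
-## CVE-2018-14767
-if($(hdr(To)[1]) != $null) {
-xlog("second To header not null - dropping message");
-drop;
-}
-if (!sanity_check()) {
-xlog("L_WARN", "$ci|end|message from $si:$sp is insane ($var(insane))\n");
-drop;
-}
-if (!mf_process_maxfwd_header("10")) {
-xlog("L_WARN", "$ci|end|too much hops, not enough barley from $si:$sp\n");
-send_reply("483", "Too Many Hops");
-exit;
-}
-if ($ua == "friendly-scanner" ||
-$ua == "sundayddr" ||
-$ua == "pplsip" ||
-$ua =~ "NiceGuy" ||
-$ua =~ "PortSIP" ||
-$ua =~ "sipcli" ) {
-xlog("L_WARN", "$ci|end|dropping message with user-agent $ua from $si:$sp\n");
-drop;
-}
-}
 route[CLASSIFY_SOURCE]
 {
 #!ifdef DISPATCHER_ROLE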


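--- a/kamailio/sanity.cfg
+++ b/kamailio/sanity.cfg
@@ -0,0 +1,62 @@
+#!trydef SANITY_CHECK_USE_PORT 1
+#!trydef SANITY_DROPS_REQUEST 1
+#!trydef SANITY_DEFAULT_CHECK 17895
+#!trydef SANITY_URI_CHECKS 7
+#!substdef "!SANITY_SUBST_CACHE_PERIOD!$def(SANITY_CACHE_PERIOD)!g"
+######## SIP message formatting sanity checks [requires sl] ########
+loadmodule "sanity.so"
+modparam("sanity", "default_checks", SANITY_DEFAULT_CHECK)
+modparam("sanity", "uri_checks", SANITY_URI_CHECKS)
+modparam("sanity", "autodrop", 0)
+modparam("sanity", "noreply", 1)
+modparam("debugger", "mod_level", "sanity=-3")
+kazoo.sanity_check_use_port = SANITY_CHECK_USE_PORT descr "should we keep track of ip and port for sanity failures"
+kazoo.sanity_drops_request = SANITY_DROPS_REQUEST descr "should we drop the request or send error on sanity failure"
+route[SANITY_CHECK]
+{
+## CVE-2018-14767
+if($(hdr(To)[1]) != $null) {
+xlog("second To header not null - dropping message");
+drop;
+}
+$var(sanity_key) = "";
+if($sel(cfg_get.kazoo.sanity_check_use_port) == 1) {
+$var(sanity_key) = $_s("$si::$sp");
+} else {
+$var(sanity_key) = $_s("$si");
+}
+if (!sanity_check()) {
+if($sel(cfg_get.kazoo.sanity_drops_request) == 1) {
+xlog("L_WARN", "$ci|end|dropping insane message from $si:$sp\n");
+drop;
+} else {
+xlog("L_WARN", "$ci|end|insane message from $si:$sp\n");
+send_reply("400", "Bad Request");
+exit;
+}
+}
+if (!mf_process_maxfwd_header("10")) {
+xlog("L_WARN", "$ci|end|too much hops, not enough barley from $si:$sp\n");
+send_reply("483", "Too Many Hops");
+exit;
+}
+if ($ua == "friendly-scanner" ||
+$ua == "sundayddr" ||
+$ua == "pplsip" ||
+$ua =~ "NiceGuy" ||
+$ua =~ "PortSIP" ||
+$ua =~ "sipcli" ) {
+xlog("L_WARN", "$ci|end|dropping message with user-agent $ua from $si:$sp\n");
+drop;
+}
+}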
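Review bot: `$var(sanity_key)` is assigned from `$si`/`$sp` near the top of route[SANITY_CHECK] but nothing in this file reads it, and `SANITY_SUBST_CACHE_PERIOD` is substituted from `SANITY_CACHE_PERIOD`, which has no `#!trydef` here, so the per-source failure tracking that the `kazoo.sanity_check_use_port` description promises does not appear to be wired up in this commit. Either add the consumer, or drop the key and the substdef until it exists. The CVE-2018-14767 branch still logs without a level, call-id, source address or trailing newline; `xlog("L_WARN", "$ci|end|dropping message with second To header from $si:$sp\n");` would match the other drops and give responders the sender. The `default_checks` default also moves from 1511 to 17895 (one extra 16384 bit) and `noreply` is newly set to 1, which a commit titled as a move should call out; a comment next to `SANITY_DEFAULT_CHECK` listing the enabled check flags would make the value reviewable.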
