From 79bb046bbe0f1f66fce24ff7050de34e594705d8 Mon Sep 17 00:00:00 2001 From: karl anderson Date: Mon, 13 Oct 2014 20:37:50 -0400 Subject: [PATCH] make the auth limit more generic and fix the missing routing key --- kamailio/antiflood-role.cfg | 31 +++++++++++++++++++++++++------ kamailio/default.cfg | 1 + kamailio/registrar-role.cfg | 28 ++++++++++++---------------- kamailio/traffic-filter-role.cfg | 2 +- 4 files changed, 39 insertions(+), 23 deletions(-) diff --git a/kamailio/antiflood-role.cfg b/kamailio/antiflood-role.cfg index 63ac37e..d6e8a11 100644 --- a/kamailio/antiflood-role.cfg +++ b/kamailio/antiflood-role.cfg @@ -22,7 +22,7 @@ route[ANTIFLOOD_RATE_LIMIT] # use pike to control the rates if (!pike_check_req()) { - xlog("L_WARN", "$ci|log|pike dropping $rm from $fu due to rate of requests with source $si:$sp"); + xlog("L_WARN", "$ci|end|dropping request from $fu due to rate of requests with source $si:$sp"); drop(); exit; } @@ -34,17 +34,25 @@ route[ANITFLOOD_AUTH_LIMIT] return(1); } - if($sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY) { + if ($Au != $null && + $sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY + ) { $var(exp) = $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW; if($sht(failed_auth_hash=>$Au::last) > $var(exp)){ - $sht(failed_auth_hash=>$Au::last) = $Ts; - xlog("L_WARN", "$ci|log|ignoring erroneous endpoint registrations from $ct for $Au"); - return(-1); + xlog("L_NOTICE", "$ci|end|request at authorization failure limit for $Au $si:$sp"); + drop(); + exit; } else { $sht(failed_auth_hash=>$Au::count) = 0; } } - return(1); +} + +route[ANTIFLOOD_SUCCESSFUL_AUTH] +{ + if ($Au != $null && $sht(failed_auth_hash=>$Au::count) != $null) { + $sht(failed_auth_hash=>$Au::count) = 0; + } } route[ANITFLOOD_FAILED_AUTH] 
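Review bot: The rewritten limit check in route[ANITFLOOD_AUTH_LIMIT] guards `$Au` against `$null` but not the count it reads from `failed_auth_hash`, while the new route[ANTIFLOOD_SUCCESSFUL_AUTH] a few lines below does test `$sht(failed_auth_hash=>$Au::count) != $null`; unless Kamailio's coercion of an unset htable value to 0 in `>=` is being relied on deliberately, both routes should use the same guard. Dropping `$sht(failed_auth_hash=>$Au::last) = $Ts;` from the drop branch also turns the lockout from a sliding window (refreshed on every dropped attempt) into a fixed one that expires ANTIFLOOD_FAILED_AUTH_WINDOW after the last failure counted in ANITFLOOD_FAILED_AUTH; if that is intended, a comment such as `# dropped attempts do not extend the window; only counted failures in ANITFLOOD_FAILED_AUTH do` would make it explicit. Because the limit is keyed on `$Au` alone, wrong-password requests for a username from any source lock the legitimate endpoint out for the whole window, so keying on `$Au` together with `$si` is worth considering. The new route name `ANTIFLOOD_SUCCESSFUL_AUTH` is spelled correctly while its siblings keep the `ANITFLOOD_` typo, which default.cfg now repeats in its new call. The route's opening guard (the `return(1)` visible as context) begins outside the hunk.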
@@ -59,4 +67,15 @@ route[ANITFLOOD_FAILED_AUTH] $sht(failed_auth_hash=>$Au::count) = $sht(failed_auth_hash=>$Au::count) + 1; $sht(failed_auth_hash=>$Au::last) = $Ts; + + xlog("L_INFO", "$ci|log|$sht(failed_auth_hash=>$Au::count) errounous authorization response for $Au $si:$sp"); + + if ($sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY) { + $var(exp) = $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW; + if($sht(failed_auth_hash=>$Au::last) > $var(exp)){ + xlog("L_INFO", "$ci|end|registration forbidden $Au $si:$sp"); + send_reply("403", "Forbidden"); + exit; + } + } } diff --git a/kamailio/default.cfg b/kamailio/default.cfg index b66348b..49573b6 100644 --- a/kamailio/default.cfg +++ b/kamailio/default.cfg @@ -210,6 +210,7 @@ route #!ifdef ANTIFLOOD-ROLE route(ANTIFLOOD_RATE_LIMIT); + route(ANITFLOOD_AUTH_LIMIT); #!endif #!ifdef TRAFFIC-FILTER-ROLE diff --git a/kamailio/registrar-role.cfg b/kamailio/registrar-role.cfg index 9430400..4cb2c41 100644 --- a/kamailio/registrar-role.cfg +++ b/kamailio/registrar-role.cfg @@ -56,7 +56,7 @@ route[HANDLE_REGISTER] route(ATTEMPT_AUTHORIZATION); } else { auth_challenge("$fd", "0"); - xlog("L_INFO", "$ci|end|issued auth challenge to new registration for $Au $si:$sp"); + xlog("L_INFO", "$ci|end|issued auth challenge to new registration for $fu $si:$sp"); exit; } } 
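Review bot: In route[ANITFLOOD_FAILED_AUTH] the inner window test on the added lines is always true: `$sht(failed_auth_hash=>$Au::last)` was assigned `$Ts` two lines above, so `$sht(failed_auth_hash=>$Au::last) > $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW` holds for any positive window, and the `$var(exp)` line and its `if` can be collapsed to `if ($sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY) {` followed directly by the xlog, `send_reply("403", "Forbidden");` and `exit;`. The log text on the first added xlog has a typo: `errounous` should read `erroneous`. The route's opening, including whatever decides when it is invoked, lies outside the hunk, so whether `$Au` can be `$null` here (which the AUTH_LIMIT route in antiflood-role.cfg now guards against) cannot be confirmed from this hunk.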
@@ -64,16 +64,8 @@ route[HANDLE_REGISTER] route[ATTEMPT_AUTHORIZATION] { - #!ifdef ANTIFLOOD-ROLE - if (!route(ANITFLOOD_AUTH_LIMIT)) { - xlog("L_WARN", "$ci|log|dropping erroneous endpoint registration for $Au $si:$sp"); - drop(); - exit; - } - #!endif - if ($sht(auth_cache=>$Au) != $null) { - xlog("L_INFO", "$ci|log|authenticating $Au via cached SIP creds"); + xlog("L_INFO", "$ci|log|authenticating $fu via cached SIP creds"); $var(password) = $sht(auth_cache=>$Au); } else { $var(amqp_payload_request) = "{'Event-Category' : 'directory' , 'Event-Name' : 'authn_req', 'Method' : 'REGISTER', 'Auth-Realm' : '" + $fd + "', 'Auth-User' : '" + $fU + "', 'From' : '" + $fu + "', 'To' : '" + $tu +"' }"; @@ -102,6 +94,10 @@ route[ATTEMPT_AUTHORIZATION] exit; } + #!ifdef ANTIFLOOD-ROLE + route(ANTIFLOOD_SUCCESSFUL_AUTH); + #!endif + if ($sht(auth_cache=>$Au) == $null) { xlog("L_INFO", "$ci|log|caching SIP credentials for $Au"); $sht(auth_cache=>$Au) = $var(password); @@ -120,6 +116,11 @@ route[ATTEMPT_AUTHORIZATION] $var(expires) = REGISTRAR_MIN_EXPIRES; } + if($var(expires) == 0) { + xlog("L_INFO", "$ci|end|unregister request from $Au $si:$sp"); + exit; + } + if($(proto{s.tolower}) == "udp" || $(proto{s.tolower}) == "tcp" || $(proto{s.tolower}) == "tls") { $var(return_port) = $Rp; } else { 
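Review bot: The changed xlog in route[ATTEMPT_AUTHORIZATION] now reports `$fu` while the cache lookup on the lines around it is keyed on `$Au`; the digest username and the From URI can legitimately differ, so the log entry no longer names the credential actually being used. Logging both keeps the trace useful: `xlog("L_INFO", "$ci|log|authenticating $Au (from $fu) via cached SIP creds");`. The same `$Au`→`$fu` substitution in the auth_challenge branch of the @@ -56 hunk is reasonable there, since no credentials have been presented yet and `$Au` would be empty. ATTEMPT_AUTHORIZATION continues well past this hunk.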
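Review bot: The new `$var(expires) == 0` branch in route[ATTEMPT_AUTHORIZATION] is evaluated after the `REGISTRAR_MIN_EXPIRES` clamp whose condition sits just above the hunk; if that clamp raises every value below the minimum, an Expires of 0 has already been rewritten and the branch is unreachable, so either the clamp must exclude 0 or this check should precede it. The branch also ends the request with `exit` and no reply; if the location update and the 200 OK for this REGISTER are issued later in the route (outside this hunk), an unregister is now logged as `|end|` but never answered and the client will retransmit. Confirm where the reply is sent before relying on this path.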
@@ -140,16 +141,11 @@ route[ATTEMPT_AUTHORIZATION] $var(fs_contact) = ""; } - if ($avp(AVP_RECV_PARAM) == $null) { - $var(fs_contact) = "<" + $(ct{tobody.uri}) + ";" + $var(params) + ">"; - } else { - $var(fs_contact) = ""; - } - $var(register_contants) = ' "Presence-Hosts" : "n/a", "Profile-Name" : "sipinterface_1", "Status" : "Registered", "Event-Timestamp" : "' + $TS + '", "Expires" : ' + $var(expires); $var(amqp_payload_request) = '{"Event-Category" : "directory", "Event-Name" : "reg_success", "Contact" : "' + $var(fs_contact) + '", "Call-ID" : "' + $ci + '", "Realm" : "' + $fd + '", "Username" : "' + $fU + '", "From-User" : "' + $fU + '", "From-Host" : "' + $fd + '", "To-User" : "' + $tU + '", "To-Host" : "' + $td + '", "User-Agent" : "' + $ua + '" ,' + $var(register_contants) + ' }'; + $var(amqp_routing_key) = "registration.success." + $(fd{kz.encode}) + "." + $fU; kazoo_publish("callmgr", $var(amqp_routing_key), $var(amqp_payload_request)); diff --git a/kamailio/traffic-filter-role.cfg b/kamailio/traffic-filter-role.cfg index e6a22a6..2695286 100644 --- a/kamailio/traffic-filter-role.cfg +++ b/kamailio/traffic-filter-role.cfg @@ -31,7 +31,7 @@ route[FILTER_AUTHORIZATION_DOMAIN] { if (is_present_hf("Proxy-Authorization") && $ar =~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}" ) { - xlog("L_WARN", "$ci|log|dropping request with IP domain in Proxy-Authorization header"); + xlog("L_WARN", "$ci|end|dropping request with IP domain in Proxy-Authorization header"); drop(); exit; }
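Review bot: The added `$var(amqp_routing_key)` line in route[ATTEMPT_AUTHORIZATION] encodes the realm with `{kz.encode}` but appends `$fU` raw; a From user containing `.` (or the `*`/`#` wildcards AMQP topic keys interpret) changes the key's structure, so it should be `$(fU{kz.encode})` to match the realm segment. The payload built on the preceding context line concatenates `$ua`, `$fU`, `$tU` and other header-derived values straight into JSON without escaping, so a double quote in any of them breaks or alters the published message; wrapping each in an escaping transformation such as `{s.escape.common}` would be the minimal fix. The route continues past this hunk, with the `kazoo_publish` call as its last visible line.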