ruhnet
/
kazoo-configs-kamailio
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 183 Wiki Activity
Browse Source

make the auth limit more generic and fix the missing routing key

3.19
karl anderson 11 years ago
parent
1c82438f1b
commit
79bb046bbe
4 changed files with 39 additions and 23 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +25
    -6
      kamailio/antiflood-role.cfg
  2. +1
    -0
      kamailio/default.cfg
  3. +12
    -16
      kamailio/registrar-role.cfg
  4. +1
    -1
      kamailio/traffic-filter-role.cfg

+ 25
- 6
kamailio/antiflood-role.cfg View File

@ -22,7 +22,7 @@ route[ANTIFLOOD_RATE_LIMIT]
# use pike to control the rates # use pike to control the rates
if (!pike_check_req()) { if (!pike_check_req()) {
xlog("L_WARN", "$ci|log|pike dropping $rm from $fu due to rate of requests with source $si:$sp");
xlog("L_WARN", "$ci|end|dropping request from $fu due to rate of requests with source $si:$sp");
drop(); drop();
exit; exit;
} }
@ -34,17 +34,25 @@ route[ANITFLOOD_AUTH_LIMIT]
return(1); return(1);
} }
if($sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY) {
if ($Au != $null &&
$sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY
) {
$var(exp) = $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW; $var(exp) = $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW;
if($sht(failed_auth_hash=>$Au::last) > $var(exp)){ if($sht(failed_auth_hash=>$Au::last) > $var(exp)){
$sht(failed_auth_hash=>$Au::last) = $Ts;
xlog("L_WARN", "$ci|log|ignoring erroneous endpoint registrations from $ct for $Au");
return(-1);
xlog("L_NOTICE", "$ci|end|request at authorization failure limit for $Au $si:$sp");
drop();
exit;
} else { } else {
$sht(failed_auth_hash=>$Au::count) = 0; $sht(failed_auth_hash=>$Au::count) = 0;
} }
} }
return(1);
}
route[ANTIFLOOD_SUCCESSFUL_AUTH]
{
if ($Au != $null && $sht(failed_auth_hash=>$Au::count) != $null) {
$sht(failed_auth_hash=>$Au::count) = 0;
}
} }
route[ANITFLOOD_FAILED_AUTH] route[ANITFLOOD_FAILED_AUTH]
@ -59,4 +67,15 @@ route[ANITFLOOD_FAILED_AUTH]
$sht(failed_auth_hash=>$Au::count) = $sht(failed_auth_hash=>$Au::count) + 1; $sht(failed_auth_hash=>$Au::count) = $sht(failed_auth_hash=>$Au::count) + 1;
$sht(failed_auth_hash=>$Au::last) = $Ts; $sht(failed_auth_hash=>$Au::last) = $Ts;
xlog("L_INFO", "$ci|log|$sht(failed_auth_hash=>$Au::count) errounous authorization response for $Au $si:$sp");
if ($sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY) {
$var(exp) = $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW;
if($sht(failed_auth_hash=>$Au::last) > $var(exp)){
xlog("L_INFO", "$ci|end|registration forbidden $Au $si:$sp");
send_reply("403", "Forbidden");
exit;
}
}
} }

+ 1
- 0
kamailio/default.cfg View File

@ -210,6 +210,7 @@ route
#!ifdef ANTIFLOOD-ROLE #!ifdef ANTIFLOOD-ROLE
route(ANTIFLOOD_RATE_LIMIT); route(ANTIFLOOD_RATE_LIMIT);
route(ANITFLOOD_AUTH_LIMIT);
#!endif #!endif
#!ifdef TRAFFIC-FILTER-ROLE #!ifdef TRAFFIC-FILTER-ROLE


+ 12
- 16
kamailio/registrar-role.cfg View File

@ -56,7 +56,7 @@ route[HANDLE_REGISTER]
route(ATTEMPT_AUTHORIZATION); route(ATTEMPT_AUTHORIZATION);
} else { } else {
auth_challenge("$fd", "0"); auth_challenge("$fd", "0");
xlog("L_INFO", "$ci|end|issued auth challenge to new registration for $Au $si:$sp");
xlog("L_INFO", "$ci|end|issued auth challenge to new registration for $fu $si:$sp");
exit; exit;
} }
} }
@ -64,16 +64,8 @@ route[HANDLE_REGISTER]
route[ATTEMPT_AUTHORIZATION] route[ATTEMPT_AUTHORIZATION]
{ {
#!ifdef ANTIFLOOD-ROLE
if (!route(ANITFLOOD_AUTH_LIMIT)) {
xlog("L_WARN", "$ci|log|dropping erroneous endpoint registration for $Au $si:$sp");
drop();
exit;
}
#!endif
if ($sht(auth_cache=>$Au) != $null) { if ($sht(auth_cache=>$Au) != $null) {
xlog("L_INFO", "$ci|log|authenticating $Au via cached SIP creds");
xlog("L_INFO", "$ci|log|authenticating $fu via cached SIP creds");
$var(password) = $sht(auth_cache=>$Au); $var(password) = $sht(auth_cache=>$Au);
} else { } else {
$var(amqp_payload_request) = "{'Event-Category' : 'directory' , 'Event-Name' : 'authn_req', 'Method' : 'REGISTER', 'Auth-Realm' : '" + $fd + "', 'Auth-User' : '" + $fU + "', 'From' : '" + $fu + "', 'To' : '" + $tu +"' }"; $var(amqp_payload_request) = "{'Event-Category' : 'directory' , 'Event-Name' : 'authn_req', 'Method' : 'REGISTER', 'Auth-Realm' : '" + $fd + "', 'Auth-User' : '" + $fU + "', 'From' : '" + $fu + "', 'To' : '" + $tu +"' }";
@ -102,6 +94,10 @@ route[ATTEMPT_AUTHORIZATION]
exit; exit;
} }
#!ifdef ANTIFLOOD-ROLE
route(ANTIFLOOD_SUCCESSFUL_AUTH);
#!endif
if ($sht(auth_cache=>$Au) == $null) { if ($sht(auth_cache=>$Au) == $null) {
xlog("L_INFO", "$ci|log|caching SIP credentials for $Au"); xlog("L_INFO", "$ci|log|caching SIP credentials for $Au");
$sht(auth_cache=>$Au) = $var(password); $sht(auth_cache=>$Au) = $var(password);
@ -120,6 +116,11 @@ route[ATTEMPT_AUTHORIZATION]
$var(expires) = REGISTRAR_MIN_EXPIRES; $var(expires) = REGISTRAR_MIN_EXPIRES;
} }
if($var(expires) == 0) {
xlog("L_INFO", "$ci|end|unregister request from $Au $si:$sp");
exit;
}
if($(proto{s.tolower}) == "udp" || $(proto{s.tolower}) == "tcp" || $(proto{s.tolower}) == "tls") { if($(proto{s.tolower}) == "udp" || $(proto{s.tolower}) == "tcp" || $(proto{s.tolower}) == "tls") {
$var(return_port) = $Rp; $var(return_port) = $Rp;
} else { } else {
@ -140,16 +141,11 @@ route[ATTEMPT_AUTHORIZATION]
$var(fs_contact) = "<sip:" + $(ct{tobody.user}) + "@" + $si + ":" + $sp + ";transport=" + $proto + ";" + $var(params) + ">"; $var(fs_contact) = "<sip:" + $(ct{tobody.user}) + "@" + $si + ":" + $sp + ";transport=" + $proto + ";" + $var(params) + ">";
} }
if ($avp(AVP_RECV_PARAM) == $null) {
$var(fs_contact) = "<" + $(ct{tobody.uri}) + ";" + $var(params) + ">";
} else {
$var(fs_contact) = "<sip:" + $(ct{tobody.user}) + "@" + $si + ":" + $sp + ";transport=" + $proto + ";" + $var(params) + ">";
}
$var(register_contants) = ' "Presence-Hosts" : "n/a", "Profile-Name" : "sipinterface_1", "Status" : "Registered", "Event-Timestamp" : "' + $TS + '", "Expires" : ' + $var(expires); $var(register_contants) = ' "Presence-Hosts" : "n/a", "Profile-Name" : "sipinterface_1", "Status" : "Registered", "Event-Timestamp" : "' + $TS + '", "Expires" : ' + $var(expires);
$var(amqp_payload_request) = '{"Event-Category" : "directory", "Event-Name" : "reg_success", "Contact" : "' + $var(fs_contact) + '", "Call-ID" : "' + $ci + '", "Realm" : "' + $fd + '", "Username" : "' + $fU + '", "From-User" : "' + $fU + '", "From-Host" : "' + $fd + '", "To-User" : "' + $tU + '", "To-Host" : "' + $td + '", "User-Agent" : "' + $ua + '" ,' + $var(register_contants) + ' }'; $var(amqp_payload_request) = '{"Event-Category" : "directory", "Event-Name" : "reg_success", "Contact" : "' + $var(fs_contact) + '", "Call-ID" : "' + $ci + '", "Realm" : "' + $fd + '", "Username" : "' + $fU + '", "From-User" : "' + $fU + '", "From-Host" : "' + $fd + '", "To-User" : "' + $tU + '", "To-Host" : "' + $td + '", "User-Agent" : "' + $ua + '" ,' + $var(register_contants) + ' }';
$var(amqp_routing_key) = "registration.success." + $(fd{kz.encode}) + "." + $fU;
kazoo_publish("callmgr", $var(amqp_routing_key), $var(amqp_payload_request)); kazoo_publish("callmgr", $var(amqp_routing_key), $var(amqp_payload_request));


+ 1
- 1
kamailio/traffic-filter-role.cfg View File

@ -31,7 +31,7 @@ route[FILTER_AUTHORIZATION_DOMAIN]
{ {
if (is_present_hf("Proxy-Authorization") && if (is_present_hf("Proxy-Authorization") &&
$ar =~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}" ) { $ar =~ "[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}" ) {
xlog("L_WARN", "$ci|log|dropping request with IP domain in Proxy-Authorization header");
xlog("L_WARN", "$ci|end|dropping request with IP domain in Proxy-Authorization header");
drop(); drop();
exit; exit;
} }


Write Preview
Loading…
Cancel
Save