Mooseable
9 months ago
4 changed files with 144 additions and 2 deletions
Split View
Diff Options
-
+11 -2kamailio/default.cfg
-
+84 -0kamailio/extra-traffic-filter-role.cfg
-
+25 -0kamailio/local.cfg
-
+24 -0kamailio/traffic-filter-role.cfg
+ 11
- 2
kamailio/default.cfg
View File
+ 84
- 0
kamailio/extra-traffic-filter-role.cfg
View File
| @ -0,0 +1,84 @@ | |||
| ####### Extra Traffic Filter Role Configuration ######## | |||
| # Define default values for configuration options if not set in local.cfg | |||
| #!ifndef ETFR_BAN_DURATION | |||
| #!define ETFR_BAN_DURATION 1800 | |||
| #!endif | |||
| # Define Bad User-Agent Patterns | |||
| #!ifndef ETFR_BAD_UA_PATTERNS | |||
| #!define ETFR_BAD_UA_PATTERNS "friendly-scanner|sipcli|sipsak|VaxSIPUserAgent|iWar|CSipSimple|sipvicious|sip-scan|svmap|VaxIPUserAgent|sundayddr|sipv|smap|PSYCHO|iPing|DiSipell|WebSipp|masscan|zmap|SIPBot|friendly-request|siparmyknife" | |||
| #!endif | |||
| #!substdef "!ETFR_SUBST_BAD_UA_PATTERNS!$def(ETFR_BAD_UA_PATTERNS)!g" | |||
| # Define SQL Injection Patterns | |||
| #!ifndef ETFR_SQL_INJECTION_PATTERNS | |||
| #!define ETFR_SQL_INJECTION_PATTERNS "([';]+|(--)+|(%27)+|(%23)+|(%24)+|[;]+|[']+)" | |||
| #!endif | |||
| # Initialize htable for banned IPs | |||
| #!substdef "!ETFR_SUBST_BAN_DURATION!$def(ETFR_BAN_DURATION)!g" | |||
| modparam("htable", "htable", "etfr_banned_ips=>size=8;autoexpire=ETFR_SUBST_BAN_DURATION") | |||
| # Main Request Route Enhancements | |||
| # Place this code at the appropriate place in your main request_route | |||
| route[EXTRA_FILTER_REQUEST] { | |||
| # Check if the source IP is banned | |||
| if ($sht(etfr_banned_ips=>$si)) { | |||
| xlog("L_WARN", "$ci|Fail2Ban| Dropping request from banned IP: $si\n"); | |||
| exit; | |||
| } | |||
| # Proceed with INVITE filtering | |||
| if (is_method("INVITE")) { | |||
| # Extract the domain from the Request URI | |||
| $var(domain) = $rd; | |||
| # Check if the domain is an IP address | |||
| if ($var(domain) =~ "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$") { | |||
| # Check if the source IP is in the carrier group | |||
| if (!(allow_source_address(1) || allow_source_address(10))) { | |||
| # Source IP is not a carrier, ban the IP | |||
| xlog("L_ALERT", "$ci|Fail2Ban| Banned IP: $si Reason: INVITE with IP domain from untrusted source\n"); | |||
| route(ETFR_BAN_IP); | |||
| } else { | |||
| xlog("L_WARN", "$ci|ETFR| Allowing Carrier IP: $si\n"); | |||
| return; | |||
| } | |||
| } | |||
| # Check if the Request URI contains user '1000' | |||
| if ($rU == "1000") { | |||
| xlog("L_ALERT", "$ci|Fail2Ban| Banned IP: $si Reason: Attempt to call user 1000\n"); | |||
| route(ETFR_BAN_IP); | |||
| } | |||
| } | |||
| # Check for known bad User-Agents | |||
| if ($ua =~ "(ETFR_SUBST_BAD_UA_PATTERNS)") { | |||
| xlog("L_ALERT", "$ci|Fail2Ban| Banned IP: $si Reason: Known bad User-Agent: $ua\n"); | |||
| route(ETFR_BAN_IP); | |||
| } | |||
| # Check for SQL injection patterns in SIP message | |||
| if ($rb =~ "(ETFR_SQL_INJECTION_PATTERNS)" || $ru =~ "(ETFR_SQL_INJECTION_PATTERNS)") { | |||
| xlog("L_ALERT", "$ci|Fail2Ban| Banned IP: $si Reason: SQL injection attempt\n"); | |||
| route(ETFR_BAN_IP); | |||
| } | |||
| return; | |||
| } | |||
| # Ban IP Route | |||
| route[ETFR_BAN_IP] { | |||
| # Add source IP to banned IPs table with auto-expire | |||
| $sht(etfr_banned_ips=>$si) = $Ts; | |||
| # Log the event for Fail2Ban | |||
| xlog("L_ALERT", "$ci|end| Added IP $si to etfr_banned_ips htable\n"); | |||
| # Drop the request | |||
| exit; | |||
| } | |||