ruhnet
/
kazoo-configs-kamailio
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 183 Wiki Activity
Browse Source

Reorder classify route, add alternate traffic filter role.

ruhnet
Mooseable 9 months ago
parent
7599b72720
commit
c2a0a5bff3
4 changed files with 144 additions and 2 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +11
    -2
      kamailio/default.cfg
  2. +84
    -0
      kamailio/extra-traffic-filter-role.cfg
  3. +25
    -0
      kamailio/local.cfg
  4. +24
    -0
      kamailio/traffic-filter-role.cfg

+ 11
- 2
kamailio/default.cfg View File

@ -284,6 +284,11 @@ loadmodule "permissions.so"
modparam("permissions", "db_url", "KAZOO_DB_URL") modparam("permissions", "db_url", "KAZOO_DB_URL")
modparam("permissions", "db_mode", 1) modparam("permissions", "db_mode", 1)
######## requires permissions module ########
#!ifdef EXTRA_TRAFFIC_FILTER_ROLE
include_file "extra-traffic-filter-role.cfg"
#!endif
###### local route ###### ###### local route ######
socket_workers=5 socket_workers=5
listen=tcp:127.0.0.1:5090 listen=tcp:127.0.0.1:5090
@ -301,10 +306,16 @@ route
route(ANTIFLOOD_LIMIT); route(ANTIFLOOD_LIMIT);
#!endif #!endif
route(CLASSIFY_SOURCE);
#!ifdef TRAFFIC_FILTER_ROLE #!ifdef TRAFFIC_FILTER_ROLE
route(FILTER_REQUEST); route(FILTER_REQUEST);
#!endif #!endif
#!ifdef EXTRA_TRAFFIC_FILTER_ROLE
route(EXTRA_FILTER_REQUEST);
#!endif
#!ifdef ACL_ROLE #!ifdef ACL_ROLE
route(ACL_CHECK); route(ACL_CHECK);
#!endif #!endif
@ -315,8 +326,6 @@ route
route(LOG_REQUEST); route(LOG_REQUEST);
route(CLASSIFY_SOURCE);
#!ifdef NAT_TRAVERSAL_ROLE #!ifdef NAT_TRAVERSAL_ROLE
route(NAT_DETECT); route(NAT_DETECT);
#!endif #!endif


+ 84
- 0
kamailio/extra-traffic-filter-role.cfg View File

@ -0,0 +1,84 @@
####### Extra Traffic Filter Role Configuration ########
# Define default values for configuration options if not set in local.cfg
#!ifndef ETFR_BAN_DURATION
#!define ETFR_BAN_DURATION 1800
#!endif
# Define Bad User-Agent Patterns
#!ifndef ETFR_BAD_UA_PATTERNS
#!define ETFR_BAD_UA_PATTERNS "friendly-scanner|sipcli|sipsak|VaxSIPUserAgent|iWar|CSipSimple|sipvicious|sip-scan|svmap|VaxIPUserAgent|sundayddr|sipv|smap|PSYCHO|iPing|DiSipell|WebSipp|masscan|zmap|SIPBot|friendly-request|siparmyknife"
#!endif
#!substdef "!ETFR_SUBST_BAD_UA_PATTERNS!$def(ETFR_BAD_UA_PATTERNS)!g"
# Define SQL Injection Patterns
#!ifndef ETFR_SQL_INJECTION_PATTERNS
#!define ETFR_SQL_INJECTION_PATTERNS "([';]+|(--)+|(%27)+|(%23)+|(%24)+|[;]+|[']+)"
#!endif
# Initialize htable for banned IPs
#!substdef "!ETFR_SUBST_BAN_DURATION!$def(ETFR_BAN_DURATION)!g"
modparam("htable", "htable", "etfr_banned_ips=>size=8;autoexpire=ETFR_SUBST_BAN_DURATION")
# Main Request Route Enhancements
# Place this code at the appropriate place in your main request_route
route[EXTRA_FILTER_REQUEST] {
# Check if the source IP is banned
if ($sht(etfr_banned_ips=>$si)) {
xlog("L_WARN", "$ci|Fail2Ban| Dropping request from banned IP: $si\n");
exit;
}
# Proceed with INVITE filtering
if (is_method("INVITE")) {
# Extract the domain from the Request URI
$var(domain) = $rd;
# Check if the domain is an IP address
if ($var(domain) =~ "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$") {
# Check if the source IP is in the carrier group
if (!(allow_source_address(1) || allow_source_address(10))) {
# Source IP is not a carrier, ban the IP
xlog("L_ALERT", "$ci|Fail2Ban| Banned IP: $si Reason: INVITE with IP domain from untrusted source\n");
route(ETFR_BAN_IP);
} else {
xlog("L_WARN", "$ci|ETFR| Allowing Carrier IP: $si\n");
return;
}
}
# Check if the Request URI contains user '1000'
if ($rU == "1000") {
xlog("L_ALERT", "$ci|Fail2Ban| Banned IP: $si Reason: Attempt to call user 1000\n");
route(ETFR_BAN_IP);
}
}
# Check for known bad User-Agents
if ($ua =~ "(ETFR_SUBST_BAD_UA_PATTERNS)") {
xlog("L_ALERT", "$ci|Fail2Ban| Banned IP: $si Reason: Known bad User-Agent: $ua\n");
route(ETFR_BAN_IP);
}
# Check for SQL injection patterns in SIP message
if ($rb =~ "(ETFR_SQL_INJECTION_PATTERNS)" || $ru =~ "(ETFR_SQL_INJECTION_PATTERNS)") {
xlog("L_ALERT", "$ci|Fail2Ban| Banned IP: $si Reason: SQL injection attempt\n");
route(ETFR_BAN_IP);
}
return;
}
# Ban IP Route
route[ETFR_BAN_IP] {
# Add source IP to banned IPs table with auto-expire
$sht(etfr_banned_ips=>$si) = $Ts;
# Log the event for Fail2Ban
xlog("L_ALERT", "$ci|end| Added IP $si to etfr_banned_ips htable\n");
# Drop the request
exit;
}

+ 25
- 0
kamailio/local.cfg View File

@ -21,6 +21,7 @@
# # #!trydef REGISTRAR_SYNC_ROLE # # #!trydef REGISTRAR_SYNC_ROLE
# # #!trydef PRESENCE_NOTIFY_SYNC_ROLE # # #!trydef PRESENCE_NOTIFY_SYNC_ROLE
# # #!trydef SIP_TRACE_ROLE # # #!trydef SIP_TRACE_ROLE
# # #!trydef EXTRA_TRAFFIC_FILTER_ROLE
################################################################################ ################################################################################
## SERVER INFORMATION ## SERVER INFORMATION
@ -155,3 +156,27 @@ listen=UDP_SIP
listen=TCP_SIP listen=TCP_SIP
listen=UDP_ALG_SIP listen=UDP_ALG_SIP
listen=TCP_ALG_SIP listen=TCP_ALG_SIP
################################################################################
## Extra Traffic Filter Role Settings
################################################################################
## These settings apply if you enable the EXTRA_TRAFFIC_FILTER_ROLE
## It will ban IPs where an IP is found in the request uri, unless it is from
## a carrier. It will also ban from usernames of 1000@ unless you allow it.
## It will also ban SQL injection attacks and bad sip clients (or older
## depreciated ones.
# You can either define carriers here, in a file, or run a script to populate
# the address table in the database
## modparam("permissions", "address", "group=10, ip=192.168.1.100")
## modparam("permissions", "address", "group=10, ip=192.168.1.101")
## modparam("permissions", "address", "group=10, ip=192.168.1.102")
# Define ban duration in seconds (Optional, default is 1800 seconds)
# # #!define ETFR_BAN_DURATION 1800
# Define Bad User-Agent Patterns (Optional, default includes a comprehensive list)
# # #!define ETFR_BAD_UA_PATTERNS "friendly-scanner|sipcli|sipsak|VaxSIPUserAgent|iWar|CSipSimple|sipvicious|sip-scan|svmap|VaxIPUserAgent|sundayddr|sipv|smap|PSYCHO|iPing|DiSipell|WebSipp|masscan|zmap|SIPBot|friendly-request|siparmyknife"
# Define SQL Injection Patterns (Optional, default includes common patterns)
# # #!define ETFR_SQL_INJECTION_PATTERNS "([';]+|(--)+|(%27)+|(%24)+|(%23)+|[;]+|[']+|[\"+]+)"

+ 24
- 0
kamailio/traffic-filter-role.cfg View File

@ -55,3 +55,27 @@ route[FILTER_TO_DOMAIN]
} }
} }
route[CCP_SECURITY_CHECKS] {
#!ifdef WITH_CCP_SECURITY_CHECKS
if (is_method("INVITE|REGISTER")) {
if($ua =~ "(friendly-scanner|sipvicious|pplsip)") {
xlog("$ci|block|Fail2Ban blocking traffic from $si Script Kiddie trying to exploit\n");
drop();
exit;
}
if($au =~ "(\=)|(\-\-)|(')|(\#)|(\%27)|(\%24)" and $au != $null) {
xlog("$ci|block|Fail2Ban blocking traffic from $si SQL Injection attack over SIP\n");
drop();
exit;
}
if($(hdr(Record-Route)[0]{nameaddr.uri}) != $si and $(hdr(Record-Route)[0]{nameaddr.uri}) != $null) {
xlog("$ci|block|Fail2Ban blocking traffic from $si Spoofing attack over SIP\n");
drop();
exit;
}
}
#!endif
}

Write Preview
Loading…
Cancel
Save