ruhnet
/
kazoo-configs-kamailio
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 183 Wiki Activity
Browse Source

registrar-role.cfg: DOS prevention 

- reject Register to IP domain
- check for brute force attack - allow only two consecutive attempts to
  authenticate. If both failed block the account for 2 minutes.
3.17
Anca Vamanu 12 years ago
parent
033eeb46f4
commit
f48ad99a3f
1 changed files with 50 additions and 1 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +50
    -1
      kamailio/registrar-role.cfg

+ 50
- 1
kamailio/registrar-role.cfg View File

@ -2,6 +2,7 @@
######## Generic Hash Table container in shared memory ######## ######## Generic Hash Table container in shared memory ########
modparam("htable", "htable", "auth_cache=>size=16;autoexpire=7200") modparam("htable", "htable", "auth_cache=>size=16;autoexpire=7200")
modparam("htable", "htable", "failed_auth_hash=>size=14;autoexpire=180;")
####### Authentication Interface module ########## ####### Authentication Interface module ##########
loadmodule "auth.so" loadmodule "auth.so"
@ -37,6 +38,9 @@ modparam("registrar", "received_avp", "$avp(AVP_RECV_PARAM)")
route[HANDLE_REGISTER] route[HANDLE_REGISTER]
{ {
if (is_method("REGISTER")) { if (is_method("REGISTER")) {
route(DOMAIN_FORMAT_CHECK);
#!ifdef NAT-TRAVERSAL-ROLE #!ifdef NAT-TRAVERSAL-ROLE
if (nat_uac_test("3")) { if (nat_uac_test("3")) {
xlog("L_INFO", "$ci|log|Correcting NATed contact in registration\n"); xlog("L_INFO", "$ci|log|Correcting NATed contact in registration\n");
@ -50,11 +54,18 @@ route[HANDLE_REGISTER]
#!endif #!endif
if (is_present_hf("Authorization")) { if (is_present_hf("Authorization")) {
if (!route(PREVENT_BRUTEFORCE)) {
auth_challenge("$fd", "0");
exit;
}
if ($sht(auth_cache=>$Au) != $null && pv_auth_check("$fd", "$sht(auth_cache=>$Au)", "0", "0")) { if ($sht(auth_cache=>$Au) != $null && pv_auth_check("$fd", "$sht(auth_cache=>$Au)", "0", "0")) {
xlog("L_INFO", "$ci|log|Authenticated $Au via cached SIP creds\n"); xlog("L_INFO", "$ci|log|Authenticated $Au via cached SIP creds\n");
} else { } else {
## RABBITMQ - Credentials fetch ## RABBITMQ - Credentials fetch
if (!auth_check("$fd", "subscriber", "1")) { if (!auth_check("$fd", "subscriber", "1")) {
route(FAILED_AUTH_COUNT);
auth_challenge("$fd", "0"); auth_challenge("$fd", "0");
xlog("L_INFO", "$ci|log|Issued new auth challenge to failed registration attempt\n"); xlog("L_INFO", "$ci|log|Issued new auth challenge to failed registration attempt\n");
exit; exit;
@ -77,4 +88,42 @@ route[HANDLE_REGISTER]
} }
} }
## vim:set tabstop=4 softtabstop=4 shiftwidth=4 expandtab
# AUTH: check to see if user if present in failed_auth_hash
route[PREVENT_BRUTEFORCE]
{
if($sht(failed_auth_hash=>$Au::count) >= 2) {
$var(exp) = $Ts - 120;
if($sht(failed_auth_hash=>$Au::last) > $var(exp)){
xlog("L_ERR", "Possible password brute force, from $ct on user $Au");
return(-1);
} else {
$sht(failed_auth_hash=>$Au::count) = 0;
}
}
return(1);
}
#AUTH: add to failed_auth_hash in case of authentication password error
route[FAILED_AUTH_COUNT]
{
if ($rc == -2) {
if($sht(failed_auth_hash=>$Au::count) == $null) {
$sht(failed_auth_hash=>$Au::count) = 0;
}
$sht(failed_auth_hash=>$Au::count) = $sht(failed_auth_hash=>$Au::count) + 1;
$sht(failed_auth_hash=>$Au::last) = $Ts;
}
}
route[DOMAIN_FORMAT_CHECK]
{
if ($rd =~ "([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})" ||
$td =~ "([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3}" ) {
send_reply("403", "Forbidden");
exit;
}
}
# vim:tabstop=4 softtabstop=4 shiftwidth=4 expandtab

Write Preview
Loading…
Cancel
Save