Compare commits


16 Commits
master ... 3.20

Author SHA1 Message Date
  lazedo a5ae706c1b HELP-22885 anti-flood role may block media servers 10 years ago
  lazedo e2d5435354 fix antiflood reset auth 10 years ago
  Luis Azedo dc0d22b767 KAZOO-4435 backport 10 years ago
  bitbashing 6d2bd23243 Merge pull request #59 from alanrevans/rabbitmq-config 10 years ago
  Luis Azedo bd867271c6 Revert "Fix only in registrar-role.cfg" 10 years ago
  Alan Evans 3680a270c5 Add a log rotate config file rabbitmq 10 years ago
  Sergey Korobkov 25daa78656 Fix only in registrar-role.cfg 10 years ago
  lazedo 25fe005796 KAZOO-4014 antiflood 11 years ago
  Darren Schreiber e1f0053274 Re-white-label-ish the Kamailio SIP replies - KAZOO-4059 11 years ago
  karl anderson 942e76ff96 KAZOO-3792: tweak antiflood default parameters 11 years ago
  karl anderson 4e87c549a2 Merge remote-tracking branch 'origin/KAZOO-3792' into 3.20 11 years ago
  karl anderson bb60dbbef9 Merge branch 'KAZOO-3840-1' into 3.20 11 years ago
  lazedo d159f692fb KAZOO-3792 Retry-After on amqp error 11 years ago
  lazedo d9d036ef54 Merge pull request #46 from 2600hz/KAZOO-3491 11 years ago
  Darren Schreiber b0a3b4d8de KAZOO-3773: Adding loose_route check before sending NOTIFY to remove Route: headers and other such routing information and process it properly. 11 years ago
  karl anderson 6fa71afc1a KAZOO-3491: if the request is to the proxy directly treat it as an external source 11 years ago
8 changed files with 83 additions and 42 deletions
  1. +1
    -1
      kamailio/acl-role.cfg
  2. +41
    -28
      kamailio/antiflood-role.cfg
  3. +9
    -5
      kamailio/dispatcher-role.cfg
  4. +9
    -5
      kamailio/fast-pickup-role.cfg
  5. +1
    -1
      kamailio/pusher-role.cfg
  6. +1
    -1
      kamailio/rate-limiter-role.cfg
  7. +9
    -1
      kamailio/registrar-role.cfg
  8. +12
    -0
      system/logrotate.d/rabbitmq.conf

+ 1
- 1
kamailio/acl-role.cfg View File

@ -82,7 +82,7 @@ route[ACL_CHECK] {
else
$var(query) = "{'Event-Category': 'acl', 'Event-Name': 'query', 'Entity': '" + $var(realm) + "'}";
xlog("L_DBG", "$ci|ACL log|Query: $var(query)");
sl_send_reply("100", "Attempting Kazoo query");
sl_send_reply("100", "Attempting K query");
if (kazoo_query("frontier", "sbc_config", $var(query), "$var(acl-response)")) {
xlog("L_DBG", "$ci|ACL log|Response: $var(acl-response)");


+ 41
- 28
kamailio/antiflood-role.cfg View File

@ -1,11 +1,16 @@
#!trydef ANTIFLOOD_RATE_WINDOW 2
#!trydef ANTIFLOOD_RATE_DENSITY 50
#!trydef ANTIFLOOD_RATE_EXPIRE 4
#!trydef ANTIFLOOD_FAILED_AUTH_WINDOW 120
#!trydef ANTIFLOOD_FAILED_AUTH_DENSITY 3
#!trydef ANTIFLOOD_FAILED_AUTH_WINDOW 300
#!trydef ANTIFLOOD_FAILED_AUTH_DENSITY 4
#!ifndef ANTIFLOOD_CACHE_PERIOD
#!substdef "!ANTIFLOOD_CACHE_PERIOD!600!g"
#!endif
######## Flood Prevention Hash Tables ########
modparam("htable", "htable", "failed_auth_hash=>size=8;autoexpire=3600;")
modparam("htable", "htable", "antiflood=>size=16;autoexpire=ANTIFLOOD_CACHE_PERIOD;initval=0")
######## Flood Prevention Module ########
loadmodule "pike.so"
@ -16,7 +21,9 @@ modparam("pike", "remove_latency", ANTIFLOOD_RATE_EXPIRE)
route[ANTIFLOOD_RATE_LIMIT]
{
if (has_totag() || isflagset(FLAG_TRUSTED_SOURCE)) {
if (has_totag()
|| isflagset(FLAG_TRUSTED_SOURCE)
|| isflagset(FLAG_INTERNALLY_SOURCED)) {
return;
}
@ -30,29 +37,33 @@ route[ANTIFLOOD_RATE_LIMIT]
route[ANITFLOOD_AUTH_LIMIT]
{
if (isflagset(FLAG_TRUSTED_SOURCE)) {
if (has_totag()
|| isflagset(FLAG_TRUSTED_SOURCE)
|| isflagset(FLAG_INTERNALLY_SOURCED)) {
return(1);
}
if ($Au != $null &&
$sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY
$sht(antiflood=>$Au::$si::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY
) {
$var(exp) = $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW;
if($sht(failed_auth_hash=>$Au::last) > $var(exp)){
xlog("L_NOTICE", "$ci|end|request at authorization failure limit for $Au $si:$sp");
drop();
exit;
} else {
$sht(failed_auth_hash=>$Au::count) = 0;
}
xlog("L_NOTICE", "$ci|end|request at authorization failure limit for $Au $si:$sp");
$shtex(antiflood=>$Au::$si::count) = ANTIFLOOD_FAILED_AUTH_WINDOW;
$sht(antiflood=>$Au::$si::last) = $Ts;
append_to_reply("Retry-After: 3600\r\n");
send_reply("500", "Retry Later");
exit;
}
}
route[ANTIFLOOD_SUCCESSFUL_AUTH]
{
if ($Au != $null && $sht(failed_auth_hash=>$Au::count) != $null) {
$sht(failed_auth_hash=>$Au::count) = 0;
}
sht_rm_name_re("antiflood=>$(Au{re.subst,/\\./\\\\./g})::$(si{re.subst,/\\./\\\\./g})::.*");
}
route[ANTIFLOOD_RESET_AUTH]
{
$var(user) = $(kzE{kz.json,Username}) + "@" + $(kzE{kz.json,Realm});
sht_rm_name_re("antiflood=>$(var(user){re.subst,/\\./\\\\./g})::.*");
}
route[ANITFLOOD_FAILED_AUTH]
@ -61,21 +72,23 @@ route[ANITFLOOD_FAILED_AUTH]
return;
}
if($sht(failed_auth_hash=>$Au::count) == $null) {
$sht(failed_auth_hash=>$Au::count) = 0;
}
$sht(failed_auth_hash=>$Au::count) = $sht(failed_auth_hash=>$Au::count) + 1;
$sht(failed_auth_hash=>$Au::last) = $Ts;
$var(count) = $shtinc(antiflood=>$Au::$si::count);
$sht(antiflood=>$Au::$si::last) = $Ts;
xlog("L_INFO", "$ci|log|$sht(failed_auth_hash=>$Au::count) errounous authorization response for $Au $si:$sp");
xlog("L_INFO", "$ci|log|$var(count) errounous authorization response for $Au $si:$sp");
if ($sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY) {
if ($var(count) >= ANTIFLOOD_FAILED_AUTH_DENSITY) {
$var(exp) = $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW;
if($sht(failed_auth_hash=>$Au::last) > $var(exp)){
xlog("L_INFO", "$ci|end|registration forbidden $Au $si:$sp");
send_reply("403", "Forbidden");
if($sht(antiflood=>$Au::$si::last) > $var(exp)){
xlog("L_NOTICE", "$ci|end|request at authorization failure limit for $Au $si:$sp");
append_to_reply("Retry-After: 3600\r\n");
send_reply("500", "Retry Later");
exit;
}
}
}
event_route[htable:expired:antiflood]
{
xlog("L_NOTICE", "antiflood expired record $shtrecord(key) => $shtrecord(value)\n");
}
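Review bot: In ANITFLOOD_FAILED_AUTH the window test `if($sht(antiflood=>$Au::$si::last) > $var(exp))` can no longer be false, because `$sht(antiflood=>$Au::$si::last) = $Ts;` is assigned a few lines earlier in the same route, so ANTIFLOOD_FAILED_AUTH_WINDOW only bounds anything after the limit has been hit and `$shtex` is applied in ANITFLOOD_AUTH_LIMIT; until then the `count` key presumably lives by the table's `autoexpire=ANTIFLOOD_CACHE_PERIOD` (600s), not the 300s the trydef suggests. Either drop the dead comparison or bound the counter at increment time with `$shtex(antiflood=>$Au::$si::count) = ANTIFLOOD_FAILED_AUTH_WINDOW;` right after the `$shtinc`, and consider aligning `Retry-After: 3600` with the expiry that is actually enforced. The `sht_rm_name_re` patterns in ANTIFLOOD_SUCCESSFUL_AUTH and ANTIFLOOD_RESET_AUTH escape only `.` and are not anchored, while `$Au` is taken from the client-supplied Authorization header, so if the match is unanchored (as it appears to be) a successful login as `lice@realm` from a given source would also clear `alice@realm`'s counter for that source; prefixing the expression with `^` and escaping the remaining regex metacharacters in the username would close that. Keying the counter by `$Au::$si` also means failures for one account spread across many source addresses are never aggregated, which looks like a deliberate trade-off but deserves a comment on the `antiflood` htable definition.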

+ 9
- 5
kamailio/dispatcher-role.cfg View File

@ -32,11 +32,15 @@ modparam("dispatcher", "ds_ping_from", "sip:sipcheck@MY_IP_ADDRESS")
####### Dispatcher Logic ########
route[DISPATCHER_CLASSIFY_SOURCE]
{
if (ds_is_from_list(1, 3) ||
ds_is_from_list(2, 3) ||
ds_is_from_list(3, 3) ||
ds_is_from_list(10, 3) ||
ds_is_from_list(20, 3)) {
if (is_myself("$ou")) {
xlog("L_INFO", "$ci|log|original R-URI ($ou) is this proxy, treating as external sources");
} else if (
ds_is_from_list(1, 3) ||
ds_is_from_list(2, 3) ||
ds_is_from_list(3, 3) ||
ds_is_from_list(10, 3) ||
ds_is_from_list(20, 3)
) {
xlog("L_INFO", "$ci|log|originated from internal sources");
setflag(FLAG_INTERNALLY_SOURCED);
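Review bot: The new `is_myself("$ou")` branch is evaluated before the `ds_is_from_list` checks, so a request from a dispatcher-listed host whose original R-URI is this proxy is no longer given FLAG_INTERNALLY_SOURCED even though its source address is on the trusted lists, and it will therefore fall under ANTIFLOOD_RATE_LIMIT and ANITFLOOD_AUTH_LIMIT; that matches the KAZOO-3491 commit title, but the rationale is not recorded in the file. A one-line comment above the condition would prevent a later "fix" that swaps the order, e.g. `# a request addressed to this proxy itself was relayed to us by an outside party: never trust it by source address alone`. Whether the remainder of the route assigns a different flag for this case is not visible, as DISPATCHER_CLASSIFY_SOURCE continues past the hunk.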


+ 9
- 5
kamailio/fast-pickup-role.cfg View File

@ -1,5 +1,5 @@
######## FAST PICKUP ROLE ########
modparam("htable", "htable", "park=>size=4;autoexpire=600")
modparam("htable", "htable", "park=>size=16;autoexpire=600")
modparam("htable", "htable", "fp=>size=32;autoexpire=3600;");
route[FAST_PICKUP_ATTEMPT]
@ -35,7 +35,7 @@ route[FAST_PICKUP_ATTEMPT]
xlog("L_INFO", "$ci|log|replaces call-id $var(replaced_call_id)");
$var(amqp_payload_request) = '{"Event-Category" : "call_event" , "Event-Name" : "channel_status_req", "Call-ID" : "' + $var(replaced_call_id) + '", "Active-Only" : true }';
$var(amqp_routing_key) = "call.status_req." + $(var(replaced_call_id){kz.encode});
sl_send_reply("100", "Attempting Kazoo query");
sl_send_reply("100", "Attempting K query");
if(kazoo_query("callevt", $var(amqp_routing_key), $var(amqp_payload_request))) {
$du = $(kzR{kz.json,Switch-URL});
if($du != $null) {
@ -85,13 +85,17 @@ route[FAST_PICKUP_INIT]
{
$var(AppName) = $(kzE{kz.json,App-Name});
if($var(AppName) == "park") {
$var(Pickup) = ";kazoo-pickup=true";
$var(Pickup) = ";a-leg=true";
} else {
if($(kzE{kz.json,State}) == "confirmed"){
$var(Pickup) = ";early-only=true";
} else {
$var(Pickup) = "";
}
}
$sht(fp=>$(kzE{kz.json,Call-Cookie})::Switch-URI) = $(kzE{kz.json,Switch-URI});
$sht(fp=>$(kzE{kz.json,Call-Cookie})::Call-ID) = $(kzE{kz.json,Target-Call-ID});
$sht(fp=>$(kzE{kz.json,Call-Cookie})::URI) = "sip:" + $(kzE{kz.json,From-User}) + "@" + $(kzE{kz.json,To-Realm}) + $var(Pickup);
$sht(fp=>$(kzE{kz.json,Call-Cookie})::Call-ID) = $(kzE{kz.json,Target-Call-ID}) + $var(Pickup);
$sht(fp=>$(kzE{kz.json,Call-Cookie})::URI) = "sip:" + $(kzE{kz.json,From-User}) + "@" + $(kzE{kz.json,To-Realm}) ;
}
# vim: tabstop=4 softtabstop=4 shiftwidth=4 expandtab
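Review bot: The reason `$var(Pickup)` (`;a-leg=true` / `;early-only=true`) now travels on the stored `Call-ID` value instead of the `URI` is not visible in this hunk, nor is the consumer of `$sht(fp=>...::Call-ID)`, so a comment at the assignment would save the next reader a search, e.g. `# pickup flags ride on the target Call-ID (presumably consumed when the Replaces header is built), not on the dial URI — confirm against FAST_PICKUP_ATTEMPT`. The `early-only` parameter is now set only when the event's `State` is `confirmed`; if `State` is the state of the dialog being replaced, a UA following RFC 3891 would refuse an early-only Replaces for a confirmed dialog, so this looks inverted and is worth a TODO-confirm note. Minor style: the URI assignment leaves a stray space before the terminating `;` after `$(kzE{kz.json,To-Realm})`.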

+ 1
- 1
kamailio/pusher-role.cfg View File

@ -15,7 +15,7 @@ route[INTERNAL_TO_EXTERNAL_PUSH]
$var(RoutingKey) = "notification.push." + $var(TokenType) + "." + $var(TokenID);
$var(exchange) = "pushes";
$avp(kz_timeout) = 20000;
sl_send_reply("100", "Attempting Kazoo query");
sl_send_reply("100", "Attempting K query");
kazoo_query($var(exchange), $var(RoutingKey), $var(Payload));
}


+ 1
- 1
kamailio/rate-limiter-role.cfg View File

@ -105,7 +105,7 @@ route[DOS_PREVENTION] {
avp_printf("$avp(s:query-request)", "{\"Entity\" : \"$var(entity)\", \"$var(method-key)\" : $var(method-value), \"Event-Category\" : \"rate_limit\", \"Event-Name\" : \"query\", \"With-Realm\" : $var(with-realm-request)}");
xlog("L_INFO", "$ci|RL log| Query: $avp(s:query-request)");
sl_send_reply("100", "Attempting Kazoo query");
sl_send_reply("100", "Attempting K query");
if (kazoo_query("frontier", "sbc_config", $avp(s:query-request), "$var(amqp_result)")) {
xlog("L_INFO", "$ci|RL log| Response: $var(amqp_result)");


+ 9
- 1
kamailio/registrar-role.cfg View File

@ -82,13 +82,16 @@ route[ATTEMPT_AUTHORIZATION]
} else {
$var(amqp_payload_request) = "{'Event-Category' : 'directory' , 'Event-Name' : 'authn_req', 'Method' : 'REGISTER', 'Auth-Realm' : '" + $fd + "', 'Auth-User' : '" + $fU + "', 'From' : '" + $fu + "', 'To' : '" + $tu +"' }";
$var(amqp_routing_key) = "authn.req." + $(fd{kz.encode});
sl_send_reply("100", "Attempting Kazoo query");
sl_send_reply("100", "Attempting K query");
if(kazoo_query("callmgr", $var(amqp_routing_key), $var(amqp_payload_request))) {
$var(password) = $(kzR{kz.json,Auth-Password});
$xavp(ulattrs=>custom_channel_vars) = $(kzR{kz.json,Custom-Channel-Vars});
xlog("L_INFO", "$ci|log|authenticating $Au via Kazoo query response");
} else {
xlog("L_INFO", "$ci|log|failed to query Kazoo for authentication credentials for $Au $si:$sp");
append_to_reply("Retry-After: 60\r\n");
sl_send_reply("500", "Retry Later");
exit;
}
}
@ -202,6 +205,11 @@ event_route[kazoo:consumer-event-directory-reg-flush]
xlog("L_INFO", "log|removing SIP credentials cache for $var(user)");
$sht(auth_cache=>$var(user)) = $null;
}
#!ifdef ANTIFLOOD-ROLE
route(ANTIFLOOD_RESET_AUTH);
#!endif
}
# vim: tabstop=4 softtabstop=4 shiftwidth=4 expandtab
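Review bot: The new `else` branch answers any `kazoo_query` failure with a stateless `500` plus `Retry-After: 60` and exits, but nothing says why this is preferred over letting the request fall through to the challenge path, and a reader may later "simplify" it into a 403 that would then count as a failed authorization; a comment such as `# backend/AMQP unavailable: ask the UA to back off instead of failing the auth attempt` would fix that, and the 60s value is inconsistent with the `Retry-After: 3600` the antiflood role sends for the same condition class. Not introduced here but in the same hunk: the `authn_req` payload is built by concatenating `$fd`, `$fU`, `$fu` and `$tu` into single-quoted JSON with no escaping, so a From or To header containing `'` breaks, or reshapes, the message sent to Kazoo; escaping those values (or building the payload with a JSON helper) is worth a follow-up. ATTEMPT_AUTHORIZATION starts and ends outside the hunk.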

+ 12
- 0
system/logrotate.d/rabbitmq.conf View File

@ -0,0 +1,12 @@
/var/log/rabbitmq/*.log {
weekly
missingok
rotate 20
compress
delaycompress
notifempty
sharedscripts
postrotate
/sbin/service rabbitmq-server rotate-logs > /dev/null
endscript
}
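Review bot: The postrotate hook `/sbin/service rabbitmq-server rotate-logs` depends on the SysV init script accepting a `rotate-logs` verb; on a host where `service` is a shim over systemd that verb is presumably not forwarded, so the files would be renamed while the broker keeps writing to the old inode until the next restart. Calling the broker directly, `rabbitmqctl rotate_logs`, or guarding with `if [ -x /usr/sbin/rabbitmqctl ]; then ... fi`, is independent of the init system. Consider also declaring the owner with `su rabbitmq rabbitmq` (if the installed logrotate supports it) so rotation does not run as root over a directory owned by the service account.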
