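# Request-filtering routes.
#
# Each FILTER_* route below logs a warning and ends processing of the
# current request (drop(); exit;) when the field it inspects looks like an
# IPv4 literal rather than a DNS domain.  The caller never regains control
# after a drop, so the order of the route() calls only decides which check
# is reported first.
#
# NOTE(review): the IPv4 patterns are unanchored and do not range-check the
# octets, so "999.1.2.3" or a host name that merely contains four dotted
# numbers also matches; IPv6 literals ("[2001:db8::1]") are not covered at
# all.  Tighten only after checking the expected traffic profile.

route[FILTER_REQUEST] {
    # Trusted sources (internal network / whitelist) bypass every filter.
    if (isflagset(FLAG_TRUSTED_SOURCE)) {
        return;
    }
    # REGISTER/SUBSCRIBE whose To or From domain is an IP literal are the
    # typical friendly-scanner signature.
    if (is_method("REGISTER|SUBSCRIBE")) {
        route(FILTER_TO_DOMAIN);
        route(FILTER_FROM_DOMAIN);
    }
    # INVITE with an IP literal as Request-URI domain or as auth realm.
    if (is_method("INVITE")) {
        route(FILTER_REQUEST_DOMAIN);
        route(FILTER_AUTHORIZATION_DOMAIN);
    }
}

# Drop the request when the Request-URI domain ($rd) is an IPv4 literal.
# Every separator is an escaped dot; the original pattern left the third
# one unescaped, so it matched any character there.
route[FILTER_REQUEST_DOMAIN] {
    if ($rd =~ "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}") {
        xlog("L_WARN", "$ci|end|dropping $rm request with IP domain\n");
        drop();
        exit;
    }
}

# Drop the request when it carries Proxy-Authorization and the auth realm
# ($ar) is an IPv4 literal.  Same escaped-dot fix as FILTER_REQUEST_DOMAIN.
route[FILTER_AUTHORIZATION_DOMAIN] {
    if (is_present_hf("Proxy-Authorization")
            && $ar =~ "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}") {
        xlog("L_WARN", "$ci|end|dropping request with IP domain in Proxy-Authorization header\n");
        drop();
        exit;
    }
}

# Drop the request when the From domain ($fd) is an IPv4 literal.
route[FILTER_FROM_DOMAIN] {
    if ($fd =~ "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}") {
        xlog("L_WARN", "$ci|end|dropping request with IP domain in From header\n");
        drop();
        exit;
    }
}

# Drop the request when the To domain ($td) is an IPv4 literal.
route[FILTER_TO_DOMAIN] {
    if ($td =~ "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}") {
        xlog("L_WARN", "$ci|end|dropping request with IP domain in To header\n");
        drop();
        exit;
    }
}

# Scanner / injection heuristics for INVITE and REGISTER, compiled in only
# under WITH_CCP_SECURITY_CHECKS.  The "$ci|block|..." log lines are the
# markers an external log watcher keys on, so their format must stay
# stable.
route[CCP_SECURITY_CHECKS] {
#!ifdef WITH_CCP_SECURITY_CHECKS
    if (is_method("INVITE|REGISTER")) {
        # Well-known scanner User-Agent strings.
        if ($ua =~ "(friendly-scanner|sipvicious|pplsip)") {
            xlog("$ci|block|Fail2Ban blocking traffic from $si Script Kiddie trying to exploit\n");
            drop();
            exit;
        }
        # Auth username containing SQL meta-characters.  The null test runs
        # first so the regex is never applied to an absent username.
        if ($au != $null and $au =~ "(\=)|(\-\-)|(')|(\#)|(\%27)|(\%24)") {
            xlog("$ci|block|Fail2Ban blocking traffic from $si SQL Injection attack over SIP\n");
            drop();
            exit;
        }
        # NOTE(review): this compares the full Record-Route URI (scheme and
        # parameters included) with the bare source IP, so any request that
        # carries a Record-Route header appears to be dropped here.  If the
        # intent is host-vs-source-IP, the {uri.host} transformation on the
        # extracted URI is the thing to confirm against live traffic before
        # changing the condition.
        if ($(hdr(Record-Route)[0]{nameaddr.uri}) != $si
                and $(hdr(Record-Route)[0]{nameaddr.uri}) != $null) {
            xlog("$ci|block|Fail2Ban blocking traffic from $si Spoofing attack over SIP\n");
            drop();
            exit;
        }
    }
#!endif
}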