######## Generic Hash Table container in shared memory ######## modparam("htable", "htable", "auth_cache=>size=16;autoexpire=7200") modparam("htable", "htable", "failed_auth_hash=>size=14;autoexpire=180;") ####### Authentication Interface module ########## loadmodule "auth.so" ####### User Location Implementation module ########## loadmodule "usrloc.so" modparam("usrloc", "db_mode", 0) modparam("usrloc", "db_update_as_insert", 1) modparam("usrloc", "use_domain", 1) modparam("usrloc", "nat_bflag", FLB_NATB) ######## NAT Traversal module - signaling functions ######## #!ifdef NAT-TRAVERSAL-ROLE #!trydef NATHELPER-LOADED loadmodule "nathelper.so" modparam("nathelper", "natping_interval", 30) modparam("nathelper", "ping_nated_only", 1) modparam("nathelper", "natping_processes", 5) modparam("nathelper", "sipping_bflag", FLB_NATSIPPING) #!endif ####### SIP Registrar implementation module ########## loadmodule "registrar.so" modparam("registrar", "received_avp", "$avp(AVP_RECV_PARAM)") modparam("registrar", "min_expires", 300) modparam("registrar", "max_expires", 3600) ####### Registrar Logic ######## route[HANDLE_REGISTER] { if (is_method("REGISTER")) { #!ifdef TRAFFIC-FILTER-ROLE route(DOMAIN_FORMAT_CHECK); #!endif #!ifdef NAT-TRAVERSAL-ROLE if (nat_uac_test("3")) { xlog("L_INFO", "$ci|log|correcting NATed contact in registration"); force_rport(); fix_nated_register(); } ## KAZOO-1846: Cisco SPA8000 freaks out on options pings if (!($ua =~ "Linksys/SPA8000")) { setbflag(FLB_NATB); setbflag(FLB_NATSIPPING); } #!endif if (is_present_hf("Authorization")) { #!ifdef TRAFFIC-FILTER-ROLE if (!route(PREVENT_BRUTEFORCE)) { auth_challenge("$fd", "0"); exit; } #!endif if ($sht(auth_cache=>$Au) != $null && pv_auth_check("$fd", "$sht(auth_cache=>$Au)", "0", "0")) { xlog("L_INFO", "$ci|log|authenticated $Au via cached SIP creds"); } else { ## RABBITMQ - Credentials fetch $var(amqp_payload_request) = "{'Event-Category' : 'directory' , 'Event-Name' : 'authn_req', 'Method' : 'REGISTER', 'Auth-Realm' : '" + $fd + "', 'Auth-User' : '" + $fU + "', 'From' : '" + $fu + "', 'To' : '" + $tu +"' }"; $var(amqp_routing_key) = "authn.req." + $(fd{kz.encode}); if(kazoo_query("callmgr", $var(amqp_routing_key), $var(amqp_payload_request))) { $var(password) = $(kzR{kz.json,Auth-Password}); if($var(password) != $null) { if (!pv_auth_check("$fd", "$var(password)", "0", "0")) { #!ifdef TRAFFIC-FILTER-ROLE route(FAILED_AUTH_COUNT); #!endif auth_challenge("$fd", "0"); xlog("L_INFO", "$ci|end|failed registration attempt from $si:$sp for $Au"); exit; } else { xlog("L_DBG", "$ci|log|caching SIP credentials for $Au"); $sht(auth_cache=>$Au) = $var(password); } } else { auth_challenge("$fd", "0"); xlog("L_INFO", "$ci|log|error getting password from kazoo response"); exit; } } else { auth_challenge("$fd", "0"); xlog("L_INFO", "$ci|log|error query kazoo for credentials"); exit; } } } else { auth_challenge("$fd", "0"); xlog("L_INFO", "$ci|end|issued new auth challenge to new registration attempt"); exit; } # user authenticated - remove auth header consume_credentials(); save("location"); $var(expires) = @contact.expires; if($var(expires) == $null) { $var(expires) = $hdr(Expires); } if($var(expires) == $null) { $var(expires) = 190; } $var(fs_path) = "%3C" + $rz + "%3A" + $Ri + "%3A" + $Rp + "%3Btransport=" + $proto + "%3Blr%3Breceived=" + $si+":"+$sp+"%3E"; $var(fs_contact) = "<" + $(ct{tobody.uri}) + ";fs_path=" + $var(fs_path) + ">"; if($(ct{tobody.params}) != $null) { $var(fs_contact) = $var(fs_contact) + ";" + $(ct{tobody.params}); } xlog("L_INFO", "$ci|end|successful registration with contact $var(fs_contact)"); $var(register_contants) = " 'Presence-Hosts' : 'n/a', 'Profile-Name' : 'sipinterface_1', 'Status' : 'Registered', 'Event-Timestamp' : '" + $TS + "'"; if($var(expires) != $null) { $var(register_contants) = $var(register_contants) + ", 'Expires' : " + $var(expires); } $var(amqp_payload_request) = "{'Event-Category' : 'directory', 'Event-Name' : 'reg_success', 'Contact' : '" + $var(fs_contact) + "', 'Call-ID' : '" + $ci + "', 'Realm' : '" + $fd +"', 'Username' : '" + $fU + "', 'From-User' : '" + $fU + "', 'From-Host' : '" + $fd + "', 'To-User' : '" + $tU +"', 'To-Host' : '" + $td + "', 'User-Agent' : '" + $ua +"' ," + $var(register_contants)+ " }"; $var(amqp_routing_key) = "registration.success." + $(fd{kz.encode}) + "." + $fU; xlog("L_DBG", "$ci|log|amqp_register_success = $var(amqp_payload_request)"); kazoo_publish("callmgr", $var(amqp_routing_key), $var(amqp_payload_request)); exit; } } # AUTH: check to see if user if present in failed_auth_hash route[PREVENT_BRUTEFORCE] { if (isflagset(FLAG_TRUSTED_SOURCE)) { return(1); } if($sht(failed_auth_hash=>$Au::count) >= 2) { $var(exp) = $Ts - 120; if($sht(failed_auth_hash=>$Au::last) > $var(exp)){ xlog("L_WARN", "$ci|log|possible password brute force, from $ct on user $Au"); return(-1); } else { $sht(failed_auth_hash=>$Au::count) = 0; } } return(1); } #AUTH: add to failed_auth_hash in case of authentication password error route[FAILED_AUTH_COUNT] { if (isflagset(FLAG_TRUSTED_SOURCE)) { return; } if ($rc == -2) { if($sht(failed_auth_hash=>$Au::count) == $null) { $sht(failed_auth_hash=>$Au::count) = 0; } $sht(failed_auth_hash=>$Au::count) = $sht(failed_auth_hash=>$Au::count) + 1; $sht(failed_auth_hash=>$Au::last) = $Ts; } } route[DOMAIN_FORMAT_CHECK] { if (isflagset(FLAG_TRUSTED_SOURCE)) { return; } if ($rd =~ "([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})" || $td =~ "([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})" ) { xlog("L_WARN", "$ci|end|denying request with IP domain in From or To header"); send_reply("403", "Forbidden"); exit; } } # vim: tabstop=4 softtabstop=4 shiftwidth=4 expandtab