ruhnet
/
kazoo-configs-kamailio
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 183 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1086 Commits
23 Branches
2.0 MiB
 
 
Tree: 1a4e4f7a03
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1a4e4f7a03'
${ noResults }
kazoo-configs-kamailio/kamailio/extra-traffic-filter-role.cfg

81 lines
2.8 KiB
Raw Blame History

####### Extra Traffic Filter Role Configuration ########
# Define default values for configuration options if not set in local.cfg
#!ifndef ETFR_BAN_DURATION
#!define ETFR_BAN_DURATION 1800
#!endif
# Define Bad User-Agent Patterns
#!ifndef ETFR_BAD_UA_PATTERNS
#!define ETFR_BAD_UA_PATTERNS "friendly-scanner|sipcli|sipsak|VaxSIPUserAgent|iWar|CSipSimple|sipvicious|sip-scan|svmap|VaxIPUserAgent|sundayddr|sipv|smap|PSYCHO|iPing|DiSipell|WebSipp|masscan|zmap|SIPBot|friendly-request|siparmyknife"
#!endif
#!substdef "!ETFR_SUBST_BAD_UA_PATTERNS!$def(ETFR_BAD_UA_PATTERNS)!g"
# Define SQL Injection Patterns
#!ifndef ETFR_SQL_INJECTION_PATTERNS
#!define ETFR_SQL_INJECTION_PATTERNS "([';]+|(--)+|(%27)+|(%23)+|(%24)+|[;]+|[']+)"
#!endif
# Initialize htable for banned IPs
#!substdef "!ETFR_SUBST_BAN_DURATION!$def(ETFR_BAN_DURATION)!g"
modparam("htable", "htable", "etfr_banned_ips=>size=8;autoexpire=ETFR_SUBST_BAN_DURATION")
route[EXTRA_FILTER_REQUEST] {
# Check if the source IP is banned
if ($sht(etfr_banned_ips=>$si)) {
xlog("L_WARN", "$ci|Fail2Ban| Dropping request from banned IP: $si\n");
exit;
}
# Proceed with INVITE filtering
if (is_method("INVITE")) {
# Extract the domain from the Request URI
$var(domain) = $rd;
# Check if the domain is an IP address
if ($var(domain) =~ "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$") {
# Check if the source IP is in the carrier group
if (!(allow_source_address(1) || allow_source_address(10))) {
# Source IP is not a carrier, ban the IP
xlog("L_ALERT", "$ci|Fail2Ban| Banned IP: $si Reason: INVITE with IP domain from untrusted source\n");
route(ETFR_BAN_IP);
} else {
xlog("L_WARN", "$ci|ETFR| Allowing Carrier IP: $si\n");
return;
}
}
# Check if the Request URI contains user '1000'
if ($rU == "1000") {
xlog("L_ALERT", "$ci|Fail2Ban| Banned IP: $si Reason: Attempt to call user 1000\n");
route(ETFR_BAN_IP);
}
}
# Check for known bad User-Agents
if ($ua =~ "(ETFR_SUBST_BAD_UA_PATTERNS)") {
xlog("L_ALERT", "$ci|Fail2Ban| Banned IP: $si Reason: Known bad User-Agent: $ua\n");
route(ETFR_BAN_IP);
}
# Check for SQL injection patterns in SIP message
if ($rb =~ "(ETFR_SQL_INJECTION_PATTERNS)" || $ru =~ "(ETFR_SQL_INJECTION_PATTERNS)") {
xlog("L_ALERT", "$ci|Fail2Ban| Banned IP: $si Reason: SQL injection attempt\n");
route(ETFR_BAN_IP);
}
return;
}
# Ban IP Route
route[ETFR_BAN_IP] {
# Add source IP to banned IPs table with auto-expire
$sht(etfr_banned_ips=>$si) = $Ts;
# Log the event for Fail2Ban
xlog("L_ALERT", "$ci|end| Added IP $si to etfr_banned_ips htable\n");
# Drop the request
exit;
}