This module has been designed to offer an additional layer of security over our communications. To achieve this, the following features are available:
- Blacklist to block user agents, IP addresses, countries, domains and users.
- Whitelist to allow user agents, IP addresses, countries, domains and users.
- Blacklist of destinations where the called number is not allowed.
- SQL injection attacks prevention.
When a check function is called, the value is first searched in the whitelist. If the value is not found there, the blacklist is searched.
All data is loaded into memory when the module is started. There is an RPC reload command to update all the data from the database. It is also possible to add new data to the blacklist or whitelist using other RPC commands.
The following modules must be loaded before this module:
database -- Any db_* database module
Database URL.
Default value is ""
Example 1.1. Set db_url parameter
...
modparam("secfilter", "db_url", "mysql://user:pass@localhost/kamailio")
...
Name of the table used to store the blacklisted and whitelisted values.
Default value is secfilter
Name of database column containing the type of list. The possible values are:
Default value is action
Name of database column containing the type of values. The possible values are:
Default value is type
Name of database column containing blacklisted and whitelisted values.
Default value is data
This value is used in the destinations blacklist and corresponds to the numbers that we want to prevent calling. If the value is 1, the call will appear as blacklisted if the destination is exactly the same. If the value is 0, every destination whose number begins with a number appearing on the destination blacklist will be rejected.
Default value is 1
It checks if the source IP address is blacklisted. The search is approximate and data stored in the database will be compared as a prefix. For example, if we have blacklisted the IP address 192.168.1., all messages from IPs like 192.168.1.% will be rejected.
Return values are:
Example 1.7. secf_check_ip usage
...
secf_check_ip();
if ($? == -2) {
    xlog("L_ALERT", "$rm from $si blocked because IP address is blacklisted");
    exit;
}
...
It checks if the user-agent is blacklisted. The search is approximate and the comparison will be made using the values of the database as a prefix. If we add to the user-agent blacklist the word sipcli, every message whose user-agent is named, for example, sipcli/1.6 or sipcli/1.8 will be blocked. It is very useful to block different versions of the same program.
Return values are:
Example 1.8. secf_check_ua usage
...
secf_check_ua();
if ($? == -2) {
    xlog("L_ALERT", "$rm from $si blocked because UserAgent '$ua' is blacklisted");
    exit;
}
...
Similar to secf_check_ua. It checks if the country (IP address) is blacklisted. Geoip module must be loaded to get the country code.
Return values are:
Example 1.9. secf_check_country usage
...
if (geoip2_match("$si", "src")) {
    secf_check_country($gip2(src=>cc));
    if ($avp(secfilter) == -2) {
        xlog("L_ALERT", "$rm from $si blocked because Country '$gip2(src=>cc)' is blacklisted");
        exit;
    }
}
...
It checks if any value of from header is blacklisted. It checks if from name or from user are in the users blacklist or whitelist. It also checks if the from domain is in the domains blacklist or whitelist. The blacklisted value will be used as a prefix and if we block, for example, the user sipvicious, all users whose name starts with this word will be considered as blacklisted.
Return values are:
Example 1.10. secf_check_from_hdr usage
...
secf_check_from_hdr();
switch ($?) {
    case -2:
        xlog("L_ALERT", "$rm to $si blocked because From user '$fU' is blacklisted");
        exit;
    case -3:
        xlog("L_ALERT", "$rm to $si blocked because From domain '$fd' is blacklisted");
        exit;
    case -4:
        xlog("L_ALERT", "$rm to $si blocked because From name '$fn' is blacklisted");
        exit;
};
...
Does the same as the secf_check_from_hdr function, but with the To header.
Return values are:
Example 1.11. secf_check_to_hdr usage
...
secf_check_to_hdr();
switch ($?) {
    case -2:
        xlog("L_ALERT", "$rm to $si blocked because To user '$tU' is blacklisted");
        exit;
    case -3:
        xlog("L_ALERT", "$rm to $si blocked because To domain '$td' is blacklisted");
        exit;
    case -4:
        xlog("L_ALERT", "$rm to $si blocked because To name '$tn' is blacklisted");
        exit;
};
...
Does the same as the secf_check_from_hdr function, but with the Contact header.
Return values are:
Example 1.12. secf_check_contact_hdr usage
...
secf_check_contact_hdr();
switch ($?) {
    case -2:
        xlog("L_ALERT", "$rm to $si blocked because Contact user '$ct' is blacklisted");
        exit;
    case -3:
        xlog("L_ALERT", "$rm to $si blocked because Contact domain '$ct' is blacklisted");
        exit;
};
...
It checks if the destination number is blacklisted. It must be used for INVITE messages. If the value of dst_exact_match is 1, the call will appear as blacklisted if the destination is exactly the same. If the value is 0, every destination whose number begins with a number appearing on the destination blacklist will be rejected.
Return values are:
Example 1.13. secf_check_dst usage
...
if (is_method("INVITE")) {
    secf_check_dst($rU);
    if ($? == -2) {
        xlog("L_ALERT", "$rm from $si blocked because destination $rU is blacklisted");
        send_reply("403", "Forbidden");
        exit;
    }
}
...
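The prefix rule described for secf_check_ip and secf_check_ua, the whitelist-before-blacklist order, and the dst_exact_match switch of secf_check_dst, modelled in Python as an added example (not code from the secfilter module or the Kamailio project). The function names, result strings and sample entries are assumptions made for illustration; the model also assumes whitelist entries are compared the same way as blacklist entries and that comparison is case-sensitive.

```python
# Illustrative model of the lookup rules described on this page.
# NOT the secfilter module's code: all names here are hypothetical.

def prefix_hit(value, entries):
    """True if any non-empty stored entry is a prefix of the checked value."""
    # Empty entries are skipped: "" is a prefix of everything and would
    # turn a single bad database row into a match-all rule.
    return any(e and value.startswith(e) for e in entries)

def check(value, whitelist, blacklist):
    """Whitelist is searched first; the blacklist only if nothing matched."""
    if prefix_hit(value, whitelist):
        return "whitelisted"
    if prefix_hit(value, blacklist):
        return "blacklisted"
    return "not found"

def check_dst(number, dst_blacklist, dst_exact_match=1):
    """Destination check: exact comparison when dst_exact_match is 1,
    prefix comparison when it is 0. Destinations only have a blacklist."""
    if dst_exact_match == 1:
        hit = number in dst_blacklist
    else:
        hit = prefix_hit(number, dst_blacklist)
    return "blacklisted" if hit else "not found"

# Constructed sample entries (not from a real deployment).
IP_BL_DOT = ["192.168.1."]    # entry as written in the page's example
IP_BL_NO_DOT = ["192.168.1"]  # same entry with the trailing dot left off
UA_WL, UA_BL = ["sipcli/1.8"], ["sipcli"]
DST_BL = ["555123123", "900"]

def demo():
    return [
        ("192.168.1.77 vs '192.168.1.'", check("192.168.1.77", [], IP_BL_DOT)),
        ("192.168.10.5 vs '192.168.1.'", check("192.168.10.5", [], IP_BL_DOT)),
        ("192.168.10.5 vs '192.168.1'", check("192.168.10.5", [], IP_BL_NO_DOT)),
        ("UA sipcli/1.8 (whitelisted)", check("sipcli/1.8", UA_WL, UA_BL)),
        ("UA sipcli/1.6", check("sipcli/1.6", UA_WL, UA_BL)),
        ("dst 9001234, exact match", check_dst("9001234", DST_BL, 1)),
        ("dst 9001234, prefix match", check_dst("9001234", DST_BL, 0)),
    ]

if __name__ == "__main__":
    for label, result in demo():
        print(f"{label:32} -> {result}")
```

The third case shows why the trailing dot in the page's 192.168.1. entry matters: without it the same rule also covers 192.168.10.x and 192.168.100.x.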
Reload all blacklisted and whitelisted values from database.
Print blacklisted and whitelisted values. Without parameters it will print all values. If you enter a type, it will print only the values of that type.
Possible values are:
Example 1.17. secfilter.print usage
...
kamcmd secfilter.print
kamcmd secfilter.print ua
kamcmd secfilter.print country
kamcmd secfilter.print dst
...
Print statistics of blocked and allowed messages.
Reset all statistics.
Insert values into destination blacklist. These values will be checked with the function secf_check_dst to verify if the destination number can be called.
Parameters:
Before running Kamailio with the secfilter module, it is necessary to set up the database table from which the module will read the blacklist data. To do that, if the table was not created by the installation script or you chose to install everything yourself, you can use the secfilter-create.sql SQL script in the database directories in the kamailio/scripts folder as a template. The database and table names can be set with module parameters, so they can be changed, but the names of the columns must match the ones in the SQL script. You can also find the complete database documentation on the project webpage, https://www.kamailio.org/docs/db-tables/kamailio-db-devel.html.
Example 1.23. Example database content - secfilter table
...
+----+-----------+-----------+------------------+
| id | action    | type      | data             |
+----+-----------+-----------+------------------+
|  1 | 0         | 2         | 1.1.1.1          |
|  2 | 0         | 0         | friendly-scanner |
|  3 | 0         | 0         | pplsip           |
|  4 | 0         | 0         | sipcli           |
|  5 | 0         | 4         | sipvicious       |
|  6 | 0         | 1         | ps               |
|  7 | 0         | 3         | 5.56.57.58       |
|  8 | 1         | 0         | asterisk pbx     |
|  9 | 1         | 2         | sip.mydomain.com |
| 10 | 2         | 0         | 555123123        |
| 11 | 2         | 0         | 555998776        |
+----+-----------+-----------+------------------+
...
Action values are:
Type values are:
Example 1.24. kamcmd secfilter.print ua
...
User-agent
==========
[+] Blacklisted
    -----------
    0001 -> friendly-scanner
    0002 -> pplsip
    0003 -> sipcli
    0004 -> sundayddr
    0005 -> iWar
    0006 -> sipsak
    0007 -> VaxSIPUserAgent
    0008 -> SimpleSIP
    0009 -> SIP Call
    0010 -> Ozeki
    0011 -> VoIPSec
    0012 -> SIPScan
    0013 -> Conaito
    0014 -> UsaAirport
    0015 -> PortSIP VoIP SDK
    0016 -> zxcvfdf11
    0017 -> fdgddfg546df4g8d5f
[+] Whitelisted
    -----------
    0001 -> my custom ua
...
Example 1.25. kamcmd secfilter.stats
...
Blocked messages (blacklist)
============================
[+] By user-agent    : 1256
[+] By country       : 45
[+] By from domain   : 0
[+] By to domain     : 0
[+] By contact domain: 1
[+] By IP address    : 2552
[+] By from name     : 0
[+] By to name       : 0
[+] By contact name  : 0
[+] By from user     : 316
[+] By to user       : 134
[+] By contact user  : 0

Allowed messages (whitelist)
============================
[+] By user-agent    : 0
[+] By country       : 478
[+] By from domain   : 0
[+] By to domain     : 0
[+] By contact domain: 0
[+] By IP address    : 0
[+] By from name     : 0
[+] By to name       : 0
[+] By contact name  : 0
[+] By from user     : 0
[+] By to user       : 0
[+] By contact user  : 0

Other blocked messages
======================
[+] Destinations     : 0
[+] SQL injection    : 213
...