Table of Contents
List of Examples
db_url parametertable_name parameteraction_col parametertype_col parameterdata_col parameterdst_exact_match parameterreload_delta parametercleanup_interval parametersecf_check_ip usagesecf_check_ua usagesecf_check_country usagesecf_check_from_hdr usagesecf_check_to_hdr usagesecf_check_contact_hdr usagesecf_check_dst usagesecf_check_sqli_hdr usagesecf_check_sqli_all usagesecfilter.reload usagesecfilter.print usagesecfilter.stats usagesecfilter.stats_reset usagesecfilter.add_dst usagesecfilter.add_bl usagesecfilter.add_wl usageTable of Contents
This module has been designed to offer an additional layer of security over our communications. To achieve this, the following features are available:
- Blacklist to block user agents, IP addresses, countries, domains and users.
- Whitelist to allow user agents, IP addresses, countries, domains and users.
- Blacklist of destinations where the called number is not allowed.
- SQL injection attacks prevention.
When a function is called, it will be searched in the whitelist. If the value is not found, then the blacklist will be searched.
All data will be loaded into memory when the module is started. There is an RPC reload command to update all the data from database. It is also possible to add new data to the blacklist or whitelist using other RPC commands.
The following modules must be loaded before this module:
database -- Any db_* database module
Database URL.
Default value is ""
Example 1.1. Set db_url parameter
...
modparam("secfilter", "db_url", "mysql://user:pass@localhost/kamailio")
...
Name of the table used to store the blacklisted and whitelisted values.
Default value is secfilter
Name of database column containing the type of list. The possible values are:
Default value is action
Name of database column containing the type of values. The possible values are:
Default value is type
Name of database column containing blacklisted and whitelisted values.
Default value is data
This value is used in the destinations blacklist and corresponds to the numbers that we want to prevent calling. If the value is 1, the call will appear as blacklisted if the destination is exactly the same. If the value is 0, every destination whose number begins with a number appearing on the destination blacklist will be rejected.
Default value is 1
The number of seconds that have to be waited before executing a new RPC reload. By default there is a rate limiting of maximum one reload in five seconds. If set to 0, no rate limit is configured.
Default value is 5
It checks if the source IP address is blacklisted. The search is approximate and data stored in the database will be compared as a prefix. For example, if we have blacklisted IP address 192.168.1. all messages from IPs like 192.168.1.% will be rejected.
Return values are:
Example 1.9. secf_check_ip usage
...
secf_check_ip();
if ($? == -2) {
xlog("L_ALERT", "$rm from $si blocked because IP address is blacklisted");
exit;
}
...
It checks if the user-agent is blacklisted. The search is approximate and the comparison will be made using the values of the database as a prefix. If we add to the user-agent blacklist the word sipcli, every message whose user-agent is named, for example, sipcli/1.6 or sipcli/1.8 will be blocked. It is very useful to block different versions of the same program.
Return values are:
Example 1.10. secf_check_ua usage
...
secf_check_ua();
if ($? == -2) {
xlog("L_ALERT", "$rm from $si blocked because UserAgent '$ua' is blacklisted");
exit;
}
...
Similar to secf_check_ua. It checks if the country (IP address) is blacklisted. Geoip module must be loaded to get the country code.
Return values are:
Example 1.11. secf_check_country usage
...
if (geoip2_match("$si", "src")) {
secf_check_country($gip2(src=>cc));
if ($avp(secfilter) == -2) {
xlog("L_ALERT", "$rm from $si blocked because Country '$gip2(src=>cc)' is blacklisted");
exit;
}
}
...
It checks if any value of from header is blacklisted. It checks if from name or from user are in the users blacklist or whitelist. It also checks if the from domain is in the domains blacklist or whitelist. The blacklisted value will be used as a prefix and if we block, for example, the user sipvicious, all users whose name starts with this word will be considered as blacklisted.
Return values are:
Example 1.12. secf_check_from_hdr usage
...
secf_check_from_hdr();
switch ($?) {
case -2:
xlog("L_ALERT", "$rm to $si blocked because From user '$fU' is blacklisted");
exit;
case -3:
xlog("L_ALERT", "$rm to $si blocked because From domain '$fd' is blacklisted");
exit;
case -4:
xlog("L_ALERT", "$rm to $si blocked because From name '$fn' is blacklisted");
exit;
};
...
Do the same as secf_check_from_hdr function but with the to header.
Return values are:
Example 1.13. secf_check_to_hdr usage
...
secf_check_to_hdr();
switch ($?) {
case -2:
xlog("L_ALERT", "$rm to $si blocked because To user '$tU' is blacklisted");
exit;
case -3:
xlog("L_ALERT", "$rm to $si blocked because To domain '$td' is blacklisted");
exit;
case -4:
xlog("L_ALERT", "$rm to $si blocked because To name '$tn' is blacklisted");
exit;
};
...
Do the same as secf_check_from_hdr function but with the contact header.
Return values are:
Example 1.14. secf_check_contact_hdr usage
...
secf_check_contact_hdr();
switch ($?) {
case -2:
xlog("L_ALERT", "$rm to $si blocked because Contact user '$ct' is blacklisted");
exit;
case -3:
xlog("L_ALERT", "$rm to $si blocked because Contact domain '$ct' is blacklisted");
exit;
};
...
It checks if the destination number is blacklisted. It must be user for INVITE messages. If the value of dst_exact_match is 1, the call will appear as blacklisted if the destination is exactly the same. If the value is 0, every destination whose number begins with a number appearing on the destination blacklist will be rejected.
Return values are:
Example 1.15. secf_check_dst usage
...
if (is_method("INVITE")) {
secf_check_dst($rU);
if ($? == -2) {
xlog("L_ALERT", "$rm from $si blocked because destination $rU is blacklisted");
send_reply("403", "Forbidden");
exit;
}
}
...
Reload all blacklisted and whitelisted values from database.
Print blacklisted and whitelisted values. Without parameters it will print all values. If you enter a type it will print this type values only.
Possible values are:
Example 1.19. secfilter.print usage
... kamcmd secfilter.print kamcmd secfilter.print ua kamcmd secfilter.print country kamcmd secfilter.print dst ...
Print statistics of blocked and allowed messages.
Reset all statistics.
Insert values into destination blacklist. These values will be checked with the function secf_check_dst to verify if the destination number can be called.
Parameters:
Before running Kamailio with the secfilter module, it is necessary to setup the database table where the module will read the blacklist data from. In order to do that, if the table was not created by the installation script or you choose to install everything by yourself you can use the secfilter-create.sql SQL script in the database directories in the kamailio/scripts folder as a template. Database and table name can be set with module parameters so they can be changed, but the name of the columns must match the ones in the SQL script. You can also find the complete database documentation on the project webpage, https://www.kamailio.org/docs/db-tables/kamailio-db-devel.html.
Example 1.25. Example database content - secfilter table
... +----+-----------+-----------+------------------+ | id | action | type | data | +----+-----------+-----------+------------------+ | 1 | 0 | 2 | 1.1.1.1 | | 2 | 0 | 0 | friendly-scanner | | 3 | 0 | 0 | pplsip | | 4 | 0 | 0 | sipcli | | 5 | 0 | 4 | sipvicious | | 6 | 0 | 1 | ps | | 7 | 0 | 3 | 5.56.57.58 | | 8 | 1 | 0 | asterisk pbx | | 9 | 1 | 2 | sip.mydomain.com | | 10 | 2 | 0 | 555123123 | | 11 | 2 | 0 | 555998776 | +----+-----------+-----------+------------------+ ...
Action values are:
Type values are:
Example 1.26. kamcmd secfilter.print ua
...
{
User-Agent: {
Blacklisted: {
Value: friendly-scanner
Value: pplsip
Value: sipcli
Value: sundayddr
Value: iWar
Value: sipsak
Value: VaxSIPUserAgent
Value: SimpleSIP
Value: SIP Call
Value: Ozeki
Value: VoIPSec
Value: SIPScan
Value: Conaito
Value: UsaAirport
Value: PortSIP VoIP SDK
Value: zxcvfdf11
Value: fdgddfg546df4g8d5f
Value: siptest
Value: Nmap NSE
}
Whitelisted: {
Value: my custom ua
}
}
}
...
Example 1.27. kamcmd secfilter.stats
...
{
Blacklist: {
User-Agent: 1256
Country: 45
From-Domain: 0
To-Domain: 0
Contact-Domain: 1
IP-Address: 2552
From-Name: 0
To-Name: 0
Contact-Name: 0
From-User: 316
To-User: 0134
Contact-User: 0
}
Whitelist: {
User-Agent: 0
Country: 478
From-Domain: 0
To-Domain: 0
Contact-Domain: 0
IP-Address: 0
From-Name: 0
To-Name: 0
Contact-Name: 0
From-User: 0
To-User: 0
Contact-User: 0
}
Other: {
Destination: 0
SQL-Injection: 213
}
}
...