Ok. Let's divide the overall task into several small steps.
I. How to implement the following:
- when Kamailio receives REGISTER from a user in the Internet
- Kamailio rewrites IP/UDP headers - it acts with Asterisk on behalf of the User, Asterisk should know just the Kamailio IP (add "Via"?)
- Kamailio remembers [somehow] this dialog (how?) and
- retransmits REGISTER to Asterisk
- on receiving Unauthorized Kamailio retransmits it to the User - this is an intermediate step, no action needed
- User repeats the Registration steps with the Nonce
- on receiving OK [from Asterisk] for the memorized dialog Kamailio retransmits OK to the User and composes User Location
- on receiving NOT FOUND, FORBIDDEN, etc. Kamailio retransmits the SIP answer to the User and after several unsuccessful attempts blocks the User IP
- Fail2Ban completes the rest - inserts a new rule
Every time Kamailio retransmits a SIP packet to the User from Asterisk it HIDES topology (IP/UDP headers and all SIP-related info from SIP packets). The User should know just about Kamailio as its counterpart.
How to track SIP REGISTER related messages inside Kamailio?
TO: Yu Boot - is it a "standalone" implementation? What do you think? :-)
Kind regards, Ellad
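The flow described in the message above, written as Kamailio configuration (an added example, not taken from the thread or from any poster's setup): the tm transaction ties each Asterisk reply back to the original REGISTER, the location record is saved only on 200 OK, and 403/404 replies are counted per source IP. The Asterisk address `192.0.2.10`, the `regfail` table name, the threshold of 5, the 900-second window and the `SBC-*` log tags are assumptions.

```kamailio
# Added example, not from the thread. Assumed values: Asterisk at
# 192.0.2.10:5060, a threshold of 5 failures, a 900-second counting window.
loadmodule "tm.so"
loadmodule "tmx.so"        # provides $T_req(...)
loadmodule "sl.so"
loadmodule "pv.so"
loadmodule "xlog.so"
loadmodule "textops.so"    # is_method()
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "htable.so"

# Per-source-IP failure counter; entries expire 900 s after the last update.
modparam("htable", "htable", "regfail=>size=8;autoexpire=900;initval=0;")

request_route {
    if (is_method("REGISTER")) {
        # Drop sources that already reached the threshold.
        if ($sht(regfail=>$si) >= 5) {
            xlog("L_ALERT", "SBC-BLOCK src=$si\n");   # line for Fail2Ban to match
            exit;
        }
        # tm creates the transaction that links this request to its replies.
        $du = "sip:192.0.2.10:5060";
        t_on_reply("REG_REPLY");
        if (!t_relay()) {
            sl_reply_error();
        }
        exit;
    }
}

# Runs for each reply Asterisk sends within that REGISTER transaction.
onreply_route[REG_REPLY] {
    # $si here is Asterisk; $T_req($si) is the source IP of the original REGISTER.
    $var(src) = $T_req($si);
    if ($rs == 200) {
        save("location");                   # store the binding in usrloc
        $sht(regfail=>$var(src)) = $null;   # successful login clears the counter
    } else if ($rs == 403 || $rs == 404) {
        $sht(regfail=>$var(src)) = $sht(regfail=>$var(src)) + 1;
        xlog("L_WARN", "SBC-REGFAIL src=$var(src) code=$rs\n");
    }
    # 401 is the normal digest challenge and is simply relayed to the user.
}
```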
22.10.2018 20:16, Yu Boot wrote:
I can help you with cfg, if you're ready to implement standalone softswitch on your Kamailio :)
22.10.2018 17:21, Ellad Yatsko wrote:
May you help?.. :-)
Kind regards, Ellad
22.10.2018 17:12, Alex Balashov wrote:
I did not say that my article represents a complete answer to every part of every one of your questions, at every level of abstraction and specificity. Just that it might be helpful. :-)
On Mon, Oct 22, 2018 at 04:40:03PM +0300, Ellad Yatsko wrote:
Dear Alex,
your article is just "general words". :-) There are a couple of questions:
- can my "vision" be completed?
- how can it be implemented?
The major problem as I see it is to modify the algorithm so Kamailio will not check the database but will lean on the answers of its upstream to generate UL. It should not BALANCE, just forward SIP traffic, ANALYZE answers of the Upstream SIP-Server, make decisions about attacks and PROXY RTP. This should be a clearer definition of what I would like to achieve.
I could be confused about the exact terminology of "Session Border Controller". But I'd like to implement FRAUD/BruteForce protection of my Asterisk using Kamailio (in the middle) because I heard it is highly effective from the point of view of heavy loads. Asterisk might not bear "tons" of SIP requests (dialogs).
Kind regards, Ellad
22.10.2018 12:07, Alex Balashov wrote:
I hate to plug my own articles, but in this case it might help:
http://www.evaristesys.com/blog/kamailio-as-an-sbc-five-years-on/
-- Sent from mobile. Apologies for brevity and errors.
-----Original Message-----
From: Ellad Yatsko eyatsko@ngs.ru
To: sr-users@lists.kamailio.org
Sent: Mon, 22 Oct 2018 3:28 AM
Subject: [SR-Users] Kamailio as SBC
Hello!
I'd like to implement the following diagram:
Users -> Internet -> Kamailio -> Asterisk
- Kamailio has no users of its own, it just rewrites headers and re-sends REGISTER messages to Asterisk where the users are located.
- Depending on Asterisk's answers Kamailio either forms UL (using the original IP from the first, original REGISTER from Users) or translates Asterisk's answer back to Users. If it is an error (e.g. forbidden/notfound) Kamailio blocks the User's IP (for instance using the pike module) and Fail2Ban adds the affected IP into IPSet's List to block it by IPTables permanently.
- INVITEs are translated to Asterisk as to the only Upstream SIP-Server. And again errors from Asterisk are processed in the same way as bad REGISTERs. Pike in conjunction with IPSet/IPTables blocks affected IPs.
- Asterisk sees all registrations from Internet users as if they are directly behind Kamailio. Kamailio rewrites headers twice: from Users to Asterisk and from Asterisk to Users - this allows hiding the topology from users (they deal ONLY with Kamailio) and blocking non-static IPs on the Asterisk side.
Is this possible?
Kind regards, Ellad Yatsko
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users