23 Oct
2018
23 Oct
'18
12:30 p.m.
Ok. Let's divide overall task onto several little steps.
I. How to implement the following:
- when Kamailio receives REGISTER from user in the Internet
- Kamailio rewrites IP/UDP headers - it acts with Asterisk on behalf
of User, Asterisk should know just Kamailio IP (add "Via"?)
- Kamailio remembers [somehow] this dialog (how?) and
- retransmits REGISTER to Asterisk
- on receiving Unauthorized Kamailio retransmits it to User - this is
an intermediate step, no action needed
- User repeats steps on Registration with the Nonce
- on receiving OK [from Asterisk] for the memorized dialog Kamailio
retransmits OK to User and composes User Location
- on receiving NOT FOUND, FORBIDDEN, etc Kamailio retransmits SIP
answer to User and after several unsuccessful attempts blocks User IP
- Fail2Ban completes the rest - inserts new rule
Every time Kamailio retransmit SIP packet to the User from Asterisk it
HIDES topology (IP/UDP headers and all SIP-related Info from SIP
Packets). User should know just about Kamailio as about its counterpart.
How to track SIP REGISTER related messages inside Kamailio?
TO: Yu Boot - is it "standalone" implementation? How do you think? :-)
Kind regards,
Ellad
22.10.2018 20:16, Yu Boot пишет:
I can help you with cfg, if you 're ready to
implement standalone
softswitch on your Kamailio :)
22.10.2018 17:21, Ellad Yatsko пишет:
May you help?.. :-)
Kind regards,
Ellad
22.10.2018 17:12, Alex Balashov пишет:
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users I did not say that my article represents a
complete answer to every
part
of every one of your questions, at every level of abstraction and
specificity. Just that it might be helpful. :-)
On Mon, Oct 22, 2018 at 04:40:03PM +0300, Ellad Yatsko wrote:
> Dear Alex,
>
> your article is just "general words". :-) There is a couple of
> questions:
>
> - can my "vision" be completed?
> - how can it be implemented?
>
> The major problem as I see is to modify algorithm so Kamailio will
> not check
> database but will lean on answers of its upstream to generate
> UL. It should not BALANCE, just forward SIP traffic, ANALYZE
> answers of
> Upstream
> SIP-Server, make decision about attacks and PROXY RTP. It should be
> more
> clear
> definition what I would like to achieve.
>
> I could be confused about exact terminology of "Session Border
> Controller".
> But I'd like to implement FRAUD/BruteForce protection of my
> Asterisk using
> Kamailio (in the middle) because I heard it highly effective in the
> point
> of view of heavy loads. Asterisk might not bear a "tons" of SIP
> requests
> (dialogs).
>
>
>
> Kind regards,
> Ellad
>
>
> 22.10.2018 12:07, Alex Balashov пишет:
>> I hate to plug my own articles, but in this case it might help:
>>
>> http://www.evaristesys.com/blog/kamailio-as-an-sbc-five-years-on/
>>
>> --
>> Sent from mobile. Apologies for brevity and errors.
>>
>> -----Original Message-----
>> From: Ellad Yatsko <eyatsko(a)ngs.ru>
>> To: sr-users(a)lists.kamailio.org
>> Sent: Mon, 22 Oct 2018 3:28 AM
>> Subject: [SR-Users] Kamailio as SBC
>>
>> Hello!
>>
>> I'd like to implement the following diagram:
>>
>> Users -> Internet -> Kamailio -> Asterisk
>>
>> 1. Kamailio has no own users, it just re-writes headers and re-send
>> REGISTER messages to Asterisk where usres are located.
>>
>> 2. Depending on Astersisk's answers Kamailio either form UL (using
>> original IP from the first, original REGISTER from Users) or
>> translates
>> Asterisk's answer back to Users. If it is error (e.g.
>> forbidden/notfound) Kamailio blocks User's IP (for instance using
>> pike
>> module) and Fail2Ban adds affected IP into IPSet's List to block
>> it by
>> IPTables Permanently.
>>
>> 3. INVITEs are translated to Asterisk as to the only Upstream
>> SIP-Server. And again Errors from Asterisk are processed in the
>> same way
>> as Bad REGISTERs. Pike in conjunction with IPSet/IPTables block
>> affected
>> IPs.
>>
>> 4. Astersisk sees all registrations from Internet user as they are
>> directly behind Kamailio. Kamailio rewirtes headers twice: from
>> Users to
>> Asterisk and from Asterisk to Users - this allows to hide topology
>> from
>> users (they deal ONLY with Kamailio) and block non-static IPs on the
>> Asterisk's side.
>>
>> Is this possible?
>>
>> Kind regards,
>> Ellad Yatsko
>>
>>
>>
>>
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users(a)lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users(a)lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users(a)lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users