Dear Alex,
your article is just "general words". :-) There is a couple of questions:
- can my "vision" be completed?
- how can it be implemented?
The major problem as I see is to modify algorithm so Kamailio will not check
database but will lean on answers of its upstream to generate
UL. It should not BALANCE, just forward SIP traffic, ANALYZE answers of
Upstream
SIP-Server, make decision about attacks and PROXY RTP. It should be more
clear
definition what I would like to achieve.
I could be confused about exact terminology of "Session Border Controller".
But I'd like to implement FRAUD/BruteForce protection of my Asterisk using
Kamailio (in the middle) because I heard it highly effective in the point
of view of heavy loads. Asterisk might not bear a "tons" of SIP requests
(dialogs).
Kind regards,
Ellad
22.10.2018 12:07, Alex Balashov пишет:
I hate to plug my own articles, but in this case it
might help:
http://www.evaristesys.com/blog/kamailio-as-an-sbc-five-years-on/
--
Sent from mobile. Apologies for brevity and errors.
-----Original Message-----
From: Ellad Yatsko <eyatsko(a)ngs.ru>
To: sr-users(a)lists.kamailio.org
Sent: Mon, 22 Oct 2018 3:28 AM
Subject: [SR-Users] Kamailio as SBC
Hello!
I'd like to implement the following diagram:
Users -> Internet -> Kamailio -> Asterisk
1. Kamailio has no own users, it just re-writes headers and re-send
REGISTER messages to Asterisk where usres are located.
2. Depending on Astersisk's answers Kamailio either form UL (using
original IP from the first, original REGISTER from Users) or translates
Asterisk's answer back to Users. If it is error (e.g.
forbidden/notfound) Kamailio blocks User's IP (for instance using pike
module) and Fail2Ban adds affected IP into IPSet's List to block it by
IPTables Permanently.
3. INVITEs are translated to Asterisk as to the only Upstream
SIP-Server. And again Errors from Asterisk are processed in the same way
as Bad REGISTERs. Pike in conjunction with IPSet/IPTables block affected
IPs.
4. Astersisk sees all registrations from Internet user as they are
directly behind Kamailio. Kamailio rewirtes headers twice: from Users to
Asterisk and from Asterisk to Users - this allows to hide topology from
users (they deal ONLY with Kamailio) and block non-static IPs on the
Asterisk's side.
Is this possible?
Kind regards,
Ellad Yatsko
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users