On Thursday 16 June 2011, Anto wrote:

After reading the modules pike, pipelimit, etc. I wanted to know what measures can be used in the proxy, because like me, there will be more people interested ;-).

We see that the module pike is a good security measure, but for users with many channels, we used the configuration of users with few channels (could we discriminate and make different rules for each?). If we have the proxy settings for normal users and have trunk configuration as well, I guess we also mark the traffic of the trunk to see it too aggressive about the user. As you might know if discriminate different types of users according to their traffic, one solution I can think of is to have different proxies for each user type (trunk, normal, etc).

Hi Anto,

having different systems is one solution, you could also just use internally in one server different traffic classes for the user sets you have.

Is there any way to implement something that detects unusual behavior on the user (referred to countries that do not ever called, excessive traffic, etc)?. I ask not to try to implement something that exists or perhaps someone can advise me how to do so because it is very likely not get it or do it wrong :-P . Continue to seek information and if I find something to contribute, send him to the list.

You should also look into the htable module for account/ password brute force detection. If you want to implement something w/r to the origination country of certain traffic, there is the geoip module which can provide you this informations, wich you could also combine with the modules already discussed.

Can you think of some way more secure proxy (mainly user accounts)? Do some basic safety tips to take into consideration? Any guidance? My advice to avoid trying to schedule something with 100 lines of code when I can do with 5 lines? Does this indicate that I intend to do not I make it :-P ?. What I said, I will try paper on the subject and if I can find information on something (though it may seem a bad code :-( ), which publishes. Thanks ;-)

With regards to user accounts, one thing you probably want to look at is password security and fraud or misuse detection logic. Smart attackers will find ways around your proactive measures, and you need to respond actively, like blocking users after you detected something malicious.

Best regards,

Henning

2011/6/16 Anto potxoka@gmail.com:

Is there any way to implement something that detects unusual behavior on the user (referred to countries that do not ever called, excessive traffic, etc)?.

This requirement is too complex to implement it in a generic module (IMHO). For example, if we are a Spanish telco operator and our clients are mostly Spanish, they usually call Spanish numbers. If one of them starts making lot of calls to Slovenia it could be an attack. But maybe we have a client that, in fact, makes lot of calls to Slovenia por any valid reason (businness model and so). So each client could require a different "security profile".

We are planning to build a system for this purpose. The idea is having a separate custom server (not a SIP server, or maybe) that collects clients calls and analyze them against a "security profiles backend" (a DB or whatever). When kamailio receives a call it would communicate with this server in some way and ask it "client XXXX wants to make a call tu NNNNNNN, should I allow it?". Then the custom server would apply internal logic and give a fast response (yes/no).

I think this is too complex and could make sense to build a separate/custom server for this purpose, and then, maybe create a custom Kamailio module for communicating Kamailio with the server (some communication protocol and so).