Kamailio SIP Server Wiki

User Tools

Site Tools

Trace:
tutorials:security:kamailio-security

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision 		Previous revision
Next revision Both sides next revision
tutorials:security:kamailio-security [2014/01/28 15:24]
davy.van.de.moere_gmail.com created 		tutorials:security:kamailio-security [2014/01/29 12:01]
davy.van.de.moere_gmail.com [Accept their traffic]
Line 7: Line 7:
 </code> </code>
  
-list of config snippets you can use in Kamailio to have more fun with Hackers!+Being responsible for VoIP infrastructure means you will have to co-exist with Hackers. This page is an attempt to list (all) config snippets you can use in Kamailio to have more fun and success in your eternal battle!
  
 ===== Security by Obscurity ===== ===== Security by Obscurity =====
Line 102: Line 102:
 </code> </code>
  
 +Or you can just tell Kamailio to not put a server header:
 +
 +<code>
 +server_signature=no
 +</code>
 +
 +In the same category you have the sip_warning parameter, which is by default enabled. This setting exposes a lot of information about your infrastructure. In production it is advisable to just disable:
 +
 +<code>
 +sip_warning=0
 +</code>
 ===== Anti-Flood ===== ===== Anti-Flood =====
  
 +The moment you put a machine on the Internet, it will be scanned. And it won't take long until a <i>Friendly-Scanner</i> floods your machine.
 +
 +Three types of attacks are to be recognized:
 +
 +1/ bruteforcing username/password: 
 +
 +Your Kamailio setup can process thousands of SIP packets per second, and at those rates it is worthwhile for attackers to guess credentials which allow them to call out. When users are allowed to create their own passwords, there will be weak passwords.
 +
 +2/ bruteforcing prefixes:
 +
 +A typical configuration error is to take shortcuts in your config. In SS7 a typical method to arrange routing, is by adding prefixes to URI's. Attackers know this, and attempt to guess prefixes which behave differently.
 +
 +3/ Denial of Service:
 +
 +Whenever you have a packet arriving on your Kamailio machine, it will require a bit of time of your CPU. For some packets there is additional processing done, e.g. whenever credentials are checked you can have a query being executed. 
 +
 +When debugging your setup, it can be very annoying when you see thousands of packets passing over your screen. (stealing content from [[http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack|asipto]])
 +
 +==== Pike ====
 +
 +The pike module tracks the number of SIP messages per source IP address, per period. Pike is a very easy to add to your config:
 +
 +<code>
 +loadmodule "pike.so"
 + 
 +...
 + 
 +# ----- pike params -----
 +modparam("pike", "sampling_time_unit", 2)
 +modparam("pike", "reqs_density_per_unit", 20)
 +modparam("pike", "remove_latency", 4)
 + 
 +...
 + 
 +route {
 +  if (!pike_check_req()) {
 +    xlog("L_ALERT","ALERT: pike block $rm from $fu (IP:$si:$sp)\n");
 +    exit;
 +  }
 +  ...
 +}
 +</code>
 +
 +In recent sample configs you can just enable #!define WITH_ANTIFLOOD in your config to have this done. 
 +
 +==== Banning for a period of time ====
 +
 +You can add htable module with a special hash table that can store the list of banned IPs and forbid traffic from it for a period of time. Here is an example blocking the IP 5 minutes (autoexpires value in seconds for htable definition):
 +
 +<code>
 +loadmodule "htable.so"
 +...
 +modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")
 + 
 +...
 + 
 +route {
 +  if($sht(ipban=>$si)!=$null)
 +  {
 +     # ip is already blocked - keep the node warm
 +     pike_check_req();
 +     xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)\n");
 +     exit;
 +  }
 +  if (!pike_check_req()) {
 +     $sht(ipban=>$si) = 1;
 +     xlog("L_ALERT","ALERT: pike block $rm from $fu (IP:$si:$sp)\n");
 +     exit;
 +  }
 +...
 +}
 +</code>
 +
 +So, even if the attacker lowers the rate, it is still banned for 5 minutes. This approach has the benefit of printing the PIKE alert every 5 minutes, being easier to sport in syslog file the IP addresses that persist in flooding. By configuration, htable module will delete the entry automatically after 300sec.
 +
 +Also, you can print the list of banned IP addresses using Siremis (via MI Commands panel) or kamctl:
 +
 +kamctl fifo sht_dump ipban
  
  
 ==== Fail2Ban ==== ==== Fail2Ban ====
  
 +Fail2ban can scan syslog files for specific messages based on regular expressions and act upon matching by banning IP addresses.
  
 +Therefore you can print such message to syslog using xlog(). Fail2ban will match it and ban the traffic coming from the IP address you mention in the message.
 +
 +Create /etc/fail2ban/filter.d/kamailio.conf with following content:
 +
 +<code>
 +[Definition]
 +# filter for kamailio messages
 +failregex = Blocking traffic from <HOST>
 +</code>
 +
 +Edit /etc/fail2ban/jail.conf and add:
 +
 +<code>
 +findtime  = 600
 +
 +[kamailio-iptables]
 +enabled  = true
 +filter   = kamailio
 +action   = iptables-allports[name=KAMAILIO, protocol=all]
 +logpath  = /var/log/kamailio.log # update it with your kamailio log path
 +maxretry = 10
 +bantime  = 1800
 +</code>
 +
 +In Kamailio configuration, use next line whenever you want to ban an IP for half an hour:
 +
 +<code>
 +xlog("Blocking traffic from $si\n");
 +</code>
 +
 +Note: $si is a config file variable that expands at runtime to source IP address. In the syslog you will get messages like:
 +
 +... Blocking traffic from 1.2.3.4
 +For example, plugging it in the above Kamailio snippets:
 +
 +<code>
 +...
 + $var(exp) = $Ts - 900;
 +        if($sht(a=>$au::last_auth) > $var(exp))
 +        {
 +            sl_send_reply("403", "Try later");
 +            xlog("Blocking traffic from $si\n");
 +            exit;
 +        } else {
 +            $sht(a=>$au::auth_count) = 0;
 +        }
 +...
 +</code>
 +
 +Now, with this logic, if a user fails to authenticate 3 times in a row during 15 minutes, then the IP address of last registration attempt is blocked in firewall for half an hour by fail2ban.
 +
 +You can do something similar for pike alerts.
 +
 +===== Active detection and monitoring =====
 +
 +==== Accept their traffic ====
 +
 +Give them false positives. Even if the above techniques quickly block off every scanning attempt, and even have iptables firewall them away from your Kamailio, when you have a tshark or ngrep running, their futile attempts are just really really annoying.
 +
 +Hence, one of the things I personally like doing is instead of blocking them off after the 3 wrong authentication errors, is just having all their traffic forwarded to a different kamailio, which is setup to just accept whatever they are sending. A fun variation is, I have a phone (a good old Snom360) on my desk which receives all the Invites coming to my honeypot kamailio. 
 +
 +The end result is, the automated scanners will get false positives and will typically stop. And even more fun, typically the attackers will manually check if the route they have found actually work, so they will actually call you, and then you can have a fun conversation with them :-p
 +
 +==== Detect and block malicious attempts ====
 +
 +The Homer project has a few methods to detect common attacks. It makes sense to add this to you config, as these attacks should just not be given any attention.
 +
 +Config is based on the [[https://code.google.com/p/homer/source/browse/configs/kamailio.cfg?r=e10bad0893cb56dc8f63c52947601e4c9981d254|work of the Homer team]]
 +
 +<code>
 +#!define WITH_HOMER_SECURITY_CHECKS
 +
 +...
 +
 +route[HOMER_SECURITY_CHECKS] {
 +#!ifdef WITH_HOMER_SECURITY_CHECKS
 +  if (is_method("INVITE|REGISTER")) {
 +
 +                if($ua =~ "(friendly-scanner|sipvicious)") {
 +                   xlog("L_INFO","On more scriptkiddie, coming from $si, blocking");
 +                   exit;
 +                }
 +
 +                #hostname in contact
 +                if($sel(contact.uri.host) =~ "^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$") {
 +                   xlog("L_INFO","Someone coming form $si using IP addressess instead of DNS ? blocking");
 +                   exit;
 +                }
 +
 +
 +                if($au =~ "(\=)|(\-\-)|(')|(\#)|(\%27)|(\%24)" and $au != $null) {
 +                   xlog("L_INFO","Someone from $si is doing an sql injection attack, blocking!");
 +                   exit;
 +                }
 +
 +                if($(hdr(Record-Route)[0]{nameaddr.uri}) != $si and $(hdr(Record-Route)[0]{nameaddr.uri}) != $null) {
 +                   xlog("L_INFO","Spoofing attack detected from $si, blocking");
 +                   exit;
 +                }
 +  }
 +#!endif
 +}
 +</code>
tutorials/security/kamailio-security.txt ยท Last modified: 2019/05/23 12:42 by pepelux

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki