tutorials:security:kamailio-security [2014/01/28 16:43] davy.van.de.moere_gmail.com
tutorials:security:kamailio-security [2014/01/29 11:41] davy.van.de.moere_gmail.com [Overview of Security related config snippets]
Line 7: | Line 7: | ||
</ | </ | ||
- | A list of config snippets you can use in Kamailio to have more fun with Hackers! | + | Being responsible for VoIP infrastructure means you will have to co-exist with Hackers. This page is an attempt to list (all) config snippets you can use in Kamailio to have more fun and success in your eternal battle! |
===== Security by Obscurity ===== | ===== Security by Obscurity ===== | ||
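Review bot: the rewritten intro promises "(all)" config snippets, which the page cannot keep as new snippets are added; drop the parenthetical and say "a list of config snippets you can use in Kamailio" so the scope matches what the sections below actually cover.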
Line 192: | Line 192: | ||
==== Fail2Ban ==== | ==== Fail2Ban ==== | ||
+ | Fail2ban can scan syslog files for specific messages based on regular expressions and act upon matching by banning IP addresses. | ||
+ | Therefore you can print such message to syslog using xlog(). Fail2ban will match it and ban the traffic coming from the IP address you mention in the message. | ||
+ | |||
+ | Create / | ||
+ | |||
+ | < | ||
+ | [Definition] | ||
+ | # filter for kamailio messages | ||
+ | failregex = Blocking traffic from < | ||
+ | </ | ||
+ | |||
+ | Edit / | ||
+ | |||
+ | < | ||
+ | findtime | ||
+ | |||
+ | [kamailio-iptables] | ||
+ | enabled | ||
+ | filter | ||
+ | action | ||
+ | logpath | ||
+ | maxretry = 10 | ||
+ | bantime | ||
+ | </ | ||
+ | |||
+ | In Kamailio configuration, | ||
+ | |||
+ | < | ||
+ | xlog(" | ||
+ | </ | ||
+ | |||
+ | Note: $si is a config file variable that expands at runtime to source IP address. In the syslog you will get messages like: | ||
+ | |||
+ | ... Blocking traffic from 1.2.3.4 | ||
+ | For example, plugging it in the above Kamailio snippets: | ||
+ | |||
+ | < | ||
+ | ... | ||
+ | $var(exp) = $Ts - 900; | ||
+ | if($sht(a=> | ||
+ | { | ||
+ | sl_send_reply(" | ||
+ | xlog(" | ||
+ | exit; | ||
+ | } else { | ||
+ | $sht(a=> | ||
+ | } | ||
+ | ... | ||
+ | </ | ||
+ | |||
+ | Now, with this logic, if a user fails to authenticate 3 times in a row during 15 minutes, then the IP address of last registration attempt is blocked in firewall for half an hour by fail2ban. | ||
+ | |||
+ | You can do something similar for pike alerts. | ||
+ | |||
+ | ==== Accept their traffic ==== | ||
+ | |||
+ | Give them false positives. |
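Review bot: the ban thresholds in the jail and in the prose do not agree. The Kamailio snippet only emits the "Blocking traffic from" xlog() line once its own counter (the `$sht(a=>...` check against `$Ts - 900`) has tripped, so one Kamailio-side block produces one syslog line; with `maxretry = 10` in `[kamailio-iptables]`, fail2ban will only add the iptables rule after ten such lines inside `findtime`, not after "3 failed authentications in 15 minutes" as the closing paragraph states. Either set `maxretry = 1` so a single Kamailio block triggers the firewall ban, or reword the paragraph to describe both thresholds (Kamailio counts the failures, fail2ban counts the block messages). Two smaller points on the same hunk: `findtime` is placed above the `[kamailio-iptables]` header, so it applies to whichever section precedes it (normally every jail in the file) rather than to this jail only, and the filter file name created under the "Create /..." step must match the `filter` value in the jail exactly, so it is worth showing the full path of both in the text.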