<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi Sergey<div class=""><br class=""></div><div class="">That’s almost exactly what I’m doing, apart from I’m not using drop, just exit. However it leaves the TCP connection hanging waiting to timeout before it’s closed. Which felt untidy and a waste of resources. It looks like this is the only option without coding a ‘exit-and-drop’ function.</div><div class=""><br class=""></div><div class="">Cheers</div><div class="">Mark</div><div class=""><br class=""></div><div class=""><div><blockquote type="cite" class=""><div class="">On 11 Oct 2017, at 09:47, Sergey Safarov <<a href="mailto:s.safarov@gmail.com" class="">s.safarov@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><p dir="ltr" class="">You can use dns name as SIP realm.<br class="">
Then you can silencly drop messages that contains IP address to From/To field</p><p class="">Example <a href="https://github.com/2600hz/kazoo-configs-kamailio/blob/master/kamailio/traffic-filter-role.cfg" class="">https://github.com/2600hz/kazoo-configs-kamailio/blob/master/kamailio/traffic-filter-role.cfg</a></p><p class=""><br class=""></p>
<br class=""><div class="gmail_quote"><div dir="ltr" class="">вт, 10 окт. 2017 г., 13:36 Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com" target="_blank" class="">miconda@gmail.com</a>>:<br class=""></div></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br class="">
<br class="">
<br class="">
On 09.10.17 12:17, Mark Boyce wrote:<br class="">
> Hi Daniel,<br class="">
><br class="">
> Thanks, I see tcpops lets us set the lifetime … although it’s not really the length of the lifetime that concerns me.<br class="">
><br class="">
> I guess I’m thinking more a SIP TCP Firewall type of system. If someone is scanning/ddos/etc I don’t think we should be sending a response at all, unless there’s something I’ve missed?<br class="">
<br class="">
usually is better not to send a response, especially when matching the<br class="">
attack first time, so it doesn't discover it is a sip server. If the<br class="">
attacker already knows, sometimes it helps to just send a 200 ok<br class="">
response, because that may make the scanning script stop, because it<br class="">
thinks it has discovered a good password.<br class="">
<br class="">
> We could just use fail2ban but that would mean spawning an executable or writing each attempt to logs.<br class="">
<br class="">
That's an option used by many out there, a matter of preferences.<br class="">
><br class="">
> Maybe I’m doing things the wrong way round but I can’t help feeling that letting kamailio see the attempts and log stats, sources, etc is more useful than an iptables drop?<br class="">
<br class="">
I typically do it with kamailio, as I am more familiar with.<br class="">
<br class="">
Of course, there is always the option to add a function to close a tcp<br class="">
connection (as alternative to setting lifetime to 1 sec), but one has to<br class="">
go and code it, tcpops is a good place for such addition.<br class="">
<br class="">
Cheers,<br class="">
Daniel<br class="">
<br class="">
> Cheers,<br class="">
> Mark<br class="">
><br class="">
><br class="">
>> On 9 Oct 2017, at 10:51, Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com" target="_blank" class="">miconda@gmail.com</a>> wrote:<br class="">
>><br class="">
>> Hello,<br class="">
>><br class="">
>> tcpops module offers a function to set the lifetime of a tcp connection,<br class="">
>> so you can set it to 1 second:<br class="">
>><br class="">
>> -<a href="https://www.kamailio.org/docs/modules/stable/modules/tcpops.html" rel="noreferrer" target="_blank" class="">https://www.kamailio.org/docs/modules/stable/modules/tcpops.html</a><br class="">
>><br class="">
>> Core offers a function to instruct closing the connection once a reply<br class="">
>> has been sent, but it seems you don't want to send anything back.<br class="">
>><br class="">
>> Cheers,<br class="">
>> Daniel<br class="">
>><br class="">
>><br class="">
>> On 08.10.17 22:11, Mark Boyce wrote:<br class="">
>>> Hi all<br class="">
>>><br class="">
>>> Just working on some connections security filters on a Kamailio install. The security goes something like this;<br class="">
>>><br class="">
>>> In REQINT … if source_ip is not in customers IP white-list then just exit<br class="">
>>><br class="">
>>> This works fine for UDP where packets are just ignored if they don’t come from a trusted IP.<br class="">
>>><br class="">
>>> However on TCP this leads to the connection staying open until it either times out or the source disconnects. Which feels untidy.<br class="">
>>><br class="">
>>> Is there a way to say close the TCP connection from within the config script?<br class="">
>>><br class="">
>>> Thanks<br class="">
>>><br class="">
>>> Mark<br class="">
>> --<br class="">
>> Daniel-Constantin Mierla<br class="">
>> <a href="http://www.twitter.com/miconda" rel="noreferrer" target="_blank" class="">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda" rel="noreferrer" target="_blank" class="">www.linkedin.com/in/miconda</a><br class="">
>> Kamailio Advanced Training - <a href="http://www.asipto.com/" rel="noreferrer" target="_blank" class="">www.asipto.com</a><br class="">
>> Kamailio World Conference - <a href="http://www.kamailioworld.com/" rel="noreferrer" target="_blank" class="">www.kamailioworld.com</a><br class="">
>><br class="">
<br class="">
--<br class="">
Daniel-Constantin Mierla<br class="">
<a href="http://www.twitter.com/miconda" rel="noreferrer" target="_blank" class="">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda" rel="noreferrer" target="_blank" class="">www.linkedin.com/in/miconda</a><br class="">
Kamailio Advanced Training - <a href="http://www.asipto.com/" rel="noreferrer" target="_blank" class="">www.asipto.com</a><br class="">
Kamailio World Conference - <a href="http://www.kamailioworld.com/" rel="noreferrer" target="_blank" class="">www.kamailioworld.com</a><br class="">
<br class="">
<br class="">
_______________________________________________<br class="">
Kamailio (SER) - Users Mailing List<br class="">
<a href="mailto:sr-users@lists.kamailio.org" target="_blank" class="">sr-users@lists.kamailio.org</a><br class="">
<a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank" class="">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br class="">
</blockquote></div></div>
</div></blockquote></div><br class=""><div class="">
<div class=""><div style="orphans: 2; widows: 2;" class=""><br class=""></div></div></div></div></body></html>