Hi Sergey

That’s almost exactly what I’m doing, apart from I’m not using drop, just exit.  However it leaves the TCP connection hanging waiting to timeout before it’s closed.  Which felt untidy and a waste of resources.  It looks like this is the only option without coding a ‘exit-and-drop’ function.

Cheers
Mark

On 11 Oct 2017, at 09:47, Sergey Safarov <s.safarov@gmail.com> wrote:

You can use dns name as SIP realm.
Then you can silencly drop messages that contains IP address to From/To field

Example https://github.com/2600hz/kazoo-configs-kamailio/blob/master/kamailio/traffic-filter-role.cfg



вт, 10 окт. 2017 г., 13:36 Daniel-Constantin Mierla <miconda@gmail.com>:
Hello,


On 09.10.17 12:17, Mark Boyce wrote:
> Hi Daniel,
>
> Thanks, I see tcpops lets us set the lifetime … although it’s not really the length of the lifetime that concerns me.
>
> I guess I’m thinking more a SIP TCP Firewall type of system.  If someone is scanning/ddos/etc I don’t think we should be sending a response at all, unless there’s something I’ve missed?

usually is better not to send a response, especially when matching the
attack first time, so it doesn't discover it is a sip server. If the
attacker already knows, sometimes it helps to just send a 200 ok
response, because that may make the scanning script stop, because it
thinks it has discovered a good password.

> We could just use fail2ban but that would mean spawning an executable or writing each attempt to logs.

That's an option used by many out there, a matter of preferences.
>
> Maybe I’m doing things the wrong way round but I can’t help feeling that letting kamailio see the attempts and log stats, sources, etc is more useful than an iptables drop?

I typically do it with kamailio, as I am more familiar with.

Of course, there is always the option to add a function to close a tcp
connection (as alternative to setting lifetime to 1 sec), but one has to
go and code it, tcpops is a good place for such addition.

Cheers,
Daniel

> Cheers,
> Mark
>
>
>> On 9 Oct 2017, at 10:51, Daniel-Constantin Mierla <miconda@gmail.com> wrote:
>>
>> Hello,
>>
>> tcpops module offers a function to set the lifetime of a tcp connection,
>> so you can set it to 1 second:
>>
>>   -https://www.kamailio.org/docs/modules/stable/modules/tcpops.html
>>
>> Core offers a function to instruct closing the connection once a reply
>> has been sent, but it seems you don't want to send anything back.
>>
>> Cheers,
>> Daniel
>>
>>
>> On 08.10.17 22:11, Mark Boyce wrote:
>>> Hi all
>>>
>>> Just working on some connections security filters on a Kamailio install.   The security goes something like this;
>>>
>>> In REQINT … if source_ip  is not in customers IP white-list then just exit
>>>
>>> This works fine for UDP where packets are just ignored if they don’t come from a trusted IP.
>>>
>>> However on TCP this leads to the connection staying open until it either times out or the source disconnects.   Which feels untidy.
>>>
>>> Is there a way to say close the TCP connection from within the config script?
>>>
>>> Thanks
>>>
>>> Mark
>> --
>> Daniel-Constantin Mierla
>> www.twitter.com/miconda -- www.linkedin.com/in/miconda
>> Kamailio Advanced Training - www.asipto.com
>> Kamailio World Conference - www.kamailioworld.com
>>

--
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - www.kamailioworld.com


_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users