Hi all
Just working on some connection security filters on a Kamailio install. The security goes something like this:
In REQINT … if source_ip is not in the customer's IP white-list then just exit
This works fine for UDP, where packets are just ignored if they don't come from a trusted IP.
However, on TCP this leads to the connection staying open until it either times out or the source disconnects, which feels untidy.
Is there a way to, say, close the TCP connection from within the config script?
Thanks
Mark
Hello,
The tcpops module offers a function to set the lifetime of a TCP connection, so you can set it to 1 second:
- https://www.kamailio.org/docs/modules/stable/modules/tcpops.html
The core offers a function to instruct closing the connection once a reply has been sent, but it seems you don't want to send anything back.
Cheers, Daniel
On 08.10.17 22:11, Mark Boyce wrote:
Hi Daniel,
Thanks, I see tcpops lets us set the lifetime … although it's not really the length of the lifetime that concerns me.
I guess I'm thinking more of a SIP TCP firewall type of system. If someone is scanning/DDoS/etc., I don't think we should be sending a response at all, unless there's something I've missed? We could just use fail2ban, but that would mean spawning an executable or writing each attempt to logs.
Maybe I'm doing things the wrong way round, but I can't help feeling that letting Kamailio see the attempts and log stats, sources, etc. is more useful than an iptables drop?
Cheers, Mark
On 9 Oct 2017, at 10:51, Daniel-Constantin Mierla miconda@gmail.com wrote:
-- Daniel-Constantin Mierla www.twitter.com/miconda -- www.linkedin.com/in/miconda Kamailio Advanced Training - www.asipto.com Kamailio World Conference - www.kamailioworld.com
Hello,
On 09.10.17 12:17, Mark Boyce wrote:
Hi Daniel,
Thanks, I see tcpops lets us set the lifetime … although it's not really the length of the lifetime that concerns me.
I guess I'm thinking more of a SIP TCP firewall type of system. If someone is scanning/DDoS/etc., I don't think we should be sending a response at all, unless there's something I've missed?
Usually it is better not to send a response, especially when matching the attack the first time, so it doesn't discover it is a SIP server. If the attacker already knows, sometimes it helps to just send a 200 OK response, because that may make the scanning script stop, because it thinks it has discovered a good password.
We could just use fail2ban, but that would mean spawning an executable or writing each attempt to logs.
That's an option used by many out there, a matter of preferences.
Maybe I'm doing things the wrong way round, but I can't help feeling that letting Kamailio see the attempts and log stats, sources, etc. is more useful than an iptables drop?
I typically do it with Kamailio, as I am more familiar with it.
Of course, there is always the option to add a function to close a TCP connection (as an alternative to setting the lifetime to 1 sec), but one has to go and code it; tcpops is a good place for such an addition.
Cheers, Daniel
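As an added illustration (not code from the thread or from the Kamailio project), a request_route fragment that combines the two points discussed above: drop untrusted sources silently, and on TCP/TLS shorten that connection's lifetime through tcpops so the core timer closes it instead of leaving it hanging. It assumes the permissions module's address table holds the customer IPs in group 1 and that the tcpops and xlog modules are loaded.

```kamailio
# Added example, not from the thread. Assumes: permissions module with the
# customer IP white-list stored in address group 1; tcpops and xlog loaded.
loadmodule "permissions.so"
loadmodule "tcpops.so"
loadmodule "xlog.so"

request_route {
    if (!allow_source_address("1")) {
        # Keep the visibility Kamailio gives us (source, method, transport)
        # but send nothing back: a silent drop does not confirm to a scanner
        # that a SIP server is listening here.
        xlog("L_NOTICE", "untrusted source $si:$sp/$proto, dropping $rm\n");

        if ($proto == "tcp" || $proto == "tls") {
            # A dropped request would otherwise keep this connection open
            # until the global tcp_connection_lifetime expires or the peer
            # disconnects. Shrinking this one connection's lifetime to one
            # second lets the core TCP timer close it shortly after we exit.
            tcp_set_connection_lifetime("1");
        }

        # If you ever do choose to answer (e.g. the 200 OK trick for a source
        # that already knows this is a SIP server), call the core function
        # set_reply_close() before sending the reply so the connection is
        # closed right after the reply goes out.
        exit;
    }

    # Trusted source: normal request processing continues below.
}
```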
You can use a DNS name as the SIP realm. Then you can silently drop messages that contain an IP address in the From/To field.
Example: https://github.com/2600hz/kazoo-configs-kamailio/blob/master/kamailio/traffic-filter-role.cfg
Tue, 10 Oct 2017, 13:36 Daniel-Constantin Mierla miconda@gmail.com:
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi Sergey
That's almost exactly what I'm doing, except that I'm not using drop, just exit. However, it leaves the TCP connection hanging, waiting to time out before it's closed, which felt untidy and a waste of resources. It looks like this is the only option without coding an 'exit-and-drop' function.
Cheers, Mark
On 11 Oct 2017, at 09:47, Sergey Safarov s.safarov@gmail.com wrote: