We have noticed pesky SIP hackers already knocking on our POC servers. Kam is holding the fort by sending out the proverbial 401/407 (snore). I can SQLOPS to do a dip to check destination domain or Source IP and nix the snore for alien requests, but wanted to know if there was a native way to keep silent when we have a request from foes. KD
How would you define "foes" in a programmatic sense? :) That will dictate the answer.
-- Alex
-- Sent via mobile, please forgive typos and brevity.
easy. Not one of my domains or source IPs. Unless hackers is ex user they would never know my list. KD On Wednesday, May 9, 2018, 4:53:21 PM EDT, Alex Balashov abalashov@evaristesys.com wrote:
How would you define "foes" in a programmatic sense? :) That will dictate the answer.
-- Alex
-- Sent via mobile, please forgive typos and brevity.
_______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
There are a lot of options here.
For source IPs and subnets, the `permissions` module probably works best:
https://kamailio.org/docs/modules/5.1.x/modules/permissions.html
While it can function in a mode where it bangs on your database for every request, it also supports a caching mode (db_mode 1):
https://kamailio.org/docs/modules/5.1.x/modules/permissions.html#permissions...
In caching mode, it loads the ACL from the database once on startup and keeps it in memory. If you have made alterations to the database table and want to kick Kamailio to reload it, there are management/RPC commands for that[2]:
https://kamailio.org/docs/modules/5.1.x/modules/permissions.html#permissions... https://kamailio.org/docs/modules/5.1.x/modules/permissions.html#permissions...
Note that in a lot of scenarios, use of the permissions module isn't truly necessary because some other module provides a de facto ACL. For example, if you are using the dispatcher[1] module to front-end a group of servers for round-robin type load balancing, making routing decisions based on whether the origin is within the dispatcher server pool seems only natural[2]:
if(ds_is_from_list("1")) { # Allow from own application server farm. }
For filtering out nonlocal URI domains, the `domain` module presents a natural fit. It works much as `permissions` does in terms of in-memory caching and that:
https://kamailio.org/docs/modules/5.1.x/modules/domain.html
And if you should find that these modules' data model doesn't schematically meet your needs, you can always seed your own `htable` values from a DB-backed hash table:
https://kamailio.org/docs/modules/5.1.x/modules/htable.html#htable.p.db_url
Or fetch these values from somewhere else (e.g. HTTP API) and inject them into an htable upon startup:
https://kamailio.org/docs/modules/5.1.x/modules/htable.html#idp49461924
Lots of options...
-- Alex
[1] https://kamailio.org/docs/modules/5.1.x/modules/dispatcher.html
[2] https://kamailio.org/docs/modules/5.1.x/modules/dispatcher.html#dispatcher.f...
On Wed, May 09, 2018 at 09:04:16PM +0000, KamDev Essa wrote:
easy. Not one of my domains or source IPs. Unless hackers is ex user they would never know my list. KD On Wednesday, May 9, 2018, 4:53:21 PM EDT, Alex Balashov abalashov@evaristesys.com wrote:
How would you define "foes" in a programmatic sense? :) That will dictate the answer.
-- Alex
-- Sent via mobile, please forgive typos and brevity.
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Awesome note. How does one fire the RPC command. Whats the interface? Any docs on that? KD On Wednesday, May 9, 2018, 10:06:35 PM EDT, Alex Balashov abalashov@evaristesys.com wrote:
There are a lot of options here.
For source IPs and subnets, the `permissions` module probably works best:
https://kamailio.org/docs/modules/5.1.x/modules/permissions.html
While it can function in a mode where it bangs on your database for every request, it also supports a caching mode (db_mode 1):
https://kamailio.org/docs/modules/5.1.x/modules/permissions.html#permissions...
In caching mode, it loads the ACL from the database once on startup and keeps it in memory. If you have made alterations to the database table and want to kick Kamailio to reload it, there are management/RPC commands for that[2]:
https://kamailio.org/docs/modules/5.1.x/modules/permissions.html#permissions... https://kamailio.org/docs/modules/5.1.x/modules/permissions.html#permissions...
Note that in a lot of scenarios, use of the permissions module isn't truly necessary because some other module provides a de facto ACL. For example, if you are using the dispatcher[1] module to front-end a group of servers for round-robin type load balancing, making routing decisions based on whether the origin is within the dispatcher server pool seems only natural[2]:
if(ds_is_from_list("1")) { # Allow from own application server farm. }
For filtering out nonlocal URI domains, the `domain` module presents a natural fit. It works much as `permissions` does in terms of in-memory caching and that:
https://kamailio.org/docs/modules/5.1.x/modules/domain.html
And if you should find that these modules' data model doesn't schematically meet your needs, you can always seed your own `htable` values from a DB-backed hash table:
https://kamailio.org/docs/modules/5.1.x/modules/htable.html#htable.p.db_url
Or fetch these values from somewhere else (e.g. HTTP API) and inject them into an htable upon startup:
https://kamailio.org/docs/modules/5.1.x/modules/htable.html#idp49461924
Lots of options...
-- Alex
[1] https://kamailio.org/docs/modules/5.1.x/modules/dispatcher.html
[2] https://kamailio.org/docs/modules/5.1.x/modules/dispatcher.html#dispatcher.f...
On Wed, May 09, 2018 at 09:04:16PM +0000, KamDev Essa wrote:
easy. Not one of my domains or source IPs. Unless hackers is ex user they would never know my list. KD On Wednesday, May 9, 2018, 4:53:21 PM EDT, Alex Balashov abalashov@evaristesys.com wrote: How would you define "foes" in a programmatic sense? :) That will dictate the answer.
-- Alex
-- Sent via mobile, please forgive typos and brevity.
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
What you want there is the 'ctl' module and the 'kamcmd' utility that comes with Kamailio.
# kamcmd ls
Gets a list of available RPC commands from all loaded modules + core.
Beware that if you put the ctl socket in a nonstandard place, you'll need to specify the path via the '-s' option to kamcmd.
-- Alex
-- Sent via mobile, please forgive typos and brevity.
On Wed, May 09, 2018 at 04:52:27PM -0400, Alex Balashov wrote:
How would you define "foes" in a programmatic sense? :) That will dictate the answer.
A serious answer would be honeypots with the only function to populate blacklists (either for the permissions module or firewall rules). Just make sure there ins't an obvious relation between your production machines and honeypots if you use UDP traffic without challenge/reponse answers to blacklist :)
-
Alex Balashov -
Daniel Tryba -
KamDev Essa