[SR-Users] Forcing a TCP Connection Closed?

Mark Boyce mark at darkorigins.com
Wed Oct 11 23:37:16 CEST 2017


Hi Sergey

That’s almost exactly what I’m doing, apart from I’m not using drop, just exit.  However it leaves the TCP connection hanging waiting to timeout before it’s closed.  Which felt untidy and a waste of resources.  It looks like this is the only option without coding an ‘exit-and-drop’ function.

Cheers
Mark

> On 11 Oct 2017, at 09:47, Sergey Safarov <s.safarov at gmail.com> wrote:
> 
> You can use a DNS name as the SIP realm.
> Then you can silently drop messages that contain an IP address in the From/To field
> 
> Example https://github.com/2600hz/kazoo-configs-kamailio/blob/master/kamailio/traffic-filter-role.cfg
> 
> 
> Tue, 10 Oct 2017, 13:36 Daniel-Constantin Mierla <miconda at gmail.com>:
> Hello,
> 
> 
> On 09.10.17 12:17, Mark Boyce wrote:
> > Hi Daniel,
> >
> > Thanks, I see tcpops lets us set the lifetime … although it’s not really the length of the lifetime that concerns me.
> >
> > I guess I’m thinking more a SIP TCP Firewall type of system.  If someone is scanning/ddos/etc I don’t think we should be sending a response at all, unless there’s something I’ve missed?
> 
> usually it is better not to send a response, especially when matching the
> attack first time, so it doesn't discover it is a sip server. If the
> attacker already knows, sometimes it helps to just send a 200 ok
> response, because that may make the scanning script stop, because it
> thinks it has discovered a good password.
> 
> > We could just use fail2ban but that would mean spawning an executable or writing each attempt to logs.
> 
> That's an option used by many out there, a matter of preferences.
> >
> > Maybe I’m doing things the wrong way round but I can’t help feeling that letting kamailio see the attempts and log stats, sources, etc is more useful than an iptables drop?
> 
> I typically do it with kamailio, as I am more familiar with.
> 
> Of course, there is always the option to add a function to close a tcp
> connection (as alternative to setting lifetime to 1 sec), but one has to
> go and code it, tcpops is a good place for such addition.
> 
> Cheers,
> Daniel
> 
> > Cheers,
> > Mark
> >
> >
> >> On 9 Oct 2017, at 10:51, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
> >>
> >> Hello,
> >>
> >> tcpops module offers a function to set the lifetime of a tcp connection,
> >> so you can set it to 1 second:
> >>
> >>   - https://www.kamailio.org/docs/modules/stable/modules/tcpops.html
> >>
> >> Core offers a function to instruct closing the connection once a reply
> >> has been sent, but it seems you don't want to send anything back.
> >>
> >> Cheers,
> >> Daniel
> >>
> >>
> >> On 08.10.17 22:11, Mark Boyce wrote:
> >>> Hi all
> >>>
> >>> Just working on some connections security filters on a Kamailio install.   The security goes something like this;
> >>>
> >>> In REQINT … if source_ip  is not in customers IP white-list then just exit
> >>>
> >>> This works fine for UDP where packets are just ignored if they don’t come from a trusted IP.
> >>>
> >>> However on TCP this leads to the connection staying open until it either times out or the source disconnects.   Which feels untidy.
> >>>
> >>> Is there a way to say close the TCP connection from within the config script?
> >>>
> >>> Thanks
> >>>
> >>> Mark
> >> --
> >> Daniel-Constantin Mierla
> >> www.twitter.com/miconda -- www.linkedin.com/in/miconda
> >> Kamailio Advanced Training - www.asipto.com
> >> Kamailio World Conference - www.kamailioworld.com
> >>
> 
> --
> Daniel-Constantin Mierla
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
> Kamailio Advanced Training - www.asipto.com
> Kamailio World Conference - www.kamailioworld.com
> 
> 
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
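
The approach discussed in this thread (whitelist check, no SIP reply, tcpops connection lifetime set to 1 second), written out as an added Kamailio configuration example that is not from any of the posters. The use of the permissions module, address group 1 and the log text are assumptions.

```kamailio
# Added example, not taken from the thread.
loadmodule "pv.so"
loadmodule "xlog.so"
loadmodule "permissions.so"   # provides allow_source_address()
loadmodule "tcpops.so"        # provides tcp_set_connection_lifetime()

# Assumption: the permissions module's address table is configured
# elsewhere and the trusted customer IPs are in address group 1.

request_route {
    if (!allow_source_address("1")) {
        # Keep the attempt visible to Kamailio (source, transport, method)
        # without sending any SIP reply to the sender.
        xlog("L_NOTICE", "untrusted source $si:$sp over $proto sent $rm, ignoring\n");

        # UDP needs nothing more. On connection-oriented transports,
        # shorten the lifetime of the current connection to 1 second so
        # it is closed promptly rather than at the default timeout.
        if (proto == TCP || proto == TLS) {
            tcp_set_connection_lifetime("1");
        }
        exit;
    }

    # ... normal request handling for trusted sources continues here ...
}
```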