[OpenSIPS-Users] How to protect OpenSIPS from undesidered requests (DoS attack?)

Muhammad Shahzad shaheryarkh at gmail.com
Wed Mar 6 20:31:14 CET 2013


A few suggestions (mostly already suggested by many guys in this thread; I
am only arranging them in order for a secure setup). The OpenSIPS log level
should be at least 2.

1. I usually filter out all known nasty users / attackers right in the sanity
check section of the default request route. My sanity check section is
structured something like this:

    a). check max forwards.
    b). check message size.
    c). check the User-Agent string against a filter list; you can use the
permissions module for this, as well as hard-coding user-agents as Nick
suggested.

############################################
route {
    # a). max forwards: reject requests that are looping
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483", "Too Many Hops");
        exit;
    }

    # b). message size: reject oversized requests
    if (msg:len > max_len) {
        sl_send_reply("513", "Message Too Big");
        exit;
    }

    # c). User-Agent filter: log and drop known scanners without replying
    if ($ua =~ "friendly-scanner") {
        xlog("L_WARN", "[$pr:$fU@$si:$sp]: Rejecting '$rm' request from bogus device '$ua' \n");
        exit;
    }
    ...
}
#####################################


2. Then in the authentication section, I make sure to authenticate both INVITE
and REGISTER requests. You check the return code of both www_authorize and
proxy_authorize, and if it is -1 or -2 then use xlog to print a log line about
the intruder, which is picked up by fail2ban to block the user (make sure the
text pattern in your xlog matches the failregex in fail2ban!).

#####################################
...
if (!www_authorize("", "subscriber")) {
    # log only the failure codes fail2ban should act on
    switch ($retcode) {
        case -1:
            xlog("L_NOTICE", "[$pr:$fU@$si:$sp]: Auth error for '$tU' from '$si', peer not found - User-Agent: '$ua' \n");
            break;
        case -2:
            xlog("L_NOTICE", "[$pr:$fU@$si:$sp]: Auth error for '$tU' from '$si', wrong password - User-Agent: '$ua' \n");
            break;
        ...
    }

    # challenge the client with a fresh nonce and stop here
    www_challenge("", "1");
    exit;
}
...
#######################################

Thank you.


On Wed, Mar 6, 2013 at 7:58 PM, leo <uzcudunl at yahoo.it> wrote:

> Hello Bakko:
>
> I have it configured as you do, but I'm still not getting events in the
> opensips.log file like "Auth error for $fU@$fd from $si cause" for packets:
>
> 19:52:41.100695 00:08:e3:20:fb:b6 > 00:0c:29:fc:95:e1, ethertype IPv4
> (0x0800), length 384: (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto
> UDP (17), length 370)
>     199.217.115.214.5981 > [my SIP Server].5060: [udp sum ok] SIP, length:
> 342
>     REGISTER sip:[my SIP Server] SIP/2.0
>     Via: SIP/2.0/UDP 199.217.115.214:5981;branch=z9hG4bK-2068012690;rport
>     Content-Length: 0
>     From: "5988" <sip:5988@[my SIP Server]>
>     Accept: application/sdp
>     User-Agent: friendly-scanner
>     To: "5988" <sip:5988@[my SIP Server]>
>
>     Contact: sip:123 at 1.1.1.1
>     CSeq: 1 REGISTER
>     Call-ID: 1787915151
>     Max-Forwards: 70
>
>
> I've also added Nick's suggestion:
>
> if ($ua =~ "friendly-scanner") {
>     xlog("L_ERR", "Attack attempt - Request dropped");
>     drop();
> }
>
> But I don't have those events in the opensips.log file either.
>
> Any clue?
> Thanks,
> Leo
>
>   ------------------------------
> *From:* bakko [via OpenSIPS (Open SIP Server)] <[hidden email]>
> *To:* leo <[hidden email]>
> *Sent:* Wednesday, 6 March 2013 11:49
> *Subject:* Re: How to protect OpenSIPS from undesidered requests (DoS
> attack?)
>
> Hello,
>
> I'm using this configuration:
>
> if (is_method("REGISTER")) {
>     $var(auth_code) = www_authorize("", "subscriber");
>     if ($var(auth_code) == -1 || $var(auth_code) == -2) {
>         xlog("L_NOTICE", "Auth error for $fU@$fd from $si cause $var(auth_code)");
>     }
>     if ($var(auth_code) < 0) {
>         www_challenge("", "0");
>         exit;
>     }
>     save("location");
>     exit;
> }
>
> and in /etc/fail2ban/filter.d/opensips.conf:
>
> # Fail2Ban configuration file
> #
> #
> # $Revision: 250 $
> #
>
> [INCLUDES]
>
> # Read common prefixes. If any customizations available -- read them from
> # common.local
> #before = common.conf
>
>
> [Definition]
>
> #_daemon = opensips
>
> # Option:  failregex
> # Notes.:  regex to match the password failures messages in the logfile. The
> #          host must be matched by a group named "host". The tag "<HOST>" can
> #          be used for standard IP/hostname matching and is only an alias for
> #          (?:::f{4,6}:)?(?P<host>\S+)
> # Values:  TEXT
> #
>
> failregex = Auth error for .* from <HOST> cause -[0-9]
>
> # Option:  ignoreregex
> # Notes.:  regex to ignore. If this regex matches, the line is ignored.
> # Values:  TEXT
> #
> ignoreregex =
>
> and in /etc/fail2ban/jail.conf:
>
> [opensips]
> enabled  = true
> filter   = opensips
> action   = iptables-allports[name=opensips, protocol=all]
>            sendmail-whois[name=opensips, dest=[hidden email], sender=[hidden email]]
> logpath  = /var/log/opensips.log
> maxretry = 3
> bantime  = 7200
>
>
> Regards
>
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users


-- 
Muhammad Shahzad
-----------------------------------
CISCO Rich Media Communication Specialist (CRMCS)
CISCO Certified Network Associate (CCNA)
Cell: +49 176 99 83 10 85
MSN: shari_786pk at hotmail.com
Email: shaheryarkh at googlemail.com
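Added example (my own script for this page, not code from anyone in the thread, from OpenSIPS or from fail2ban): a small Python program that applies a fail2ban failregex to OpenSIPS log lines the way the jail would, over a few constructed syslog lines written in the wording of both xlog() formats above. It expands <HOST> with the alias quoted in the filter comments, captures the host from every matching line, honours an optional ignoreregex, and reports which hosts reach maxretry. Assumptions: FAILREGEX_SHAHZAD (a regex for Muhammad's xlog wording, which the thread does not give), the sample log lines themselves, the host name sip1, the PID, the NOTICE:/WARNING: syslog prefixes, the User-Agent strings and the 192.0.2.x addresses are all made up for the example; 199.217.115.214 and accounts 5988 to 5990 are taken from leo's tcpdump. Running it makes the caveat about matching patterns concrete: bakko's failregex matches none of the lines in the other wording, so that jail would never ban anyone.

```python
"""Replay fail2ban failregex matching over OpenSIPS xlog() lines (added example)."""
import re
from collections import Counter

# fail2ban substitutes this alias for the <HOST> tag (quoted in the
# opensips.conf filter comments in the thread).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex exactly as posted by bakko for /etc/fail2ban/filter.d/opensips.conf.
FAILREGEX_BAKKO = r"Auth error for .* from <HOST> cause -[0-9]"

# A failregex for the wording of Muhammad Shahzad's xlog() lines. Assumption:
# written for this example; the thread gives no regex for that format.
FAILREGEX_SHAHZAD = (
    r"Auth error for '[^']*' from '<HOST>', (?:peer not found|wrong password)"
)

# Constructed log lines in the shape OpenSIPS xlog() output takes in syslog.
# Hostname, PID, timestamps and User-Agents are made up; 199.217.115.214 and
# accounts 5988-5990 come from leo's tcpdump; 192.0.2.x are RFC 5737 addresses.
LOG_BAKKO_FORMAT = [
    "Mar  6 19:52:41 sip1 opensips[2231]: NOTICE:Auth error for 5988@sip.example.net from 199.217.115.214 cause -1",
    "Mar  6 19:52:42 sip1 opensips[2231]: NOTICE:Auth error for 5989@sip.example.net from 199.217.115.214 cause -1",
    "Mar  6 19:52:43 sip1 opensips[2231]: NOTICE:Auth error for 5990@sip.example.net from 199.217.115.214 cause -1",
    "Mar  6 19:53:10 sip1 opensips[2231]: NOTICE:Auth error for alice@sip.example.net from 192.0.2.10 cause -2",
    "Mar  6 19:53:15 sip1 opensips[2231]: NOTICE:Auth error for alice@sip.example.net from 192.0.2.10 cause -2",
]
LOG_SHAHZAD_FORMAT = [
    # the sanity-check rejection from part 1: must NOT count as an auth failure
    "Mar  6 19:52:40 sip1 opensips[2231]: WARNING:[UDP:5988@199.217.115.214:5981]: Rejecting 'REGISTER' request from bogus device 'friendly-scanner' ",
    "Mar  6 19:52:41 sip1 opensips[2231]: NOTICE:[UDP:5988@199.217.115.214:5981]: Auth error for '5988' from '199.217.115.214', peer not found - User-Agent: 'unknown-ua' ",
    "Mar  6 19:52:42 sip1 opensips[2231]: NOTICE:[UDP:5989@199.217.115.214:5981]: Auth error for '5989' from '199.217.115.214', peer not found - User-Agent: 'unknown-ua' ",
    "Mar  6 19:52:43 sip1 opensips[2231]: NOTICE:[UDP:5990@199.217.115.214:5981]: Auth error for '5990' from '199.217.115.214', peer not found - User-Agent: 'unknown-ua' ",
    "Mar  6 19:53:10 sip1 opensips[2231]: NOTICE:[UDP:alice@192.0.2.10:5060]: Auth error for 'alice' from '192.0.2.10', wrong password - User-Agent: 'Zoiper' ",
]


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does, then compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))


def matching_hosts(lines, failregex, ignoreregex=None):
    """Host captured from every line the failregex matches, in log order.

    As in fail2ban, a line matching ignoreregex is discarded before the
    failregex is tried.
    """
    rx = compile_failregex(failregex)
    ignore = re.compile(ignoreregex) if ignoreregex else None
    hosts = []
    for line in lines:
        if ignore and ignore.search(line):
            continue
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(lines, failregex, maxretry=3, ignoreregex=None):
    """Hosts with at least maxretry matching lines: what the jail would ban.

    Simplification: no findtime window, so every line counts whatever its age.
    """
    counts = Counter(matching_hosts(lines, failregex, ignoreregex))
    return sorted(h for h, n in counts.items() if n >= maxretry)


def main():
    print("bakko regex, bakko wording:        ",
          hosts_to_ban(LOG_BAKKO_FORMAT, FAILREGEX_BAKKO))
    print("bakko regex, Shahzad wording:      ",
          hosts_to_ban(LOG_SHAHZAD_FORMAT, FAILREGEX_BAKKO))
    print("Shahzad regex, Shahzad wording:    ",
          hosts_to_ban(LOG_SHAHZAD_FORMAT, FAILREGEX_SHAHZAD))
    print("same, ignoring Zoiper, maxretry=1: ",
          hosts_to_ban(LOG_SHAHZAD_FORMAT, FAILREGEX_SHAHZAD, maxretry=1,
                       ignoreregex=r"User-Agent: 'Zoiper'"))


if __name__ == "__main__":
    main()
```

Run it with python3. Against a live log the real check is fail2ban's own tool, fail2ban-regex /var/log/opensips.log /etc/fail2ban/filter.d/opensips.conf, which also exercises the date parsing and the findtime window that this script leaves out; if it reports zero matches, the xlog text and the failregex disagree, exactly the situation the script reproduces with the mismatched pair.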

