Monthly Archive for July, 2015

OpenSIPS: protecting from undesired requests

Original: http://lists.opensips.org/pipermail/users/2013-March/024887.html

A few suggestions (mostly already suggested by many guys in this thread, I
am only arranging their order to a secure setup). OpenSIPS log level should
be at least 2.

1. I usually filter out all known nasty users / attackers right in the sanity
check section of the default request route. My sanity check section is
structured something like this:

a). check max forwards.
b). check message size.
c). check user-agent string against filter list, you can use
permissions module for this as well as hard code user-agents as Nick
suggested.

############################################
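route {
     # a) Reject requests that have passed through too many hops.
     if (!mf_process_maxfwd_header("10")) {
          sl_send_reply("483","Too Many Hops");
          exit;
     };

     # b) Reject oversized messages.
     if (msg:len > max_len) {
          sl_send_reply("513","Message Too Big");
          exit;
     };

     # c) Log and drop requests from a known scanner User-Agent without replying.
     if ($ua =~ "friendly-scanner") {
          xlog("L_WARN", "[$pr:$fU@$si:$sp]: Rejecting '$rm' request from bogus device '$ua' \n");
          exit;
     };
     ...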
#####################################

2. Then in the authentication section, I make sure to authenticate both INVITE
and REGISTER requests. You check ret-code for both www-authorize and
proxy-authorize methods, and if it is -1 or -2 then do xlog to print a log line
on the intruder, which is picked up by fail2ban to block the user (make sure the
text pattern in your xlog matches failregex in fail2ban!).

Negative code meanings: http://www.opensips.org/html/docs/modules/2.1.x/auth_db.html#id293676

#####################################
...
if (!www_authorize("","subscriber")) {

     # Log why authentication failed; these are the lines fail2ban matches.
     switch ($retcode) {
     case -1:
          xlog("L_NOTICE", "[$pr:$fU@$si:$sp]: Auth error for '$tU' from '$si', peer not found - User-Agent: '$ua' \n");
          break;
     case -2:
          xlog("L_NOTICE", "[$pr:$fU@$si:$sp]: Auth error for '$tU' from '$si', wrongpassword - User-Agent: '$ua' \n");
          break;
          ...
     };

     # Challenge the request and stop processing.
     www_challenge("", "1");
     exit;
};
...
#######################################
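
One way to check that the xlog text really matches the fail2ban failregex, as an added Python example (not part of the original post, nor code from OpenSIPS or fail2ban). The failregex itself, the IPv4-only substitute for the <HOST> tag and the sample log lines are assumptions constructed for illustration.

```python
import re

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption: the
# real tag also matches hostnames and IPv6 addresses).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical failregex for the two xlog() messages above. It is tied to the
# "[$pr:$fU@$si:$sp]: " prefix so the address comes from $si and never from
# client-supplied text such as the User-Agent at the end of the line.
FAILREGEX = (
    r"\[\w+:[^@\s]*@<HOST>:\d+\]: Auth error for '[^']*' from '[\d.]+', "
    r"(?:peer not found|wrongpassword) - User-Agent: "
)

# Constructed syslog lines in the format the xlog() calls would produce.
PREFIX = "Jul 12 10:01:02 sip1 /usr/sbin/opensips[1234]: "
SAMPLE_LOG = [
    PREFIX + "[udp:1001@203.0.113.5:5060]: Auth error for '1001' from "
    "'203.0.113.5', peer not found - User-Agent: 'friendly-scanner' ",
    # User-Agent text that itself looks like part of the message.
    PREFIX + "[udp:1002@198.51.100.7:5071]: Auth error for '1002' from "
    "'198.51.100.7', wrongpassword - User-Agent: 'from '192.0.2.1', x' ",
    # Sanity-check rejection: logged, but not an authentication failure.
    PREFIX + "[udp:1003@192.0.2.44:5060]: Rejecting 'OPTIONS' request "
    "from bogus device 'friendly-scanner' ",
]


def compile_failregex(failregex):
    """Expand <HOST> and compile, roughly as fail2ban does."""
    return re.compile(failregex.replace("<HOST>", HOST))


def offending_host(line, pattern):
    """Return the address that would be banned for this line, or None."""
    match = pattern.search(line)
    return match.group("host") if match else None


def hosts_to_ban(lines, failregex=FAILREGEX):
    """Map every log line to its offending host (None if no match)."""
    pattern = compile_failregex(failregex)
    return [offending_host(line, pattern) for line in lines]


if __name__ == "__main__":
    for line, host in zip(SAMPLE_LOG, hosts_to_ban(SAMPLE_LOG)):
        print(host, "<-", line)
```

The real filter can be checked against the live log with fail2ban-regex before the jail is enabled.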

sox, ffmpeg: mp3 to wav, gsm to wav

MP3 to WAV:
user@pc:~$ sox -t mp3 fromfile.mp3 -t wav -r 8k tofile.wav channels 1
user@pc:~/Downloads$ file tofile.wav
tofile.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 8000 Hz

or using mpg321:

mpg321 -w output.wav input.mp3

GSM to WAV:
lexus@lexus:~$ sox beep2.gsm -r 8000 --encoding=signed-integer beep2.wav channels 2
lexus@lexus:~$ file beep2.wav
beep2.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 8000 Hz

OGG to WAV:
lexus@lexus:~$ ffmpeg -i in_file.ogg out_file.wav

Change WAV file sample rate from 44100 to 8000:
lexus@lexus:~$ file file44100.wav
file44100.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 44100 Hz
lexus@lexus:~$ sox file44100.wav -r 8000 file8000.wav
sox WARN rate: rate clipped 12 samples; decrease volume?
sox WARN dither: dither clipped 8 samples; decrease volume?

For newer versions of sox, working example:

stereo to mono:
sox stereo.wav mono.wav channels 1

44100 to 8000:
sox big.wav small.wav rate 8000