bastion@host:~$ cat pids.txt
1111
2222
3333
4444
bastion@host:~$ echo $(cat pids.txt)
1111 2222 3333 4444
for i in `echo $(cat killpids.txt)`
UPD: a note with alternative commands from Liviu Chircu, OpenSIPS core developer:
1. instead of `echo $(cat pids.txt)`, a better alternative would be: `cat pids.txt | xargs` 2. instead of "for i in `echo $(cat pids.txt)`; do kill -9 $i; done", a better option would be: `cat pids.txt | xargs kill -9`
dpz2-pbx ~ # cat /usr/lib/tmpfiles.d/tmp.conf
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
# Clear tmp directories separately, to make them easier to override
v /tmp 1777 root root 10d
v /var/tmp 1777 root root 30d
# Exclude namespace mountpoints created with PrivateTmp=yes
x /tmp/systemd-private-%b-*
X /tmp/systemd-private-%b-*/tmp
x /var/tmp/systemd-private-%b-*
X /var/tmp/systemd-private-%b-*/tmp
# Disable auto-remove of /tmp/opensips_fifo x /tmp/opensips_fifo
Draft for myself
https://github.com/sipwise/rtpengine
root@debian-opensips:~/rtpengine-mr6.3.1# dpkg-checkbuilddeps
dpkg-checkbuilddeps: error: Unmet build dependencies: debhelper (>= 10~) iptables-dev (>= 1.4) libavcodec-dev (>= 6:10) libavfilter-dev (>= 6:10) libavformat-dev (>= 6:10) libavutil-dev (>= 6:10) libbcg729-dev libcurl4-openssl-dev | libcurl4-gnutls-dev | libcurl3-openssl-dev | libcurl3-gnutls-dev libevent-dev (>= 2.0) libglib2.0-dev (>= 2.30) libhiredis-dev libjson-glib-dev libpcap0.8-dev | libpcap-dev libpcre3-dev libswresample-dev (>= 6:10) libxmlrpc-c3-dev (>= 1.16.07) | libxmlrpc-core-c3-dev (>= 1.16.07) markdown
debhelper iptables-dev libavcodec-dev libavfilter-dev libavformat-dev libavutil-dev libbcg729-dev libcurl4-openssl-dev | libcurl4-gnutls-dev | libcurl3-openssl-dev | libcurl3-gnutls-dev libevent-dev libglib2.0-dev libhiredis-dev libjson-glib-dev libpcap0.8-dev | libpcap-dev libpcre3-dev libswresample-dev libxmlrpc-c3-dev | libxmlrpc-core-c3-dev markdown
Desided to install all:
root@debian-opensips:~/rtpengine-mr6.3.1# apt install debhelper iptables-dev libavcodec-dev libavfilter-dev libavformat-dev libavutil-dev libbcg729-dev libcurl4-openssl-dev libcurl4-gnutls-dev libevent-dev libglib2.0-dev libhiredis-dev libjson-glib-dev libpcap0.8-dev libpcap-dev libpcre3-dev libswresample-dev libxmlrpc-c3-dev libxmlrpc-core-c3-dev markdown
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'libcurl4-openssl-dev' instead of 'libcurl3-openssl-dev'
Note, selecting 'libcurl4-gnutls-dev' instead of 'libcurl3-gnutls-dev'
E: Unable to locate package libbcg729-dev
E: Unable to locate package libxmlrpc-c3-dev
root@debian-opensips:~/rtpengine-mr6.3.1# apt install debhelper iptables-dev libavcodec-dev libavfilter-dev libavformat-dev libavutil-dev libbcg729-dev libcurl4-openssl-dev libcurl4-gnutls-dev libevent-dev libglib2.0-dev libhiredis-dev libjson-glib-dev libpcap0.8-dev libpcap-dev libpcre3-dev libswresample-dev libxmlrpc-c3-dev libxmlrpc-core-c3-dev markdown
Download from here https://deb.sipwise.com/spce/mr6.2.1/pool/main/b/bcg729/ , instruction about this is here https://github.com/sipwise/rtpengine/tree/mr6.3.1
in ‘G.729 support’ chapter.
root@debian-opensips:~/rtpengine-mr6.3.1# wget https://deb.sipwise.com/spce/mr6.2.1/pool/main/b/bcg729/libbcg729-0_1.0.4+git20180222-0.1~bpo9+1_amd64.deb
root@debian-opensips:~/rtpengine-mr6.3.1# wget https://deb.sipwise.com/spce/mr6.2.1/pool/main/b/bcg729/libbcg729-dev_1.0.4+git20180222-0.1~bpo9+1_amd64.deb
Install
root@debian-opensips:~/rtpengine-mr6.3.1# dpkg -i libbcg729-0_1.0.4+git20180222-0.1~bpo9+1_amd64.deb
root@debian-opensips:~/rtpengine-mr6.3.1# dpkg -i libbcg729-dev_1.0.4+git20180222-0.1~bpo9+1_amd64.deb
Try to install all again:
root@debian-opensips:~/rtpengine-mr6.3.1# apt install debhelper iptables-dev libavcodec-dev libavfilter-dev libavformat-dev libavutil-dev libbcg729-dev libcurl4-openssl-dev libcurl4-gnutls-dev libevent-dev libglib2.0-dev libhiredis-dev libjson-glib-dev libpcap0.8-dev libpcap-dev libpcre3-dev libswresample-dev libxmlrpc-c3-dev libxmlrpc-core-c3-dev markdown
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package libxmlrpc-c3-dev
Trying to install these pkgs:
libxmlrpc-core-c3 libxmlrpc-core-c3-dev
No such a package in Debian!(( libxmlrpc-c3-dev , trying without it…
Trying without it and get an error:
The following packages have unmet dependencies:
libcurl4-gnutls-dev : Conflicts: libcurl4-openssl-dev but 7.52.1-5+deb9u6 is to be installed
libcurl4-openssl-dev : Conflicts: libcurl4-gnutls-dev but 7.52.1-5+deb9u6 is to be installed
The conflict was because of need either gnutls or openssl. I installed gnutls:
apt install debhelper iptables-dev libavcodec-dev libavfilter-dev libavformat-dev libavutil-dev libbcg729-dev libcurl4-gnutls-dev libevent-dev libglib2.0-dev libhiredis-dev libjson-glib-dev libpcap0.8-dev libpcap-dev libpcre3-dev libswresample-dev libxmlrpc-core-c3-dev markdown
Now dpkg-checkbuilddeps shows no errors! :)
Trying to create packages:
dpkg-buildpackage
Success!!!
-rw-r--r-- 1 root root 87K июн 20 10:18 ngcp-rtpengine_6.3.1.1+0~mr6.3.1.1_all.deb -rw-r--r-- 202K 10:18 ngcp-rtpengine-daemon_6.3.1.1+0~mr6.3.1.1_amd64.deb -rw-r--r-- 934K 10:18 ngcp-rtpengine-daemon-dbgsym_6.3.1.1+0~mr6.3.1.1_amd64.deb -rw-r--r-- 33K 10:18 ngcp-rtpengine-iptables_6.3.1.1+0~mr6.3.1.1_amd64.deb -rw-r--r-- 2,3K 10:18 ngcp-rtpengine-iptables-dbgsym_6.3.1.1+0~mr6.3.1.1_amd64.deb -rw-r--r-- 52K 10:18 ngcp-rtpengine-kernel-dkms_6.3.1.1+0~mr6.3.1.1_all.deb -rw-r--r-- 80K 10:18 ngcp-rtpengine-kernel-source_6.3.1.1+0~mr6.3.1.1_all.deb -rw-r--r-- 67K 10:18 ngcp-rtpengine-recording-daemon_6.3.1.1+0~mr6.3.1.1_amd64.deb -rw-r--r-- 217K 10:18 ngcp-rtpengine-recording-daemon-dbgsym_6.3.1.1+0~mr6.3.1.1_amd64.deb -rw-r--r-- 50K 10:18 ngcp-rtpengine-utils_6.3.1.1+0~mr6.3.1.1_all.deb
And install (as recommended in manual) libavcodec-extra packages from Debian repositories.
Trying to install ‘ dpkg -i ngcp-rtpengine-kernel-dkms_6.3.1.1+0~mr6.3.1.1_all.deb’
Get and error about ‘dkms’ package abscence.
Trying to install ‘dkms’ – errors about some packages abscence. Offers to do ‘apt –fix-broken install’. I agree, and it installs many additional packages.
I try to install these created packages again:
ngcp-rtpengine-kernel-dkms_6.3.1.1+0~mr6.3.1.1_all.deb
ngcp-rtpengine-kernel-source_6.3.1.1+0~mr6.3.1.1_all.deb
ngcp-rtpengine-recording-daemon-dbgsym_6.3.1.1+0~mr6.3.1.1_amd64.deb
ngcp-rtpengine-recording-daemon_6.3.1.1+0~mr6.3.1.1_amd64.deb
ngcp-rtpengine-utils_6.3.1.1+0~mr6.3.1.1_all.deb
At this moment I check installed packages with ‘dpkg -l | grep ngcp’ and see that they are alll already installed, marked with ‘ii’, but I go on:
ngcp-rtpengine-iptables-dbgsym_6.3.1.1+0~mr6.3.1.1_amd64.deb
ngcp-rtpengine-iptables_6.3.1.1+0~mr6.3.1.1_amd64.deb
ngcp-rtpengine-daemon-dbgsym_6.3.1.1+0~mr6.3.1.1_amd64.deb
ngcp-rtpengine-daemon_6.3.1.1+0~mr6.3.1.1_amd64.deb
ngcp-rtpengine_6.3.1.1+0~mr6.3.1.1_all.deb
Maybe some initialization scripts are configured during manual installation:
root@debian-opensips:~# dpkg -i ngcp-rtpengine-daemon_6.3.1.1+0~mr6.3.1.1_amd64.deb
(Reading database ... 66096 files and directories currently installed.)
Preparing to unpack ngcp-rtpengine-daemon_6.3.1.1+0~mr6.3.1.1_amd64.deb ...
Unpacking ngcp-rtpengine-daemon (6.3.1.1+0~mr6.3.1.1) over (6.3.1.1+0~mr6.3.1.1) ...
Setting up ngcp-rtpengine-daemon (6.3.1.1+0~mr6.3.1.1) ...
Processing triggers for systemd (232-25+deb9u3) ..
Seems strange that this package hasn’t been installed as a dependency:
apt install ffmpeg
At this moment, rtpengine supports these codecs:
root@debian-opensips:~# rtpengine --codecs
PCMA: fully supported
PCMU: fully supported
G723: fully supported
G722: fully supported
QCELP: supported for decoding only
G729: fully supported
speex: fully supported
GSM: fully supported
iLBC: not supported
opus: fully supported
vorbis: fully supported
ac3: fully supported
eac3: fully supported
ATRAC3: supported for decoding only
ATRAC-X: supported for decoding only
EVRC: supported for decoding only
EVRC0: supported for decoding only
EVRC1: supported for decoding only
AMR: fully supported
AMR-WB: fully supported
PCM-S16LE: fully supported
MP3: fully supported
Very good, but I also need iLBC.
Install package:
libavcodec57
Check:
ffmpeg -decoders
ffmpeg -encoders
No success((
Found Debian packages!
Repository: http://www.deb-multimedia.org/debian-m
Add repo to our system:
deb http://mirror.yandex.ru/debian-multimedia/ stable main non-free
deb-src http://mirror.yandex.ru/debian-multimedia/ stable main non-free
Add repo’s gpg:
wget http://www.deb-multimedia.org/pool/main/d/deb-multimedia-keyring/deb-multimedia-keyring_2016.8.1_all.deb
dpkg -i deb-multimedia-keyring_2016.8.1_all.deb
apt update
apt install libilbc2 libilbc-dev
Voila!
root@debian-opensips:~# !532
rtpengine --codecs
PCMA: fully supported
PCMU: fully supported
G723: fully supported
G722: fully supported
QCELP: supported for decoding only
G729: fully supported
speex: fully supported
GSM: fully supported
iLBC: fully supported
opus: fully supported
vorbis: fully supported
ac3: fully supported
eac3: fully supported
ATRAC3: supported for decoding only
ATRAC-X: supported for decoding only
EVRC: supported for decoding only
EVRC0: supported for decoding only
EVRC1: supported for decoding only
AMR: fully supported
AMR-WB: fully supported
PCM-S16LE: fully supported
MP3: fully supported
Rtpengine minimal start command:
rtpengine -i enp0s3/10.145.213.88 -l 10.145.213.88:9876
For these WARNS in syslog:
Jun 20 17:35:13 debian-opensips rtpengine[4029]: WARNING: Failed to properly parse UDP command line '4296_1 d7:command4:pinge' from 127.0.0.1:60637, using fallback RE
found this:
https://github.com/sipwise/rtpengine/issues/266
Advice – to start with ‘–listen-ng’ option:
rtpengine -i lo/127.0.0.1 --listen-udp=127.0.0.1:12221 --listen-ng=127.0.0.1:12222
or with CLI support:
rtpengine -i enp0s3/10.145.213.88 --listen-ng=10.145.213.88:12222 --listen-cli=10.145.213.88:12555
to use it:
rtpengine-ctl -ip 10.145.213.88 -port 12555 list totals
And modify OpenSIPS config (add new port with NG):
modparam("rtpengine", "rtpengine_sock", "udp:localhost:12222")
Works!!!
# rtpengine, may depend on tm // (optional) if you want to have rtpengine_manage() fully functional
# rtpengine -i enp0s3/10.145.213.88 --listen-ng=10.145.213.88:12222
loadmodule "rtpengine.so"
modparam("rtpengine", "rtpengine_sock", "udp:10.145.213.88:12222")
Great! OpenSIPS starts without any warnings.
OpenSIPS config:
What flags to use (by Kirill Galinurov):
$var(rtpengine_flags) = "RTP/AVP replace-session-connection replace-origin ICE=remove"
rtpengine_offer("$var(rtpengine_flags)");
My rtpengine re-writes SDP with 127.0.0.1 IP address – because I started it listening on 127.0.0.1.
But we need to start it on a non-localhost IP address.
By Kirill Galinurov:
RTP_IP[0]=external/185.128.105.15 # (m) Local IPv4/6 address for RTP. The format of the value is [NAME/]IP[!IP].
RTP_IP[1]=internal/172.20.99.247
“loopback is also possible”:
lo:
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 185.128.105.15/32 brd 185.128.105.15 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
To start re-writing of IP addresses in SDP, don’t follow rtpengine module docs,
but just create global onreply_route, and use there rtpengine_answer() function without flags.
After that, you’ll have IP addresses in SDP rewritten.
But still no transcoding at this stage(
if (is_method("INVITE")) {
lookup("location");
if (has_body("application/sdp")) {
#if (rtpengine_offer("RTP/AVP replace-origin replace-session-connection ICE=remove codec-mask-PCMA codec-strip-PCMU transcode-PCMU"))
if (rtpengine_offer("RTP/AVP replace-origin replace-session-connection ICE=remove always-transcode"))
#if (rtpengine_offer("RTP/AVP replace-origin replace-session-connection ICE=remove"))
t_on_reply("1");
} else {
t_on_reply("2");
}
}
if (is_method("ACK") && has_body("application/sdp"))
rtpengine_answer();
route(relay);
onreply_route
{
if (has_body("application/sdp"))
rtpengine_answer();
}
Also check: http://opensips.org/pub/events/2015-05-12_OpenSIPS-Summit_Amsterdam/Razva_Crainea-OpenSIPS_Summit2015-EdgeProxy.cfg
And comment from Razvan how to use flags: https://github.com/OpenSIPS/opensips/issues/1288#issuecomment-367293070
To pick a part of dump from 15:55 to 15:59, do:
lexus@lexus:~$ editcap -A '2018-07-26 15:55:00' -B '2018-07-26 15:59:00' 2018-07-26_full.pcap 2018-07-26_part.pcap
Up-to-date packages for Debian 8.
Never heard about this repo.
https://www.dotdeb.org
root@lexus:~# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
user_name PPTP PpTpPaSs 85.233.x.x
Create connection config file /etc/ppp/peers/SLC
pty "pptp 85.233.x.x --nolaunchpppd"
name user_name
remotename PPTP
require-mppe-128
file /etc/ppp/options.pptp
Create a script to auto-add route to the target host, to which you want to connect via VPN (172.24.10.13) /etc/ppp/ip-up.d/routes
#!/bin/sh
/bin/ip route add 172.24.10.13 dev ppp0
Fire!
pppd call SLC
Disconnect:
killall pppd
If there’s no settings in the application itself, you can configure rsyslog not to write apps logs.
CentOS 6.6, rsyslog 5.8.10-10.el6_6:
Asterisk is configured to write logs to remote syslog server (syslog02.core) but still writes not only there but also locally.
To prevent this:
create ‘/etc/rsyslog.d/10-asterisk.conf’ with lines
:syslogtag, contains, "asterisk" @syslog02.core
& stop
Debian 9.4 Stretch, rsyslog 8.24.0-1:
Asterisk is nt configured to write to remote syslog, but also writes everything to local rsyslog.
Create ‘/etc/rsyslog.d/10-asterisk.conf’:
if $programname == "asterisk" then {
stop
}
https://www.rsyslog.com/doc/v8-stable/configuration/filters.html
https://www.rsyslog.com/discarding-unwanted-messages/
Just an example for Debian 9.
1. Install ‘iptables-persistent’ package. Agree during installation the rules to be saved to /etc/iptables/rules.v4 .
2. Add rules (e.g. from console):
iptables -P OUTPUDT DROP
iptables -A OUTPUT -d 192.168.0.1 -j ACCEPT
3. Save rules:
netfilter-persistent save
4. Reboot and enjoy.
5. If you need to add/delete/edit rules, edit /etc/iptables/rules.v4 and then run ‘netfilter-persistent start’ to re-read the file.
Preface: the PIKE module itself blocks SIP requests (just stops sending any replies) in case of flood. This article is about going on – adding flooding IP addresses to ipset for further rejecting any traffic to the OpenSIPS server using iptables.
1. Create an ipset with auto removing addresses after 120 seconds and ability to add comments.
ipset create SIPFLOOD hash:ip timeout 120 comment
2. An iptables rule, which will drop incoming traffic from src IP addresses from created ipset table:
iptables -A INPUT -m set --match-set SIPFLOOD src -j DROP
3. Allow OpenSIPS’ run-user (usually ‘opensips’) executing ‘ipset’ command without a password (add this line to /etc/sudoers using ‘visudo’ command):
opensips ALL= NOPASSWD: /sbin/ipset
4. OpenSIPS configuration.
Part of modules section of config:
#### exec
loadmodule "exec.so"
#### antiflood module
loadmodule "pike.so"
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 10)
modparam("pike", "remove_latency", 120)
Part of OpenSIPS script, assuming that somebody sends us too much OPTIONS requests:
if(is_method("OPTIONS")) {
pike_check_req();
switch($retcode) {
case -2: # detected once - simply drop the request
exit;
case -1: # detected again - ban the IP and drop request
exec("/usr/bin/sudo ipset -exist add SIPFLOOD $si");
exit;
}
sl_send_reply("200", "OK");
exit;
}
5. You may test all this with ‘sipp’ tool.
This is for generating 10 requests (-r) in 2 seconds (-rp 2000) and exiting sipp after sending 10 requests (-m):
sipp 172.16.0.222 -r 10 -rp 2000 -m 10 -sf OPTIONS.xml
This – for generating 70 requests (-r) in 2 seconds (-rp 2000) and exiting sipp after sending 70 requests (-m):
sipp 172.16.0.222 -r 70 -rp 2000 -m 70 -sf OPTIONS.xml
The OPTIONS.xml is as follows:
UPD 2019-july-30: pike writes log messages (at least in automatic mode, but I’m sure that also in the manual ):
Jul 30 06:59:05 ... /opensips[15531]: PIKE - BLOCKing ip 46.166.151.117, node=0x7f6dec201c08
Jul 30 06:59:05 ... /opensips[15533]: PIKE - UNBLOCKing node 0x7f6dec201b38
Jul 30 06:59:07 ... /opensips[15531]: PIKE - BLOCKing ip 46.166.151.163, node=0x7f6dec201d40
If you do not need all these messages (in case of SIP flood it may be too many), just set the log_level for pike.so module:
modparam("pike", "pike_log_level", 3)
And then set the log_level for your OpenSIPS to be not so verbose (pike’s log_level must be greater than global):
opensips-cli -x mi log_level 2
… or/and in config file:
log_level=2