Archive for the ‘Uncategorized’ Category

OpenSIPS: protecting from undesired requests

Sunday, July 26th, 2015

Original: http://lists.opensips.org/pipermail/users/2013-March/024887.html

A few suggestions (mostly already suggested by many guys in this thread; I am only arranging them in order to get a secure setup). The OpenSIPS log level should be at least 2.

1. I usually filter out all known nasty users / attackers right in the sanity
check section of the default request route. My sanity check section is structured
something like this:

a). check Max-Forwards.
b). check message size.
c). check the User-Agent string against a filter list; you can use the
permissions module for this, or hard-code the user-agents as Nick
suggested.

############################################
route {
if (!mf_process_maxfwd_header("10")) {
     sl_send_reply("483","Too Many Hops");
     exit;
};

if (msg:len > max_len) {
     sl_send_reply("513","Message Too Big");
     exit;
};

if ($ua =~ "friendly-scanner") {
     xlog("L_WARN", "[$pr:$fU@$si:$sp]: Rejecting '$rm' request from bogus device '$ua' \n");
     exit;
};
...
#####################################

2. Then in the authentication section, I make sure to authenticate both INVITE
and REGISTER requests. Check the return code of both www_authorize and
proxy_authorize, and if it is -1 or -2, xlog a line about the
intruder, which is picked up by fail2ban to block the user (make sure the text
pattern in your xlog matches the failregex in fail2ban!).

Negative code meanings: http://www.opensips.org/html/docs/modules/2.1.x/auth_db.html#id293676

#####################################
...
if (!www_authorize("", "subscriber")) {

     switch ($retcode) {
     case -1:
          xlog("L_NOTICE", "[$pr:$fU@$si:$sp]: Auth error for '$tU' from '$si', peer not found - User-Agent: '$ua' \n");
          break;
     case -2:
          xlog("L_NOTICE", "[$pr:$fU@$si:$sp]: Auth error for '$tU' from '$si', wrong password - User-Agent: '$ua' \n");
          break;
          ...
     };

www_challenge("", "1");
exit;
};
...
#######################################
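The mailing-list post says the xlog text must match the fail2ban failregex, but does not show the fail2ban side. The following is an added example (not part of the original post, the OpenSIPS project, or fail2ban itself) that writes one failregex for the two "Auth error" lines above and replays it over a few constructed syslog lines with fail2ban's maxretry/findtime semantics, so you can check the pattern matches before deploying the jail. The log lines, host names, IP addresses and the 600-second window are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines in the shape the xlog() calls above emit:
# [$pr:$fU@$si:$sp]: Auth error for '$tU' from '$si', <reason> - User-Agent: '$ua'
SAMPLE_LOG = """\
Mar 10 12:00:01 sip opensips[1234]: [UDP:100@203.0.113.5:5060]: Auth error for '100' from '203.0.113.5', peer not found - User-Agent: 'friendly-scanner'
Mar 10 12:00:02 sip opensips[1234]: [UDP:101@203.0.113.5:5060]: Auth error for '101' from '203.0.113.5', peer not found - User-Agent: 'friendly-scanner'
Mar 10 12:00:03 sip opensips[1234]: [UDP:102@203.0.113.5:5060]: Auth error for '102' from '203.0.113.5', peer not found - User-Agent: 'friendly-scanner'
Mar 10 12:00:04 sip opensips[1234]: [UDP:alice@198.51.100.7:5060]: Auth error for 'alice' from '198.51.100.7', wrong password - User-Agent: 'Linphone/3.6'
Mar 10 12:00:05 sip opensips[1234]: [UDP:alice@198.51.100.7:5060]: Auth error for 'alice' from '198.51.100.7', wrong password - User-Agent: 'Linphone/3.6'
Mar 10 12:10:06 sip opensips[1234]: [UDP:alice@198.51.100.7:5060]: Auth error for 'alice' from '198.51.100.7', wrong password - User-Agent: 'Linphone/3.6'
Mar 10 12:10:07 sip opensips[1234]: [UDP:bob@192.0.2.9:5060]: Rejecting 'INVITE' request from bogus device 'friendly-scanner'
"""

# failregex as it would appear in a filter.d/opensips.conf (assumed file name);
# <HOST> is the placeholder fail2ban expands to a named group for the client address.
FAILREGEX = (r"Auth error for '[^']*' from '<HOST>', "
             r"(?:peer not found|wrong password) - User-Agent: ")

# fail2ban's classic expansion of <HOST> (IPv4, IPv6 or hostname, optional ::ffff: prefix)
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Year-less syslog timestamp at the start of each line
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")


def compile_failregex(pattern):
    """Turn a fail2ban-style failregex into a Python regex exposing group 'host'."""
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))


def parse_failure(line, rx):
    """Return (timestamp, host) when the line is an auth failure, else None."""
    m_ts = SYSLOG_TS.match(line)
    m = rx.search(line)
    if m_ts is None or m is None:
        return None
    ts = datetime.strptime(m_ts.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("host")


def find_bans(lines, maxretry=3, findtime=600):
    """Replay log lines in order and return, in ban order, the hosts that reached
    maxretry failures inside a sliding window of findtime seconds (fail2ban semantics)."""
    rx = compile_failregex(FAILREGEX)
    recent = defaultdict(deque)        # host -> timestamps of failures still in the window
    banned = []
    for line in lines:
        hit = parse_failure(line, rx)
        if hit is None:
            continue                   # unrelated line, e.g. the scanner rejection above
        ts, host = hit
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()           # expire failures older than findtime
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for host in find_bans(SAMPLE_LOG.splitlines()):
        print("would ban", host)
```

With the defaults, 203.0.113.5 is banned after its third failure, while 198.51.100.7 is not: its third failure arrives 602 seconds after the first, so only one failure is left in the 600-second window. One caveat for production: `$tU` and `$ua` come straight from the request and sit on the same line as `$si`, so a failregex that merely searches the line can be fed a fake `from '...'` token through those fields; log `$si` before any request-derived field and anchor the pattern on it, or escape the request-derived values, before letting fail2ban act on the match.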

sox, ffmpeg: mp3 to wav, gsm to wav

Monday, July 6th, 2015

m4a to wav:

ffmpeg -i audiofile.m4a audiofile.wav

MP3 to WAV:
user@pc:~$ sox -t mp3 fromfile.mp3 -t wav -r 8k tofile.wav channels 1
user@pc:~/Downloads$ file tofile.wav
tofile.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 8000 Hz

or using mpg321:

mpg321 -w output.wav input.mp3

GSM to WAV:
lexus@lexus:~$ sox beep2.gsm -r 8000 --encoding=signed-integer beep2.wav channels 2
lexus@lexus:~$ file beep2.wav
beep2.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 8000 Hz

OGG to WAV:
lexus@lexus:~$ ffmpeg -i in_file.ogg out_file.wav

Change the WAV file sample rate from 44100 Hz to 8000 Hz:
lexus@lexus:~$ file file44100.wav
file44100.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 44100 Hz
lexus@lexus:~$ sox file44100.wav -r 8000 file8000.wav
sox WARN rate: rate clipped 12 samples; decrease volume?
sox WARN dither: dither clipped 8 samples; decrease volume?

The two warnings mean a few samples overshot full scale during resampling and dithering; lowering the input volume first (sox's -v option or the gain effect) avoids them.

For newer versions of sox, working example:

stereo to mono:
sox stereo.wav mono.wav channels 1

44100 to 8000:
sox big.wav small.wav rate 8000

AcmePacket: Reject calls from subscribers with hidden cell number

Thursday, February 26th, 2015

Depending on the GSM operator, the values in the SIP headers may vary. In my case, if a subscriber has activated hiding of the cell number, the 'uri-user' part of the SIP 'From' header contains 'anonymous' instead of the cell number. I had a task to reject such calls.

There were already 2 header-rules: one storing the values of the 'To' headers containing the VoIP provider's DIDs, and the second manipulating the 'From' headers according to the stored values.

When I added the 3rd header-rule (last in the list) to reject anonymous calls, it didn't work, so it was necessary to keep it at the top of the header-rules. (The 'move' command doesn't work for me, though I've read in one Oracle/AcmePacket HMR guide that it's possible; maybe my firmware does not support it.)

Here’s the rule itself:

header-rule
		name                           rejectAnonymous
		header-name                    From
		action                         manipulate
		comparison-type                case-insensitive
		msg-type                       request
		methods                        INVITE
		match-value                    
		new-value                      
		element-rule
			name                           rejAnonymous
			parameter-name                 From
			type                           uri-user
			action                         reject
			match-val-type                 any
			comparison-type                case-insensitive
			match-value                    Anonymous
			new-value                      

Have a look at these screenshots demonstrating the initial INVITE from an anonymous caller:

[screenshot: invite_anonymous]

… and the AcmePacket 4250 rejecting this call with a '400 Bad Request' response:

[screenshot: 400_bad_request]

AcmePacket: reject redirected calls

Friday, February 20th, 2015

What to do if somebody has set up call forwarding from his number to yours, but you do not want to accept such calls?

According to RFC5806 – Diversion Indication in SIP,

The Diversion header SHOULD be added when a SIP proxy server, SIP
redirect server, or SIP user agent changes the ultimate endpoint that
will receive the call.

So, you have to reject INVITEs carrying a Diversion header. This is how it looks on the AcmePacket: one more header-rule (in addition to any you already have) in the sip-manipulation:

header-rule
	name                           reject_diversion
	header-name                    Diversion
	action                         manipulate
	comparison-type                case-sensitive
	msg-type                       request
	methods                        INVITE
	match-value                    
	new-value                      
	element-rule
		name                           rej_diversion
		parameter-name                 
		type                           header-value
		action                         reject
		match-val-type                 any
		comparison-type                pattern-rule
		match-value                    ^.*$
		new-value                      

You may also put something like "603:Decline" in the "new-value" parameter to choose the rejection response.

Or even like this, without any response codes and element-rules:

header-rule
                name                                    rejectDiversion
                header-name                             Diversion
                action                                  reject
                comparison-type                         boolean
                msg-type                                request
                methods                                 INVITE
                match-value                             
                new-value                               
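The two posts above (rejecting anonymous callers and rejecting diverted calls) are each a single HMR rule, and the SBC screenshots are not reproducible here. The following is an added example, not AcmePacket/Oracle code and not from the original posts, that reimplements the decision of both rules in Python over a constructed INVITE so you can see exactly what each rule matches: `rejectAnonymous` compares the From uri-user case-insensitively against "anonymous" on INVITEs only, and `reject_diversion` rejects any INVITE with a Diversion header, whatever its value. The sample messages, phone numbers, hosts and the status texts "400 Bad Request" (what the post observed from the SBC) and "603 Decline" (the new-value suggested above) are assumptions of the example.

```python
import re

# Compact header names a UA may use instead of the long form (RFC 3261 7.3.3)
COMPACT = {"f": "from", "t": "to", "v": "via", "i": "call-id", "m": "contact",
           "c": "content-type", "l": "content-length", "s": "subject"}


def parse_sip_request(raw):
    """Split a SIP request into (method, {header-name-lower: [values]}).
    Folded continuation lines are joined and compact names are expanded."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    last = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last is not None:
            headers[last][-1] += " " + line.strip()   # RFC 3261 7.3.1 line folding
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        name = COMPACT.get(name, name)
        headers.setdefault(name, []).append(value.strip())
        last = name
    return method, headers


def from_uri_user(headers):
    """The uri-user of the From header (what HMR 'type uri-user' inspects),
    or None when the From URI has no user part."""
    values = headers.get("from")
    if not values:
        return None
    value = re.sub(r'^\s*"(?:[^"\\]|\\.)*"', "", values[0])  # drop a quoted display-name
    m = re.search(r"<([^>]*)>", value)                        # name-addr form
    uri = m.group(1) if m else value.split(";", 1)[0].strip()  # addr-spec form
    m = re.match(r"sips?:(?:([^@]*)@)", uri)
    return m.group(1).split(":", 1)[0] if m else None          # strip a userinfo password


def hmr_verdict(raw, anonymous_reply="400 Bad Request", diversion_reply="603 Decline"):
    """Mirror of the two header-rules: reject an INVITE whose From uri-user is
    'anonymous' (case-insensitive) or that carries any Diversion header.
    Returns the status to send back, or None to let the INVITE through."""
    method, headers = parse_sip_request(raw)
    if method != "INVITE":                       # both rules: methods INVITE
        return None
    user = from_uri_user(headers)
    if user is not None and user.lower() == "anonymous":
        return anonymous_reply                   # rejectAnonymous
    if headers.get("diversion"):                 # reject_diversion: match-value ^.*$
        return diversion_reply
    return None


def _invite(from_hdr, extra=""):
    """Constructed minimal INVITE; everything but From and the extra header is filler."""
    return ("INVITE sip:+12125550100@sbc.example.net SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
            "Max-Forwards: 70\r\n"
            f"From: {from_hdr}\r\n"
            "To: <sip:+12125550100@sbc.example.net>\r\n"
            "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
            "CSeq: 314159 INVITE\r\n"
            f"{extra}"
            "Content-Length: 0\r\n\r\n")


# RFC 3323-style anonymous caller
ANONYMOUS_INVITE = _invite('"Anonymous" <sip:anonymous@anonymous.invalid>;tag=1928301774')
# Forwarded call: the diverting party is announced in Diversion (RFC 5806)
DIVERTED_INVITE = _invite("<sip:+12125550199@192.0.2.10>;tag=4f7a",
                          "Diversion: <sip:+12125550150@192.0.2.10>;reason=unconditional\r\n")
NORMAL_INVITE = _invite("<sip:+12125550199@192.0.2.10>;tag=4f7a")
# Same anonymous From on a REGISTER: the rules are limited to INVITE, so it passes
ANONYMOUS_REGISTER = ANONYMOUS_INVITE.replace("INVITE sip:", "REGISTER sip:", 1)

if __name__ == "__main__":
    for name, msg in [("anonymous", ANONYMOUS_INVITE), ("diverted", DIVERTED_INVITE),
                      ("normal", NORMAL_INVITE), ("register", ANONYMOUS_REGISTER)]:
        print(name, "->", hmr_verdict(msg) or "accept")
```

Two things the rules do not cover, worth knowing before relying on them: an operator may carry the forwarding history in History-Info (RFC 7044) rather than Diversion, which this rule never sees, and caller-ID suppression may arrive as a Privacy header with the real number in P-Asserted-Identity rather than an anonymous From, which the first rule does not catch.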

tmux

Thursday, February 19th, 2015

tmux – start tmux
Ctrl-b and then c – create new virtual screen
Ctrl-b and then w – list created virtual screens (windows), select with arrow keys
Ctrl-b and then [ – start scrolling mode. Scroll with PageUp and PageDown, ‘q’ to leave scrolling mode.
exit or Ctrl-d – close virtual screen

A nice article on tmux from my favourite project, OpenBSD.

Small console utils

Saturday, January 24th, 2015

ee – easy to use text editor
le – text editor inspired by Norton Commander
lookat – user-friendly text pager
moe – powerful and user-friendly console text editor
ne – nice console editor
ranger – minimalistic console file manager

MySQL: myisamchk

Monday, January 12th, 2015

Decided to get a better knowledge of MySQL by crawling through http://dev.mysql.com/doc/refman/YOUR_VERSION/en/ , for example http://dev.mysql.com/doc/refman/5.7/en/ .

Before MySQL 5.5.5, MyISAM was the default storage engine. (The default was changed to InnoDB in MySQL 5.5.5.)
One of my deployments uses a MySQL version prior to 5.5.5. While reading the documentation I found a nice utility, 'myisamchk', and instantly decided to check one of the *.MYI files with it. I was a little astonished when the utility showed some problems with one of the files, while everything worked fine. This is the silent mode (-s); only errors (if found) are shown:

root@zenwalk:~# myisamchk -s /var/lib/mysql/webapp/doityourself.MYI
myisamchk: MyISAM file /var/lib/mysql/webapp/doityourself.MYI
myisamchk: warning: 12 clients are using or haven't closed the table properly
MyISAM-table '/var/lib/mysql/webapp/doityourself.MYI' is usable but should be fixed

Normal mode:

root@zenwalk:~# myisamchk /var/lib/mysql/webapp/doityourself.MYI
Checking MyISAM file: /var/lib/mysql/webapp/doityourself.MYI
Data records:     170   Deleted blocks:       2
myisamchk: warning: 12 clients are using or haven't closed the table properly
- check file-size
- check record delete-chain
- check key delete-chain
- check index reference
- check data record references index: 1
- check data record references index: 2
- check record links
MyISAM-table '/var/lib/mysql/webapp/doityourself.MYI' is usable but should be fixed

The warning "12 clients are using or haven't closed the table properly" means the running server still had the table open. The MySQL manual requires that mysqld is not accessing a table while myisamchk works on it (stop the server, or FLUSH TABLES and LOCK TABLES first), and this matters most for --recover, which rewrites the index file. So, with the table locked away from the server, let's recover the .MYI file. Fire!

root@zenwalk:~# myisamchk --recover /var/lib/mysql/webapp/doityourself.MYI
- recovering (with sort) MyISAM-table '/var/lib/mysql/webapp/doityourself.MYI'
Data records: 170
- Fixing index 1
- Fixing index 2

AcmePacket: session constraints

Wednesday, December 31st, 2014

# show sessions or # monitor session gives you the overall statistics of active sessions on your Session Director.

What to do if you want to see the number of sessions on each session-agent? Use # show sipd agents

This extremely useful command helps you spot a suspiciously high (for your network) session count on a particular session-agent. You will see the problem agent while being DDoSed or under genuinely high load, or simply the sessions per session-agent.

# show sessions
The left column shows the number of active sessions on your Session Director. The right one shows the highest number of sessions ever seen on the SD:
[screenshot: constr_show_sessions]

This is how # show sipd agents looks:
[screenshot: constr_show_sipd_agents]

The letter I in the second column means that the session agent is 'in service'.
The letter O means that it is 'out of service', unused.
The letter C means that constraints are configured and are being enforced right now: the number of sessions is higher than allowed. The 'Active' column shows the number of sessions. The 'ConEx' column is 'Constraints exceeded': the number of sessions dropped because of the limits during the last 100 seconds.
As you can see, session-agents may be inbound or outbound. In this example we see only inbound ones; they are the peers with SIP providers. The outbound ones are the peers with the Asterisk nodes in the core of the network, and they have the same statistics.

It is possible to see detailed statistics for any of the configured session-agents:
# show sipd agents %ip address% or # show sipd agents %session-agent name%
Have a look at a session-agent marked with the letter I (in service):
[screenshot: constr_show_sipd_agents_i]

And one more example, for a session-agent with ConEx (constraints exceeded):
[screenshot: constr_show_sipd_agents_c]

Constraints are defined under # configure terminal -> session-router -> session-constraints and then applied in one of three places: variant 1) on the sip-interface (# configure terminal -> session-router -> sip-interface -> constraint-name), variant 2) on a realm (# conf t -> media-manager -> realm-config), or variant 3) directly on the session-agent.

Here's an example of a constraint applied directly (but disabled) on a session-agent:

[screenshot: constr_ses_ag_constr]
Just be sure to set 'constraints enabled' in your session-agent, not only the value, otherwise the limits will not be applied.

Asterisk: asterisk dead but subsys locked

Tuesday, September 23rd, 2014

Problem: After a successful installation from source (CentOS 6.5 x86_64, Asterisk 11.12.1) you get:

root@twt [~]# service asterisk status
asterisk is stopped
root@twt [~]# service asterisk start
Starting asterisk:
root@twt [~]# service asterisk status
asterisk dead but subsys locked
root@twt [~]# asterisk -rv
asterisk: error while loading shared libraries: libasteriskssl.so.1: cannot open shared object file: No such file or directory

Solution (quick fix): the library was installed under /usr/lib, where the 64-bit loader does not look, so link it into /usr/lib64:
ln -s /usr/lib/libasteriskssl.so.1 /usr/lib64/libasteriskssl.so.1

The cleaner fix on a 64-bit system is to rebuild with ./configure --libdir=/usr/lib64 so the libraries land in the right place, or to add /usr/lib to /etc/ld.so.conf and run ldconfig.

Unix shell: list directories only

Friday, June 27th, 2014

A simple question with an answer that is not so simple to find.
For the current directory:

lexus@lexus:~$ ls -dl */
drwxr-xr-x 16 lexus lexus 4096 Apr  1 16:16 KAZANTSEV/
drwxrwxr-x  3 lexus lexus 4096 Aug  5  2013 Storage/
drwxrwxr-x  2 lexus lexus 4096 Feb  9  2012 Ubuntu One/
drwxr-xr-x 11 lexus lexus 4096 Jan  3 17:14 VirtualBox VMs/
drwxrwxr-x  2 lexus lexus 4096 Jun 10 17:09 dbn/
drwxr-xr-x  2 lexus lexus 4096 Jan 10 10:41 dwhelper/
drwxr-xr-x  3 lexus lexus 4096 May  2  2012 fluxmenu/
drwxr-xr-x  2 lexus lexus 4096 Feb  5 15:28 fontconfig/
drwxrwxr-x  2 lexus lexus 4096 Apr 18 17:24 images/
drwxr-xr-x  6 lexus lexus 4096 Oct 31  2013 sipvicious-0.2.8/
lexus@lexus:~$ 

For some other directory:

lexus@lexus:~$ ls -dl /tmp/*/
drwx------ 2 lexus lexus 4096 May 30 07:08 /tmp/CRX_75DAF8CB7768/
drwx------ 2 lexus lexus 4096 Jun 26 12:23 /tmp/acroread_1000_1000/
drwxr-xr-x 2 lexus lexus 4096 Jun 18 16:52 /tmp/hsperfdata_lexus/
drwx------ 2 lexus lexus 4096 Jun 25 18:36 /tmp/libgksu-lBNuPo/
drwx------ 2 lexus lexus 4096 Jun  6 14:57 /tmp/mc-lexus/
drwx------ 2 lexus lexus 4096 Jan  1  1970 /tmp/orbit-lexus/
drwx------ 2 root  root  4096 Jan  1  1970 /tmp/orbit-root/
drwx------ 2 lexus lexus 4096 Jun 11 16:48 /tmp/plugtmp/
drwx------ 2 lexus lexus 4096 May 26 17:59 /tmp/ssh-ftcIDV2jxXYG/
drwx------ 2 lexus lexus 4096 May 26 17:59 /tmp/ssh-tzuelndrwY3i/
lexus@lexus:~$
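The */ glob above is the quick answer, but it silently skips dot-directories (.ssh, .config and so on) and only works for the shell's current globbing rules. As an added example (not from the original post), here is a small POSIX-shell wrapper around find that lists exactly one level of directories, hidden ones included, and copes with names containing spaces such as "VirtualBox VMs" in the listing above. The function names are assumptions of the example.

```sh
#!/bin/sh
# list_dirs [DIR]: directories directly under DIR (default: .), one per line,
# including dot-directories, which the */ glob silently skips.
# -mindepth/-maxdepth are not POSIX but are supported by GNU, BSD and busybox find.
list_dirs() {
    find "${1:-.}" -mindepth 1 -maxdepth 1 -type d | LC_ALL=C sort
}

# count_dirs [DIR]: how many such directories there are.
# A name containing a newline would be counted twice; use -print0 | xargs -0 for those.
count_dirs() {
    list_dirs "$1" | wc -l | tr -d ' '
}
```

Pipe list_dirs through `xargs -d '\n' ls -dl` on GNU systems if you want the same long-format output as ls -dl */; on a BSD userland loop over the lines with `while IFS= read -r d; do ls -dl "$d"; done` instead.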