{"id":1194,"date":"2018-05-23T09:17:28","date_gmt":"2018-05-23T04:17:28","guid":{"rendered":"http:\/\/alexeyka.zantsev.com\/?p=1194"},"modified":"2021-02-28T01:34:58","modified_gmt":"2021-02-27T20:34:58","slug":"opensips-clients-ip-address-blacklisting-with-iptables-rule-expiration","status":"publish","type":"post","link":"https:\/\/alexeyka.zantsev.com\/?p=1194","title":{"rendered":"SIP flood vs OpenSIPS armed with pike.so, exec.so, ipset and iptables"},"content":{"rendered":"

Preface: the PIKE<\/a> module itself blocks SIP requests (just stops sending any replies) in case of flood. This article is about going on – adding flooding IP addresses to ipset for further rejecting any traffic to the OpenSIPS server using iptables.<\/p>\n

1. Create an ipset with auto removing addresses after 120 seconds and ability to add comments.<\/p>\n

ipset create SIPFLOOD hash:ip timeout 120 comment\n<\/pre>\n
2. An iptables rule, which will drop incoming traffic from src IP addresses from created ipset table:<\/p>\n
iptables -A INPUT -m set --match-set SIPFLOOD src -j DROP\n<\/pre>\n
3. Allow OpenSIPS’ run-user (usually ‘opensips’) executing ‘ipset’ command without a password (add this line to \/etc\/sudoers using ‘visudo’ command):<\/p>\n
opensips ALL= NOPASSWD: \/sbin\/ipset\n<\/pre>\n
4. OpenSIPS configuration.<\/p>\n
Part of modules section of config:

\n#### exec
\nloadmodule \"exec.so\"<\/code><\/p>\n

\n<\/code><\/p>\n
#### antiflood module
\nloadmodule \"pike.so\"
\nmodparam(\"pike\", \"sampling_time_unit\", 2)
\nmodparam(\"pike\", \"reqs_density_per_unit\", 10)
\nmodparam(\"pike\", \"remove_latency\", 120)
\n<\/code><\/p>\n
Part of OpenSIPS script, assuming that somebody sends us too much OPTIONS requests:<\/p>\n
if(is_method(\"OPTIONS\")) {\n\n    pike_check_req();\n    switch($retcode) {\n        case -2:    # detected once - simply drop the request\n            exit;\n        case -1:    # detected again - ban the IP and drop request\n            exec(\"\/usr\/bin\/sudo ipset -exist add SIPFLOOD $si\");\n            exit;\n    }\n\n    sl_send_reply(\"200\", \"OK\");\n    exit;\n}\n<\/pre>\n
5. You may test all this with ‘sipp’ tool.<\/p>\n
This is for generating 10 requests (-r) in 2 seconds (-rp 2000) and exiting sipp after sending 10 requests (-m):<\/p>\n
sipp 172.16.0.222 -r 10 -rp 2000 -m 10 -sf OPTIONS.xml\n<\/pre>\n
This – for generating 70 requests (-r) in 2 seconds (-rp 2000) and exiting sipp after sending 70 requests (-m):<\/p>\n
sipp 172.16.0.222 -r 70 -rp 2000 -m 70 -sf OPTIONS.xml\n<\/pre>\n
The OPTIONS.xml is as follows:<\/p>\n
\"\"<\/a><\/p>\n\n\n
UPD 2019-july-30: pike writes log messages (at least in automatic mode, but I’m sure that also in the manual ):<\/p>\n\n\n\n
 Jul 30 06:59:05 ... \/opensips[15531]: PIKE - BLOCKing ip 46.166.151.117, node=0x7f6dec201c08
 Jul 30 06:59:05 ... \/opensips[15533]: PIKE - UNBLOCKing node 0x7f6dec201b38
 Jul 30 06:59:07 ... \/opensips[15531]: PIKE - BLOCKing ip 46.166.151.163, node=0x7f6dec201d40
<\/pre>\n\n\n\n
If you do not need all these messages (in case of SIP flood it may be too many), just set the log_level for pike.so module:<\/p>\n\n\n\n
modparam(\"pike\", \"pike_log_level\", 3)<\/pre>\n\n\n\n
And then set the log_level for your OpenSIPS to be not so verbose (pike’s log_level must be greater than global):<\/p>\n\n\n\n
opensips-cli -x mi log_level 2<\/pre>\n\n\n\n
… or\/and in config file:<\/p>\n\n\n\n
log_level=2<\/pre>\n","protected":false},"excerpt":{"rendered":"
Preface: the PIKE module itself blocks SIP requests (just stops sending any replies) in case of flood. This article is about going on – adding flooding IP addresses to ipset for further rejecting any traffic to the OpenSIPS server using iptables. 1. Create an ipset with auto removing addresses after 120 seconds and ability to […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[208],"class_list":["post-1194","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-opensips"],"_links":{"self":[{"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/posts\/1194","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1194"}],"version-history":[{"count":30,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/posts\/1194\/revisions"}],"predecessor-version":[{"id":3645,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/posts\/1194\/revisions\/3645"}],"wp:attachment":[{"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1194"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1194"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1194"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}