{"id":843,"date":"2015-07-26T16:26:03","date_gmt":"2015-07-26T11:26:03","guid":{"rendered":"http:\/\/alexeyka.zantsev.com\/?p=843"},"modified":"2015-10-05T15:10:06","modified_gmt":"2015-10-05T10:10:06","slug":"opensips-protecting-from-undesidered-requests","status":"publish","type":"post","link":"https:\/\/alexeyka.zantsev.com\/?p=843","title":{"rendered":"OpenSIPS: protecting from undesired requests"},"content":{"rendered":"<p>Original: <a href=\"http:\/\/lists.opensips.org\/pipermail\/users\/2013-March\/024887.html\" target=\"_blank\">http:\/\/lists.opensips.org\/pipermail\/users\/2013-March\/024887.html<\/a><\/p>\n<blockquote><p>A few suggestions (mostly already suggested by many guys in this thread, I<br \/>\nam only arranging their order to a secure setup), OpenSIPS log level should<br \/>\nbe at least 2.<\/p>\n<p>1. I usually filter out all known nasty users \/ attackers right in sanity<br \/>\ncheck section of default request route. My sanity check section is structured<br \/>\nsomething like this:<\/p>\n<p>    a). check max forwards.<br \/>\n    b). check message size.<br \/>\n    c). check user-agent string against filter list, you can use<br \/>\npermissions module for this as well as hard code user-agents as Nick<br \/>\nsuggested.<\/p><\/blockquote>\n<pre>\r\n############################################\r\nroute {\r\nif (!mf_process_maxfwd_header(\"10\")) {\r\n     sl_send_reply(\"483\",\"Too Many Hops\");\r\n     exit;\r\n};\r\n\r\nif (msg:len > max_len) {\r\n     sl_send_reply(\"513\",\"Message Too Big\");\r\n     exit;\r\n};\r\n\r\nif ($ua =~ \"friendly-scanner\") {\r\n     xlog(\"L_WARN\", \"[$pr:$fU@$si:$sp]: Rejecting '$rm' request from bogus device '$ua' \\n\");\r\n     exit;\r\n};\r\n...\r\n#####################################\r\n<\/pre>\n<blockquote><p>2. 
Then in authentication section, I make sure to authenticate both INVITE<br \/>\nand REGISTER requests, you check ret-code for both www-authorize and<br \/>\nproxy-authorize methods and if it is -1 or -2 then do xlog to print log on<br \/>\nintruder which is picked by fail2ban to block the user (make sure text<br \/>\npattern in your xlog matches failregex in fail2ban!).\n<\/p><\/blockquote>\n<p>Negative code meanings: <a href=\"http:\/\/www.opensips.org\/html\/docs\/modules\/2.1.x\/auth_db.html#id293676\" target=\"_blank\">http:\/\/www.opensips.org\/html\/docs\/modules\/2.1.x\/auth_db.html#id293676<\/a><\/p>\n<pre>\r\n#####################################\r\n...\r\nif (!www_authorize(\"\",\"subscriber\")) {\r\n\r\n     switch ($retcode) {\r\n     case -1:\r\n          xlog(\"L_NOTICE\", \"[$pr:$fU@$si:$sp]: Auth error for '$tU' from '$si', peer not found - User-Agent: '$ua' \\n\");\r\n          break;\r\n     case -2:\r\n          xlog(\"L_NOTICE\", \"[$pr:$fU@$si:$sp]: Auth error for '$tU' from '$si', wrongpassword - User-Agent: '$ua' \\n\");\r\n          break;\r\n          ...\r\n     };\r\n\r\nwww_challenge(\"\", \"1\");\r\nexit;\r\n};\r\n...\r\n#######################################\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Original: http:\/\/lists.opensips.org\/pipermail\/users\/2013-March\/024887.html A few suggestions (mostly already suggested by many guys in this thread, I am only arranging their order to a secure setup), OpenSIPS log level should be at least 2. 1. I usually filter out all known nasty users \/ attackers right in sanity check section of default request route. 
My sanity check [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[208],"class_list":["post-843","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-opensips"],"_links":{"self":[{"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/posts\/843","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=843"}],"version-history":[{"count":11,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/posts\/843\/revisions"}],"predecessor-version":[{"id":868,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/posts\/843\/revisions\/868"}],"wp:attachment":[{"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=843"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=843"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=843"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}