Archive for the ‘Asterisk’ Category

Block DDoS attack on SIP Server

June 16th, 2010 emran No comments

A SIP server is sometimes attacked with a huge number of SIP REGISTER requests, which can overload it and take the whole service down. Such floods can be blocked easily with iptables, which then works as a Session Border Controller (SBC) for the SIP server. This script works only with plain SIP; it will not work for TLS or SIPS.

#!/bin/sh
#
# INVITE rate, per host. Remember a successful (authenticated) call requires 2 INVITEs-
# Initial INVITE, 407 auth required (w/ nonce), INVITE with nonce and authentication.
IRATE=4/minute

# REGISTER rate, per host.
RRATE=2/minute

# All other SIP methods rate, per host. Be careful with SUBSCRIBEs, OPTIONS, CANCELs, etc.
ORATE=10/minute

# Methods for this script to ignore. These SIP methods are always allowed.
IGMETH="OPTIONS"

# Burst
BURST=1

# Interface(s) to protect on INPUT. Separate multiple interfaces with spaces.
# This will protect SIP services on THIS HOST.
IFACE="eth0"

# Reject/drop action – usually something like DROP or REJECT.
# Use ACCEPT to use this script to not filter traffic but still collect statistics.
DACTION=DROP

# Protocol(s) to filter – can be either tcp or udp or both. Separate multiples with spaces.
PROTOCOLS="udp tcp"

# Enable logging.
#LOG=YES

# Block tel: URIs completely?
# P.S. – tel: sucks!
BLOCKTEL=yes

# Interface(s) to protect on FORWARD. Separate multiple interfaces with spaces.
# The same hashtable will protect the entire network from the same host(s).
# Destination IP is NOT taken into consideration.
# This will protect any SIP services running on the network that uses this machine
# as a router (as long as you get the interfaces right).
#FIFACE="eth0"

# Location of iptables binary.
IPTABLES=`which iptables`

# Search packet to this location. A larger offset looks further into the packet
# and takes more time but could catch more attacks (and false alarms).
# Remember, the method to match on is always in the beginning of the packet.
OFFSET=65

# SIP port
SPORT=5060

if [ ! "$1" ]
then
    echo "SIP DoS/DDoS mitigation script for iptables
See top of script for configuration

Usage:
$0 [start|stop|status]"
    exit 1
fi

if [ "$1" = "status" ]
then
    $IPTABLES -L -v -n
    exit
fi

# Setup iptables
$IPTABLES -F sipdos 2> /dev/null
$IPTABLES -X sipdos 2> /dev/null
$IPTABLES -N sipdos 2> /dev/null

if [ "$1" = "stop" ]
then
    echo "Clearing iptables rules..."
    # Note: this flushes every rule in INPUT (and FORWARD), not only the jumps to sipdos.
    if [ "$FIFACE" ]
    then
        $IPTABLES -F FORWARD 2> /dev/null
    fi
    $IPTABLES -F INPUT 2> /dev/null
    exit
fi

# Send the right traffic through our chain
for i in $IFACE
do
    for l in $PROTOCOLS
    do
        $IPTABLES -A INPUT -i $i -m $l -p $l --dport $SPORT -j sipdos
    done
done

# Send the right forwarded traffic through our chain
if [ "$FIFACE" ]
then
    for j in $FIFACE
    do
        for l in $PROTOCOLS
        do
            $IPTABLES -A FORWARD -i $j -m $l -p $l --dport $SPORT -j sipdos
        done
    done
fi

# "Handle" tel: URIs
if [ "$BLOCKTEL" ]
then
    $IPTABLES -A sipdos -m string --string "tel:" --algo bm --to $OFFSET -j $DACTION
fi

# Ignore certain (configured) methods
if [ "$IGMETH" ]
then
    for k in $IGMETH
    do
        $IPTABLES -A sipdos -m string --string "$k sip:" --algo bm --to $OFFSET -j ACCEPT
    done
fi

# Finally set some limits...

# INVITE limit
$IPTABLES -A sipdos -m string --string "INVITE sip:" --algo bm --to $OFFSET \
    -m hashlimit --hashlimit $IRATE --hashlimit-burst $BURST \
    --hashlimit-mode srcip,dstport --hashlimit-name sip_i_limit -j ACCEPT

# REGISTER limit
$IPTABLES -A sipdos -m string --string "REGISTER sip:" --algo bm --to $OFFSET \
    -m hashlimit --hashlimit $RRATE --hashlimit-burst $BURST \
    --hashlimit-mode srcip,dstport --hashlimit-name sip_r_limit -j ACCEPT

# All other SIP packets...
$IPTABLES -A sipdos -m hashlimit --hashlimit $ORATE --hashlimit-burst $BURST \
    --hashlimit-mode srcip,dstport --hashlimit-name sip_o_limit -j ACCEPT

# Take action on everything else
if [ "$LOG" ]
then
    $IPTABLES -A sipdos -j LOG
fi

$IPTABLES -A sipdos -j $DACTION
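
An added example, not part of the original script: a small model of the sipdos chain for a single source address. It shows that an INVITE or REGISTER over its own limit does not match that rule and falls through to the catch-all ORATE rule, so the effective REGISTER ceiling is RRATE plus ORATE. The token-bucket model of hashlimit, the one-request-per-second traffic and the "strict" mode (a per-method drop rule placed after each limit rule) are assumptions made for illustration.

```shell
#!/bin/sh
# Model of the sipdos chain for ONE source IP; the traffic is constructed.
# hashlimit is modelled as a token bucket with BURST=1: credit grows by 1 per
# second up to one interval (60 / rate seconds) and a match costs one interval.

# bucket NAME INTERVAL NOW: returns 0 if under the limit (token spent), else 1
bucket() {
    eval "credit=\${credit_$1:-$2} last=\${last_$1:-$3}"
    credit=$((credit + $3 - last))
    if [ "$credit" -gt "$2" ]; then credit=$2; fi
    if [ "$credit" -ge "$2" ]; then
        eval "credit_$1=$((credit - $2)) last_$1=$3"
        return 0
    fi
    eval "credit_$1=$credit last_$1=$3"
    return 1
}

# chain METHOD NOW MODE: walks the rules in script order and sets $verdict.
# MODE "strict" adds a hypothetical per-method DROP after each limit rule.
chain() {
    verdict=ACCEPT
    case $1 in
        OPTIONS)  return 0 ;;                                # IGMETH
        INVITE)   if bucket i 15 "$2"; then return 0; fi ;;  # IRATE=4/minute
        REGISTER) if bucket r 30 "$2"; then return 0; fi ;;  # RRATE=2/minute
    esac
    case "$3:$1" in
        strict:INVITE|strict:REGISTER) verdict=DROP; return 0 ;;
    esac
    if bucket o 6 "$2"; then return 0; fi                    # ORATE=10/minute
    verdict=DROP                                             # DACTION
}

# simulate METHOD SECONDS MODE: one request per second; sets $accepted
simulate() {
    unset credit_i last_i credit_r last_r credit_o last_o
    accepted=0 t=0
    while [ "$t" -lt "$2" ]; do
        chain "$1" "$t" "$3"
        if [ "$verdict" = ACCEPT ]; then accepted=$((accepted + 1)); fi
        t=$((t + 1))
    done
}

simulate REGISTER 60 asis;   echo "as written: $accepted of 60 REGISTERs accepted"
simulate REGISTER 60 strict; echo "strict:     $accepted of 60 REGISTERs accepted"
```

In iptables terms, the strict mode corresponds to a string-match rule for the same method with -j $DACTION placed directly after each limit rule.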

OpenSIPS External Perl Script Run

June 7th, 2010 emran No comments

You can easily redirect any SIP URI from an external Perl script by using the OpenSIPS exec.so module. First you need to load the module:

loadmodule "exec.so"

In the route section you have to execute the Perl script with the parameters $tU (To username) and $fU (From username).

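route {

    if(method == "INVITE") {
        # Run the external script; its output becomes the new destination set
        exec_dset("/usr/local/bin/route.pl $fU $tU");
        sl_send_reply("302","LCR Redirect");
    } else {
        route(1);
    }

}

In the script (route.pl, here a plain shell script), just write the following code: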

#!/bin/sh
echo sip:+121242415112@howtonix.com

NOTE: To get this to work correctly with Asterisk you need to add "promiscredir=yes" to the general section of your sip.conf
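
A fuller route script, as an added example that is not the post's own code: it treats the two arguments given in the exec_dset call as untrusted, since the From and To usernames are written by the remote party, and picks a gateway by longest prefix match. The routing table, the gateway host names and the rule that usernames are an optional "+" followed by 3 to 15 digits are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed routing table: dial prefix, then gateway host (hypothetical names).
ROUTES='+1212 gw-nyc.example.net
+1 gw-us.example.net
+44 gw-uk.example.net'

# valid_user VALUE: optional "+" followed by 3 to 15 digits, nothing else
valid_user() {
    case $1 in
        ''|*[!0-9+]*|?*+*) return 1 ;;
    esac
    digits=${1#+}
    [ "${#digits}" -ge 3 ] && [ "${#digits}" -le 15 ]
}

# route_for FROM_USER TO_USER: prints one SIP URI, or fails and prints nothing
route_for() {
    # Both usernames come from headers written by the remote party.
    valid_user "$1" || return 1
    valid_user "$2" || return 1
    best='' gw=''
    while read -r prefix host; do
        case $2 in
            "$prefix"*)   # keep the longest matching prefix
                if [ "${#prefix}" -gt "${#best}" ]; then best=$prefix gw=$host; fi ;;
        esac
    done <<EOF
$ROUTES
EOF
    [ -n "$gw" ] || return 1
    printf 'sip:%s@%s\n' "$2" "$gw"
}

# Called as in the route block above: route.pl <from-user> <to-user>
if [ "$#" -ge 2 ]; then route_for "$1" "$2"; fi
```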

AMR Codec for Asterisk 1.4 and 1.6

September 29th, 2009 emran No comments

This patch adds AMR-NB support to Asterisk 1.4

(for Asterisk 1.6 check out asterisk 1.6 branch and use the
asterisk-1.6-AMR.patch patch (provided by Ivelin Ivanov))

1. create the asterisk directory

$ mkdir asterisk-1.4-SVN-AMR
$ cd asterisk-1.4-SVN-AMR/

2. checkout fontventa repository

$ svn checkout http://sip.fontventa.com/svn/asterisk/ fontventa

3. checkout Asterisk

$ svn checkout http://svn.digium.com/svn/asterisk/branches/1.4 asterisk
$ cd asterisk/

4. add AMR to Asterisk

$ patch --dry-run -p0 < ../fontventa/amr/amr-asterisk-patch.txt
$ patch -p0 < ../fontventa/amr/amr-asterisk-patch.txt
$ cd codecs
$ ln -s ../../fontventa/amr/amr_slin_ex.h
$ ln -s ../../fontventa/amr/slin_amr_ex.h
$ ln -s ../../fontventa/amr/codec_amr.c
$ mkdir amr
$ cd amr
$ wget http://www.3gpp.org/ftp/Specs/archive/26_series/26.104/26104-700.zip
$ unzip -j 26104-700.zip
$ unzip -j 26104-700_ANSI_C_source_code.zip
$ ln -s ../../../fontventa/amr/Makefile
$ cd ../..

5. build Asterisk

$ ./configure
$ make

6. configure AMR
app_h324m and app_mp4 encode AMR inside the ast_frame in RTP octet-aligned mode (RFC 4867 section 4.4).
To configure the AMR codec to use octet-aligned mode, add this to codecs.conf:

[amr]
octet-aligned=1

Categories: Asterisk Tags:

How to Install ztdummy timer for CentOS

September 28th, 2009 emran No comments

Install the CentOS kernel sources (google it)
Build the kernel source
Make sure /usr/src/kernel/.config is your kernel config
Make sure /lib/modules/`uname -r`/build points to your kernel directory

Required Packages:

  1. Subversion
  2. ncurses
  3. ncurses-devel
  4. newt
  5. newt-devel
  6. bison
  7. bison-devel

cd /usr/src
svn co http://svn.digium.com/svn/zaptel/tags/1.4.2.1 zaptel
cd zaptel
./configure
make
make install
make config
vi /etc/init.d/zaptel
change
    this: action "Removing zaptel module: " rmmod zaptel
    to: action "Removing zaptel module: " rmmod ztdummy zaptel
mkdir -p /var/lib/digium/licenses/
useradd asterisk
echo zap/*:asterisk:asterisk:660 >> /etc/udev/permissions.d/50-udev.permissions
/sbin/udevstart
/etc/init.d/zaptel start
chkconfig --add zaptel

/etc/init.d/zaptel

If you are running a RedHat based system run
  $ make config
from within the zaptel source directory. This will create a file called zaptel in /etc/init.d/. Edit the file and search for MODULES and RMODULES; you will see a list of all of the zaptel modules, i.e. wcfxo and wctdm (OLD: wcfxs). I deleted all of the entries with the quotes "" because I didn't have any additional hardware and added ztdummy to both fields. You can probably just add ztdummy to the list.

Now if you type
   $ sudo service zaptel start
ztdummy should be running. If you use the ntsysv or similar gui utility you can ensure the service starts after all reboots.

Categories: Asterisk Tags:

how to send SIP traffic Flood by sipsak?

September 25th, 2009 emran No comments

sipsak -F -vvv -u 500 -H 192.168.11.33 -l 5060 -s sip:192.168.11.52

Categories: Asterisk, FreeSWITCH, OpenSIPS, Yate Tags:

How to capture SIP Packet with Tcpdump ?

September 25th, 2009 emran No comments

tcpdump -i eth0 -n -s0 -v udp port 5060

Categories: Asterisk, FreeSWITCH, OpenSIPS, Yate Tags:

Asterisk SS7 Installation

September 25th, 2009 emran No comments

1. install & download Dahdi Complete package:

wget http://downloads.asterisk.org/pub/telephony/dahdi-linux-complete/dahdi-linux-complete-2.2.0.2+2.2.0.tar.gz

make
make install

2. install & download libss7

wget http://downloads.asterisk.org/pub/telephony/libss7/libss7-1.0.2.tar.gz

make
make install
3. download & install asterisk-1.6.0.14

wget http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-1.6.0.14.tar.gz

./configure
make
make install

now edit /etc/dahdi/system.conf

span=1,1,0,ccs,hdb3

bchan=2-31

mtp2=1

echocanceller=mg2,2-31

span=2,2,0,ccs,hdb3

bchan=32-62

echocanceller=mg2,32-62

span=3,3,0,ccs,hdb3

bchan=63-93

echocanceller=mg2,63-93

span=4,4,0,ccs,hdb3

bchan=94-124

echocanceller=mg2,94-124

loadzone = us

defaultzone = us

 

finally edit chan_dahdi.conf from /etc/asterisk:

[channels]

language=en

context=ss7

switchtype=euroisdn

signalling=ss7

toneduration=100

usecallerid=yes

callwaiting=yes

usecallingpres=yes

callwaitingcallerid=yes

threewaycalling=yes

transfer=yes

canpark=yes

cancallforward=yes

callreturn=yes

echocancel=yes

echocancelwhenbridged=yes

group= 1

callgroup=1

pickupgroup=1

ss7type = itu

ss7_called_nai=dynamic

ss7_calling_nai=dynamic

linkset = 1

pointcode = 1024

adjpointcode = 1234

defaultdpc = 1234

networkindicator=national

cicbeginswith = 2

mtp2=1

sigchan = 1

channel = 2-31

cicbeginswith = 32

channel =33-62

cicbeginswith = 63

channel =63-93

cicbeginswith = 94

channel = 94-124

 

Categories: Asterisk Tags:

Free SIP Out Bound Proxy Service

September 25th, 2009 emran No comments

Your free SIP Outbound Proxy Service, bypass local  ISPs’ blocking, start using your broadband phone.

http://freesps.googlepages.com/

Categories: Asterisk, FreeSWITCH, OpenSIPS, Yate Tags: