Linux and Unix technical recipes | Blog | Categories

Posts with the name or tag of Asterisk;

Block DDoS attack on SIP Server

2:29 pm in Asterisk, FreeSWITCH, Kamailio, OpenSIPS, PJSIP, Yate by emran

Sometimes SIP Server attacked by hacker with huge number of SIP Registration.Which make mad the SIP Server.Full service can be get down. It can be blocked easily by IPTables. IPTables will work as Session Border Controller(SBC) for SIP Server. This script will work only with SIP.it will not work for TLS or SIPS.

#!/bin/sh
#
# INVITE rate, per host. Remember a successful (authenticated) call requires 2 INVITEs-
# Initial INVITE, 407 auth required (w/ nonce), INVITE with nonce and authentication.
IRATE=4/minute

# REGISTER rate, per host.
RRATE=2/minute

# All other SIP methods rate, per host. Be careful with SUBSCRIBEs, OPTIONS, CANCELs, etc.
ORATE=10/minute

# Methods for this script to ignore. These SIP methods are always allowed.
IGMETH=”OPTIONS”

# Burst
BURST=1

# Interface(s) to protect on INPUT. Seperate multiple interfaces with spaces.
# This will protect SIP services on THIS HOST.
IFACE=”eth0″

# Reject/drop action – usually something like DROP or REJECT.
# Use ACCEPT to use this script to not filter traffic but still collect statistics.
DACTION=DROP

# Protocol(s) to filter – can be either tcp or udp or both. Seperate multiples with spaces.
PROTOCOLS=”udp tcp”

# Enable logging.
#LOG=YES

# Block tel: URIs completely?
# P.S. – tel: sucks!
BLOCKTEL=yes

# Interface(s) to protect on FORWARD. Seperate multiple interfaces with spaces.
# The same hashtable will protect the entire network from the same host(s).
# Destination IP is NOT taken into consideration.
# This will protect any SIP services running on the network that uses this machine
# as a router (as long as you get the interfaces right).
#FIFACE=”eth0″

# Location of iptables binary.
IPTABLES=`which iptables`

# Search packet to this location. A larger offset looks further into the packet
# and takes more time but could catch more attacks (and false alarms).
# Remember, the method to match on is always in the beginning of the packet.
OFFSET=65

# SIP port
SPORT=5060

if [ ! "$1" ]
then
echo “SIP DoS/DDoS mitigation script for iptables
See top of script for configuration

Usage:
$0 [start|stop|status]”
exit 1
fi

if [ "$1" = "status" ]
then
$IPTABLES -L -v -n
exit
fi

# Setup iptables
$IPTABLES -F sipdos 2> /dev/null
$IPTABLES -X sipdos 2> /dev/null
$IPTABLES -N sipdos 2> /dev/null

if [ "$1" = "stop" ]
then
echo “Clearing iptables rules…”
if [ "$FIFACE" ]
then
$IPTABLES -F FORWARD 2> /dev/null
fi
$IPTABLES -F INPUT 2> /dev/null
exit
fi

# Send the right traffic through our chain
for i in $IFACE
do
for l in $PROTOCOLS
do
$IPTABLES -A INPUT -i $i -m $l -p $l –dport $SPORT -j sipdos
done
done

# Send the right forwarded traffic through our chain
if [ "$FIFACE" ]
then
for j in $FIFACE
do
for l in $PROTOCOLS
do
$IPTABLES -A FORWARD -i $j -m $l -p $l –dport $SPORT -j sipdos
done
done
fi

# “Handle” tel: URIs
if [ "$BLOCKTEL" ]
then
$IPTABLES -A sipdos -m string –string “tel:” –algo bm –to $OFFSET -j $DACTION
fi

# Ignore certain (configured) methods
if [ "$IGMETH" ]
then
for k in $IGMETH
do
$IPTABLES -A sipdos -m string –string “$k sip:” –algo bm –to $OFFSET -j ACCEPT
done
fi

# Finally set some limits…

# INVITE limit
$IPTABLES -A sipdos -m string –string “INVITE sip:” –algo bm –to $OFFSET \
-m hashlimit –hashlimit $IRATE –hashlimit-burst $BURST \
–hashlimit-mode srcip,dstport –hashlimit-name sip_i_limit -j ACCEPT

# REGISTER limit
$IPTABLES -A sipdos -m string –string “REGISTER sip:” –algo bm –to $OFFSET \
-m hashlimit –hashlimit $RRATE –hashlimit-burst $BURST \
–hashlimit-mode srcip,dstport –hashlimit-name sip_r_limit -j ACCEPT

# All other SIP packets…
$IPTABLES -A sipdos -m hashlimit –hashlimit $ORATE –hashlimit-burst $BURST \
–hashlimit-mode srcip,dstport –hashlimit-name sip_o_limit -j ACCEPT

# Take action on everything else
if [ $LOG ]
then
$IPTABLES -A sipdos -j LOG
fi

$IPTABLES -A sipdos -j $DACTION

Tags: DDoS Attach on SIP Server

by emran

OpenSIPS Externel Perl Script Run

10:15 am in Asterisk, FreeBSD, Kamailio, OpenSIPS, Perl by emran

You can easily redirect any sip uri based on opensips exec.so module on perl script. you need to load

loadmodule “exec.so”

In the route section you have to exec perl script with paramter $tu (To username) and $fu (from Username).

route {

if(method == “INVITE”) {
exec_dset(“/usr/local/bin/route.pl $fU $tU”);
sl_send_reply(“302″,”LCR Redirect”);
} else {
route(1);
}

}

In the perl script just write the follow code:

#!/bin/sh
echo sip:+121242415112@howtonix.com

NOTE: To get this to work correctly with Asterisk you need to add “promiscredir=yes” to the general section of your sip.conf

Tags: Perl Opensips SIPS Redirect Kamailio

by emran

AMR Codec for Asterisk 1.4 and 1.6

12:27 pm in Asterisk by emran

This patch adds AMR-NB support to Asterisk 1.4

(for Asterisk 1.6 check out asterisk 1.6 branch and use the
asterisk-1.6-AMR.patch patch (provided by Ivelin Ivanov))

1. create the asterisk directory

$ mkdir asterisk-1.4-SVN-AMR
$ cd asterisk-1.4-SVN-AMR/

2. checkout fontventa repository

$ svn checkout http://sip.fontventa.com/svn/asterisk/ fontventa

3. checkout Asterisk

$ svn checkout http://svn.digium.com/svn/asterisk/branches/1.4 asterisk
$ cd asterisk/

4. add AMR to Asterisk

$ patch –dry-run -p0 < ../fontventa/amr/amr-asterisk-patch.txt
$ patch -p0 < ../fontventa/amr/amr-asterisk-patch.txt
$ cd codecs
$ ln -s ../../fontventa/amr/amr_slin_ex.h
$ ln -s ../../fontventa/amr/slin_amr_ex.h
$ ln -s ../../fontventa/amr/codec_amr.c
$ mkdir amr
$ cd amr
$ wget http://www.3gpp.org/ftp/Specs/archive/26_series/26.104/26104-700.zip
$ unzip -j 26104-700.zip
$ unzip -j 26104-700_ANSI_C_source_code.zip
$ ln -s ../../../fontventa/amr/Makefile
$ cd ../..

5. build Asterisk

$ ./configure
$ make

6. configure AMR
app_h324m and app_mp4 encode AMR inside the ast_frame in RTP octed aligned mode. (RFC 4867 section 4.4).
To configure the AMR codec to use octed aligned mode add this to codecs.conf:

[amr]
octet-aligned=1

by emran

How to Install ztdummy timer for CentOS

7:40 pm in Asterisk by emran

Install the CentOS kernel sources (google it)
Build the kernel source
Make sure /usr/src/kernel/.config is your kernel config
Make sure /lib/modules/`uname -r`/build points to your kernel directory

Required Packages:

Subversion
ncurses
ncurses-devel
newt
newt-devel
bison
bison-devel

cd /usr/src
svn co http://svn.digium.com/svn/zaptel/tags/1.4.2.1 zaptel
cd zaptel
./configure
make
make install
make config
vi /etc/init.d/zaptel
change
this: action ”Removing zaptel module: ” rmmod zaptel
to: action ”Removing zaptel module: ” rmmod ztdummy zaptel
mkdir -p /var/lib/digium/licenses/
useradd asterisk
echo zap/*:asterisk:asterisk:660 >> /etc/udev/permissions.d/50-udev.permissions
/sbin/udevstart
/etc/init.d/zaptel start
chkconfig –add zaptel

/etc/init.d/zaptel

If you are running a RedHat based system run
$ make config
from within the zaptel source directory. This will create a file called zaptel in /etc/init.d/. Edit the file and search or MODULES and RMODULES, you will see a list of all of the zaptel modules i.e. wcfxo and wctdm(OLD:wcfxs). I deleted all of the entires with the quotes “” becasue I didn’t have any additional hardware and added ztdummy to both fields. You can probably just add ztdummy to the list.

Now if you type
$ sudo service zaptel start
ztdummy should be running. If you use the ntsysv or similar gui utility you can ensure the service starts after all reboots.

by emran