Archive for the ‘OpenSIPS’ Category

Block DDoS attack on SIP Server

June 16th, 2010 emran No comments

Sometimes a SIP server is attacked with a huge number of SIP registrations, which can overwhelm the server and bring the whole service down. This can be blocked easily with iptables, which then works as a Session Border Controller (SBC) for the SIP server. This script works only with plain SIP, because it matches the method name in the cleartext packet; it will not work for TLS or SIPS.

#!/bin/sh
#
# INVITE rate, per host. Remember a successful (authenticated) call requires 2 INVITEs-
# Initial INVITE, 407 auth required (w/ nonce), INVITE with nonce and authentication.
IRATE=4/minute

# REGISTER rate, per host.
RRATE=2/minute

# All other SIP methods rate, per host. Be careful with SUBSCRIBEs, OPTIONS, CANCELs, etc.
ORATE=10/minute

# Methods for this script to ignore. These SIP methods are always allowed.
IGMETH="OPTIONS"

# Burst
BURST=1

# Interface(s) to protect on INPUT. Separate multiple interfaces with spaces.
# This will protect SIP services on THIS HOST.
IFACE="eth0"

# Reject/drop action - usually something like DROP or REJECT.
# Use ACCEPT to use this script to not filter traffic but still collect statistics.
DACTION=DROP

# Protocol(s) to filter - can be either tcp or udp or both. Separate multiples with spaces.
PROTOCOLS="udp tcp"

# Enable logging.
#LOG=YES

# Block tel: URIs completely?
# P.S. – tel: sucks!
BLOCKTEL=yes

# Interface(s) to protect on FORWARD. Separate multiple interfaces with spaces.
# The same hashtable will protect the entire network from the same host(s).
# Destination IP is NOT taken into consideration.
# This will protect any SIP services running on the network that uses this machine
# as a router (as long as you get the interfaces right).
#FIFACE="eth0"

# Location of iptables binary.
IPTABLES=`which iptables`

# Search packet to this location. A larger offset looks further into the packet
# and takes more time but could catch more attacks (and false alarms).
# Remember, the method to match on is always in the beginning of the packet.
OFFSET=65

# SIP port
SPORT=5060

if [ ! "$1" ]
then
echo "SIP DoS/DDoS mitigation script for iptables
See top of script for configuration

Usage:
$0 [start|stop|status]"
exit 1
fi

if [ "$1" = "status" ]
then
$IPTABLES -L -v -n
exit
fi

# Setup iptables
$IPTABLES -F sipdos 2> /dev/null
$IPTABLES -X sipdos 2> /dev/null
$IPTABLES -N sipdos 2> /dev/null

if [ "$1" = "stop" ]
then
echo "Clearing iptables rules..."
# Note: -F flushes every rule in the chain, not only the jumps to sipdos.
if [ "$FIFACE" ]
then
$IPTABLES -F FORWARD 2> /dev/null
fi
$IPTABLES -F INPUT 2> /dev/null
exit
fi

# Send the right traffic through our chain
for i in $IFACE
do
for l in $PROTOCOLS
do
$IPTABLES -A INPUT -i "$i" -p "$l" -m "$l" --dport $SPORT -j sipdos
done
done

# Send the right forwarded traffic through our chain
if [ "$FIFACE" ]
then
for j in $FIFACE
do
for l in $PROTOCOLS
do
$IPTABLES -A FORWARD -i "$j" -p "$l" -m "$l" --dport $SPORT -j sipdos
done
done
fi

# "Handle" tel: URIs
if [ "$BLOCKTEL" ]
then
$IPTABLES -A sipdos -m string --string "tel:" --algo bm --to $OFFSET -j $DACTION
fi

# Ignore certain (configured) methods
if [ "$IGMETH" ]
then
for k in $IGMETH
do
$IPTABLES -A sipdos -m string --string "$k sip:" --algo bm --to $OFFSET -j ACCEPT
done
fi

# Finally set some limits...

# INVITE limit
$IPTABLES -A sipdos -m string --string "INVITE sip:" --algo bm --to $OFFSET \
-m hashlimit --hashlimit $IRATE --hashlimit-burst $BURST \
--hashlimit-mode srcip,dstport --hashlimit-name sip_i_limit -j ACCEPT

# REGISTER limit
$IPTABLES -A sipdos -m string --string "REGISTER sip:" --algo bm --to $OFFSET \
-m hashlimit --hashlimit $RRATE --hashlimit-burst $BURST \
--hashlimit-mode srcip,dstport --hashlimit-name sip_r_limit -j ACCEPT

# All other SIP packets...
# Packets that exceeded the INVITE or REGISTER limit above also reach this rule.
$IPTABLES -A sipdos -m hashlimit --hashlimit $ORATE --hashlimit-burst $BURST \
--hashlimit-mode srcip,dstport --hashlimit-name sip_o_limit -j ACCEPT

# Take action on everything else
if [ "$LOG" ]
then
$IPTABLES -A sipdos -j LOG
fi

$IPTABLES -A sipdos -j $DACTION
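
The rules in the sipdos chain are evaluated in order, so a packet that exceeds its method's limit is not dropped at once but falls through to the catch-all rule. The following Python model is an added example, not part of the original script: it approximates each hashlimit entry as a token bucket keyed on source IP only, matches on the request line instead of packet bytes, and uses constructed addresses and SIP lines.

```python
# Added example: simplified model of the sipdos chain, not the original script.
RATES = {"sip_i_limit": 4, "sip_r_limit": 2, "sip_o_limit": 10}  # IRATE, RRATE, ORATE (per minute)
BURST, IGMETH = 1, ("OPTIONS",)

class Bucket:
    """Token bucket approximating one hashlimit entry (assumed: one per source IP)."""
    def __init__(self, per_minute):
        self.refill = 60.0 / per_minute          # seconds needed to earn one token
        self.tokens, self.last = float(BURST), 0.0
    def take(self, now):
        self.tokens = min(float(BURST), self.tokens + (now - self.last) / self.refill)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

class SipdosChain:
    def __init__(self):
        self.tables = {name: {} for name in RATES}   # one table per --hashlimit-name
    def _within(self, name, src, now):
        bucket = self.tables[name].setdefault(src, Bucket(RATES[name]))
        return bucket.take(now)
    def verdict(self, src, start_line, now):
        """Walk the rules in chain order; the first rule that matches decides."""
        if "tel:" in start_line:                              # BLOCKTEL rule
            return "DROP tel"
        if any(f"{m} sip:" in start_line for m in IGMETH):    # IGMETH rule
            return "ACCEPT ignored"
        if "INVITE sip:" in start_line and self._within("sip_i_limit", src, now):
            return "ACCEPT sip_i_limit"
        if "REGISTER sip:" in start_line and self._within("sip_r_limit", src, now):
            return "ACCEPT sip_r_limit"
        if self._within("sip_o_limit", src, now):             # catch-all rule
            return "ACCEPT sip_o_limit"
        return "DROP"                                         # DACTION

def replay(events):
    chain = SipdosChain()
    return [chain.verdict(src, line, t) for t, src, line in events]

# Constructed traffic from one host: INVITE, its authenticated retry, a third, a later one.
INVITE = "INVITE sip:bob@example.com SIP/2.0"
SAMPLE = [(0.0, "198.51.100.7", INVITE), (0.1, "198.51.100.7", INVITE),
          (0.2, "198.51.100.7", INVITE), (0.3, "198.51.100.7", "OPTIONS sip:example.com SIP/2.0"),
          (16.0, "198.51.100.7", INVITE)]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

With BURST=1 the authenticated second INVITE passes only because it falls through to the catch-all bucket, so the effective per-host INVITE allowance is IRATE plus whatever remains of ORATE.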

Increase Private Memory Size on OpenSIPS

June 8th, 2010 admin 2 comments

By default the size of private memory chunk used by each OpenSIPS process is 1 MB.

To increase the size of private memory you need to compile OpenSIPS from sources. Once you get the sources from SVN or the opensips.org’s download site, do the following steps:

- edit the file “config.h” and search for the next lines:

/*used only if PKG_MALLOC is defined*/
#define PKG_MEM_POOL_SIZE 1024*1024

- change the value of PKG_MEM_POOL_SIZE to desired size, for example to have 4MB of private memory:

#define PKG_MEM_POOL_SIZE 4*1024*1024

- recompile and reinstall OpenSIPS

make all; make install;

Categories: Linux, OpenSIPS Tags:

Increase Shared Memory Size on OpenSIPS

June 8th, 2010 admin No comments

To increase the shared memory size, use the ‘-m’ command line parameter of OpenSIPS.

opensips -m 256

# this will run OpenSIPS with 256MB of shared memory

Categories: Linux, OpenSIPS Tags:

OpenSIPS External Perl Script Run

June 7th, 2010 emran No comments

You can easily redirect any SIP URI from a Perl script by using the OpenSIPS exec.so module. You need to load the module:

loadmodule "exec.so"

In the route section, execute the Perl script with the parameters $fU (From username) and $tU (To username).

route {

if(method == "INVITE") {
exec_dset("/usr/local/bin/route.pl $fU $tU");
sl_send_reply("302","LCR Redirect");
} else {
route(1);
}

}

In the Perl script, just write the following code:

#!/bin/sh
echo sip:+121242415112@howtonix.com

NOTE: To get this to work correctly with Asterisk you need to add “promiscredir=yes” to the general section of your sip.conf

How to install Opensips

September 29th, 2009 emran No comments

OpenSIPS is one of the best open-source solutions available; it provides ITSP-level services on a good hardware box. A single box configured with OpenSIPS can support 5000-10000 calls at a time, which allows a telco to operate with more than 5-10 billion minutes per year. Anyone can use it to support a business that is incurring high costs from expensive hardware such as iSoftSwitch.

REQUIREMENTS:

  1. gcc / suncc / icc : gcc >= 2.9x; 4.[012] recommended (it will work with older version but it might require some options tweaking for best performance)
  2. bison or yacc (Berkeley yacc)
  3. flex
  4. GNU make (on Linux this is the standard “make”, on FreeBSD and Solaris is called “gmake”) version >= 3.79.
  5. sed and tr (used in the makefiles)
  6. GNU tar (“gtar” on Solaris) and gzip if you want “make tar” to work
  7. GNU install or BSD install (on Solaris “ginstall”) if you want “make install”, “make bin”, “make sunpkg” to work
  8. openssl if you want to compile the TLS support
  9. libsctp if you want to compile the SCTP support
  10. libmysqlclient & libz (zlib) -libs and devel headers- if you want mysql DB support (the db_mysql module)
  11. libpq / postgresql -libs and devel headers- if you want postgres DB support (the db_postgres module)
  12. unixodbc -libs and devel headers- if you want unixodbc DB support (the db_unixodbc module)
  13. libexpat if you want the jabber gateway support (the jabber module) or the XMPP gateway support
  14. libxml2 if you want to use the cpl-c (Call Processing Language) or the presence modules (presence and pua*)
  15. libradius-ng -libs and devel headers- if you want to use functionalities with radius support – authentication, accounting, group support, etc
  16. unixodbc – libs and devel headers – if you want UNIXODBC support as DB underlayer
  17. libxmlrpc-c3 – libs and devel headers – if you want to have XML-RPC support for the Management interface (MI)
  18. libperl – libs and devel headers – if you want the PERL connector to support perl scripting from your config file (perl module)
  19. libsnmp9 – libs and devel headers – if you want SNMP client functionality (SNMP AgentX subagent) for opensips
  20. libldap libs and devel headers v2.1 or greater – if you want LDAP support
  21. libconfuse and devel headers – if you want to compile the carrierroute module

INSTALLATION

  1. cd /usr/src/
  2. Download opensips (Opensips 1.5 wget http://opensips.org/pub/opensips/1.5.0/src/opensips-1.5.0-tls_src.tar.gz)
  3. tar -xzf  opensips-1.5.0-tls_src.tar.gz
  4. make all
  5. make install
Categories: CentOS, Debian, Fedora, OpenSIPS Tags:

IPTables firewall in VoIP Server

September 25th, 2009 emran No comments

Put the following rules in your iptables script:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 3.16.1.93 --sport 53 -d 0/0 -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 7968 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 50000:59999 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 20000:20999 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 30000:30999 -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5061 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1720 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1719 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1718 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 5061 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 8000:20000 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 50000:59999 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 20000:20999 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 30000:30999 -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## ftp
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Categories: CentOS, Fedora, OpenSIPS Tags:

How to send a SIP traffic flood with sipsak?

September 25th, 2009 emran No comments

sipsak -F -vvv -u 500 -H 192.168.11.33 -l 5060 -s sip:192.168.11.52

Categories: Asterisk, FreeSWITCH, OpenSIPS, Yate Tags:

How to capture SIP packets with tcpdump?

September 25th, 2009 emran No comments

tcpdump -i eth0 -n -s0 -v udp port 5060

Categories: Asterisk, FreeSWITCH, OpenSIPS, Yate Tags:

Free SIP Out Bound Proxy Service

September 25th, 2009 emran No comments

Your free SIP Outbound Proxy Service, bypass local ISPs’ blocking, start using your broadband phone.

http://freesps.googlepages.com/

Categories: Asterisk, FreeSWITCH, OpenSIPS, Yate Tags: