
SIP related functionality in VyOS
Closed, ResolvedPublic

Asked by syncer on Mar 26 2016, 12:23 PM.

Details

We are looking to add some SIP-related functionality to VyOS.
It will not be a full-featured SoftSwitch; rather, it will be some basic useful functionality:

  • SIP bot brute-force protection for PBX/SoftSwitch
  • NAT helper
  • etc.

It would be great to hear some feedback from the community; not all of us use VoIP, but most probably many of us do.

Thanks!

Answers

mickvav
Updated 1,268 Days Ago

Well, I'm interested; I can share some firewall-related code and will test this functionality when ready.

I have (almost) the following code in my self-made iptables script:

# assumed: the script sets these to the tool paths it uses
ipset=${ipset:-/sbin/ipset}
iptables=${iptables:-/sbin/iptables}

# sets: permanently banned sources, protected servers, trusted sources
$ipset create siphackers hash:net
$ipset create oursipservers hash:ip
$ipset create sipwhitelist hash:ip
$iptables -N FWKillSipHackers
$iptables -F FWKillSipHackers
# trusted sources skip all checks; already banned sources are dropped
$iptables -A FWKillSipHackers -m set --match-set sipwhitelist src -j ACCEPT
$iptables -A FWKillSipHackers -m set --match-set siphackers src -j DROP
# a REGISTER to 5060 records a hit for the source in the 'recent' list SIP
$iptables -A FWKillSipHackers -p udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -m recent --set --name SIP --rsource
# two or more hits inside 10 seconds add the source to siphackers (no timeout)
$iptables -A FWKillSipHackers -p udp --dport 5060 -m recent --update --seconds 10 --hitcount 2 --name SIP -j SET --add-set siphackers src
$iptables -A FWKillSipHackers -m state --state ESTABLISHED,RELATED -j ACCEPT
# any other new SIP packet also counts as a hit
$iptables -A FWKillSipHackers -p udp --dport 5060 -m recent --set --name SIP
$iptables -A FWKillSipHackers -j RETURN
# only traffic towards our own SIP servers enters the chain
$iptables -I FORWARD -m set --match-set oursipservers dst -j FWKillSipHackers

It bans forever everybody who is not listed in the whitelist AND sends more than 2 registration attempts in 10 seconds.
NB: it requires the iptables module recent, so iptables extensions should be available.
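To make the rule order concrete, here is an added Python model of that chain (not mickvav's code and not anything shipped with VyOS): it walks constructed packets through the whitelist, the permanent siphackers set and the 10-second/2-hit recent window. It assumes xt_recent semantics in which --set always records a timestamp while --update records one only when it matches, and it ignores the per-entry stamp cap and entry expiry.

```python
from dataclasses import dataclass, field

SIP_PORT = 5060
WINDOW_SECONDS = 10   # -m recent --seconds 10
HITCOUNT = 2          # -m recent --hitcount 2


@dataclass
class SipBanChain:
    """Pure-Python model of the FWKillSipHackers chain (constructed example)."""
    whitelist: set                                  # ipset 'sipwhitelist'
    banned: set = field(default_factory=set)        # ipset 'siphackers', no timeout
    stamps: dict = field(default_factory=dict)      # recent list 'SIP': src -> [times]

    def _hits_in_window(self, src, now):
        return sum(1 for t in self.stamps.get(src, ()) if now - t <= WINDOW_SECONDS)

    def handle(self, now, src, dport, payload=b"", established=False):
        """Walk the chain for one packet addressed to a server in 'oursipservers'
        and return the terminating verdict: ACCEPT, DROP or RETURN."""
        if src in self.whitelist:                    # rule 1: trusted sources
            return "ACCEPT"
        if src in self.banned:                       # rule 2: already banned
            return "DROP"
        is_sip = dport == SIP_PORT
        if is_sip and payload.startswith(b"REGISTER sip:"):   # rule 3: --set
            self.stamps.setdefault(src, []).append(now)
        # rule 4: --update matches only an existing entry with >= HITCOUNT stamps
        # inside the window; on match it adds a stamp and SET adds the source to
        # 'siphackers'. SET is non-terminating, so the walk continues.
        if is_sip and src in self.stamps and self._hits_in_window(src, now) >= HITCOUNT:
            self.stamps[src].append(now)
            self.banned.add(src)
        if established:                              # rule 5: conntrack state
            return "ACCEPT"
        if is_sip:                                   # rule 6: --set for any new SIP packet
            self.stamps.setdefault(src, []).append(now)
        return "RETURN"                              # rule 7: back to FORWARD


def replay(chain, packets):
    """Feed constructed (time, src, dport, payload) tuples and collect verdicts."""
    return [chain.handle(*p) for p in packets]


# Constructed traffic: a scanner retrying REGISTER, and a whitelisted phone doing the same.
SCANNER, PHONE = "203.0.113.7", "192.0.2.10"
REG = b"REGISTER sip:pbx.example.net SIP/2.0\r\n"
SAMPLE = [(0.0, SCANNER, 5060, REG), (3.0, SCANNER, 5060, REG), (4.0, SCANNER, 5060, REG),
          (0.0, PHONE, 5060, REG), (3.0, PHONE, 5060, REG)]

if __name__ == "__main__":
    chain = SipBanChain(whitelist={PHONE})
    print(replay(chain, SAMPLE), sorted(chain.banned))
```

The scanner's third packet is dropped because its second REGISTER fell inside the window, while the whitelisted phone is never counted; a source that retries only every 15 seconds stays out of the ban set.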

Boltsie
Updated 1,268 Days Ago

I think having the basics for an initial release to have users familiarized would be a good addition :)

Itty
Updated 1,262 Days Ago

In SIP terms I don't know if that is really needed. Typically, when most people purchase a SIP trunk for any business, they should really place an SBC inside the network to receive the SIP trunk, terminate it then and there, and resend it internally. By using SSL certs in the device/VM, this works the same as a reverse proxy for SIP and allows for the most secure SIP scenarios I've seen yet, and they don't need any firewall or NAT configuration (usually).

An example of a good but free one to test with is EasySBC. They offer ESXi OVF deployment as well, which helps for testing.

syncer
Updated 1,175 Days Ago

This will be considered as a new feature in 1.2.x.
