rsp2k/caddy-sip-guardian
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10 Commits 1 Branch 0 Tags
Commit Graph

10 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ryan Malloy
f76946fc41 Add SIP topology hiding feature (B2BUA-lite) 
Implements RFC 3261 compliant topology hiding to protect internal
infrastructure from external attackers:

New files:
- sipmsg.go: SIP message parsing/serialization with full header support
- sipheaders.go: Via, Contact, From/To header parsing with compact forms
- dialog_state.go: Dialog and transaction state management for response correlation
- topology.go: TopologyHider handler for caddy-l4 integration
- topology_test.go: Comprehensive unit tests (26 new tests, 60 total)

Features:
- Via header insertion (proxy adds own Via, pops on response)
- Contact header rewriting (hide internal IPs behind proxy address)
- Sensitive header stripping (P-Asserted-Identity, Server, etc.)
- Call-ID anonymization (optional)
- Private IP masking in all headers
- Dialog state tracking for stateful response routing
- Transaction state for stateless operation

Caddyfile configuration:
  sip_topology_hider {
    proxy_host 203.0.113.1
    proxy_port 5060
    upstream udp/192.168.1.100:5060
    rewrite_via
    rewrite_contact
    strip_headers P-Preferred-Identity Server
  }
 2025-12-07 19:02:50 -07:00
Ryan Malloy
976fdf53a5 Add SIP message validation feature 
Implements RFC 3261 compliance checking and security validation:

- Three validation modes: permissive (default), strict, paranoid
- Critical checks: null bytes, binary injection (immediate ban)
- RFC compliance: required headers (Via, From, To, Call-ID, CSeq, Max-Forwards)
- Format validation: CSeq range, Content-Length, Via branch format
- Paranoid mode: SQL injection patterns, excessive headers, long values
- Compact header form support (v, f, t, i, l, etc.)

Caddyfile configuration:
  validation {
      enabled true
      mode permissive
      max_message_size 65535
      ban_on_null_bytes true
      ban_on_binary_injection true
      disabled_rules via_invalid_branch
  }

New Prometheus metrics:
- sip_guardian_validation_violations_total{rule}
- sip_guardian_validation_results_total{result}
- sip_guardian_message_size_bytes (histogram)

Includes comprehensive unit tests covering all validation scenarios.
 2025-12-07 15:57:26 -07:00
Ryan Malloy
95a794ba69 Fix enumeration config initialization and add test script 
- Fix SetEnumerationConfig to create detector if not exists
  Previously, the config would be silently discarded if called before
  the detector was lazily initialized by GetEnumerationDetector

- Add test_enumeration.py script for sandbox testing
  Includes fire-and-forget mode (--no-wait) for proper scanner simulation
 2025-12-07 15:39:30 -07:00
Ryan Malloy
c73fa9d3d1 Add extension enumeration detection and comprehensive SIP protection 
Major features:
- Extension enumeration detection with 3 detection algorithms:
  - Max unique extensions threshold (default: 20 in 5 min)
  - Sequential pattern detection (e.g., 100,101,102...)
  - Rapid-fire detection (many extensions in short window)
- Prometheus metrics for all SIP Guardian operations
- SQLite persistent storage for bans and attack history
- Webhook notifications for ban/unban/suspicious events
- GeoIP-based country blocking with continent shortcuts
- Per-method rate limiting with token bucket algorithm

Bug fixes:
- Fix whitelist count always reporting zero in stats
- Fix whitelisted connections metric never incrementing
- Fix Caddyfile config not being applied to shared guardian

New files:
- enumeration.go: Extension enumeration detector
- enumeration_test.go: 14 comprehensive unit tests
- metrics.go: Prometheus metrics handler
- storage.go: SQLite persistence layer
- webhooks.go: Webhook notification system
- geoip.go: MaxMind GeoIP integration
- ratelimit.go: Per-method rate limiting

Testing:
- sandbox/ contains complete Docker Compose test environment
- All 14 enumeration tests pass
 2025-12-07 15:22:28 -07:00
Ryan Malloy
0b0fb53c9c Add Caddyfile support for sip_guardian_admin HTTP handler 
Register handler directive with httpcaddyfile and implement
UnmarshalCaddyfile to enable Caddyfile configuration syntax.
 2025-12-07 10:37:16 -07:00
Ryan Malloy
b5fa007d6e Add Caddyfile unmarshaler support for SIPMatcher and SIPHandler 
The layer4 matchers and handlers must implement caddyfile.Unmarshaler
to be usable in Caddyfile syntax. This enables proper parsing of:
- @sip sip { methods ... } matchers
- sip_guardian { ... } handlers
 2025-12-07 10:23:38 -07:00
Ryan Malloy
2315989ca7 Fix module path to use git.supported.systems 2025-12-07 10:10:33 -07:00
Ryan Malloy
a62d1b4064 Fix Caddyfile layer4 network address syntax 
Update to use correct Caddy network address format:
- network/address instead of address/network
- udp/:5060 instead of :5060/udp
- Remove invalid tls subdirective from proxy handler
 2025-12-06 16:52:10 -07:00
Ryan Malloy
500185e692 Update module path to git.supported.systems 2025-12-06 16:39:18 -07:00
Ryan Malloy
1ba05e160c Initial commit: Caddy SIP Guardian module 
Layer 4 SIP protection with:
- SIP traffic matching (REGISTER, INVITE, etc.)
- Rate limiting and automatic IP banning
- Attack pattern detection (sipvicious, friendly-scanner)
- CIDR whitelisting
- Admin API for ban management
 2025-12-06 16:38:07 -07:00