Major features: - Extension enumeration detection with 3 detection algorithms: - Max unique extensions threshold (default: 20 in 5 min) - Sequential pattern detection (e.g., 100,101,102...) - Rapid-fire detection (many extensions in short window) - Prometheus metrics for all SIP Guardian operations - SQLite persistent storage for bans and attack history - Webhook notifications for ban/unban/suspicious events - GeoIP-based country blocking with continent shortcuts - Per-method rate limiting with token bucket algorithm Bug fixes: - Fix whitelist count always reporting zero in stats - Fix whitelisted connections metric never incrementing - Fix Caddyfile config not being applied to shared guardian New files: - enumeration.go: Extension enumeration detector - enumeration_test.go: 14 comprehensive unit tests - metrics.go: Prometheus metrics handler - storage.go: SQLite persistence layer - webhooks.go: Webhook notification system - geoip.go: MaxMind GeoIP integration - ratelimit.go: Per-method rate limiting Testing: - sandbox/ contains complete Docker Compose test environment - All 14 enumeration tests pass
Caddyfile
# Sandbox Caddyfile for SIP Guardian Testing
|
|
#
|
|
# This configuration showcases all the new features:
|
|
# - Prometheus metrics endpoint
|
|
# - Rate limiting per method (built-in defaults)
|
|
# - Suspicious pattern detection
|
|
#
|
|
# Note: Storage and webhooks are configured in JSON config mode,
|
|
# as the L4 handler uses the shared global guardian instance
|
|
{
|
|
debug
|
|
|
|
admin 0.0.0.0:2019
|
|
|
|
layer4 {
|
|
# SIP over UDP
|
|
udp/:5060 {
|
|
@sip sip {
|
|
methods REGISTER INVITE OPTIONS ACK BYE CANCEL INFO NOTIFY SUBSCRIBE MESSAGE
|
|
}
|
|
|
|
route @sip {
|
|
sip_guardian {
|
|
max_failures 3 # Lower for faster testing
|
|
find_time 2m # Shorter window
|
|
ban_time 5m # Short bans for testing
|
|
|
|
# Whitelist legitimate test clients
|
|
whitelist 10.55.0.50/32 # client container
|
|
whitelist 10.55.0.51/32 # linphone container
|
|
|
|
# Enumeration detection (low thresholds for testing)
|
|
enumeration {
|
|
max_extensions 10
|
|
extension_window 2m
|
|
sequential_threshold 5
|
|
rapid_fire_count 8
|
|
rapid_fire_window 10s
|
|
ban_time 10m
|
|
exempt_extensions 100 200
|
|
}
|
|
}
|
|
proxy udp/{$SIP_UPSTREAM_HOST}:{$SIP_UPSTREAM_PORT}
|
|
}
|
|
|
|
# Unmatched traffic - drop silently
|
|
route {
|
|
}
|
|
}
|
|
|
|
# SIP over TCP
|
|
tcp/:5060 {
|
|
@sip sip
|
|
|
|
route @sip {
|
|
sip_guardian {
|
|
max_failures 3
|
|
find_time 2m
|
|
ban_time 5m
|
|
whitelist 10.55.0.50/32
|
|
whitelist 10.55.0.51/32
|
|
}
|
|
proxy tcp/{$SIP_UPSTREAM_HOST}:{$SIP_UPSTREAM_PORT}
|
|
}
|
|
}
|
|
|
|
# SIP over TLS
|
|
tcp/:5061 {
|
|
@sip sip
|
|
|
|
route @sip {
|
|
sip_guardian {
|
|
max_failures 3
|
|
find_time 2m
|
|
ban_time 5m
|
|
whitelist 10.55.0.50/32
|
|
whitelist 10.55.0.51/32
|
|
}
|
|
proxy tcp/{$SIP_UPSTREAM_HOST}:{$SIP_UPSTREAM_TLS_PORT}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
# Admin API and Metrics
|
|
:2020 {
|
|
# SIP Guardian admin endpoints
|
|
handle /api/sip-guardian/* {
|
|
sip_guardian_admin
|
|
}
|
|
|
|
# Prometheus metrics endpoint
|
|
handle /metrics {
|
|
sip_guardian_metrics
|
|
}
|
|
|
|
# Health check
|
|
handle /health {
|
|
respond "OK" 200
|
|
}
|
|
|
|
# Stats (alias for backwards compatibility)
|
|
handle /stats {
|
|
sip_guardian_admin
|
|
}
|
|
}
|
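Review bot: The admin surface in this file is exposed without any authentication: `admin 0.0.0.0:2019` binds Caddy's admin API on every interface, and the `:2020` site hands `/api/sip-guardian/*` and `/stats` to `sip_guardian_admin` with no `basicauth` or client restriction in front of it, so anything reachable on the compose network can presumably read or alter ban state. Since this is explicitly a sandbox, the intent is probably fine, but the file should say so and bound the blast radius, e.g. above the `:2020` block add `# NOTE: admin API (2019) and these endpoints are unauthenticated; sandbox use only, never publish beyond the compose network` and consider binding the admin listener to `localhost:2019` or putting a `basicauth` directive in the `/api/sip-guardian/*` and `/stats` handlers. Separately, the three `sip_guardian` blocks (UDP, TCP, TLS) carry different settings — only the UDP block has the `enumeration` section — while the header comment says the L4 handler uses one shared global guardian, so it is unclear from this file which block's values the shared instance ends up with; either make the blocks identical or add a comment stating the precedence. Finally, the `tcp/:5061` listener is labelled "SIP over TLS" but has no TLS termination in the layer4 config, so the `@sip sip` matcher is presumably inspecting ciphertext and would not match; if that is intended as a pass-through, the comment should say so.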