Major features:
- Extension enumeration detection with 3 detection algorithms:
  - Max unique extensions threshold (default: 20 in 5 min)
  - Sequential pattern detection (e.g., 100,101,102...)
  - Rapid-fire detection (many extensions in short window)
- Prometheus metrics for all SIP Guardian operations
- SQLite persistent storage for bans and attack history
- Webhook notifications for ban/unban/suspicious events
- GeoIP-based country blocking with continent shortcuts
- Per-method rate limiting with token bucket algorithm

Bug fixes:
- Fix whitelist count always reporting zero in stats
- Fix whitelisted connections metric never incrementing
- Fix Caddyfile config not being applied to shared guardian

New files:
- enumeration.go: Extension enumeration detector
- enumeration_test.go: 14 comprehensive unit tests
- metrics.go: Prometheus metrics handler
- storage.go: SQLite persistence layer
- webhooks.go: Webhook notification system
- geoip.go: MaxMind GeoIP integration
- ratelimit.go: Per-method rate limiting

Testing:
- sandbox/ contains complete Docker Compose test environment
- All 14 enumeration tests pass
190 lines
6.0 KiB
Makefile
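# The targets below name actions, not files they produce. Each one is declared
# phony so that a file or directory of the same name in the working tree cannot
# make `make` consider the target up to date and silently skip its recipe.
.PHONY: build run stop logs test clean dev help \
	sandbox-up sandbox-down sandbox-clean sandbox-logs caddy-logs \
	sandbox-test-containers \
	test-bruteforce test-scanner test-valid test-whitelist test-sip-options \
	bans stats test-ban test-unban health \
	tcpdump caddy-shell freepbx-shell caddy-config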
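# ============================================
# Main Development Targets
# ============================================

# Build the custom Caddy image.
# --no-cache rebuilds every layer, so the image never reuses a stale cached
# layer from an earlier build.
build:
	docker compose build --no-cache

# Run the stack in the background.
run:
	docker compose up -d

# Stop the stack (volumes are kept; see `clean`).
stop:
	docker compose down

# Follow the stack's logs; runs until interrupted.
logs:
	docker compose logs -f

# Development mode - rebuild, start, then follow logs.
# The steps run as sequential sub-makes instead of prerequisites: prerequisites
# of a single target may be scheduled concurrently under `make -j`, which could
# start the stack before the rebuilt image exists.
dev:
	$(MAKE) build
	$(MAKE) run
	$(MAKE) logs

# Clean up: stop the stack and delete its volumes, then remove the built image.
# The image removal is best-effort (errors are discarded) so `clean` still
# succeeds when the image was never built.
# NOTE(review): the image name is hard-coded; presumably it is the name Compose
# derives from the project directory - confirm it still matches after a rename.
clean:
	docker compose down -v
	docker rmi caddy-sip-guardian-caddy 2>/dev/null || true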
# ============================================
# Sandbox Testing Environment
# ============================================

# Every sandbox command runs Compose from inside the sandbox/ directory.
SANDBOX_COMPOSE = cd sandbox && docker compose

# Bring up the full testing sandbox (FreePBX + Caddy + test tools) and print
# where each service is published.
# NOTE(review): the admin API and FreePBX web UI are advertised below as plain
# HTTP on localhost - confirm the sandbox compose file publishes these ports on
# loopback only, since the sandbox also hosts the attack-simulation containers.
sandbox-up:
	@echo "Starting SIP Guardian testing sandbox..."
	$(SANDBOX_COMPOSE) up -d
	@printf '%s\n' \
		"" \
		"Sandbox is starting. FreePBX takes a few minutes to initialize." \
		"Services:" \
		" - Caddy (SIP Guardian): localhost:5060 (UDP/TCP), localhost:5061 (TLS)" \
		" - Admin API: http://localhost:2020/api/sip-guardian/" \
		" - FreePBX Web: http://localhost:80 (once ready)" \
		"" \
		"Run 'make sandbox-logs' to monitor startup"

# Stop the sandbox, keeping its volumes.
sandbox-down:
	$(SANDBOX_COMPOSE) down

# Stop the sandbox and delete its volumes.
sandbox-clean:
	$(SANDBOX_COMPOSE) down -v

# Follow the logs of every sandbox service.
sandbox-logs:
	$(SANDBOX_COMPOSE) logs -f

# Follow the logs of the caddy service only.
caddy-logs:
	$(SANDBOX_COMPOSE) logs -f caddy

# Start the containers that belong to the "testing" Compose profile.
sandbox-test-containers:
	$(SANDBOX_COMPOSE) --profile testing up -d
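# ============================================
# Attack Simulation Tests
# ============================================
# These targets drive traffic at the sandbox's own caddy service to check that
# the guardian's detections fire. Each one ends by querying the admin API so
# the result can be read directly; curl uses -sS so that an unreachable API is
# reported as an error instead of looking like an empty result.

# Test brute force attack (should trigger ban).
# The arguments after the script name are passed through to bruteforce.py
# unchanged; their meaning is defined by that script.
test-bruteforce:
	@echo "Starting brute force simulation..."
	cd sandbox && docker compose --profile testing up -d bruteforcer
	cd sandbox && docker compose exec bruteforcer python /scripts/bruteforce.py caddy -e 100-105 -c 5 -d 0.2
	@echo ""
	@echo "Check ban list:"
	@curl -sS http://localhost:2020/api/sip-guardian/bans | jq .

# Test scanner detection (sipvicious patterns).
# NOTE(review): sipvicious is installed unpinned from the package index on
# every run, so the test needs network access and executes whatever release is
# current at that moment. Pinning a reviewed version, or baking the tool into
# the attacker image, would make the run reproducible and remove the
# install-time supply-chain exposure.
test-scanner:
	@echo "Starting scanner simulation..."
	cd sandbox && docker compose --profile testing up -d attacker
	cd sandbox && docker compose exec attacker bash -c "pip install -q sipvicious && sipvicious_svwar -e100-110 caddy"
	@echo ""
	@echo "Check ban list:"
	@curl -sS http://localhost:2020/api/sip-guardian/bans | jq .

# Test valid registration (should NOT be blocked).
# NOTE(review): the value given to -s looks like the extension's secret; it is
# a sandbox-only credential and should never be reused for a real PBX account.
test-valid:
	@echo "Testing valid registration..."
	cd sandbox && docker compose --profile testing up -d client
	cd sandbox && docker compose exec client python3 /scripts/valid_register.py caddy -e 100 -s password123 -r 3
	@echo ""
	@echo "Stats (should show no bans for legitimate client):"
	@curl -sS http://localhost:2020/api/sip-guardian/stats | jq .

# Test whitelist functionality: the client container sends 20 bare REGISTER
# requests over UDP and must not appear in the ban list afterwards.
# printf replaces `echo -e`, whose handling of -e and of backslash escapes
# depends on which shell provides `sh` in the container; the trailing \n keeps
# the bytes identical to what `echo -e` emits under bash.
test-whitelist:
	@echo "Testing whitelist bypass..."
	@echo "Whitelisted client (172.28.0.50) sending many requests:"
	cd sandbox && docker compose --profile testing up -d client
	cd sandbox && docker compose exec client sh -c 'for i in $$(seq 1 20); do printf "REGISTER sip:caddy SIP/2.0\r\n\r\n\n" | nc -u -w1 caddy 5060; done'
	@echo ""
	@echo "Ban list (should NOT contain 172.28.0.50):"
	@curl -sS http://localhost:2020/api/sip-guardian/bans | jq .

# Send raw SIP OPTIONS (quick test).
# Recipes run under /bin/sh; where that shell's echo does not accept -e (dash,
# for example) the literal "-e " would become the first bytes of the datagram
# and the request would no longer parse as SIP. printf interprets the escapes
# the same way in every POSIX shell.
test-sip-options:
	@echo "Sending SIP OPTIONS request..."
	@printf 'OPTIONS sip:test@localhost SIP/2.0\r\nVia: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK-test\r\nFrom: <sip:test@localhost>;tag=123\r\nTo: <sip:test@localhost>\r\nCall-ID: test-call@localhost\r\nCSeq: 1 OPTIONS\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n\r\n\n' | nc -u -w2 localhost 5060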
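# ============================================
# Admin API Operations
# ============================================
# NOTE(review): none of these requests carries credentials, and test-ban /
# test-unban change ban state - confirm the admin listener on port 2020 is
# reachable from loopback only and is never published on a routable interface.
#
# curl runs with -sS throughout: -s keeps the progress meter out of the output
# piped to jq, -S still prints an error when the API cannot be reached, so a
# stopped stack is not mistaken for an empty response.

# Check ban list via admin API
bans:
	@curl -sS http://localhost:2020/api/sip-guardian/bans | jq .

# View stats
stats:
	@curl -sS http://localhost:2020/api/sip-guardian/stats | jq .

# Add test ban for 192.168.1.100 with reason "test_ban"
test-ban:
	@curl -sS -X POST http://localhost:2020/api/sip-guardian/ban/192.168.1.100 \
		-H "Content-Type: application/json" \
		-d '{"reason": "test_ban"}' | jq .

# Remove the test ban added by `test-ban`
test-unban:
	@curl -sS -X POST http://localhost:2020/api/sip-guardian/unban/192.168.1.100 | jq .

# Health check
health:
	@curl -sS http://localhost:2020/health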
# ============================================
# Debugging
# ============================================

# Start tcpdump container to capture SIP traffic, then follow its output.
# The container belongs to the "debug" Compose profile, so it only exists
# after this target has started it.
# NOTE(review): captured SIP signalling can contain authentication material
# from the test registrations - treat saved captures as sensitive.
tcpdump:
	cd sandbox && docker compose --profile debug up -d tcpdump
	cd sandbox && docker compose logs -f tcpdump

# Shell into Caddy container (interactive; uses sh)
caddy-shell:
	cd sandbox && docker compose exec caddy sh

# Shell into FreePBX container (interactive; uses bash)
freepbx-shell:
	cd sandbox && docker compose exec freepbx bash

# View Caddy config as pretty-printed JSON
# NOTE(review): port 2019 is Caddy's admin endpoint, which accepts
# configuration changes as well as reads - confirm it is bound to loopback
# only in the sandbox.
caddy-config:
	@curl -s http://localhost:2019/config/ | jq .
# ============================================
|
|
# Help
|
|
# ============================================
|
|
|
|
help:
|
|
@echo "Caddy SIP Guardian - Development Makefile"
|
|
@echo ""
|
|
@echo "Main targets:"
|
|
@echo " build - Build Docker image"
|
|
@echo " dev - Build, run, and tail logs"
|
|
@echo " clean - Stop and remove volumes"
|
|
@echo ""
|
|
@echo "Sandbox targets:"
|
|
@echo " sandbox-up - Start full testing sandbox (FreePBX + Caddy)"
|
|
@echo " sandbox-down - Stop sandbox"
|
|
@echo " sandbox-logs - View sandbox logs"
|
|
@echo ""
|
|
@echo "Test targets:"
|
|
@echo " test-bruteforce - Simulate brute force attack (should ban)"
|
|
@echo " test-scanner - Simulate sipvicious scanner (should ban)"
|
|
@echo " test-valid - Test legitimate registration (should pass)"
|
|
@echo " test-whitelist - Test whitelist bypass"
|
|
@echo ""
|
|
@echo "Admin targets:"
|
|
@echo " bans - List banned IPs"
|
|
@echo " stats - View statistics"
|
|
@echo " test-ban - Add test ban"
|
|
@echo " test-unban - Remove test ban"
|