Ok, so maybe you want to limit the types of devices that connect.
This isn't perfect: it only works for chan_sip on Asterisk (not PJSIP yet), and it keys off the User-Agent string the phone reports, which is whatever the client chooses to send.
It's not so much the program that I'm posting here as the bash script code that I wanted to remind myself how to do.
Basically, if you kick this bash script off it will scan the SIP extensions in Asterisk, pull out their device types and then ban the IP of any that aren't valid based on your criteria.
So the script kicks off, removes any IPs it previously blocked,
waits a few minutes based on your script input, then runs the device check again. The pause gives users who might have been banned a chance to reconnect with approved devices.
#!/bin/bash
# Temp file where the script records one "extension IP Useragent ..." line per peer it bans.
TempFileNameAndPath="/etc/asterisk/disallowedextensions.txt"
# These are the ALLOWED devices in your system (matched against the peer's Useragent line).
# If you have just one, use 'DeviceName'.
# If you have several, use 'Device1Name\|Device2Name' with \| as the separator.
alloweddevices='Bria'
# Number of minutes to pause after previous firewall bans are removed, to allow extensions to try and reconnect.
pauseminute=0
# This lets you set an extension range that will be affected.
# For testing, set both values to match your test extension.
lowestextension=3151
highestextension=3151

# This removes any previous blocks the script put in (the temp file will not exist on the first run).
if [ -f "$TempFileNameAndPath" ]
then
  while IFS= read -r line
  do
    extensionIP="$(cut -d' ' -f2 <<<"$line")"
    fwconsole firewall del blacklist "$extensionIP"
  done < "$TempFileNameAndPath"
  # Delete the temp file, as we've cleared all users from the firewall.
  rm -f "$TempFileNameAndPath"
fi
# Pause the script for X minutes. This gives anyone blocked by the previous run time to reconnect.
sleep "${pauseminute}m"
# This pulls all peers from asterisk. The final output is one "extension IP" pair per line:
# the Name/username column is split on "/" and the username half is kept, along with the Host column.
sipphonesANDip="$(asterisk -rx 'sip show peers' | grep / | awk '{print $1,$2}' | awk 'BEGIN { FS = "/" } ; {print $2}')"
# Now we parse the list of extensions and IPs to make sure they are valid. This sorts out SIP trunks too.
while read -r peerline
do
  # Make sure the extension is numeric (trunks usually have names, so this sifts those out).
  extensionnumber=$(echo "$peerline" | awk '{print $1}')
  # Checking to see if the extension is an INTEGER.
  if expr "$extensionnumber" : '-\?[0-9]\+$' >/dev/null
  then
    echo "$extensionnumber valid extension value"
  else
    echo "$extensionnumber invalid extension. Skipping."
    continue
  fi
  # Check that the number is within the range set in the variables at the top.
  if [ "$extensionnumber" -le "$highestextension" ] && [ "$extensionnumber" -ge "$lowestextension" ]
  then
    echo "$extensionnumber IN RANGE"
  else
    echo "$extensionnumber OUT OF RANGE"
    continue
  fi
  # Skip extensions that have no IP assigned (not currently registered).
  extensionIP=$(echo "$peerline" | awk '{print $2}')
  if [ "$extensionIP" = "(Unspecified)" ]
  then
    echo "$extensionnumber has no IP (Unspecified). Skipping."
    continue
  fi
  # Query each registered extension in asterisk for its USERAGENT value. Any peer whose Useragent
  # does not match an allowed device is appended to the temp file, prefixed with "extension IP", e.g.:
  #3151 10.1.210.33 Useragent : MicroSIP/3.19.28
  asterisk -rx "sip show peer $extensionnumber" | grep Useragent | grep -v "$alloweddevices" \
    | sed "s/^/$peerline /" >> "$TempFileNameAndPath"
done <<<"$sipphonesANDip"
# Now we take the temp file generated above, parse out the IP address and block it in the firewall.
if [ -f "$TempFileNameAndPath" ]
then
  while IFS= read -r line
  do
    extensionIP="$(cut -d' ' -f2 <<<"$line")"
    echo "$extensionIP"
    # Comment out this next line if you want to test without applying any rules to the firewall.
    fwconsole firewall add blacklist "$extensionIP"
  done < "$TempFileNameAndPath"
fi
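The decision logic of the script above (numeric extension, in range, registered, approved User-Agent), pulled into functions and fed constructed Asterisk output so it can be dry-run on a machine without a PBX. This is an added example, not code from the original post; the `sip show peers` lines and the per-peer `Useragent` lines are constructed to match the format the script expects, the function names (`peer_pairs`, `classify`, `ips_to_ban`, `useragent_for`) are mine, and the range 3100-3199 and the `Bria\|Zoiper` allow-list are assumed values.

```shell
#!/bin/bash
# Added example, not part of the original post: dry-run of the ban decision with
# constructed input, so the filtering can be checked before touching fwconsole.

ALLOWED_DEVICES='Bria\|Zoiper'   # assumed allow-list, \|-separated like the original
LOWEST_EXT=3100                  # assumed extension range
HIGHEST_EXT=3199

# Constructed "sip show peers" output (not captured from a real system).
SAMPLE_PEERS='Name/username             Host                                    Dyn Forcerport Comedia    ACL Port     Status      Description
3151/3151                 10.1.210.33                              D  Auto (No)  No             5060     OK (12 ms)
3152/3152                 (Unspecified)                            D  Auto (No)  No             0        Unmonitored
3153/3153                 10.1.210.40                              D  Auto (No)  No             5060     OK (8 ms)
9999/9999                 10.1.210.99                              D  Auto (No)  No             5060     OK (3 ms)
mytrunk/trunkuser         203.0.113.10                                Auto (No)  No             5060     OK (20 ms)
5 sip peers [Monitored: 4 online, 0 offline Unmonitored: 1 online, 0 offline]'

# Constructed stand-in for: asterisk -rx "sip show peer <ext>" | grep Useragent
useragent_for() {
  case "$1" in
    3151) echo '  Useragent    : Bria 5.8' ;;
    3153) echo '  Useragent    : MicroSIP/3.19.28' ;;
    9999) echo '  Useragent    : Zoiper 5' ;;
    *)    echo '' ;;
  esac
}

# Reduce "sip show peers" output to "extension ip" pairs, exactly as the original pipeline does.
# Note the header line also contains a "/" and survives as "username Host"; the numeric check drops it.
peer_pairs() {
  grep / | awk '{print $1,$2}' | awk 'BEGIN { FS = "/" } ; {print $2}'
}

# Decide for one "extension ip" pair: prints the IP to ban, or nothing. Always returns 0.
classify() {
  local ext="$1" ip="$2" ua
  # Not numeric: a trunk or other named peer, leave it alone.
  expr "$ext" : '-\?[0-9]\+$' >/dev/null || return 0
  # Outside the configured extension range.
  if [ "$ext" -lt "$LOWEST_EXT" ] || [ "$ext" -gt "$HIGHEST_EXT" ]; then return 0; fi
  # Not currently registered, so there is no address to block.
  [ "$ip" = "(Unspecified)" ] && return 0
  ua="$(useragent_for "$ext")"
  # No Useragent line known for this peer: nothing to judge.
  [ -n "$ua" ] || return 0
  # Approved device: skip.
  echo "$ua" | grep -q "$ALLOWED_DEVICES" && return 0
  echo "$ip"
}

# Run the whole dry run over the sample and list the IPs that would be blacklisted.
ips_to_ban() {
  echo "$SAMPLE_PEERS" | peer_pairs | while read -r ext ip
  do
    classify "$ext" "$ip"
  done
}

ips_to_ban
```

Running it prints only `10.1.210.40` (extension 3153, MicroSIP): 3151 is an approved Bria, 3152 has no address, 9999 is outside the range even though it reports Zoiper, and the trunk and header rows are dropped by the numeric check. Replace `useragent_for` with the real `asterisk -rx` call and `echo "$SAMPLE_PEERS"` with `asterisk -rx 'sip show peers'` to turn this into a dry-run of the live system.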