Monday, August 12, 2019

Howto block H.323 spam calls with fail2ban

When you run the GNU Gatekeeper, you can block spam calls from the well known bots ("MERA RU", "SimpleOPAL" etc.) eg. using a small LUA script in your config.

But that alone doesn't stop the load on the server, because often these bots keep on making calls.

Fail2ban to the rescue!

With this filter definition in /etc/fail2ban/filter.d/gnugk.conf you can check fro rejected calls:

[Definition]
failregex = Dropping call CRV=[0-9]+ from <HOST>:[0-9]+ due to Setup authentication failure
ignoreregex =



And then you can add this jail definition to /etc/fail2ban/jail.local to block the IP:

[gnugk]
enabled  = true
logpath  = /var/log/gnugk.log
filter   = gnugk
bantime  = 6000
maxretry = 2
action   = iptables[name=GnuGk, port=1720, protocol=tcp]



Voila!

Friday, July 26, 2019

GNU Gatekeeper 5.3 released

I have just released GNU Gatekeeper version 5.3.

You can download it from https://www.gnugk.org/h323download.html

This release has a number of new features as well as some important bug
fixes.

Whats new ?

  • LRQ loop detection to optimize calls flows between multiple neighbor gatekeepers This new feature has the potential to significantly reduce the load on all gatekeepers and prevent "LRQ storms".
  • new routing policy to set call destinations by querying HTTP or REST servers, see [Routing::Http]
  • much improved support for SNMP
  • important bug fix for TLS encryption of signaling channels
  • important bug fixes for H.460.18 NAT traversal (for H.245 tunneling and for multi-homed servers)
  • performance optimization: this version can handle 5-10% more proxied  calls on the same hardware
  • performance optimization: re-authenticate lightweight, additive registrations only when new aliases differ. This significantly reduces the load on password databases.

Enjoy!


Full change log:

- BUGFIX(ProxyChannel.cxx) don't send H.245 address to tunneling
  H.460.18 endpoint, breaks call when H.245 multiplexing
- performance optimization: 5% faster UDP handling
- changed default: [SNMP] Implementation=PTlib
- remove unfinished Windows-SNMP implementation, use PTLib-SNMP on Windows
- support SET and GET-NEXT in PTLib-SNMP
- support SNMP sysUpTime when running as standalone agent
- BUGFIX(configure.in) LARGE_FDSET defaults to off
- new SNMP OID 1.3.6.1.4.1.27938.11.1.9 to query total bandwidth allocated to ongoing calls
- BUGFIX(ProxyChannel.cxx) fix hangup when making many TLS calls quickly one after another
- BUGFIX(RasSrv.cxx) don't require H.460.22 parameters in ARQs
- BUGFIX(ProxyChannel.cxx) fix TLS without LARGE_FDSET
- BUGFIX(ProxyChannel.cxx) don't send H.460.22 priority field in SCI
- BUGFIX(gkauth.cxx) free memory from cached and expired passwords
- re-authenticate lightweight, additive registrations only when new aliases differ
- remove switch [Proxy]DisableRTPQueueing, always disabled now
- new routing policy: http with config section [Routing::Http]
- BUGFIX(ProxyChannel.cxx) fix H.460.18 on multi-homed servers (SCI comes from the correct IP now)
- new switch to disable SNMP traps [SNMP] EnableTraps=0
- BUGFIX(ProxyChannel.cxx) don't throw SNMP trap on H.245 connection errors
  (causes crash under load with Net-SNMP)
- BUGFIX(snmp.cxx) shutdown GnuGk when SNMP agent can't be started
- BUGFIX(snmp.cxx) protect NetSNMP library calls with mutex
- changed default: ForwardResponse now defaults to 1 in [RasSrv::LRQFeatures] and [Neighbor::...]
- new feature: loop detection for LRQs [RasSrv::LRQFeatures] LoopDetection=1
- BUGFIX(Neighbor.cxx) some settings in [RasSrv::LRQFeatures] were ignored if not set in [Neighbor::...]

Wednesday, June 5, 2019

Celebrating 20 Years of GnuGk

20 years

20 years ago, in June 1999, I released the first version of the GNU Gatekeeper. Back then we still called it "OpenH323 Gatekeeper".

The first version was very simple and only supported RAS and what we call 'direct mode' today, but it still seems useful to people and within a year it grew into a tool that people used in production.

I quit my day job in 2003 to work full time on GnuGk and it has feed the family ever since. I am still amazed how well it works to give software away for free. How many people and companies contribute and give feedback and how many are willing to pay for support or new
features.

I want to thank everybody who used it, provided feedback, bug fixes and ideas to make it into the great software that it is today!

We are not stopping here, the next release is already underway with many improvements and new features. Watch for it!

Happy Birthday GnuGk!

Monday, March 18, 2019

GNU Gatekeeper 5.2 released

This release that has a rewritten networking implementation (aka
"large-fdset") that allows GnuGk to scale to higher numbers of calls
per server than previous versions.

This new implementation replaces the old hack to extend the select()
system call by using poll() which enables GnuGk to handle huge numbers
of sockets at the same time. The new implementation also works on
Windows, but has been tested mostly on the different Unix versions we
support.

Please note that the relevant configure option when comping GnuGk
source code has changed to --enable-large-fdset. There is no need to
specify a maximum number of sockets any more.

This release also has a few bug fixes, eg. for using LUA scripts with
shared libraries and for memory leaks in the error handling of H.235
password authentication.


Whats new ?
  • re-implement LARGE_FDSET using poll(), enable with configure option --enable-large-fdset
  • ExternalIP is automatically added to the default domains
  • support running LUA scripts that require dynamic libraries
  • change default for [TLS] CipherList= to allow elliptical curve ciphers
  • BUGFIX(gkauth.h) fix memory leak in H.235 password auth
  • BUGFIX(gkacct.cxx) set known, but unavailable accounting parameters to empty string
  • BUGFIX(ProxyChannel.cxx) fix setting UDP source IP on Windows when compiled for Vista or higher

You can download it from https://www.gnugk.org/h323download.html

Friday, January 4, 2019

GNU Gatekeeper 5.1 is out

The main new feature in this release is H.245 multiplexing.
Together with the long supported RTP multiplexing it allows GnuGk to handle a large amount of concurrent calls from H.460 endpoints using just 5 ports total.

Whats new ?
  • support for H.245 multiplexing with H.460.18: [RoutedMode] EnableH245Multiplexing=1, H245MultiplexPort=1722
  • improved interop with Lifesize Icon (H.235), Scopia VC240 (H.460.18) and Yealink Mobile (H.239 and H.460.19)
  • improved detection of neighbor gatekeeper availability
  • public IP detection for Google Cloud
  • new feature to let GnuGk send an event if port detection fails

Bug fixes:

  • allow ommitting Host= switch in Neighbor section for H.460.18 clients
  • fix sending of queued H.245 messages
  • update RAS port when NAT mapping for H.460.18 endpoint changes
  • fix H.245 tunneling translation with H.460.18 endpoints
  • always send genericIndication to traversal server gatekeeper
  • don't include 'bearer service changed' in keep-alive Notify
  • fix building Status and StatusInquiry keep-alives
  • fix check for librabbitmq
  • Solaris 11 compile fix
  • better OLC sessionType matching (fix for Yealink H.239)
  • fix handling aliases of type email_ID
You can download it from https://www.gnugk.org/h323download.html

Enjoy!

Friday, August 17, 2018

GNU Gatekeeper 5.0 released

I'm happy to announce the release of GNU Gatekeeper version 5.0.

This version has new features and a few bug fixes. You can download it from https://www.gnugk.org/h323download.html

Whats new ?

  • support for Azure and Alibaba Cloud in addition to AWS
  • performance optimizations, especially for multiplexed RTP and LUA
  • compatible with OpenSSL 1.1.x
  • switch to translate Facility transfers into gatekeeper TCS0 reroutes

There were also a number of bug fixes, please see changes.txt for
details.

Enjoy!

Thursday, April 5, 2018

GNU Gatekeeper 4.9 released

This version has new features and a few bug fixes. You can  download it from
https://www.gnugk.org/h323download.html

Whats new ?

We have 2 new accounting modules: HtttpAcct and AMQPAcct that allow
you to send accounting events via HTTP GET or POST to a web service
or push them into a RabbitMQ queue.

There are also many new accounting placeholders that you can use with
any of the accounting modules and there is a new accounting event
'reject' to track calls rejected with ARJ that went unnoticed before.

The new RTP inactivity checking allows you to drop calls if there
wasn't any RTP activity for a defined amount of time.

GeoIP authentication has been significantly updated to support all
RAS and all Q.931 messages and to support the new Maxmind database
format (GeoIP2).

There were also a few bug fixes:
  • fix crash while handling RTP packets
  • fix disconnecting unregistered endpoints
  • fix crash in some Avaya endpoints when receiving GCF with a gatekeeperIdentifier
  • fix crash when using IPv6
  • fix handling of CloseLogicalChannel