FOOD FOR THOUGHT Best defense against SIP hackers

Hometech

Member
Hey, I am getting constant attempts from who knows where trying to connect as an incorrect extension to my Asterisk. I have included a short log of what seems to always be going on in the AM hours. Realize that I have some outside extensions and a few mobile WiFi clients that I need to let in.

All these attempts every min or two seem to be degrading my sip audio...getting choppy audio.

Any bright ideas on how I should combat this? Would changing the port from 5060 on the outside phones be a good deterrent?

I am currently running Asterisk in a DMZ with a Linux firewall on the PBX box.

log snip

[07:56:59 AM Feb 10 Fri 2017] NOTICE[2821] chan_sip.c: Registration from '"3017"<sip:[email protected]:5060>' failed for '163.172.114.34:15554' - Wrong password
[07:57:02 AM Feb 10 Fri 2017] NOTICE[2821] chan_sip.c: Registration from '"2980"<sip:[email protected]:5060>' failed for '163.172.114.34:52884' - Wrong password
[07:57:03 AM Feb 10 Fri 2017] NOTICE[2821] chan_sip.c: Registration from '"2957"<sip:[email protected]:5060>' failed for '163.172.114.34:26456' - Wrong password
[07:57:03 AM Feb 10 Fri 2017] NOTICE[2821] chan_sip.c: Registration from '"2959"<sip:[email protected]:5060>' failed for '163.172.114.34:56247' - Wrong password
[07:57:04 AM Feb 10 Fri 2017] NOTICE[2821] chan_sip.c: Registration from '"3020"<sip:[email protected]:5060>' failed for '163.172.114.34:22281' - Wrong password
[07:57:07 AM Feb 10 Fri 2017] NOTICE[2821] chan_sip.c: Registration from '"3022"<sip:[email protected]:5060>' failed for '163.172.114.34:14756' - Wrong password
[07:57:07 AM Feb 10 Fri 2017] NOTICE[2821] chan_sip.c: Registration from '"2983"<sip:[email protected]:5060>' failed for '163.172.114.34:8214' - Wrong password
[07:57:12 AM Feb 10 Fri 2017] NOTICE[2821] chan_sip.c: Registration from '"3025"<sip:[email protected]:5060>' failed for '163.172.114.34:58393' - Wrong password
[07:57:16 AM Feb 10 Fri 2017] NOTICE[2821] chan_sip.c: Registration from '"2985"<sip:[email protected]:5060>' failed for '163.172.114.34:16569' - Wrong password
[07:57:29 AM Feb 10 Fri 2017] NOTICE[2821] chan_sip.c: Registration from '"2988"<sip:[email protected]:5060>' failed for '163.172.114.34:58806' - Wrong password
[07:57:35 AM Feb 10 Fri 2017] NOTICE[2821] chan_sip.c: Registration from '"2990"<sip:[email protected]:5060>' failed for '163.172.114.34:26286' - Wrong password
[07:57:39 AM Feb 10 Fri 2017] NOTICE[2821] chan_sip.c: Registration from '"2993"<sip:[email protected]:5060>' failed for '163.172.114.34:15015' - Wrong password
 

krzykat

Guru
The best idea is to use a whitelist!! Then they're out. Changing the port would help, certainly, but it's only a temporary fix. Use a whitelist; it reduces the traffic and logs on your server immensely.
 

Hometech

Member
I can do that with most connections from public side except for the mobile wifi phones.
 
How about a firewall that blocks by countries. I use PfSense that has PFBlockerNG. Whitelists are fine but it doesn't stop the traffic hitting the box.
 

dicko

Still learning but earning
If you do a whois on the IP your approved clients appear at, there will be a netrange www.xxx.yyy.zzz - www.aaa.bbb.vcc or w.x.y.z/16 which is larger than the phone but smaller than the internet or a country; use that in your whitelist.
 

Hometech

Member
Ended up getting fail2ban working again. I had disabled it a while back because of an issue I was having. Will see how it does.
 

dicko

Still learning but earning
Adding restrictions to your iptables is normally a good thing, so fail2ban is a good thing; denying everyone and allowing only the good guys pre-emptively is safer as a starting point.
 

billsimon

Experienced in Asterisk, FreePBX, and SIP
The best defense is a good offense. Get command of a Mirai botnet and unload 10 Tbps of junk traffic on any suspicious IP that sends SIP packets to your PBX. After a few minutes, they should stop.

Now for the serious answer. fail2ban is probably enough. Really, if you have decent SIP passwords, and as long as the attempts are not overwhelming your server or network, there is not really any threat from these "pokes." But you have to be sure your dialplan is secure and your passwords are strong.
 

Hometech

Member
So far fail2ban looks like it's doing a fine job. They were bogging down my PBX and causing audio quality issues.
 

dicko

Still learning but earning
The trouble with fail2ban native is that it operates on individual hosts; the OP here was attacked by a host in the Tiscali network, 163.172.0.0/16.
These attacks are common and often move between IPs in those well known cloud service providers. Adding the "networks" of the hosts that fail2ban is easy and effective; a nice utility you can script with is whob, easily installed by following:-

http://pwhois.org/lft/

so

whob 163.172.114.34

will give you an idea, then use grep to get the prefix into an ipset that drops the network; soon you will have all the palestinians, OVH, Amazon, and Eastern Europeans just gone.

Perhaps start with:-

cat /var/log/fail2ban*log|grep Ban|awk '{print $7}'|whob|grep Prefix|awk '{print $2}'

I would build a whitelist ipset first, similarly:

rasterisk -x 'sip show peers'|awk '{print $2}'|sort -nu|egrep -v "Host|127\.0\.0\.1"|whob|grep Prefix |awk '{print $2}'


Just a concept that will take the load off fail2ban ( it probably won't work on containers though)

JM2CWAE
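An added illustration of the prefix-to-ipset concept above (not dicko's script): because whob needs network access, its Prefix lookups are replaced by a constructed table, and the whitelist-first idea becomes a check that never drops a network one of your own peers lives in.

```python
import ipaddress

# Constructed stand-in for 'whob <ip> | grep Prefix': banned host -> announced prefix.
# 163.172.0.0/16 is the network named in the thread; the others are documentation ranges.
PREFIX_LOOKUP = {
    "163.172.114.34": "163.172.0.0/16",
    "163.172.200.7": "163.172.0.0/16",
    "198.51.100.23": "198.51.100.0/24",
    "203.0.113.9": "203.0.113.0/24",
}

def prefix_for(ip):
    """Announced prefix for a host (stand-in for the whob call); None if unknown."""
    return PREFIX_LOOKUP.get(ip)

def plan_blocklist(banned_ips, peer_ips):
    """Turn fail2ban's banned hosts into network prefixes to drop, refusing any prefix
    that also contains one of your own SIP peers (the whitelist you build first).
    Returns (prefixes_to_drop, prefixes_skipped_because_a_peer_lives_there)."""
    peers = [ipaddress.ip_address(p) for p in peer_ips]
    drop, skipped = set(), set()
    for ip in banned_ips:
        prefix = prefix_for(ip)
        net = ipaddress.ip_network(prefix) if prefix else ipaddress.ip_network(f"{ip}/32")
        if any(peer in net for peer in peers):
            skipped.add(net)                       # a remote phone lives here: drop only the host
            drop.add(ipaddress.ip_network(f"{ip}/32"))
        else:
            drop.add(net)
    # collapse_addresses merges /32 entries already covered by a wider prefix
    return (sorted(map(str, ipaddress.collapse_addresses(drop))), sorted(map(str, skipped)))

def ipset_commands(prefixes, setname="sipblock"):
    """ipset commands to load the drop set, plus the one iptables rule that consults it."""
    cmds = [f"ipset create {setname} hash:net -exist"]
    cmds += [f"ipset add {setname} {p} -exist" for p in prefixes]
    cmds.append(f"iptables -I INPUT -p udp --dport 5060 -m set --match-set {setname} src -j DROP")
    return cmds
```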
 

jroper

Guru
Hi

These firewall rules will cut down this traffic tremendously:

Code:
#drop sipvicious attacks

iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sundayddr" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipsak" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipvicious" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "iWar" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sip-scan" --algo bm
#windows command name client sipcli used to scan as well.
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm
Adding the following SIP settings will also help:

  • alwaysauthreject = yes; when the password is wrong, this sends the reply "that extension does not exist" even if it does exist, the idea being that the hacker moves on to the next extension, then finally leaves your server for the next one.
  • Domain = your FQDN; this means that Asterisk will only allow registration if the domain is correct, registration is not allowed via IP address. The domain can be looked up remotely, so it is only a road hump, but does help protect against automated scanners. Replace your FQDN with your fully qualified domain name.
  • Complex secrets and passwords; Do note that some endpoints do not accept characters other than a-Z and 0-9.
  • Deny and Permit; Limiting the IP addresses that can connect to the PBX. e.g. if all your extensions are internal to the office network, and no one has to connect remotely, then you can Deny everything (deny = 0.0.0.0/0.0.0.0) and permit only your internal IP range, (permit = 192.168.1.0/255.255.255.0) or a single IP, 192.168.1.200/255.255.255.255
Rate Limiting
You can use iptables to limit the rate at which SIP messages can be sent from a single device, this gives less time for the attacker to do brute force attacks, and stops the load being deferred to your IDS system. Rules as follows could form a good basis.

Code:
iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --set
iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 3600 --hitcount 100 -j DROP
iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 600 --hitcount 20 -j DROP
iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 300 --hitcount 10 -j DROP
iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 180 --hitcount 5 -j DROP
iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 3 -j DROP
This will drop registration attacks if they come in too fast, so normal phones should be fine as they do not produce too many registration attempts.

These tips come from a blog I wrote here - http://www.star2billing.com/securing-asterisk/

Joe
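An added simulation (not from the post above or the blog it cites) that parses registration failures in the format of the log at the top of the thread and runs the rate-limiting tiers over them beside a constructed phone; it assumes every attempt is a NEW conntrack flow, which holds for the scanner because its source port changes on every attempt, and 'pbx.example.com' is a placeholder for the OP's host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One chan_sip registration-failure line, in the format of the log quoted at the top of the thread.
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
                    r"'(?P<from>[^']*)' failed for '(?P<ip>[\d.]+):(?P<port>\d+)' - (?P<reason>.+)$")
# (window seconds, hitcount) from the "-m recent --rcheck" rules, in the order they are appended.
TIERS = ((3600, 100), (600, 20), (300, 10), (180, 5), (60, 3))

def scanner_lines():
    """Constructed lines (times, extensions and ports copied from the quoted log; the host
    'pbx.example.com' is a placeholder). The source port changes on every attempt, so conntrack
    treats each one as a NEW flow and every attempt reaches the recent-module rules."""
    attempts = [("07:56:59", "3017", 15554), ("07:57:02", "2980", 52884), ("07:57:03", "2957", 26456),
                ("07:57:03", "2959", 56247), ("07:57:04", "3020", 22281), ("07:57:07", "3022", 14756)]
    return [f"[{t} AM Feb 10 Fri 2017] NOTICE[2821] chan_sip.c: Registration from '\"{ext}\""
            f"<sip:{ext}@pbx.example.com:5060>' failed for '163.172.114.34:{port}' - Wrong password"
            for t, ext, port in attempts]

def parse(line):
    """Return (timestamp, source ip, source port), or None for a line that is not a failure."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%I:%M:%S %p %b %d %a %Y"), m.group("ip"), int(m.group("port"))

def recent_verdicts(events):
    """events: (timestamp, ip) per NEW packet, in time order. Mirrors the rule order: '--set'
    records the packet first, then each '--rcheck' tier drops once the hits inside its window
    (this packet included) reach the tier's hitcount. Returns {ip: [verdict per packet]}."""
    history, verdicts = defaultdict(list), defaultdict(list)
    for ts, ip in events:
        history[ip].append(ts)
        verdict = "ACCEPT"
        for window, hitcount in TIERS:
            if sum((ts - h).total_seconds() <= window for h in history[ip]) >= hitcount:
                verdict = f"DROP({window}s/{hitcount})"
                break
        verdicts[ip].append(verdict)
    return dict(verdicts)

def demo():
    """Scanner attempts beside a constructed phone (192.168.1.200) that re-REGISTERs every 120 s,
    counted as NEW every time to show the worst case. Returns {ip: [verdict, ...]}."""
    events = [(ts, ip) for ts, ip, _port in map(parse, scanner_lines())]
    t0 = datetime(2017, 2, 10, 7, 0, 0)
    events += [(t0 + timedelta(seconds=120 * i), "192.168.1.200") for i in range(31)]
    return recent_verdicts(sorted(events, key=lambda e: e[0]))
```

On older kernels the recent module keeps at most ip_pkt_list_tot (default 20) timestamps per address and refuses a rule whose --hitcount exceeds it, so the 100-hit tier needs that module parameter raised; the simulation keeps an unbounded history.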

 

Hometech

Member
Thanks jroper, I will get that implemented.

Would someone share their fail2ban jail conf & Asterisk filter? I want to make sure I have everything correct to protect my PBX.
Thanks
 

ostridge

Guru
These firewall rules will cut down this traffic tremendously
Just tried adding those rules and also the rules to 'drop sipvicious attacks'
I even retyped the double quotes using nano
BUT I got several 10 sec warnings
Code:
******** 10-SECOND WARNING ALERT ***********
IPtables FQDN problem on line: 126
The unresolvable FQDN is .
This rule will be disabled to allow IPtables to start.
Check and correct line 127 in /etc/iptables/rules.v4.
******** 10-SECOND WARNING ALERT ***********
and the additions got #*** commented out

I put the rules below line 124 which is # End of Trusted Provider Section.
Perhaps someone knows where that went wrong? :banghead:

OK SOLVED
Start by an edit of /etc/iptables/rules.v4
Code:
nano /etc/iptables/rules.v4
Insert the following code after the line # End of Trusted Provider Section

Code:
# // drop sipvicious attacks  # credit http://www.star2billing.com/securing-asterisk/
-I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sundayddr" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sipsak" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sipvicious" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "iWar" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sip-scan" --algo bm
#windows command name client sipcli used to scan as well.
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm
# // End drop sipvicious attacks
# // rate limiting            # credit http://www.star2billing.com/securing-asterisk/
-A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --set
-A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 3600 --hitcount 100 -j DROP
-A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 600 --hitcount 20 -j DROP
-A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 300 --hitcount 10 -j DROP
-A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 180 --hitcount 5 -j DROP
-A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 3 -j DROP
# // End rate limiting
Then restart iptables
Code:
iptables-restart
 


tbrummell

Guru
I would love to make this work on my current system as I do allow 5060 to the world, but every time I restart iptables it reloads Ward's original rules. In fact, between Webmin and "iptables -vL" they don't even list the same information. So I'm not sure what is even up with my rules. :(

Incredible PBX 13.13.1 for Scientific Linux
RAM:24MB Scientific Linux 6.7 Disk:6.9GB
Asterisk 13.13.1 Incredible GUI 12.0.39
 

tbrummell

Guru
I got a little further, now it's just the rate limiting rules that won't add. Looks to me they are not written correctly for my version of iptables (v1.4.7).
 

wardmundy

Nerd Uno
Travelin' Man 3 implements a rock-solid WhiteList with IPtables. Those not on your WhiteList can't even see your server, much less access it. It's available for PIAF3 and it's rolled into the install with all Incredible PBX platforms. PortKnocker makes it easy to add remote phones to the WhiteList without admin intervention.

If you use any product that includes FreePBX GUI components and directly expose UDP/TCP SIP or TCP 80 to the Internet, you are just asking for trouble. Don't take our word for it, read this article as well as ours:

VoIPtopia 2017: Choosing the Best, Free VoIP Platform

 

tbrummell

Guru
The only thing I have open to the world is 5060 and the respective RTP ports. I know the risks. I have whitelisted IPs for management purposes, and as stated in other threads, with mobile phone SIP clients, whitelisting and PortKnocker just don't work.

Since adding Joe's string matches, fail2ban has been quiet, totally quiet (as has tailing \asterisk\full and capturing port 5060 traffic, no obscure SIP traffic). I'll do the FQDN match as soon as I figure out why my Aastra phones don't register with a FQDN. I'm thinking it's probably the fact I don't have a SRV record on my DNS servers. That is next on my list but my day job beckons.
 
