FOOD FOR THOUGHT Best defense against SIP hackers

ostridge (Guru, joined Jan 22, 2015):
I got a little further; now it's just the rate limiting rules that won't add. Looks to me like they are not written correctly for my version of iptables (v1.4.7).

Hi, using the iptables command to add the individual rules that you mention will have thrown up some shortcomings in the arguments used.
I found that the arguments as per the @jroper post ' -dport -state -rcheck -seconds -hitcount -set ' were typed with a single '-' whereas a double '--' worked for me; it seems you need to substitute two hyphens for one in each of those arguments:
' --dport --state --rcheck --seconds --hitcount --set '.

Having found that that worked, I needed to edit /etc/iptables/rules.v4, because the usual /sbin/iptables-save command is not much use, according to @wardmundy, where you have added #comments or rules added with add-fqdn, which include domain names and the like and which disappear during the save. The workaround is to edit /etc/iptables/rules.v4, where the same syntax seems to work but omitting the preceding
Code:
 iptables
command.

So that was the reason for my post above.
When editing
Code:
nano /etc/iptables/rules.v4
do search for lines commented out with ' #*** ' and uncomment them. The commenting is done programmatically by iptables for any rules that fail the checking and are disabled, as stated in the 10-second warnings.

Hope that works
Regards
 

tbrummell (Guru, joined Jan 8, 2011):
With the rate limiting rules, it appears to be the order of the options causing me issues. I was playing with it yesterday and got the first line to work by moving the options around; my notes are at work, though. If I don't move the options around, I get this:
Code:
root@IncrediblePBX:~ $ iptables -A INPUT -p udp –-dport 5060 -i eth0 -m state –-state NEW -m recent –-set
Bad argument `–-dport'
Try `iptables -h' or 'iptables --help' for more information.
 

ostridge (Guru, joined Jan 22, 2015):
@tbrummell You may have used double hyphens that were not correctly coded; that is, I notice in your code above that the double hyphens are of differing length, where one converted to hex becomes 2D but the other converts to E28093, which is not the same as the '-' (minus sign).
I have added a file to my post above which is edited in nano on an Rpi3; that is the text that worked for me.

You cannot rely on symbols keeping the same encoding when formatted for a web page in HTML, and you need the ASCII or UTF-8 equivalent.

Adding to the above simple explanation: you are probably using a US keyboard layout and god knows what Windows code page, whereas I use a UK layout and some other goddam code page. But on the Rpi3 I'm doing UTF-8.

Confusing me: I also noticed that the rules.v4 file has Windows-style CR LF line endings and not the Linux LF character.
 
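The two problems ostridge's posts above describe (a web page turning "--" into an en dash, and a rules.v4 edited with Windows CR LF endings) can be caught before iptables-restore ever sees the file. The script below is an added example, not code from the thread or from Incredible PBX: it counts lines with non-ASCII dashes (en dash U+2013, em dash U+2014, minus sign U+2212) and lines with a trailing CR, writes a cleaned copy, and lists the ' #*** ' lines the earlier post says hold disabled rules. The function names, the dash-to-hyphen mapping and the sample file are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for a hand-edited
# /etc/iptables/rules.v4, run before iptables-restore. Catches Unicode dashes
# pasted out of a web page and Windows CR LF line endings, writes a cleaned
# copy, and lists the "#***" lines that the previous post says hold disabled
# rules. Function names and the sample file are this example's assumptions.

EN_DASH=$(printf '\342\200\223')   # U+2013, UTF-8 bytes E2 80 93
EM_DASH=$(printf '\342\200\224')   # U+2014, UTF-8 bytes E2 80 94
MINUS=$(printf '\342\210\222')     # U+2212, UTF-8 bytes E2 88 92
CR=$(printf '\r')

# Number of lines in $1 containing a non-ASCII dash; prints 0 when clean.
# LC_ALL=C makes grep and sed work on raw bytes whatever the login locale is.
count_unicode_dashes() {
    LC_ALL=C grep -c -e "$EN_DASH" -e "$EM_DASH" -e "$MINUS" "$1" || true
}

# Number of lines in $1 ending in a carriage return (CR LF endings).
count_crlf() {
    LC_ALL=C grep -c "$CR\$" "$1" || true
}

# Write a cleaned copy of $1 to $2. The mapping is an assumption about how
# the dashes got there: an en dash or minus sign stands in for one hyphen
# (so "en dash + -dport" becomes "--dport"), an em dash is what word
# processors make of "--", and every CR is dropped.
normalize_rules() {
    LC_ALL=C sed -e "s/$EN_DASH/-/g" -e "s/$MINUS/-/g" \
                 -e "s/$EM_DASH/--/g" -e "s/$CR\$//" "$1" > "$2"
}

# 0 when $1 has no Unicode dashes and no CR LF endings, 1 otherwise.
check_rules() {
    [ "$(count_unicode_dashes "$1")" -eq 0 ] && [ "$(count_crlf "$1")" -eq 0 ]
}

# Lines starting with "#***": rules the previous post says were commented
# out because they failed the check, listed for review before uncommenting.
list_disabled_rules() {
    grep -n '^#\*\*\*' "$1" || true
}

# Constructed sample file: the command from the post above as it came out of
# a copy and paste (en dash before -dport), one disabled rule, all with
# CR LF line endings, in rules.v4 form (no leading "iptables").
SAMPLE=$(mktemp) && CLEAN=$(mktemp)
trap 'rm -f "$SAMPLE" "$CLEAN"' EXIT
printf '%s\r\n' \
    '*filter' \
    "-A INPUT -p udp ${EN_DASH}-dport 5060 -i eth0 -m state --state NEW -m recent --set" \
    '-A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 3600 --hitcount 100 -j DROP' \
    '#*** -A INPUT -p udp --dport 5060 -j ACCEPT' \
    'COMMIT' > "$SAMPLE"

echo "lines with Unicode dashes: $(count_unicode_dashes "$SAMPLE")"   # 1
echo "lines with CR LF endings:  $(count_crlf "$SAMPLE")"             # 5
echo "disabled rules:"; list_disabled_rules "$SAMPLE"
normalize_rules "$SAMPLE" "$CLEAN"
check_rules "$CLEAN" && echo "cleaned copy has ASCII hyphens and LF endings only"
```

Run it against a copy of rules.v4 (replace the constructed sample) before restoring; a non-zero count from either check is a line iptables will refuse with the same "Bad argument" message shown above, and the cleaned copy is what should go to iptables-restore.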

tbrummell (Guru, joined Jan 8, 2011):
Success!

Copying and pasting out of your file resulted in the following at the 2nd line of rate limiting:
Code:
root@IncrediblePBX:~ $ iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 3600 --hitcount 100 -j DROP
iptables: Invalid argument. Run `dmesg' for more information.
Running dmesg revealed:
Code:
ip_tables: (C) 2000-2006 Netfilter Core Team
xt_recent: hitcount (100) is larger than packets to be remembered (20)
Some Google-fu:
Code:
http://stackoverflow.com/questions/26936653/ratelimiting-with-iptables-recent-gives-error

Changed to a max hitcount of 101, and now the commands are accepted. This polishes off my iptables set, thanks for the help!
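The dmesg line quoted above is xt_recent refusing a --hitcount larger than its ip_pkt_list_tot module parameter (20 by default, 255 at most, and only settable when the module loads), which is what the linked Stack Overflow question is about. The script below is an added example, not code from the thread or from Incredible PBX: it reads the running module's limit, says whether the chosen --hitcount will load and which modprobe.d line fixes it if not, then prints the three rate-limit rules in rules.v4 form with each module's options after its -m. Interface, port, window and hit count are taken from the commands in the thread; --name SIP and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): print the SIP rate-limit rules from
# the posts above in rules.v4 form, after checking that the loaded xt_recent
# module can remember enough packets per address for the chosen --hitcount.
# xt_recent rejects a --hitcount larger than ip_pkt_list_tot (default 20,
# ceiling 255); that is the "hitcount (100) is larger than packets to be
# remembered (20)" line in dmesg. --name SIP is this example's assumption.

IFACE=${IFACE:-eth0}
PORT=${PORT:-5060}
WINDOW=${WINDOW:-3600}     # seconds
HITS=${HITS:-100}
PARAM=/sys/module/xt_recent/parameters/ip_pkt_list_tot

# Packets xt_recent remembers per address: the running module's value when
# it is loaded, otherwise the compiled-in default of 20. $1 overrides the
# sysfs path so the check can be exercised without the module loaded.
current_pkt_list_tot() {
    if [ -r "${1:-$PARAM}" ]; then cat "${1:-$PARAM}"; else echo 20; fi
}

# 0 when --hitcount $1 will load against a module remembering $2 packets.
hitcount_ok() {
    [ "$1" -ge 1 ] && [ "$1" -le 255 ] && [ "$1" -le "$2" ]
}

# modprobe.d line raising the limit; it takes effect when the module is next
# loaded (rmmod xt_recent && modprobe xt_recent, or a reboot), not via sysfs.
modprobe_option() {
    echo "options xt_recent ip_pkt_list_tot=$1"
}

# The three rules. Each -m must come before that module's own options
# (--state after -m state, --set/--rcheck after -m recent). The first rule
# records every new SIP packet in the SIP list, the second drops a source
# that has sent HITS or more in the last WINDOW seconds, the third accepts
# the rest.
rate_limit_rules() {
    cat <<EOF
-A INPUT -i $IFACE -p udp --dport $PORT -m state --state NEW -m recent --set --name SIP
-A INPUT -i $IFACE -p udp --dport $PORT -m state --state NEW -m recent --rcheck --seconds $WINDOW --hitcount $HITS --name SIP -j DROP
-A INPUT -i $IFACE -p udp --dport $PORT -j ACCEPT
EOF
}

LIMIT=$(current_pkt_list_tot)
echo "# xt_recent ip_pkt_list_tot is $LIMIT"
if [ "$HITS" -gt 255 ]; then
    echo "# --hitcount $HITS exceeds xt_recent's ceiling of 255; lower it or widen --seconds"
elif ! hitcount_ok "$HITS" "$LIMIT"; then
    echo "# --hitcount $HITS would be refused; add this to /etc/modprobe.d/xt_recent.conf and reload the module:"
    echo "#   $(modprobe_option "$HITS")"
fi
# rules.v4 form: paste between *filter and COMMIT without a leading "iptables",
# or feed the whole output to "iptables-restore -n" to append to the running
# tables without flushing them.
echo '*filter'
rate_limit_rules
echo 'COMMIT'
```

The sysfs file is read-only, so raising the limit is a modprobe option plus a module reload; after that, the second rule loads with the hit count the thread wanted rather than having to be trimmed to fit.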
 

Jake (Active Member, joined Aug 27, 2010):
How about a firewall that blocks by country? I use pfSense, which has pfBlockerNG. Whitelists are fine, but they don't stop the traffic hitting the box.

I use pfSense and love it. I run Snort, which takes care of SIP attacks. I'm even more paranoid, so I only use OpenVPN to connect my devices to the PBX.
 

tbrummell (Guru, joined Jan 8, 2011):
UPDATE: Fail2Ban has had to do *no* banning since setting this up. I've been keeping an eye on the logs and they are very quiet, with the occasional attempt being rejected due to an incorrect FQDN. I did not implement the rule mentioned in post #25 at this time.
 

tbrummell (Guru, joined Jan 8, 2011):
@tbrummell You may have used double hyphens that were not correctly coded; that is, I notice in your code above that the double hyphens are of differing length, where one converted to hex becomes 2D but the other converts to E28093, which is not the same as the '-' (minus sign).
Good catch on that, my aging eyes did not see that at all!
 
