I HAVE A DREAM Fail2Ban Hackers Permanent

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
While looking at logs, I notice that hackers regularly try to hit specific extensions. For example, 100, 101, 1000, 1001. So I had an idea ... what if I never use these extensions in my builds, and anytime anyone tries to register to these, I ban them PERMANENTLY. Then I thought, why not expand upon this idea. What if we set up a fictitious PBX whose sole purpose is to find out WHO hackers are.

This is my idea: Get a PBX set up and then monitor anyone that tries to register to it. Grab every one of the IPs that tries to register and add it to a blacklist table, let's call it NVblacklist. Then in the fail2ban module that NV builds in every system, part of it will have the option to ban/drop anything in the NVblacklist.
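As an added example (not krzykat's code, and not anything NV ships), here is one way the first half of that idea could be wired up on a real build: pull the source addresses of registration attempts against the never-provisioned decoy extensions out of Asterisk's chan_sip log lines, and render them as entries for an ipset named NVblacklist that a single iptables rule drops. The log lines are constructed to match the chan_sip "Registration from ... failed for ..." NOTICE format; the set name, the decoy list and the log path are assumptions.

```shell
#!/bin/sh
# Added example, not krzykat's or the forum's code. Assumes Asterisk chan_sip
# "Registration from ... failed for ..." log lines and an ipset named NVblacklist.

DECOY_EXTS="100 101 1000 1001"   # extensions never provisioned on real builds

# Constructed sample log lines in the chan_sip NOTICE format (not real traffic).
sample_log() {
cat <<'EOF'
[2015-03-01 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[2015-03-01 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"alice" <sip:alice@203.0.113.10>' failed for '192.0.2.44:5060' - Wrong password
[2015-03-01 10:00:03] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@203.0.113.10>' failed for '198.51.100.9:5060' - No matching peer found
[2015-03-01 10:00:04] NOTICE[1234] chan_sip.c: Registration from '"1000" <sip:1000@203.0.113.10>' failed for '198.51.100.7:5060' - No matching peer found
EOF
}

# Read log lines on stdin; print each source IP that tried to register as a
# decoy extension, once. Fields are split on the single quote: $2 holds the
# '"ext" <sip:...>' part and $4 holds 'ip:port'. A legitimate user fat-fingering
# a real extension (alice above) is not matched.
decoy_attackers() {
  awk -F"'" -v exts="$DECOY_EXTS" '
    BEGIN { n = split(exts, a, " "); for (i = 1; i <= n; i++) decoy[a[i]] = 1 }
    /Registration from/ && NF >= 4 {
      split($2, q, "\"")       # q[2] = extension between the double quotes
      split($4, h, ":")        # h[1] = source address before the port
      if ((q[2] in decoy) && !(h[1] in seen)) { seen[h[1]] = 1; print h[1] }
    }'
}

# Render ipset commands that add each offender to NVblacklist (no timeout:
# the thread wants these permanent). Printed rather than executed, so the
# output can be reviewed first or piped to sh on the real box.
blacklist_rules() {
  decoy_attackers | while IFS= read -r ip; do
    printf 'ipset add NVblacklist %s -exist\n' "$ip"
  done
}

# One-time firewall hook: create the set and drop any source that is in it.
firewall_hook() {
  printf 'ipset create NVblacklist hash:ip -exist\n'
  printf 'iptables -I INPUT -m set --match-set NVblacklist src -j DROP\n'
}

# Demo on the constructed sample. On a live system replace sample_log with a
# tail of the Asterisk log (path assumed): tail -n 1000 /var/log/asterisk/full
firewall_hook
sample_log | blacklist_rules
```

Because the set is keyed on source address, it can also be shared: the "fictitious PBX" in the post would just export its NVblacklist with `ipset save`, and each real build would restore it before the DROP rule above is loaded. The risk to weigh is that a residential user behind a shared or carrier-grade NAT address lands in the set through someone else's scanner, which is the point TheMole makes next.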
 

TheMole

Guru
Joined
Aug 28, 2008
Messages
96
Reaction score
9
I think at some point you'll be blacklisting half the internet. Then you come to the conclusion that you should just employ whitelisting.
 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
Whitelisting doesn't work for everyone. I service quite a few residential lines, and every so often, their IPs change. Having a good firewall in place and using fail2ban has worked well for me. I lock down Apache (that's where the real attacks come in) - and then Fail2ban does a good job on asterisk.
 

TheMole

Guru
Joined
Aug 28, 2008
Messages
96
Reaction score
9
I just cannot figure out why you need to have your asterisk box open to the world. Even with Fail2Ban.

Get a good DDNS service, write a little script and run it every minute to watch for changes to the several IP addresses you maintain and then dynamically regenerate the firewall rules to allow that new IP address into your machine. Instead of keeping a list of who you want to keep out, block everybody and keep a (shorter) list of who you want to let in.

Even better, have people connect via a VPN.
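As an added example (not TheMole's script), here is the "little script" sketched above in working form: resolve each remote user's DDNS hostname, compare the result with the previous run, and only when something changed regenerate a default-deny SIP_ALLOW chain with one ACCEPT per current address. The chain name, the state file path and the hostnames are assumptions; the script prints the iptables commands so they can be reviewed or piped to sh from cron.

```shell
#!/bin/sh
# Added example, not TheMole's script. Assumes DDNS hostnames that your remote
# users keep updated, iptables with a user-defined SIP_ALLOW chain that INPUT
# jumps to for UDP 5060, and a state file (path assumed) to detect changes.

SIP_PORT=5060
STATE_FILE="${STATE_FILE:-/var/tmp/sip_allowlist.state}"

# Resolve a hostname to its first IPv4 address. Override this to use a
# specific resolver or, in tests, a fixed table.
resolve_host() {
  getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Print "hostname ip" for every hostname that currently resolves; a hostname
# that does not resolve is simply left out (and so loses access until it does).
current_allowlist() {
  for h in "$@"; do
    ip=$(resolve_host "$h" 2>/dev/null) || ip=""
    [ -n "$ip" ] && printf '%s %s\n' "$h" "$ip"
  done
  return 0
}

# Turn "hostname ip" lines (stdin) into a full rebuild of the SIP_ALLOW chain:
# flush, one ACCEPT per resolved home address, then DROP everything else.
render_rules() {
  printf 'iptables -F SIP_ALLOW\n'
  while read -r host ip; do
    [ -n "$ip" ] || continue
    printf 'iptables -A SIP_ALLOW -s %s -p udp --dport %s -j ACCEPT  # %s\n' "$ip" "$SIP_PORT" "$host"
  done
  printf 'iptables -A SIP_ALLOW -p udp --dport %s -j DROP\n' "$SIP_PORT"
}

# Regenerate rules only when the resolved set differs from the last run.
# Returns 1 and prints nothing when nothing changed, so the chain is never
# flushed needlessly mid-call.
refresh_if_changed() {
  new=$(current_allowlist "$@")
  old=$(cat "$STATE_FILE" 2>/dev/null || true)
  [ "$new" != "$old" ] || return 1
  printf '%s\n' "$new" > "$STATE_FILE"
  printf '%s\n' "$new" | render_rules
}

# Cron usage (hostnames are placeholders; install path assumed):
# * * * * * /usr/local/sbin/sip_allowlist.sh home1.example.dyn home2.example.dyn | sh
if [ "$#" -gt 0 ]; then
  refresh_if_changed "$@"
fi
```

Two things worth knowing before relying on this: a DDNS client that stops updating (router reboot, ISP change) silently drops that household off the list, so pair it with a simple "who has not resolved today" report; and because each ACCEPT is per address, users behind a shared or carrier-grade NAT address get let in together with everyone else on that address, which is why the VPN suggestion is the stronger option where the endpoints can support it.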
 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
I just cannot figure out why you need to have your asterisk box open to the world. Even with Fail2Ban.


'Cause that model just doesn't work for what I'm trying to do, and I'm sure many others. If you are in control of things and deal with computer people, that may be possible, but if for example you've got over 100 people (let's call them family members) with ATAs spread all over everywhere that use it for their home phone service and they know little more than it gets plugged in and it works, then this is very desirable.

For most PBXs - Yes - a VPN is the best method or any other type of complete lockdown, but it's not applicable in all situations.
 

jeff.h

Guru
Joined
Dec 1, 2010
Messages
502
Reaction score
71
'Cause that model just doesn't work for what I'm trying to do, and I'm sure many others. If you are in control of things and deal with computer people, that may be possible, but if for example you've got over 100 people (let's call them family members) with ATAs spread all over everywhere that use it for their home phone service and they know little more than it gets plugged in and it works, then this is very desirable.

For most PBXs - Yes - a VPN is the best method or any other type of complete lockdown, but it's not applicable in all situations.


Travelin' Man and a DYN DNS account is your friend.
 

Fortel

Guru
Joined
Oct 19, 2007
Messages
122
Reaction score
4
A lot has been written about security, and there have been a lot of good, clever ideas to help in that regard. I help manage a friend's business PBX, and used to lose sleep because of security concerns.

There doesn't appear to be any one, ideal solution. But here is what has worked well for us:

Some time ago, Joe Roper suggested using an open-source SBC, and a reverse web proxy. This seems to be the most bullet-proof method to stop hacking. But it does add complexity, and additional points of failure to deal with.

If the SBC is not doable, then simply changing the SIP port to some non-standard number should greatly reduce the hammering on your system(s). This can be tough if there are many remote SIP devices and programming the port is out of reach. And some VoIP providers may not play with the non-standard port.

So, white-listing is probably the strongest solution, if you can pull it off. A good firewall is your best friend. Again, it's not always possible as IP addresses can change depending on the user base.

With more than a handful of remote users, the Session Border Controller is effective. The endpoints won't need reprogramming, which is nice. And then you can sleep... with one eye open...

Peter
 

smarks

Guru
Joined
Jan 7, 2015
Messages
116
Reaction score
26
A lot has been written about security, and there have been a lot of good, clever ideas to help in that regard. I help manage a friend's business PBX, and used to lose sleep because of security concerns.

There doesn't appear to be any one, ideal solution. But here is what has worked well for us:

Some time ago, Joe Roper suggested using an open-source SBC, and a reverse web proxy. This seems to be the most bullet-proof method to stop hacking. But it does add complexity, and additional points of failure to deal with.

If the SBC is not doable, then simply changing the SIP port to some non-standard number should greatly reduce the hammering on your system(s). This can be tough if there are many remote SIP devices and programming the port is out of reach. And some VoIP providers may not play with the non-standard port.

So, white-listing is probably the strongest solution, if you can pull it off. A good firewall is your best friend. Again, it's not always possible as IP addresses can change depending on the user base.

With more than a handful of remote users, the Session Border Controller is effective. The endpoints won't need reprogramming, which is nice. And then you can sleep... with one eye open...

Peter


Can you elaborate on this? By open source SBC are you referring to something like Kamailio, and what specifically are you doing with it? Also what is the reverse web proxy accomplishing that you cannot do with Apache?
 

Fortel

Guru
Joined
Oct 19, 2007
Messages
122
Reaction score
4
Can you elaborate on this? By open source SBC are you referring to something like Kamailio, and what specifically are you doing with it? Also what is the reverse web proxy accomplishing that you cannot do with Apache?

OpenSIPS, or Kamailio, et al, sitting in between a firewall / router and the PBX. So just signalling and RTP ports are forwarded to the SBC. The SBC is configured to route the phone registrations, etc, based on hostnames, to the PBX. To reach the web front end of the PBX, you'll need some type of reverse proxy to recognize the hostname request and forward that to the PBX. All of this is NATed (ideally), with limited port forwarding.

Search for Joe Roper's introduction to the concept- that's what spurred us.

Peter
 