TIPS Help for blocking SIP attacks not blocked by fail2ban

islandtech

Wassamassaw
Settings -> Asterisk Sip
set Allow SIP Guests and Allow Anonymous Inbound SIP Calls to NO

simplydrew

Member
Having the same problem on one of my hosted PBXs as of lately. Also getting the following in the logs:

Code:
[2015-10-13 20:21:27] WARNING[6833]: chan_sip.c:4082 retrans_pkt: Timeout on 8b1220da9a9b30645431dd92b97ee07a on non-critical invite transaction.
[2015-10-13 20:26:02] WARNING[6833]: chan_sip.c:4082 retrans_pkt: Timeout on 74f2eb93bf1a0dbf003416c48e2c5034 on non-critical invite transaction.
[2015-10-13 20:30:43] WARNING[6833]: chan_sip.c:4082 retrans_pkt: Timeout on f85703a558e05cda0dba89d9541efebf on non-critical invite transaction.
[2015-10-13 20:35:25] WARNING[6833]: chan_sip.c:4082 retrans_pkt: Timeout on e2410cc8e6de6e396c8c7105d7dbea02 on non-critical invite transaction.
[2015-10-13 20:40:14] WARNING[6833]: chan_sip.c:4082 retrans_pkt: Timeout on 216b116caefdedb0757af546367d1240 on non-critical invite transaction.
I've checked the Asterisk SIP settings and see that SIP Guests and Allow Anonymous Inbound SIP calls are both set to no. I also have iptables rules allowing only my providers' IPs and the connecting client site on port 5060, so I'm a little stumped as to how this is even being allowed to hit Asterisk.

wardmundy

Nerd Uno
Travelin' Man 3 IPtables WhiteList Firewall makes these problems disappear FOREVER.

jroper

Guru
Hi

If you have to expose your Asterisk server to the Internet, and some people have to, or your Asterisk server is exposed to the Internet without you knowing about it (http://pbxinaflash.com/community/index.php?threads/yealink-security-concern.17524/#post-113019), then there are some measures you can take to block SIP attacks before fail2ban even gets a look at the logs.

One of the issues is that if you have a concerted attack on your system, Fail2Ban cannot keep up with the number of logs produced, and many thousands of attacks can be made before Fail2Ban kicks in.

SIP attacks are usually made from the following products:
  • friendly-scanner
  • VaxSIPUserAgent
  • sundayddr
  • sipsak
  • sipvicious
  • iWar
  • sip-scan
  • sipcli
...and the nature of the people doing these attacks is they don't tend to hide the identity of the device doing the attack, so a simple set of firewall rules will stop these attacks in their tracks.
Code:
iptables -I INPUT -p udp --dport 5060 -m string --string "insert above name here" --algo bm -j DROP
e.g.
Code:
iptables -I INPUT -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm -j DROP
and so on for each attack software listed above.

Yes, hackers can make changes to their config to change the name delivered, but they rarely do, and the number of attacks on your system will drop dramatically with these firewall rules.


Secondly, I'd take issue with the oft-repeated advice, Allow Anonymous Inbound SIP Calls to NO. This switch is not a magic button that will protect your system. What it does is change the destination context of all inbound calls that are not authenticated.
  • No = send calls into context that plays "sorry this number is not in service", hangs up, logs the call to the CDR.
  • Yes = Try and match DID number in inbound routes.
If you explicitly add all your DID numbers to inbound routes, then add a catch all DID with _. (underscore dot) then send this DID to the hangup destination, then only people who know your numbers can contact you.

So, if you would prefer to politely tell every chancer who is testing your system that "I'm sorry, that number is not in service", fill your CDR with unwanted entries, and place extra load on the server and bandwidth during an attack then choose Allow Anonymous Inbound SIP Calls = NO.

If you'd prefer to just hang up these calls, and not log them to CDR, then Allow Anonymous Inbound SIP Calls = Yes, and drop the call if you don't recognise the DID called, as described above.

Joe

PS - I've just written a blog entry for Asterisk security at http://www.star2billing.com/securing-asterisk/; it's more aimed at people who do have to expose their systems to the Internet rather than those who have an office PBX tucked safely behind a firewall (which is where it should be where possible).
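As an added example (not from Joe's post or any PBX project), a small POSIX shell script that installs the rule above for every scanner name in the list, skips names that are already blocked so it can be re-run at boot, and can be dry-run; it assumes root, the iptables string match module (xt_string) and UDP SIP on port 5060.

```shell
#!/bin/sh
# Added example, not from the original thread: one iptables DROP rule per
# scanner User-Agent named above. Assumes root, the xt_string match module,
# and UDP SIP on port 5060 (the same rule shape as the post's one-liner).

SCANNERS="friendly-scanner VaxSIPUserAgent sundayddr sipsak sipvicious iWar sip-scan sipcli"
SIP_PORT=5060

# Match arguments shared by the check (-C) and insert (-I) forms of the rule.
rule_args() {
    printf '%s' "-p udp --dport $SIP_PORT -m string --string $1 --algo bm -j DROP"
}

# Run iptables, or only print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Insert the rule for one name unless an identical rule already exists, so the
# script can be re-run (e.g. from rc.local at boot) without duplicating rules.
block_scanner() {
    # word-splitting of the rule_args output into separate arguments is intended
    if [ "${DRY_RUN:-0}" != 1 ] && iptables -C INPUT $(rule_args "$1") 2>/dev/null; then
        echo "already blocked: $1"
        return 0
    fi
    ipt -I INPUT $(rule_args "$1")
}

# Block every name in SCANNERS; prints how many names were processed.
block_all_scanners() {
    count=0
    for name in $SCANNERS; do
        block_scanner "$name" >/dev/null
        count=$((count + 1))
    done
    echo "$count"
}

if [ "${1:-}" = "apply" ]; then
    block_all_scanners
fi
```

Save it as a script and run it with the argument `apply`, or with `DRY_RUN=1` set to print the rules first. Because `-m string` scans the whole UDP payload, a legitimate packet that happens to contain one of these names anywhere in it is dropped too, and SIP over TCP or on another port is not covered by these rules.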

rchalk

Member
Travelin' Man 3 IPtables WhiteList Firewall makes these problems disappear FOREVER.
I have been using Travelin' Man for over a year now, on several different RentPBX servers, and do not get any attacks. The beauty of this approach is that it accommodates dynamic IP addresses, remote extensions that change location like a laptop or smartphone with a SIP client, etc. Kudos to Ward for a very effective and flexible solution.