Hi
If you have to expose your Asterisk server to the Internet, and some people have to, or your Asterisk server is exposed to the Internet without you knowing about it (http://pbxinaflash.com/community/index.php?threads/yealink-security-concern.17524/#post-113019), then there are some measures you can take to block SIP attacks before fail2ban even gets a look at the logs.
One of the issues is that if you have a concerted attack on your system, Fail2Ban cannot keep up with the number of logs produced, and many thousands of attacks can be made before Fail2Ban kicks in.
SIP attacks are usually made from the following products:
- friendly-scanner
- VaxSIPUserAgent
- sundayddr
- sipsak
- sipvicious
- iWar
- sip-scan
- sipcli
...and the nature of the people doing these attacks is that they don't tend to hide the identity of the device doing the attack, so a simple set of firewall rules will stop these attacks in their tracks.
Code:
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "insert above name here" --algo bm
e.g.
Code:
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
and so on for each attack software listed above.
Yes, hackers can make changes to their config to change the name delivered, but they rarely do, and the number of attacks on your system will drop dramatically with these firewall rules.
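To save typing the rule once per name, here is an added example (my own script, not something from the post or from Asterisk/FreePBX) that generates one rule per scanner name from the list above and, when run with the argument apply, installs each rule only if an identical one is not already present, so re-running it does not stack duplicates in INPUT. The scanner list is assumed to match the names listed above.

```shell
#!/bin/sh
# Added example: one DROP rule per scanner User-Agent name, via the iptables
# string match module with the Boyer-Moore algorithm, exactly as in the post.
# The list below is assumed from the names given above.
SIP_SCANNERS="friendly-scanner VaxSIPUserAgent sundayddr sipsak sipvicious iWar sip-scan sipcli"

# Print the iptables command for one scanner name ($1).
# Refuses names containing quotes or whitespace, so a crafted list entry
# cannot break out of the quoted --string argument.
sip_scanner_rule() {
    case "$1" in
        *[\"\'[:space:]]*|"") return 1 ;;
    esac
    printf 'iptables -I INPUT -p udp --dport 5060 -m string --string "%s" --algo bm -j DROP\n' "$1"
}

# Print the full rule set, one command per line; fails on any bad name.
sip_scanner_rules() {
    for name in $SIP_SCANNERS; do
        sip_scanner_rule "$name" || return 1
    done
}

# Apply the rules idempotently: iptables -C checks whether an identical
# rule already exists, so only missing rules are inserted. Needs root.
apply_sip_scanner_rules() {
    for name in $SIP_SCANNERS; do
        if ! iptables -C INPUT -p udp --dport 5060 -m string --string "$name" --algo bm -j DROP 2>/dev/null; then
            iptables -I INPUT -p udp --dport 5060 -m string --string "$name" --algo bm -j DROP
        fi
    done
}

# Without the "apply" argument the script only prints the rules for review.
if [ "${1:-}" = "apply" ]; then
    apply_sip_scanner_rules
fi
```

Run it without arguments first to review the generated rules, then as root with apply; `iptables -S INPUT` afterwards shows what was installed.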
Secondly, I'd take issue with the oft-repeated advice, "Allow Anonymous Inbound SIP Calls" = NO. This switch is not a magic button that will protect your system. What it does is change the destination context of all inbound calls that are not authenticated.
- No = send calls into context that plays "sorry this number is not in service", hangs up, logs the call to the CDR.
- Yes = Try and match DID number in inbound routes.
If you explicitly add all your DID numbers to inbound routes, then add a catch-all DID with _. (underscore dot) and send this DID to the hangup destination, then only people who know your numbers can contact you.
So, if you would prefer to politely tell every chancer who is testing your system that "I'm sorry, that number is not in service", fill your CDR with unwanted entries, and place extra load on the server and bandwidth during an attack then choose Allow Anonymous Inbound SIP Calls = NO.
If you'd prefer to just hang up these calls, and not log them to CDR, then Allow Anonymous Inbound SIP Calls = Yes, and drop the call if you don't recognise the DID called, as described above.
Joe
PS - I've just written a blog entry for Asterisk security at
http://www.star2billing.com/securing-asterisk/, it's more aimed at people who do have to expose their systems to the Internet rather than those who have an office PBX tucked safely behind a firewall. (which is where it should be where possible)