PIONEERS New SIP Firewall Design for Publicly-Accessible PBX

jerrm

Guru
Joined
Sep 23, 2015
Messages
490
Reaction score
202
If you do that (which is nice) you should add a sleep a bit in the outer loop or you are likely breaking the ipdeny.com rules.
Good point. Full disclosure - I don't use ipdeny.com and haven't looked at their terms.
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
627
Reaction score
229
Then I further offer

#!/bin/bash
# Fetch the ipdeny all-zones tarball once and unpack the per-country .zone files in /tmp
cd /tmp
wget -qO - http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz | tar zxf -
# One hash:net set per country code; the "add" lines for every prefix are streamed
# into a single ipset restore instead of spawning one ipset process per prefix
for i in is ru ps kp ua md nl fi
do /usr/sbin/ipset create -exist $i hash:net
for j in $(cat $i.zone); do echo "add -exist $i $j"; done
done|ipset restore
exit 0



Which runs faster, thanks @Jerry3716, and doesn't clutter up /etc (don't see the need to restart iptables or fail2ban, nor the use of wait)
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
14,927
Reaction score
2,572
Then I further offer

#!/bin/bash
cd /tmp
wget -qO - http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz| tar zxf -
for i in is ru ps kp ua md nl fi
do /usr/sbin/ipset create -exist $i hash:net
for j in $(cat $i.zone); do echo "add -exist $i $j"; done
done|ipset restore
exit 0



Which runs faster , thanks @Jerry3716 , and doesn't clutter up /etc, (don't see the need to restart iptables or fail2ban , nor the use of wait)
ipset restore hung forever on my test server.

Also found a bug for those using an earlier version of our iptables config file.

Issue the command:
Code:
grep "INPUT -j IPSPF" /etc/sysconfig/iptables
If you get a blank line, then issue the following fix:
Code:
sed -i 's|-A INPUT -j ASIP|-A INPUT -j IPSPF\n-A INPUT -j ASIP|' /etc/sysconfig/iptables
service iptables restart
service fail2ban restart
The bug caused the country blocks not to actually execute even though they showed as being loaded.
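The grep-and-sed check above is easy to get wrong by hand (the sed runs unconditionally, and a second run would insert the jump twice). The script below is an added example written for this thread, not code from the PIAF project or the tutorial: it performs the same check idempotently, and adds a pre-restart check for the other common way an ipset-based ruleset fails to load, a `--match-set` rule that names a set which has not been created yet. The chain names IPSPF and ASIP and the rule layout come from the thread; the sample rules file is constructed here, and feeding `missing_sets` the output of `ipset list -n` on a live box is an assumption about how you would use it.

```shell
#!/bin/bash
# Added example: idempotent repair of the missing "INPUT -> IPSPF" jump and a
# check that every ipset referenced by the rules exists before restarting
# iptables. Chain names come from the thread; the sample rules are constructed.
set -eu

# Return 0 if INPUT already jumps to IPSPF (the country-block chain), 1 if not.
has_ipspf_jump() {
  grep -q '^-A INPUT -j IPSPF$' "$1"
}

# Insert the IPSPF jump immediately before the ASIP jump so the geoblocks are
# evaluated first. Safe to run repeatedly: it does nothing if the jump exists.
# awk is used instead of GNU sed's "\n" replacement so this is portable.
ensure_ipspf_jump() {
  local rules=$1
  if has_ipspf_jump "$rules"; then
    return 0
  fi
  if ! grep -q '^-A INPUT -j ASIP$' "$rules"; then
    echo "no '-A INPUT -j ASIP' anchor found; not modifying ${rules}" >&2
    return 1
  fi
  awk '/^-A INPUT -j ASIP$/ && !done { print "-A INPUT -j IPSPF"; done=1 } { print }' \
    "$rules" > "${rules}.tmp" && mv "${rules}.tmp" "$rules"
}

# Print each ipset named in a --match-set rule, once.
referenced_sets() {
  grep -oE -- '--match-set [^ ]+' "$1" | awk '{print $2}' | sort -u
}

# Given the rules file and a newline-separated list of existing set names
# (on a live system: "$(ipset list -n)"), print the referenced sets that do
# not exist. Empty output means iptables-restore will not reject the ruleset
# for a missing set.
missing_sets() {
  local rules=$1 existing=$2 s
  for s in $(referenced_sets "$rules"); do
    if ! printf '%s\n' "$existing" | grep -qx "$s"; then
      echo "$s"
    fi
  done
}

# Constructed sample in the layout of /etc/sysconfig/iptables, with the bug
# present: INPUT jumps to ASIP but never to IPSPF.
SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES" "${SAMPLE_RULES}.tmp"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:IPSPF - [0:0]
:ASIP - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ASIP
-A IPSPF -m set --match-set ru src -j DROP
-A IPSPF -m set --match-set badguys src -j DROP
-A ASIP -p udp --dport 5060 -j ACCEPT
COMMIT
EOF

# Stand-alone demo: repair the sample file, then report sets still missing
# when only "ru" has been created so far.
ensure_ipspf_jump "$SAMPLE_RULES"
missing_sets "$SAMPLE_RULES" "$(printf 'ru\n')"   # prints: badguys
```

On a real server you would point `ensure_ipspf_jump` at /etc/sysconfig/iptables, run `missing_sets /etc/sysconfig/iptables "$(ipset list -n)"`, and only then `service iptables restart`; a non-empty list means the restart would fail, which is worth knowing before you are locked out of a remote box.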
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
14,927
Reaction score
2,572
If you find you are repeatedly seeing the same IP addresses blocked by Fail2Ban, one fix is to add your own ipset group:
Code:
/usr/sbin/ipset create -exist badguys hash:net
Then you can add IP addresses to the table like this:
Code:
/usr/sbin/ipset -A badguys 62.210.29.135
You can check the contents of the badguys table like this:
Code:
/usr/sbin/ipset list badguys
Finally, don't forget to add a new rule to /etc/sysconfig/iptables in the same section as the other country blocks:
Code:
-A IPSPF -m set --match-set badguys src -j DROP
# save the file and then...
service iptables restart
service fail2ban restart
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
490
Reaction score
202
We don't bother with per-country sets and keep the iptables rules clean with one single block-most-of-the-world set. At this point I'd probably be better off with a whitelist, but if it ain't broke....

And with all this talk - a general comment just to reiterate - admins need to first be comfortable with their firewall rules without geoblocking present.

Security through obscurity is not real security. Many dismiss it completely, but IMO geoblocking improves the odds, eliminates a ton of junk in the logs and hopefully makes any real problems easier to spot.
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
627
Reaction score
229
We don't bother with per-country sets and keep the iptables rules clean with one single block-most-of-the-world set. At this point I'd probably be better off with a whitelist, but if it ain't broke....

And with all this talk - a general comment just to reiterate - admins need to first be comfortable with their firewall rules without geoblocking present.

Security through obscurity is not real security. Many dismiss it completely, but IMO geoblocking improves the odds, eliminates a ton of junk in the logs and hopefully makes any real problems easier to spot.
ipset create -exist restofworld hash:net maxelem 262144
for i in $(cat $(ls *.zone | egrep -v '^(ca|us)\.zone$')); do echo "add -exist restofworld $i"; done | ipset restore

but you need maxelem to be 256k to get the whole set.

+1 on the admin bit, the Chinese universities now use OVH, Amazon et al.
 
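Both approaches in this thread, the per-country sets from dicko's script and the single block-most-of-the-world set with a raised maxelem, end in a stream of `add` lines piped into `ipset restore`. The script below is an added example for this thread, not code from the PIAF project or from either poster: it builds that stream from already-unpacked `<cc>.zone` files, drops anything that is not a well-formed IPv4 prefix, sets maxelem explicitly on `create` (the default hash:net limit is too small for a combined set, as noted above), and fills a scratch set that is then swapped into place so the live set is never empty mid-reload. The set names, the 262144 maxelem for the combined set, the swap pattern and the sample prefixes (documentation ranges) are assumptions made for illustration.

```shell
#!/bin/bash
# Added example (not code from the thread): generate an `ipset restore` stream
# from ipdeny-style zone files. Assumes the zone files are already unpacked
# (one CIDR per line, named <cc>.zone). Set names, maxelem values and the
# sample prefixes are assumptions for illustration.
set -eu

# Emit one "add" line per well-formed IPv4 CIDR in a zone file, skipping
# blank lines, comments and anything that is not a dotted quad.
emit_adds() {
  local set_name=$1 zone_file=$2
  grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$zone_file" |
    sed "s|^|add -exist ${set_name} |"
}

# Build a stream that fills a scratch set and then swaps it into place, so the
# live set is replaced atomically rather than flushed and refilled with a gap.
# Usage: build_set_stream NAME MAXELEM ZONEFILE...
build_set_stream() {
  local name=$1 maxelem=$2 tmp zf
  shift 2
  tmp="${name}-tmp"
  echo "create -exist ${name} hash:net maxelem ${maxelem}"
  echo "create -exist ${tmp} hash:net maxelem ${maxelem}"
  echo "flush ${tmp}"
  for zf in "$@"; do
    emit_adds "$tmp" "$zf"
  done
  echo "swap ${tmp} ${name}"
  echo "destroy ${tmp}"
}

# Per-country variant: one set per country code, as in the script above.
per_country_streams() {
  local zone_dir=$1 maxelem=$2 cc
  shift 2
  for cc in "$@"; do
    build_set_stream "$cc" "$maxelem" "${zone_dir}/${cc}.zone"
  done
}

# Block-most-of-the-world variant: every zone file except the allow-listed
# country codes, to be fed into one large "restofworld" set.
zones_except() {
  local zone_dir=$1 zf cc a skip
  shift
  for zf in "${zone_dir}"/*.zone; do
    cc=$(basename "$zf" .zone)
    skip=0
    for a in "$@"; do
      if [ "$cc" = "$a" ]; then skip=1; fi
    done
    if [ "$skip" -eq 0 ]; then echo "$zf"; fi
  done
}

# Constructed sample zone files using documentation prefixes, not ipdeny data.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '192.0.2.0/24\n198.51.100.0/25\n# comment\n\n' > "${SAMPLE_DIR}/ru.zone"
printf '203.0.113.0/24\n' > "${SAMPLE_DIR}/ua.zone"
printf '198.51.100.128/25\nnot-a-prefix\n' > "${SAMPLE_DIR}/us.zone"
printf '192.0.2.0/25\n' > "${SAMPLE_DIR}/ca.zone"

# Stand-alone demo: print the combined-set stream instead of feeding it to
# ipset restore (pipe it into `ipset restore` on a real box).
build_set_stream restofworld 262144 $(zones_except "$SAMPLE_DIR" ca us)
```

Two caveats when using this for real: `swap` requires both sets to be the same type, which is why the scratch set is created with the same `hash:net` as the live one, and `create -exist` only ignores the error when the existing set has identical parameters, so a live set created earlier with the default maxelem has to be destroyed once before the larger one can take its place.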

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
14,927
Reaction score
2,572
Public server. SIP wide open. We're now on Day 3 without a single visit from a SIP bad guy.

Here's the Cliff's Notes version of how it works on KVM platforms:

1. Wide open SIP access, but block all access to server by IP address.
2. Assign separate FQDNs for SIP invites and SIP registrations.
3. Time restrict number of SIP accesses from same IP address.
4. Use ipset with IPtables to block all access from Top 8 attack countries.
5. Use custom ipset table to block frequent attackers not caught by #4.
6. Use Fail2Ban to block failed SIP invites/registrations after n attempts.
7. Block the usual script kiddies.


Stay tuned...
 

w1ve

Guru
Joined
Nov 15, 2007
Messages
631
Reaction score
97
So, Ward .... Followed your open-sip article (very interested in this.) Built a 13-13 LEAN PBX on Vultr (KVM). Worked great until I rebooted the server: I am no iptables expert, at all. So don't know what went wrong here. Now I have no network access on the box (presumably because iptables is messed up.) Thoughts?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
14,927
Reaction score
2,572
@w1ve: Did you whitelist your IP address in Fail2Ban?? Use View Console in upper right of Vultr management screen to fix it.

Also unban your IP address if it's banned in iptables -nL listing:

fail2ban-client set apache-auth unbanip 173.93.238.181
fail2ban-client set asterisk unbanip 173.93.238.181
fail2ban-client set ssh unbanip 173.93.238.181
 

w1ve

Guru
Joined
Nov 15, 2007
Messages
631
Reaction score
97
This is not a problem of GETTING to the PBX: I cannot get out of the PBX.

I.e.: Check for updates does not work, the status command hangs, ping 8.8.8.8 fails.

I did whitelist both my ip and a couple of my other PBXs.

I'm presuming it's the error on line 88 above?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
14,927
Reaction score
2,572
@w1ve: Have you tried adding a whitelist entry in extensions_override_freepbx.conf? Does that work??

exten => info,13,Goto(outbound-allroutes,18435551212,1)

My Automatic Update Utility works fine. My pbxstatus works fine. Ping is blocked by design but you can change it.

Try repeating the steps in Configuring IPtables for Public SIP Access.
 

w1ve

Guru
Joined
Nov 15, 2007
Messages
631
Reaction score
97
If networking is not working, then of course nothing else works.
IPTables got hosed for some reason when I rebooted.
If I turn off iptables, networking works.
So, I'll rebuild based on your steps.
 

w1ve

Guru
Joined
Nov 15, 2007
Messages
631
Reaction score
97
@wardmundy So -- redid that stuff, network came back. So far so good. I made a copy of iptables so if it happens again, I won't have to rebuild again. Rebooted the server a few times and it seems to recover fine.

Now the problem is: I dial [email protected], and I get:

[2019-02-07 14:11:10] WARNING[14331][C-00000003]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from xxx.xxx.xxx.xxx"

Yet, echo "allowguest=yes" >> /etc/asterisk/sip_general_custom.conf was done, and I confirmed the setting was on. Asterisk was restarted.

Still no go on SIP calls.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
14,927
Reaction score
2,572
@w1ve: Your example failure is showing an IP address failure: xxx.xxx.xxx.xxx. Access by IP address is blocked. You have to use an FQDN and insert it in the two places documented in the tutorial.

Using whatever FQDN you’ve chosen for SIP registrations, we’ll add an entry to /etc/asterisk/sip_custom.conf that looks like this: domain=hk76dl34z.yourdomain.com. That will block all SIP registration attempts except from that domain. It will not block SIP invitations! The next step will be to add a new [from-sip-external] context to extensions_override_freepbx.conf. Inside that context, we’ll specify the FQDN used for public SIP URI connections to your server, e.g. sip.yourdomain.com. This will block SIP invitations except SIP URIs containing that domain name.
 

w1ve

Guru
Joined
Nov 15, 2007
Messages
631
Reaction score
97
@w1ve: Your example failure is showing an IP address failure: xxx.xxx.xxx.xxx. Access by IP address is blocked. You have to use an FQDN and insert it in the two places documented in the tutorial.
@wardmundy,
I am calling as a random caller from [email protected]. I am calling [email protected]. mypbx.org is the FQDN of the open PBX (for non registrations) and sip.mypbx.org is the FQDN for registrations.

The IP you see from the log snippet is the IP of the caller, not the callee.

So this is why I'm asking. The whole point here is to allow anonymous SIP safely, is it not?
 
