wardmundy
One of the serious drawbacks of the Travelin' Man 3 Firewall is that it forces you to maintain a whitelist for all of your users. It also makes it impossible to authorize anonymous SIP access for anybody or any extension. We've been playing around with an alternate approach after reading this blog post from Dr. Lin Song. There's an accompanying GitHub repo here. We've taken it a bit further by randomizing the SSH port and modifying sip-external-custom.
UPDATE: New post on Nerd Vittles supersedes the info below...
SIP Happens! Deploying a Publicly-Accessible Asterisk PBX
The way it works for SIP access goes like this. Anonymous SIP URI connections are allowed but only using the fully-qualified domain name (FQDN) of your server which must be inserted in line 10. Security through obscurity helps! SIP URI connections to the IP address of your server get disconnected immediately. In the modified sip-external-custom file, there is a whitelist of extensions that can be contacted anonymously below line 14. These could be actual extensions, e.g. a support desk. Or it could be an IVR, an Asterisk app, or whatever else you wish to expose for public access.
We couldn't get Lin Song's IPtables code blocking access by IP address to work so we've handled that in the sip_external-custom context below and in sip_custom.conf. We plan to write this up on Nerd Vittles next week, but I thought I'd throw it open for comment in case somebody catches the IPtables problem with the IP address blocking piece.
We've also retained a slightly modified iptables-custom whitelist so that individual IP addresses can be whitelisted to facilitate HTTP access and access from trunk providers such as Skyetel that don't support SIP trunk registration.
Here's what our modified sip-external-custom context looks like in extensions_override_freepbx.conf:
Code:
[from-sip-external]
; Log the domain the caller dialled (${SIPDOMAIN}) and the channel name
exten => _.,1,NoOp(Domain: ${SIPDOMAIN})
exten => _.,2,NoOp(Channel: ${CHANNEL})
; Priorities 3-9: pull the caller's host out of the From header for logging.
; With a user@host From URI take the host between '@' and '>', otherwise the
; host after 'sip:'.
exten => _.,3,Set(TESTAT=${CUT(SIP_HEADER(From),@,2)})
exten => _.,4,NoOp(TESTAT: ${TESTAT})
exten => _.,5,GotoIf($["${TESTAT}" != ""]?hasat)
exten => _.,6,Set(FROM_IP=${CUT(CUT(SIP_HEADER(From),>,1),:,2)})
exten => _.,7,Goto(gotip)
exten => _.,8(hasat),Set(FROM_IP=${CUT(CUT(CUT(SIP_HEADER(From),@,2),>,1),:,1)})
exten => _.,9(gotip),NoOp(Gateway IP is ${FROM_IP})
; Priority 10: only requests addressed to the server's FQDN continue;
; requests to the IP address (or any other domain) go to baddomain.
exten => _.,10,GotoIf($["${SIPDOMAIN}"!="PBX-FQDN-GOES-HERE"]?baddomain)
exten => _.,11,NoOp(Received incoming SIP connection from unknown peer to ${EXTEN})
; Priority 12 jumps to priority 13 of the dialled extension. An explicit
; XXXX,13 line (the whitelist below) wins over the _. pattern; anything else
; lands on the pattern's priority 13 and is sent to the s extension.
exten => _.,12,Goto(${EXTEN},13)
exten => _.,13,Goto(s,1)
; baddomain: extract the address from the Via header for logging, then hang up
exten => _.,14(baddomain),Set(VIA2=${CUT(SIP_HEADER(Via),=,-1)})
exten => _.,15,Set(VIA3=${CUT(VIA2,\;,-1)})
exten => _.,16,Set(VIA4=${CUT(VIA3,\ ,2)})
exten => _.,17,Set(VIA5=${CUT(VIA4,\:,-1)})
exten => _.,18,GotoIf($["${VIA5}"="0.0.0.0"]?alldone)
exten => _.,19,NoOp(VIA: ${CUT(SIP_HEADER(Via),=,-1)})
exten => _.,20(alldone),Hangup
; WhiteListed extensions must all be XXXX,13,dialstring
exten => 3366,13,Dial(local/3366@from-internal)
; Standard FreePBX handling for non-whitelisted callers: pass to from-trunk
; only when ALLOW_SIP_ANON=yes, otherwise log, play no-service and hang up.
exten => s,1,GotoIf($["${SIPLANG}"!=""]?setlanguage:checkanon)
exten => s,n(setlanguage),Set(CHANNEL(language)=${SIPLANG})
exten => s,n(checkanon),GotoIf($["${ALLOW_SIP_ANON}"!="yes"]?noanonymous)
exten => s,n,Goto(from-trunk,${DID},1)
exten => s,n(noanonymous),Set(TIMEOUT(absolute)=15)
exten => s,n,Log(WARNING,"Rejecting unknown SIP connection from ${CHANNEL(recvip)}")
exten => s,n,Answer
exten => s,n,Wait(2)
exten => s,n,Zapateller()
exten => s,n,Playback(ss-noservice)
exten => s,n,Congestion(3)
exten => s,n,Hangup
exten => h,1,Hangup
exten => i,1,Hangup
exten => t,1,Hangup
;-------------------------------------------------------------------------------
As @ou812 notes below, issuing the following commands will block all SIP registrations except those directed to your server's FQDN. This includes attempts to register to the IP address of your server.
Code:
echo "domain=servers-FQDN" >> /etc/asterisk/sip_custom.conf
amportal restart
Our PBX is publicly exposed at 107.173.67.56 and the bad guys have already found it. We'll keep you posted on their progress and ours.
Assuming you whitelisted the 3366 extension, calls to 3366@your-FQDN would go through, calls to 3366@server-ip-address would fail with baddomain, and calls to 701@your-FQDN would fail using the s extension code. As the code stands now, sip registration attempts to either the FQDN or IP address would be managed by your Fail2Ban rules which is why I'd like to get the iptables code working to at least block the IP address attempts.
More to come...
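An added example, not part of the original post or of Dr. Lin Song's repo: a small Python model of the policy the from-sip-external context above implements. It parses a raw SIP INVITE, recovers the same fields the dialplan pulls out with CUT() (the Request-URI domain that becomes ${SIPDOMAIN}, the From host that becomes ${FROM_IP}, and the Via source address) and returns the branch the dialplan would take: a whitelisted extension dialled via the FQDN is sent to Dial, any request addressed to a non-FQDN domain (including the server's IP address) ends at baddomain, and an unlisted extension on the FQDN falls through to the s extension, which rejects it unless ALLOW_SIP_ANON is yes. The FQDN, whitelist, server IP and INVITEs are constructed placeholders; the domain comparison is an exact string match, as in the GotoIf at priority 10.

```python
"""Model of the from-sip-external policy. Added example; constants and
sample INVITEs below are constructed, not taken from any real PBX."""
import re

PBX_FQDN = "pbx.example.com"      # stands in for PBX-FQDN-GOES-HERE
SERVER_IP = "192.0.2.10"          # placeholder for the server's public address
WHITELIST = {"3366"}              # the "XXXX,13,dialstring" extensions
ALLOW_SIP_ANON = "no"             # FreePBX setting checked by the s extension


def parse_sip_request(raw):
    """Split a raw SIP request into method, Request-URI and a dict of headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers}


def split_request_uri(uri):
    """Return (user, host) from a Request-URI, i.e. ${EXTEN} and ${SIPDOMAIN}."""
    uri = re.sub(r"^sips?:", "", uri)
    uri = uri.split(";", 1)[0]               # drop URI parameters (;transport=udp ...)
    user, sep, hostport = uri.rpartition("@")
    if not sep:
        user, hostport = "", uri
    return user, hostport.split(":", 1)[0]   # drop the port (hostname or IPv4 only)


def from_ip_like_dialplan(from_hdr):
    """Replicate priorities 3-8: CUT(From,@,2) decides the branch, then the host
    is cut out before '>' and before/after ':' exactly as the dialplan does."""
    fields = from_hdr.split("@")
    testat = fields[1] if len(fields) > 1 else ""
    if testat:                               # hasat branch
        return testat.split(">")[0].split(":")[0]
    parts = from_hdr.split(">")[0].split(":")  # no '@': text after 'sip:'
    return parts[1] if len(parts) > 1 else ""


def via_source(via_hdr):
    """Source address of the top Via: the received= parameter when a NAT rewrote
    it, otherwise the sent-by host. (The dialplan's VIA2..VIA5 chain is after the
    same value; this is a straightforward parse rather than a CUT() replica.)"""
    m = re.search(r";received=([^;\s]+)", via_hdr)
    if m:
        return m.group(1)
    sent_by = via_hdr.split(";", 1)[0].split()   # "SIP/2.0/UDP host:port"
    return sent_by[-1].split(":")[0] if len(sent_by) > 1 else ""


def classify(raw):
    """Return the dialplan branch for one INVITE plus the fields it logs."""
    req = parse_sip_request(raw)
    exten, domain = split_request_uri(req["uri"])
    result = {
        "exten": exten,
        "domain": domain,
        "from_ip": from_ip_like_dialplan(req["headers"].get("from", "")),
        "via_ip": via_source(req["headers"].get("via", "")),
    }
    if domain != PBX_FQDN:
        result["branch"] = "baddomain"       # priority 10 -> 14..20 -> Hangup
    elif exten in WHITELIST:
        result["branch"] = "dial"            # explicit XXXX,13 beats _.,13
        result["dialstring"] = f"local/{exten}@from-internal"
    elif ALLOW_SIP_ANON == "yes":
        result["branch"] = "from-trunk"      # _.,13 -> s,1 -> Goto(from-trunk,...)
    else:
        result["branch"] = "noanonymous"     # s,n(noanonymous): ss-noservice, Congestion
    return result


def sample_invite(user, host, from_hdr, via_hdr):
    """Build a minimal constructed INVITE for the cases below."""
    return (f"INVITE sip:{user}@{host} SIP/2.0\r\nVia: {via_hdr}\r\n"
            f"From: {from_hdr}\r\nTo: <sip:{user}@{host}>\r\nContent-Length: 0\r\n\r\n")


# Constructed test traffic covering the three outcomes described in the post.
SAMPLES = {
    "whitelisted_fqdn": sample_invite("3366", PBX_FQDN,
        '"Caller" <sip:caller@203.0.113.5:5060>;tag=1a2b',
        "SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bKabc1"),
    "whitelisted_ip": sample_invite("3366", SERVER_IP,
        '"Caller" <sip:caller@203.0.113.5:5060>;tag=1a2c',
        "SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bKabc2"),
    "unlisted_fqdn": sample_invite("701", PBX_FQDN,
        "<sip:203.0.113.5>;tag=9f",
        "SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bKabc3"),
    "nat_fqdn": sample_invite("3366", PBX_FQDN,
        '"Behind NAT" <sip:nat@10.0.0.2:5060>;tag=77',
        "SIP/2.0/UDP 10.0.0.2:5060;branch=z9hG4bKnat;received=198.51.100.7"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

Running the block prints one line per sample: the FQDN call to 3366 is dialled, the same call to the server's IP address ends at baddomain, 701 on the FQDN is rejected at noanonymous, and the NATed sample shows the received= address rather than the private sent-by host, which is the address worth feeding to Fail2Ban or a whitelist decision.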