NEW Safely Deploy Asterisk on Internet

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Following 4 months of attack-free testing, we've written a new article with some enhancements for those that want to deploy Incredible PBX on the public Internet without the traditional Travelin' Man 3 firewall whitelist. Suggestions/tweaks/comments are welcomed!

p.s. Finally found something that CloudAtCost was good for. :death:

Safely Deploying Incredible PBX on the Wide Open Internet

 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
Excellent write-up. Even for those that use whitelist, this gives a more thorough understanding of what goes on with the SIP packets and the methods that can be used to help mitigate any unauthorized hacking attempts to one's PBX. I note that you have a honeypot DNS and it's obvious that you can come up with a nice list of bad guys. "We’ve now found that ${SIPURI} holds the caller’s true identity so we’ve updated the code accordingly. Whether to permanently block these guys is completely up to you." ... have you thought any about compiling a database of these and coming up with an unofficial "Bad Guys" list that could be further used to mitigate potential ingress into one's servers?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Already working on the Bad Guys list which is included in the OpenSIPS build. Interestingly, it's pretty consistent across several honeypots we have out there. Just glad I finally found a use for all that wasted horsepower at CloudAtCost. I'll try to write it up for next week. In the meantime, I've quietly snuck it into the existing tutorial. Just search for SIPFLOOD in the article to see where the additions have been added. Keep in mind that this only works on KVM platforms, not OpenVZ.
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
(quoting wardmundy's post above)

It's been mentioned before, but www.voipbl.org has an extensive SIP-specific list. I think you can set up fail2ban to report your bad guys' IPs so they will get added to voipbl.org's list.

If maintaining your own list, you might get to the point where you want to use http://cidrmerge.sourceforge.net/ to shrink the list. Debian has an aggregate package that does the same thing, but cidrmerge is lightning fast. What might take aggregate 10+ minutes is processed in under a second. My block-most-of-the-world country list is 240+K lines; running it through cidrmerge reduces it to just under 47K lines in about 1/10 of a second.
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,607
Reaction score
826
Just a point of interest, has anyone here ever only allowed "domain=somerandonstuff" in /etc/asterisk/sip_general_custom.conf, changed their chan_sip port to anything outside 5000-5999, set their phones to register to that exten@somerandonstuff(colon)port, and only allowed 5060 through their firewall apart from the recalcitrant trunk providers if necessary?

It is trivial, and you can watch sngrep showing anything more than 1 in the messages column for months at a time (sngrep looks at traffic before iptables; I bet you will see the guys from Iceland and Holland for ever ;-) ) but never see anything in Asterisk.

I doubt whether you will need Travelin' Man or anything else.

Any Takers?
 

kyle95wm

Phone Genius Owner
Joined
Apr 16, 2016
Messages
520
Reaction score
90
That's like changing the SSH port. It's security through obscurity.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
(quoting dicko's post above)

You should come visit Nerd Vittles sometime. That's what the article is all about. :patriot:
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
We've successfully implemented the @jerrm suggestion for www.voipbl.org support on KVM server platforms. Here are the necessary changes using the Incredible PBX 13-13 CentOS 6 public platform. FYI: Our CloudAtCost HoneyPot was the 150th server to join voipbl.org's VoIP BlackList project.

CAUTION: Verify your server and desktop IP addresses are not on the blacklist before implementing this. Here's the link to check your IP address.
Be on the safe side and whitelist your IP addresses ABOVE the IPSPF drop entries in IPtables! Read the tutorial for HOW-TO.



For /etc/rc.d/rc.local, it should look like this:
Code:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

echo 180 > /sys/block/sda/device/timeout
touch /var/lock/subsys/local
sleep 5
/root/sig-fix
/etc/blockem.sh
sleep 5
/usr/local/sbin/fwconsole start
sleep 10
$(which faxgetty) -D ttyIAX0
$(which faxgetty) -D ttyIAX1
$(which faxgetty) -D ttyIAX2
$(which faxgetty) -D ttyIAX3
wait
exit 0

For /etc/blockem.sh, it should look like this:
Code:
#!/bin/bash
# Load the country blocks, the Incredible PBX SIPFLOOD set and the
# voipbl.org blacklist into ipset, then restart iptables, the whitelist
# and fail2ban so the DROP rules pick up the refreshed sets.
cd /etc
wget -qO - http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz | tar zxvf -
for i in \
cn ru ps kp ua md nl fr
do
/usr/sbin/ipset create -exist $i hash:net
for j in $(cat $i.zone); do /usr/sbin/ipset add -exist $i $j; done
done
wait
sleep 5
wget http://incrediblepbx.com/badguys.tar.gz
tar zxvf badguys.tar.gz
rm -f badguys.tar.gz
/usr/sbin/ipset restore -! < /etc/SIPFLOOD.zone
wait
sleep 5
# Fetch the voipbl.org list (one IP or CIDR per line, '#' comments)
wget -q -O /etc/VOIPBL.zone http://www.voipbl.org/update/
wait
# Fill a scratch set, then swap it in atomically so the live set is never
# empty while the list is being reloaded
/usr/sbin/ipset create -exist voipbl hash:ip maxelem 240000
/usr/sbin/ipset create -exist voipbl_tmp hash:ip maxelem 240000
grep -v '^#' /etc/VOIPBL.zone | while read -r entry _; do
  [ -n "$entry" ] && /usr/sbin/ipset add -exist voipbl_tmp "$entry"
done
wait
/usr/sbin/ipset swap voipbl_tmp voipbl
wait
/usr/sbin/ipset destroy voipbl_tmp || true
wait
service iptables restart
wait
sleep 5
/usr/local/sbin/iptables-custom
wait
sleep 5
service fail2ban restart
wait
sleep 5
exit 0

In /etc/sysconfig/iptables, be sure the following entries are in the IPSPF section around line 80 or so:
Code:
-A IPSPF -m set --match-set SIPFLOOD src -j DROP
-A IPSPF -m set --match-set voipbl src -j DROP

UPDATE: Adjust the Incredible PBX WhiteList (/usr/local/sbin/iptables-custom) so that it precedes all of the BlackList DROPs so that one of your providers doesn't get blacklisted inadvertently:
Code:
sed -i 's|-A INPUT -j DROP|-X INPUT -j DROP|' /usr/local/sbin/iptables-custom
sed -i 's|-A INPUT|-I INPUT|' /usr/local/sbin/iptables-custom
sed -i 's|-X INPUT -j DROP|-A INPUT -j DROP|' /usr/local/sbin/iptables-custom

Then reboot your server and be patient while all the pieces get loaded. Worst case, on CloudAtCost it takes more than 2 minutes to bring up all the components shown in pbxstatus:

[pbxstatus screenshot]


You can refresh your VoIP BlackList at any time with a /root/blacklist-update script like the following:
Code:
#!/bin/bash

echo "This script updates the VOIPBL.zone blacklist from voipbl.org"
echo "Press Ctl-C to abort within 10 seconds..."
sleep 10

IPSET=$(which ipset)
# Fetch the current list (one IP or CIDR per line, '#' comments)
wget -q -O /etc/VOIPBL.zone http://www.voipbl.org/update/
$IPSET create -exist voipbl hash:ip maxelem 240000
$IPSET create -exist voipbl_tmp hash:ip maxelem 240000
echo "Loading BlackList..."
# Fill a scratch set, then swap it in so the live set stays populated
grep -v '^#' /etc/VOIPBL.zone | while read -r entry _; do
  [ -n "$entry" ] && $IPSET add -exist voipbl_tmp "$entry"
done
$IPSET swap voipbl_tmp voipbl
$IPSET destroy voipbl_tmp || true
echo "Restarting IPtables and Fail2Ban..."
/usr/local/sbin/iptables-restart
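As an added check for the CAUTION above (example code, not part of the original post or of Incredible PBX): a bash script that parses a zone file in the same shape the loader expects from voipbl.org (one IP or CIDR per line, '#' comments) and reports which of your server, desktop and provider addresses fall inside an entry, so they can be whitelisted above the IPSPF DROP rules before they go live. The zone content below is constructed; point ZONE at /etc/VOIPBL.zone to test against the real list.

```shell
#!/bin/bash
# Added example: test addresses against a voipbl-style zone file
# before the ipset/iptables DROP rules go live.
ZONE=$(mktemp)
cat > "$ZONE" <<'EOF'
# constructed sample in the same shape as /etc/VOIPBL.zone
203.0.113.7
198.51.100.0/24
192.0.2.160/30
EOF

# Dotted quad -> 32-bit integer
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_list <ip> <zonefile>: 0 if <ip> is inside any entry (bare IP
# or CIDR), 1 otherwise. Blank lines and '#' comments are skipped.
in_list() {
  local ip entry net bits mask
  ip=$(ip2int "$1")
  while read -r entry _; do
    case "$entry" in ''|\#*) continue ;; esac
    net=${entry%%/*}
    bits=${entry#*/}
    [ "$bits" = "$entry" ] && bits=32     # bare IP means /32
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$net") & mask )) -eq $(( ip & mask )) ] && return 0
  done < "$2"
  return 1
}

# check_hosts <ip>...: verdict per address on stderr, number of
# addresses that would be dropped on stdout (0 = safe to proceed)
check_hosts() {
  local hits=0 h
  for h in "$@"; do
    if in_list "$h" "$ZONE"; then
      echo "BLOCKED    $h  (whitelist it above the IPSPF DROPs)" >&2
      hits=$((hits + 1))
    else
      echo "not listed $h" >&2
    fi
  done
  echo "$hits"
}

check_hosts 198.51.100.77 192.0.2.164 203.0.113.8
```

Run it with your own public IP, your desktop IP and each trunk provider's signaling addresses as arguments; a non-zero count is your cue to add whitelist entries first.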
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,607
Reaction score
826
Ward, well noted, I am not well caught up :)

So if anyone has noted, if there is one bad apple in the basket, it is likely that there are a lot more soon. If you use ipset, then here is a script I wrote that needs ipset > 6.1, ipwhois ("pip install --upgrade ipwhois") and jq.

It is intended to look up the underlying network of an IP and add that to an ipset of your choice.

Code:
#!/bin/bash
# Look up the network that owns an IP (or hostname) via ipwhois and add the
# whole CIDR to an ipset. Needs ipset > 6.1, ipwhois and jq.
if [[ ! $1 ]];then echo "Usage: $(basename $0) hostname|ip ipset";exit;fi
IP=$1
echo "$IP"
IPSET=$2
[ "$IPSET" ]||IPSET='chain_DENY'
# Resolve a hostname to its first IPv4 address
[[ $IP =~ ^[0-9\.].* ]]||IP=$(getent ahosts "$IP"|grep STREAM|head -1|cut -d ' ' -f1)
ipset create -exist "$IPSET" hash:net comment 2>/dev/null
ipset test "$IPSET" "$IP" 2>/dev/null&&echo "already there"&&exit
JSON=$(python /usr/local/bin/ipwhois_cli.py --addr "$IP" --json --disallow_permutations 2>/dev/null )
[[ $JSON ]] || { echo "whois lookup failed for $IP" ; exit; }
# The entity handle keeps its quotes so it can be used as a jq object key
ENTITY=$(echo "$JSON"|jq '.entities[0]')
NAME=$(echo "$JSON"|jq -r ".objects.$ENTITY.contact.name")
CIDR=$(echo "$JSON"|jq -r ".network.cidr")
CCODE=$(echo "$JSON"|jq -r ".asn_country_code")
NETNAME=$(echo "$JSON"|jq -r ".network.name")
REGISTRY=$(echo "$JSON"|jq -r ".asn_registry")
#for csf
echo "$CIDR # $CCODE $REGISTRY $NETNAME ($NAME)"
# >> /etc/csf/csf.allow

#or whatever
echo "ipset -exist add $IPSET $CIDR comment \"$CCODE $REGISTRY $NETNAME $NAME\""
ipset -exist add "$IPSET" "$CIDR" comment "$CCODE $REGISTRY $NETNAME $NAME"
exit



It was originally written for csf with fail2ban actions driving the script, so it defaults to the ipset chain_DENY, but you can call it with whatever ipset name you want. I commented that part out, but obviously it can be modified.

A caveat is that it will likely sooner or later block large chunks of DigitalOcean, Vultr, AWS etc., so if you yourself exist in such a namespace, add your own IP to a higher-priority allow set.

JM2CAE
 
Joined
Oct 26, 2013
Messages
69
Reaction score
23
There seems to be an issue with blacklist at www.voipbl.org. It has the IP addresses for Callcentric:

Code:
204.11.192.37
204.11.192.160/30
204.11.192.164

I did not check other providers, but it appears that it is blocking legitimate VoIP providers...
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
(quoting the Callcentric post above)
Not surprising considering the crowd sourced nature of the list. Whitelists should come before the blacklists in iptables - @wardmundy may want to consider re-ordering the ruleset.

It's easy enough to remove an IP from the list on the voipbl.org site, but I'm not sure how "sticky" the removal is.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
@David Foxworth You've stumbled upon the age-old problem with blacklists. Try this and we've modified the tutorial above accordingly. You know what they say about pioneers. Thanks for the heads up!
Code:
sed -i 's|-A INPUT -j DROP|-X INPUT -j DROP|' /usr/local/sbin/iptables-custom
sed -i 's|-A INPUT|-I INPUT|' /usr/local/sbin/iptables-custom
sed -i 's|-X INPUT -j DROP|-A INPUT -j DROP|' /usr/local/sbin/iptables-custom
iptables-restart

[image]
 

hawk#1

Well-Known Member
Joined
Nov 3, 2015
Messages
716
Reaction score
309
(quoting wardmundy's post above)
LOL great image, but also wanted to comment my thanks to all those who posted info on helping to secure our servers, and I'm still anxious to read the upcoming nerdvittles article. Thanks for your contributions.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
We're just finishing up a 1-Minute Installer to convert an Incredible PBX 13-13 (CentOS 6) server into a public server on any KVM VPS cloud platform. OpenVZ not supported! It automatically blocks 83,000+ creeps using VoIP Blacklist. Includes all our favorite IPtables and Fail2Ban bells and whistles. If anyone wants to play this weekend, we'll put up an installer link shortly. For the time being, don't try this on a server you care about.

If you want to get a head start, you'll need a base CentOS 6 install of Incredible PBX 13-13 on any KVM platform, e.g. Digital Ocean, Vultr, OVH, LowEndBox offering, or even the V3 CloudAtCost servers which are actually pretty speedy at the moment. This is NOT a C@C recommendation! I just have a lot of wasted horsepower sitting idle there after all of their shenanigans. Some of you may also have C@C resources worth trying again.

Next, add Enchilada and Incredible Fax and extensions as desired. Make extension passwords VERY secure! Static IPv4 address is required.

Acquire one or two FQDNs pointed to your server's IP address. You can either use one FQDN for both SIP registrations and SIP URI calls. Or, for better security, you can use separate FQDNs for registrations (for your extensions) and SIP URI public access (by FQDN only). All IP address connections that are rejected trigger a Fail2Ban block after a single attempt unless the user's IP address is whitelisted as part of the install process. All IP address and extension whitelisting is handled by the script automatically using your specified preferences.

Full writeup coming to Nerd Vittles next Monday.
 

hawk#1

Well-Known Member
Joined
Nov 3, 2015
Messages
716
Reaction score
309
I will be glad to try it out, and I understand that it is like beta testing, and will try it on a server that does not matter.
 

kyle95wm

Phone Genius Owner
Joined
Apr 16, 2016
Messages
520
Reaction score
90
Would you consider bundling this installer with the main 13-13 tarball if this is a success? Might wanna warn the crap out of users first, that proceeding with said installer is at their own risk.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
(quoting kyle95wm's post above)

That's the plan. And here's the one-minute installer for the pioneers. Be sure you have completed ALL prerequisites BEFORE using it.
Code:
cd /root
wget http://incrediblepbx.com/go-public.tar.gz
tar zxvf go-public.tar.gz
rm -f go-public.tar.gz
./GO-PUBLIC

Prerequisites Checklist:
  1. Functioning Incredible PBX 13-13.10 with CentOS 6
  2. KVM (not OpenVZ) Cloud Platform with 1GB+ RAM
  3. Public, Static IPv4 Address for your server
  4. One or two FQDNs pointed to your server
  5. Whole Enchilada installed, if desired
  6. Incredible Fax installed, if desired (requires reboot)
  7. Preconfigured extensions with VERY SECURE PASSWORDS for extension & voicemail
 

kyle95wm

Phone Genius Owner
Joined
Apr 16, 2016
Messages
520
Reaction score
90
Line 217 has a typo. It should be "amportal restart" not "amportal restsrt"


I haven't run the entire script, since I'm picking out bits and pieces to incorporate into my existing public setup. From looking at the script, everything else seems okay.
 
