Baisic required security to keep your Asterisk safe from script kiddies and other idiots.

Jay Moore e52186beaf Create actual files vs. just a readme 2 weeks ago
README.MD f7a74bb228 Add syntax highlighting to readme.md 2 weeks ago
asterisk.conf e52186beaf Create actual files vs. just a readme 2 weeks ago
voipbl.conf e52186beaf Create actual files vs. just a readme 2 weeks ago
voipbl.sh e52186beaf Create actual files vs. just a readme 2 weeks ago

README.MD

Asterisk and VOIPBL - Because They'll Break The Door Down

Verson 1.02 - 10-SEP-2022

The Sad State Of Things

If you thought it was hard running an SSH server in the open....then a SIP server is worse. Never in my life have I seen so any attacks on one service attempted in my life. I'm talking DDOS level of attacks. So called "security distros" like Kali are nothing more than hacking tools in disguse. 99% of my attacks are coming from tools in Kali that take no expierence to use. So you'll start spending more time locking your server down than you did making it work.

NUMBERED LOGINS ARE BAD

It's standard practice that if you're going to give someone extension 1234...that their sip login is 1234. This is both stupid and unnecessary. Out of all the attempted attacks I've seen...only TWO were trying to exploit a name-based account. You do not need to give your users the same auth ID as their extension. They do not to be <####>@hosname. You should NEVER have a SIP login be number based anymore. NEVER NEVER NEVER

Instead...you should use names or a unique ID that's not based on a dictionary word. So sip:1234@hostname should instead be sip:username@hostname - Then you set extension 1234 to dial PJSIP/username.

This is no longer an Asterisk Power User Move. It should be your default behavior.

Setting up VoIPBL/fail2ban/iptables For Asterisk

VoipBL.org is a blacklist service provided by ScopServ International. It provides a list of known bad actor IPs as well as a system for allowing users to submit violators. It may not the be the only service that does this...it was however the most numerous result when looking for VOIP blacklists.

apt install fail2ban

You should already have fail2ban installed; but if you don't, you'll need it.

The blacklist that runs the iptables entries is updated every 4 hours by cron. The script they provided isn't right. So we'll do it this way:

sudo crontab -e

Put this line in it:

0 */4 * * * /usr/local/bin/voipbl.sh

Close the editor. This will call the script every 4 hours. (Or should. I'll verify this is proper cron later).

Now we need to create the shell script it calls; /usr/local/bin/voipbpl.sh

#!/bin/bash

# Check if chain exists and create one if required
if [ `iptables -S | grep -c "BLACKLIST-INPUT"` -lt 1 ]; then
  /sbin/iptables -N BLACKLIST-INPUT
  /sbin/iptables -I INPUT 1 -j BLACKLIST-INPUT
fi
	
# Empty the chain
/sbin/iptables -F BLACKLIST-INPUT
wget -qO - http://www.voipbl.org/update/ |\
  awk '{print "if [ ! -z \""$1"\" -a \""$1"\" !=  \"#\" ]; then /sbin/iptables -A BLACKLIST-INPUT -s \""$1"\" -j DROP;fi;"}' | sh

I will tell you this...this script takes a while to run. I thought it was failing but I brought up a process list while it was running and verified it was in fact adding ips to iptables. This just takes a while...about 10 to 15 minutes. Running it in background means you'll probably never see it.

Now to configure fail2ban. The original instructions said to modify jail.conf...but we don't do that anymore.

/etc/fail2ban/jail.d/asterisk.conf

[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           voipbl[serial=XXXXXXXXXX]
logpath  = /var/log/asterisk/messages
maxretry = 5
bantime  = 259200

Is that an excessive bantime? No. If it was up to me it'd be permanent. 9 times out of 10 once an IP is exploited for this stuff...it either never leaves the hands of script kiddies or winds up being unusable because it's blacklisted everywhere. I've literally blocked entire countries.

We now need to create the voipbl action /etc/fail2ban/action.d/voipbl.conf is where we're heading next:

# Description: Configuration for Fail2Ban

[Definition]

actionban   = <getcmd> "<url>/ban/?serial=<serial>&ip=<ip>&count=<failures>"
actionunban = <getcmd> "<url>/unban/?serial=<serial>&ip=<ip>&count=<failures>"

[Init]

getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 \
              --read-timeout=60 --retry-connrefused --output-document=- \
	      --user-agent=Fail2Ban

url = http://www.voipbl.org

Okay. Now we need to make sure Asterisk logging actually outputs security messages. As of 20.04; fail2ban comes with the proper filter for Asterisk:

/etc/asterisk/logger.conf

[general]

dateformat=%F %T

[logfiles]

console = verbose,notice,warning,error

messages = security,notice,warning,error
;full = verbose,notice,warning,error,debug
;security = security

The main things you need to do is make sure you put dateformat=%F %T under General and make sure the messages options include security.

Okay....configuration is done. Make everything active.

  • In Asterisk: module reload logger
  • sudo systemctl restart fail2ban
  • sudo bash /usr/local/bin/voipbpl.sh

Originally I thought this took much, much longer to run than it actually needs to. I finally realized part of the reason is the script was running iptables -L to check for the filter. THAT TAKES FOREVER. You know what doesn't take forever? iptables -S So now the entire thing updates in less than 2 minutes.

This is about the baseline level of security I recommend. It's probably far from perfect, I'm not a cybersecurity expert. It does however prevent the nonstop attempts on the server and does seem to catch the one that come through. In the last 24 hours I've seen TWO attempts; and both were done within 90 seconds.