First Version
commit 1dfe810a71
# Asterisk and VOIPBL - Because They'll Break The Door Down
#### Version 1 - 16-AUG-2022
## The Sad State Of Things
If you thought it was hard running an SSH server in the open, a SIP server is worse. Never in my life have I seen so many attacks attempted on one service. I'm talking DDoS levels of attacks. So-called "security distros" like Kali are nothing more than hacking tools in disguise; 99% of the attacks I see come from tools in Kali that take no experience to use. So you'll start spending more time locking your server down than you did making it work.
## NUMBERED LOGINS ARE BAD
It's standard practice that if you're going to give someone extension 1234, their SIP login is 1234. This is both stupid and unnecessary. Out of all the attempted attacks I've seen, only TWO were trying to exploit a name-based account; the rest went after numeric ones, because that is what the off-the-shelf scanners guess. You do not need to give your users the same auth ID as their extension. They do not need to be `<extension>@hostname`. You should NEVER have a SIP login be number-based anymore. ***NEVER NEVER NEVER***
Instead, use names or a unique ID that is not a dictionary word. So `sip:1234@hostname` should instead be `sip:username@hostname`; then you set extension 1234 to dial `PJSIP/username`. The number the phones dial stays the same; only the credential an attacker has to guess changes.
This is no longer an Asterisk power-user move. It should be your default behavior.
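As an added example (mine, not code from the original page or from the Asterisk project), here is a small audit script that flags the "auth ID equals extension" anti-pattern in a `pjsip.conf` and shows the recommended layout next to it. The sample config it contains is constructed; `alice-desk`, the username `k7q2m9x4p1zr` and the passwords are made-up placeholders, and `numeric_auth_ids` and `random_auth_id` are names I chose for the helpers.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: audit pjsip.conf for type=auth
# sections whose username is just digits (the login-equals-extension
# anti-pattern) and generate a non-dictionary auth ID for the replacement.

# Constructed sample pjsip.conf. The first pair is the bad way: extension 1234
# authenticates as "1234". The second pair is the recommended way: the endpoint
# and auth sections are named "alice-desk" (made-up), and the username the
# phone registers with is a random ID that is neither a number nor a word.
SAMPLE_PJSIP_CONF='
[1234]
type=endpoint
context=internal
auth=1234
aors=1234

[1234]
type=auth
auth_type=userpass
username=1234
password=changeme

[alice-desk]
type=endpoint
context=internal
auth=alice-desk
aors=alice-desk

[alice-desk]
type=auth
auth_type=userpass
username=k7q2m9x4p1zr
password=a-long-random-secret
'

# Dialplan side of the recommended layout: users still dial 1234, the
# extension just points at the named endpoint.
SAMPLE_DIALPLAN='exten => 1234,1,Dial(PJSIP/alice-desk)'

# numeric_auth_ids: read a pjsip.conf on stdin, print the name of every
# type=auth section whose username is all digits. PJSIP reuses one section
# name for endpoint, auth and aor, so only type=auth blocks are judged.
numeric_auth_ids() {
    awk '
        /^\[/ {
            sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
            type = ""; user = ""
            next
        }
        /^type[ \t]*=/     { split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); type = kv[2] }
        /^username[ \t]*=/ { split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); user = kv[2] }
        type == "auth" && user ~ /^[0-9]+$/ && !(sec in seen) { print sec; seen[sec] = 1 }
    '
}

# random_auth_id: 12 characters from /dev/urandom, the first one a letter so
# the result can never be mistaken for an extension, no dictionary words.
random_auth_id() {
    printf '%s%s\n' \
        "$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c 1)" \
        "$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 11)"
}

main() {
    echo "auth sections with numeric usernames:"
    printf '%s\n' "$SAMPLE_PJSIP_CONF" | numeric_auth_ids
    echo "replacement auth ID: $(random_auth_id)"
    echo "dialplan: $SAMPLE_DIALPLAN"
}

main
```

Run it against your real file with `numeric_auth_ids < /etc/asterisk/pjsip.conf` (after sourcing the script); every name it prints is an account a scanner can find by counting.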
## Setting up VoIPBL/fail2ban/iptables For Asterisk
VoIPBL.org is a blacklist service provided by ScopServ International. It provides a list of known bad-actor IPs as well as a system that lets users submit violators. It may not be the only service that does this; it was, however, the most common result when searching for VoIP blacklists.
`apt install fail2ban`
You should already have fail2ban installed, but if you don't, you'll need it.
The iptables chain is refreshed from the blacklist every 4 hours by cron. The script VoIPBL provides isn't right, so we'll do it this way:
`sudo crontab -e`
Put this line in it:
`0 */4 * * * /usr/local/bin/voipbl.sh`
Close the editor. `0 */4 * * *` is minute 0 of every fourth hour (00:00, 04:00, 08:00 and so on), so the script runs six times a day. Since `sudo crontab -e` edits root's crontab, the script runs as root and needs no sudo inside it.
Now we need to create the shell script it calls, `/usr/local/bin/voipbl.sh` (the name must match the cron entry, and the file must be executable):
```
#!/bin/bash
set -u

# Create the chain and hook it at the top of INPUT the first time only.
# Listing the chain by name fails when it does not exist; -n avoids the
# reverse-DNS lookup per address that a bare `iptables -L` would do on a
# chain with thousands of entries.
if ! /sbin/iptables -nL BLACKLIST-INPUT >/dev/null 2>&1; then
    /sbin/iptables -N BLACKLIST-INPUT
    /sbin/iptables -I INPUT 1 -j BLACKLIST-INPUT
fi

# Empty the chain, then add one DROP per entry. Lines starting with '#' are
# comments and only the first field of a line is the address or CIDR.
# Reading the list in a loop, instead of turning it into shell commands and
# piping them to sh, means a crafted line in the download cannot run as root.
/sbin/iptables -F BLACKLIST-INPUT
wget -qO - http://www.voipbl.org/update/ | \
    while read -r addr _; do
        case "$addr" in
            ''|'#'*) continue ;;
        esac
        /sbin/iptables -A BLACKLIST-INPUT -s "$addr" -j DROP
    done
```
I will tell you this: this script takes a while to run. I thought it was failing, but I brought up a process list while it was running and verified it was in fact adding IPs to iptables. It just takes a while, about 10 to 15 minutes, because it forks one iptables process per entry. Running it in the background means you'll probably never see it. Two things to keep in mind: the chain is flushed at the start and refilled slowly, so for the whole run the server is not protected by the list, and everything in that list is dropped on every port, so if your SIP trunk provider's address ever lands in it you lose service. The feed is also fetched over plain HTTP, so whoever can tamper with it on the way decides what you drop.
Now to configure fail2ban. The original instructions said to modify jail.conf, but we don't do that anymore: package upgrades overwrite it, and anything under `jail.d/` is read after it and overrides it, so the jail goes in its own drop-in file.
`/etc/fail2ban/jail.d/asterisk.conf`

```
[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           voipbl[serial=XXXXXXXXXX]
logpath  = /var/log/asterisk/messages
maxretry = 5
bantime  = 259200
```

The second `voipbl[...]` line must be indented so fail2ban reads it as a continuation of `action` rather than a new key; `XXXXXXXXXX` is your VoIPBL serial. `iptables-allports` bans the source on every port, not just 5060, so a host that fails five SIP logins loses SSH, web and everything else as well.
Is that an excessive bantime? No (259200 seconds is three days). If it were up to me it'd be permanent. 9 times out of 10, once an IP is exploited for this stuff, it either never leaves the hands of script kiddies or winds up being unusable because it's blacklisted everywhere. I've literally blocked entire countries.
We now need to create the voipbl action; `/etc/fail2ban/action.d/voipbl.conf` is where we're heading next:
```
# Description: Configuration for Fail2Ban

[Definition]

actionban   = <getcmd> "<url>/ban/?serial=<serial>&ip=<ip>&count=<failures>"
actionunban = <getcmd> "<url>/unban/?serial=<serial>&ip=<ip>&count=<failures>"

[Init]

getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 \
         --read-timeout=60 --retry-connrefused --output-document=- \
         --user-agent=Fail2Ban

url = http://www.voipbl.org
```
Okay. Now we need to make sure Asterisk logging actually writes security events to the file fail2ban watches. The fail2ban package in Ubuntu 20.04 already ships a filter for Asterisk (`filter.d/asterisk.conf`), so only the Asterisk side needs work:
`/etc/asterisk/logger.conf`
```
[general]
dateformat=%F %T

[logfiles]
console = verbose,notice,warning,error
messages = security,notice,warning,error
;full = verbose,notice,warning,error,debug
;security = security
```
The main things you need to do are put `dateformat=%F %T` under `[general]`, so every line starts with a timestamp like `2022-08-16 03:14:07` that fail2ban's date parser handles, and make sure the `messages` line includes `security`: PJSIP reports failed authentications and probes of non-existent accounts as security events, and those are the lines the fail2ban filter matches. If `security` is missing, fail2ban watches a file that never contains the failures.
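To see what fail2ban is counting once `security` is in `messages`, here is an added example (mine, not code from the page or from fail2ban) that runs the same kind of detection over a few constructed Asterisk security log lines: it pulls the remote address out of each failed-authentication event and reports every address that reaches `maxretry`. The event names and the `RemoteAddress="IPV4/UDP/addr/port"` layout are those of Asterisk's security log; the addresses, account IDs, session IDs and the helper names `failed_auth_sources` and `sip_offenders` are mine. It is a stand-in for fail2ban's filter regex, not a copy of it.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: count failed SIP
# authentications per source address from Asterisk security log lines, the
# way the fail2ban asterisk jail does, and report who would be banned.

# Constructed log excerpt. Timestamps are in the [%F %T] form set in
# logger.conf. One scanner (203.0.113.9) walks numeric account IDs 100-104,
# one host (198.51.100.7) gets a named account's password wrong twice, and
# one phone (192.0.2.45) registers successfully.
SAMPLE_LOG='[2022-08-16 03:14:07] SECURITY[1187] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2022-08-16T03:14:07.512-0500",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="100",SessionID="0x7f3c5c0a1b20",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.9/52314"
[2022-08-16 03:14:07] SECURITY[1187] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2022-08-16T03:14:07.640-0500",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="101",SessionID="0x7f3c5c0a1b20",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.9/52314"
[2022-08-16 03:14:08] SECURITY[1187] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2022-08-16T03:14:08.011-0500",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="102",SessionID="0x7f3c5c0a1b20",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.9/52315"
[2022-08-16 03:14:08] SECURITY[1187] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2022-08-16T03:14:08.390-0500",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="103",SessionID="0x7f3c5c0a1b20",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.9/52315"
[2022-08-16 03:14:09] SECURITY[1187] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2022-08-16T03:14:09.105-0500",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="104",SessionID="0x7f3c5c0a1b20",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.9/52316"
[2022-08-16 03:20:41] SECURITY[1187] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="2022-08-16T03:20:41.220-0500",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="alice-desk",SessionID="0x7f3c5c0a2c40",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060",Challenge="1660638041/2b1f",Response="deadbeef",ExpectedResponse=""
[2022-08-16 03:20:43] SECURITY[1187] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="2022-08-16T03:20:43.870-0500",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="alice-desk",SessionID="0x7f3c5c0a2c40",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060",Challenge="1660638043/9c02",Response="deadbeef",ExpectedResponse=""
[2022-08-16 03:21:02] SECURITY[1187] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2022-08-16T03:21:02.004-0500",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="bob-desk",SessionID="0x7f3c5c0a3d60",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/192.0.2.45/5060",UsingPassword="1"
'

# failed_auth_sources: stdin is the log, stdout is one remote address per
# failed event. Only event types that mean a failed or malformed
# authentication attempt count; SuccessfulAuth and anything else is ignored,
# which is why a busy phone with the right password never gets banned.
failed_auth_sources() {
    grep -E 'SecurityEvent="(InvalidAccountID|ChallengeResponseFailed|InvalidPassword|FailedACL|RequestBadFormat)"' \
        | sed -n 's|.*RemoteAddress="IPV[46]/[A-Z]*/\([^/"]*\)/[0-9]*".*|\1|p'
}

# sip_offenders MAXRETRY: addresses with at least MAXRETRY failed events,
# sorted, one per line. This is the decision fail2ban makes with maxretry.
sip_offenders() {
    maxretry=$1
    failed_auth_sources | sort | uniq -c | awk -v n="$maxretry" '$1 >= n { print $2 }'
}

main() {
    echo "sources with at least 5 failures (the jail's maxretry):"
    printf '%s\n' "$SAMPLE_LOG" | sip_offenders 5
}

main
```

Against the live log, check the real filter with `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf`; after the restart, `fail2ban-client status asterisk-iptables` lists what the jail has actually banned.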
Okay, configuration is done. Make everything active:
- In the Asterisk CLI: `module reload logger`
- `sudo systemctl restart fail2ban`
- `sudo bash /usr/local/bin/voipbl.sh`
That last line runs the script to populate iptables. This will take a LONG time and you will see no status. I suggest switching to another terminal or window, running htop, and filtering for iptables. You can then get some idea of the progress by watching the IPs it adds.
This is about the baseline level of security I recommend. It's probably far from perfect; I'm not a cybersecurity expert. It does, however, stop the nonstop attempts on the server and does seem to catch the ones that come through. In the last 24 hours I've seen TWO attempts, and both were done within 90 seconds.