dewdude
/
asterisk-voipbl-security
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

First Version

Browse Source
pull/1/head
Jay 2 years ago
commit 1dfe810a71
1 changed files with 118 additions and 0 deletions
Show Stats Download Patch File Download Diff File

118
README.MD
Unescape Escape View File

@ -0,0 +1,118 @@
#Asterisk and VOIPBL - Because They'll Break The Door Down
#### Verson 1 - 16-AUG-2022
## The Sad State Of Things
If you thought it was hard running an SSH server in the open....then a SIP server is worse. Never in my life have I seen so any attacks on one service attempted in my life. I'm talking DDOS level of attacks. So called "security distros" like Kali are nothing more than hacking tools in disguse. 99% of my attacks are coming from tools in Kali that take no expierence to use. So you'll start spending more time locking your server down than you did making it work.
## NUMBERED LOGINS ARE BAD
It's standard practice that if you're going to give someone extension 1234...that their sip login is 1234. This is both stupid and unnecessary. Out of all the attempted attacks I've seen...only TWO were trying to exploit a name-based account. You do not need to give your users the same auth ID as their extension. They do not to be <extension>@hosname. You should NEVER have a SIP login be number based anymore. ***NEVER NEVER NEVER***
Instead...you should use names or a unique ID that's not based on a dictionary word. So sip:1234@hostname should instead be sip:username@hostname - Then you set extension 1234 to dial PJSIP/username.
This is no longer an Asterisk Power User Move. It should be your default behavior.
## Setting up VoIPBL/fail2ban/iptables For Asterisk
VoipBL.org is a blacklist service provided by ScopServ International. It provides a list of known bad actor IPs as well as a system for allowing users to submit violators. It may not the be the only service that does this...it was however the most numerous result when looking for VOIP blacklists.
`apt install fail2ban`
You should already have fail2ban installed; but if you don't, you'll need it.
The blacklist that runs the iptables entries is updated every 4 hours by cron. The script they provided isn't right. So we'll do it this way:
`sudo crontab -e`
Put this line in it:
`0 */4 * * * /usr/local/bin/voipbl.sh`
Close the editor. This will call the script every 4 hours. (Or should. I'll verify this is proper cron later).
Now we need to create the shell script it calls; `/usr/local/bin/voipbpl.sh`
```
#!/bin/bash
# Check if chain exists and create one if required
if [ `iptables -L | grep -c "Chain BLACKLIST-INPUT"` -lt 1 ]; then
/sbin/iptables -N BLACKLIST-INPUT
/sbin/iptables -I INPUT 1 -j BLACKLIST-INPUT
fi
# Empty the chain
/sbin/iptables -F BLACKLIST-INPUT
wget -qO - http://www.voipbl.org/update/ |\
awk '{print "if [ ! -z \""$1"\" -a \""$1"\" != \"#\" ]; then /sbin/iptables -A BLACKLIST-INPUT -s \""$1"\" -j DROP;fi;"}' | sh
```
I will tell you this...this script takes a while to run. I thought it was failing but I brought up a process list while it was running and verified it was in fact adding ips to iptables. This just takes a while...about 10 to 15 minutes. Running it in background means you'll probably never see it.
Now to configure fail2ban. The original instructions said to modify jail.conf...but we don't do that anymore.
`/etc/fail2ban/jail.d/asterisk.conf`
```
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
voipbl[serial=XXXXXXXXXX]
logpath = /var/log/asterisk/messages
maxretry = 5
bantime = 259200
```
Is that an excessive bantime? No. If it was up to me it'd be permanent. 9 times out of 10 once an IP is exploited for this stuff...it either never leaves the hands of script kiddies or winds up being unusable because it's blacklisted everywhere. I've literally blocked entire countries.
We now need to create the voipbl action `/etc/fail2ban/action.d/voipbl.conf` is where we're heading next:
```
# Description: Configuration for Fail2Ban
[Definition]
actionban = <getcmd> "<url>/ban/?serial=<serial>&ip=<ip>&count=<failures>"
actionunban = <getcmd> "<url>/unban/?serial=<serial>&ip=<ip>&count=<failures>"
[Init]
getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 \
--read-timeout=60 --retry-connrefused --output-document=- \
--user-agent=Fail2Ban
url = http://www.voipbl.org
```
Okay. Now we need to make sure Asterisk logging actually outputs security messages. As of 20.04; fail2ban comes with the proper filter for Asterisk:
`/etc/asterisk/logger.conf`
```
[general]
dateformat=%F %T
[logfiles]
console = verbose,notice,warning,error
messages = security,notice,warning,error
;full = verbose,notice,warning,error,debug
;security = security
```
The main things you need to do is make sure you put `dateformat=%F %T` under General and make sure the messages options include security.
Okay....configuration is done. Make everything active.
- In Asterisk: `module reload logger`
- `sudo systemctl restart fail2ban`
- `sudo bash /usr/local/bin/voipbpl.sh`
That last line will run the script to populate iptables. This will take a LONG time and you will see no status. I suggest switching to another term or window, running htop, and filtering for iptables. You can then get some idea of the progress by watching the IPs it adds.
This is about the baseline level of security I recommend. It's probably far from perfect, I'm not a cybersecurity expert. It does however prevent the nonstop attempts on the server and does seem to catch the one that come through. In the last 24 hours I've seen TWO attempts; and both were done within 90 seconds.
Write Preview
Loading…
Cancel
Save