Thursday, May 19, 2011

How To Protect Asterisk From SIP Attacks Using fail2ban

There are many scanners running around attempting to find open SIP servers that they can easily guess passwords for in order to make free calls at your expense.  If they get ahold of an account they could easily start calling all over the world racking up huge bills for you, so it's important to protect yourself.  I've blocked IP's that were scanning me and had them rack up 50GB of traffic over the course of a weekend!  All these scanners do is test hundreds of different SIP credentials per second trying to find a valid set.  Installing fail2ban will prevent them from being able to scan you for valid credentials.

One more level of protection is to configure your SIP Peer with a valid subnet that it must connect from.  We set all of our peers to only be usable in house unless it's a work from home or road warrior person, in which case they have a more lax security set.  There are more ways to implement more advanced security which I'll write about in a few weeks.


I have a Debian based Asterisk 1.6.2.11 system in production in our call center and implemented fail2ban to prevent this from happening to me, and use this as a default level of protection on any Asterisk system I install.

Configuration is very simple:

>apt-get install fail2ban


#Configure the asterisk jail, be sure to set your email address in here so you can receive notifications of blocked IP's (every once in a while i've had valid devices manage to get themselves blocked).  Additionally set the log path to where you asterisk is logging.
Max Retry is the number of failregex attempts fail2ban will allow before blocking the IP for $bantime
Bantime is the number of seconds an IP will be blocked at the IPTables level.

>echo "[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=your_email_address@your_domain.com, sender=asterisk@your_domain.com]
logpath  = /var/log/syslog
maxretry = 5
bantime = 3600" >> /etc/fail2ban/jail.conf

#Configure the strings you want to look for to identify rogue devices / users.  These regex patterns seem to work great for me.
>echo "[INCLUDES]
#before = common.conf
[Definition]
#_daemon = asterisk
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

ignoreregex =" > /etc/fail2ban/filter.d/asterisk.conf

No comments:

Post a Comment