One more level of protection is to configure your SIP peer with a valid subnet that it must connect from. We set all of our peers to only be usable in house unless it's a work-from-home or road-warrior person, in which case they get a more relaxed set of restrictions. There are further ways to implement more advanced security, which I'll write about in a few weeks.
I have a Debian-based Asterisk 1.6.2.11 system in production in our call center and implemented fail2ban to prevent this from happening to me; I now use it as a default level of protection on any Asterisk system I install.
Configuration is very simple:
>apt-get install fail2ban
#Configure the Asterisk jail. Be sure to set your email address in here so you can receive notifications of blocked IPs (every once in a while I've had valid devices manage to get themselves blocked). Additionally, set the log path to wherever your Asterisk is logging.
maxretry is the number of failregex matches fail2ban will allow from one IP before blocking it for bantime.
bantime is the number of seconds an IP will be blocked at the iptables level.
>echo "[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail-whois[name=ASTERISK, dest=your_email_address@your_domain.com, sender=asterisk@your_domain.com]
logpath = /var/log/syslog
maxretry = 5
bantime = 3600" >> /etc/fail2ban/jail.conf
#Configure the strings you want to look for to identify rogue devices / users. These regex patterns seem to work great for me. Note that the continuation lines of failregex must be indented, otherwise fail2ban will not parse the file.
>echo "[INCLUDES]
#before = common.conf
[Definition]
#_daemon = asterisk
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
ignoreregex =" > /etc/fail2ban/filter.d/asterisk.conf
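To see what those failregex lines actually catch before you deploy them, here is an added Python example (not part of the original post, and not fail2ban's own code) that applies the same patterns to constructed Asterisk 1.6-style log lines and counts hits per source host the way the maxretry threshold does. The <HOST> expansion and the sample log lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# Approximation of fail2ban's <HOST> placeholder (assumed; fail2ban's own
# expansion also accepts IPv6-mapped prefixes and hostnames).
HOST = r"(?P<host>[\w\-.]+)"

# The failregex lines from the filter above, with <HOST> substituted.
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
)]

# Constructed sample lines in Asterisk 1.6 log style (documentation-range addresses).
REG = "[Jan  5 10:00:0%d] NOTICE[1234]: chan_sip.c:21445 handle_request_register: Registration from '<sip:%s@%s>' failed for '%s' - %s"
SAMPLE_LOG = [
    REG % (1, "100", "203.0.113.9", "198.51.100.7", "Wrong password"),
    REG % (2, "101", "203.0.113.9", "198.51.100.7", "No matching peer found"),
    "[Jan  5 10:00:03] NOTICE[1234]: chan_sip.c:13960 check_auth: Host 198.51.100.7 failed MD5 authentication for 'asterisk' (abc != def)",
    "[Jan  5 10:00:04] NOTICE[1234]: chan_sip.c:9877 register_verify: 198.51.100.7 failed to authenticate as 'admin'",
    REG % (5, "102", "203.0.113.9", "198.51.100.7", "Device does not match ACL"),
    REG % (6, "100", "203.0.113.50", "203.0.113.50", "Wrong password"),
    REG % (7, "100", "203.0.113.50", "203.0.113.50", "Wrong password"),
    "[Jan  5 10:00:08] NOTICE[1234]: chan_sip.c:15003 handle_response_peerpoke: Peer '200' is now Reachable. (12ms / 2000ms)",
]

def failed_host(line):
    """Return the offending host if the line matches any failregex, else None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(lines, maxretry=5):
    """Count failregex hits per host; those reaching maxretry are what fail2ban would ban."""
    counts = defaultdict(int)
    for line in lines:
        host = failed_host(line)
        if host:
            counts[host] += 1
    return {h: n for h, n in counts.items() if n >= maxretry}
```

Running it against real log excerpts is also a quick way to find which of your own devices would trip the filter before they end up blocked.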