Asterisk Sip Brute Force

I'm getting plagued by these SIP brute force attacks.
I don't think they'll ever get through; my secrets are all randomized in the 10's of millions, plus my SIP trunk provider is locked down against any premium rate connections... I can't think of anything else. Anybody?
But the plague, I think, must be putting some strain on the Asterisk box, plus it makes the CLI very hard to read when I'm debugging.
The only thing I was thinking of was a simple delay in registration attempts; legitimate ones taking a long time is OK for me, so the attacks would be very much slowed down. Is there a setting in Asterisk for this?
Silas2Asked:
Ron MalmsteadInformation Services ManagerCommented:
In your SIP.conf file.. you can specify the networks that are allowed to register.

http://www.voip-info.org/wiki/view/Asterisk+sip+permit-deny-mask

Deny first.. then allow only your internal networks, and your external sip trunk destination ip's.

Example:

deny=0.0.0.0/0.0.0.0
permit=216.207.245.47/255.255.255.255
; Deny every address except for the only one allowed (sip.conf comments use ';')
0
Silas2Author Commented:
My problem is that I've got UA's registering from all over (work from home people) with non-fixed IPs.
0
Ron MalmsteadInformation Services ManagerCommented:
I understand.
However, if they are connecting through a VPN to the internal IP of Asterisk (which is the way it should be), the IP that Asterisk will see is their internal IP network, not their external IP. So for example, Comcast customers would likely be local 10.x networks. You can also add 192.168.0.0/255.255.0.0; that would probably take care of the vast majority of your work-at-home people, and you would only have to tweak it for a few, if any.

Either that, or reconfigure the VPN to lease out internal IP addresses to your LAN.

I strongly advise anyone against putting Asterisk on a public IP, though I understand sometimes this is necessary.

Can you identify the IP Addresses that are brute attacking?  If so, you could create a firewall rule to block them entirely.
0
Silas2Author Commented:
I think a VPN is a bit OTT for my issue. A lot of these remote workers are quite casual.
Re IP addresses, they seem to vary over time. You feel the best way would be to have Asterisk trigger an event after a certain number of failed registration attempts from an IP address; then my Linux box could pick up the event and add the IP to the firewall.
I don't know enough about IP addressing, but is it possible to create a firewall rule that bans all IP's from certain countries?
0
Ron MalmsteadInformation Services ManagerCommented:
Some firewalls, such as SonicWall, have the option to block entire countries ("geo-blocking").
They maintain a database of global IP ranges for this purpose, but to attempt to manage it yourself would be futile.

What type of firewall appliance are you using?
0
Silas2Author Commented:
Errrrr... actually it's switched off.
Reason being that the box is 100% Asterisk, so there is only one port really doing anything, which I can't block, so I can't see the point of a firewall... unless you have some insight.
But that SonicWall type of firewall might be just the thing.
0
Ron MalmsteadInformation Services ManagerCommented:
It's very difficult to protect a piece of hardware and its services (SIP) when it is directly exposed to the internet. Even if you employed the server's own firewall as a means of protection, it will still receive those nasty packets.

The point of the firewall is to manage attacks and prevent attack packets from ever reaching your server in the first place. SonicWall is very good for this purpose, and the ability to block IPs by country has been a life saver for me, since most attacks and spam I encounter originate out of Eastern Europe and China.
0
naulivCommented:
Hello Silas,

Here is how I solved the same issue:

1) Use the built-in firewall of your Asterisk box to do rate limiting
   http://kvz.io/blog/2007/07/28/block-brute-force-attacks-with-iptables/
   (this example is with ssh/22, just adapt it to sip/5060)

2) Block all the countries that your remote users are for sure not connecting from
   http://www.cyberciti.biz/faq/block-entier-country-using-iptables/
   (it uses ipdeny's zones list)

Good Luck !
0
Silas2Author Commented:
That's a very interesting point nauliv. I was just looking at that post http://kvz.io/blog/2007/07/28/block-brute-force-attacks-with-iptables/, out of curiosity. Regarding SIP: UAs are making quite frequent, randomish registrations; wouldn't that fall foul of any attempt to block a certain number in such-and-such a time (as the article suggests for SSH)?
0
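Silas2's earlier idea of counting failed registration attempts per source IP and having the Linux host push a firewall rule is essentially what fail2ban does; below is the core of that counter as an added example (not code from anyone in this thread), run over constructed chan_sip log lines. Because only failed REGISTERs are counted, a phone that re-registers every few minutes and succeeds never trips it, which is the answer to the concern just raised; the log format assumed is chan_sip's "Registration from ... failed for ..." notice and should be checked against a real log before use.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# chan_sip's failed-REGISTER notice as written to the 'full' log by Asterisk 1.x/11.
# The exact wording varies by version: check a real log line before relying on this.
FAILED_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.+)$"
)
THRESHOLD = 5                    # failures from one source IP ...
WINDOW = timedelta(minutes=10)   # ... inside this window get the IP banned
LOG_YEAR = 2012                  # Asterisk timestamps carry no year (assumed value)

# Constructed sample log lines (not from a real system): 198.51.100.7 walks through
# extension numbers; 203.0.113.5 is a real phone that mistypes its secret once.
SAMPLE_LOG = [
    "[Jan 12 10:33:20] NOTICE[2345] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password",
    "[Jan 12 10:33:21] NOTICE[2345] chan_sip.c: Registration from '\"101\" <sip:101@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found",
    "[Jan 12 10:33:21] VERBOSE[2345] chan_sip.c:     -- Registered SIP '200' at 203.0.113.5:5060",
    "[Jan 12 10:33:22] NOTICE[2345] chan_sip.c: Registration from '\"102\" <sip:102@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found",
    "[Jan 12 10:33:23] NOTICE[2345] chan_sip.c: Registration from '\"103\" <sip:103@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found",
    "[Jan 12 10:34:01] NOTICE[2345] chan_sip.c: Registration from '\"200\" <sip:200@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password",
    "[Jan 12 10:34:02] VERBOSE[2345] chan_sip.c:     -- Registered SIP '200' at 203.0.113.5:5060",
    "[Jan 12 10:34:10] NOTICE[2345] chan_sip.c: Registration from '\"104\" <sip:104@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found",
]

def parse_ts(text):
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")

def offenders(lines, threshold=THRESHOLD, window=WINDOW):
    """Map each IP that crossed the threshold to the timestamp of the failure that
    tripped it. Successful registrations are never counted, only failures are."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m or m["ip"] in banned:
            continue
        ts, q = parse_ts(m["ts"]), recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            banned[m["ip"]] = ts
    return banned

def drop_rule(ip):  # firewall rule text for the host to apply; this only builds the string
    return f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP"
```

Feeding `tail -F` of the Asterisk log through this loop and running `drop_rule()` for each new offender gives the event-driven ban described above; the window keeps a phone with a few stale credentials from being locked out for good.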
Ron MalmsteadInformation Services ManagerCommented:
nauliv's suggestion may very well help. However, the problem I see with that approach is that the box (Asterisk) still has to "process" those packets to deny or allow, which could still produce the "DoS" type behaviour you are experiencing. It may however serve very well as a deterrent: if the attacker realizes that their connections are being dropped, they may give up and switch targets. Or they may otherwise adapt and use more IPs from other origins in random fashion; it depends on how bad they want to get a registration. Odds are this attack is fully automated, so unless the attack software has "give-up" code, it may very well keep trying forever.

I would be interested to know how many IP's are attacking you..
1, 2, ..50, always random??  That would indicate whether it's a professional, or some scripter with limited means.
0
Silas2Author Commented:
I'm not really logging them so I don't know; it's just every time I open up a CLI I see them coming in.
I realise the problem with the SonicWall firewall is that it's hardware; this Asterisk box is at Rackspace.
0
naulivCommented:
Hello Xusers... it's been a long time :)

The method I described is not to protect against a denial of service through a massive amount of connection requests... for that, Rackspace should already have equipment to detect and handle the situation... The method is more to prevent the brute force login attempts from filling up the Asterisk logs and to not allow someone to eventually find a working set of SIP credentials...

People running this type of scripted login attempt are typically choosing the path of least resistance, and when faced with a machine that suddenly stops responding after the first attempts will typically move on to another target...

The amount of iptables rules is really minimal compared to what a machine with a recent processor is capable of, even with Asterisk running full steam! So I haven't seen any impact running it in several production environments.

With regards to its efficiency, considering that SIP phones typically only log in once every power loss, and always make a successful login on their first attempt, I put the settings at a very aggressive level, and I now see less than 5~20 attempts/day, whereas it used to be 24/7 non-stop before that.

Whenever you open port 5060 to the world... you have to expect connection attempts from hackers... the goal is just to try and make it as difficult as possible for them without impacting the performance of your application.

Silas, if a VPN is not a possibility for cost reasons, depending on which clients you use you might want to change the SIP port from 5060 to something else... which should reduce those hack attempts to near zero, because they typically find targets by port scanning on 5060....

Hope this helps !
0
Silas2Author Commented:
Thanks for all that help guys. I'll just have to get some time to do something about it!
0
Ron MalmsteadInformation Services ManagerCommented:
Changing the port is probably one of the best ideas. As you said, path of least resistance: they aren't typically going to inspect what other port you may use for SIP; they will assume it's the default, and when they knock with no answer, they give up 99.9 percent of the time.
0