Silas2 asked:

Asterisk Sip Brute Force

I'm getting plagued by these Sip brute force attacks.
I don't think they'll ever get through; my secrets are all randomized to the tens of millions, and my SIP trunk provider is locked down with any premium rate connections... I can't think of anything else... anybody?
But the plague, I think, must be putting some strain on the Asterisk box, and it makes the CLI very hard to read when I'm debugging.
The only thing I was thinking of was a simple delay in registration attempts; the legitimate ones taking a long time is OK for me, so the attacks would be very much slowed down. Is there a setting in Asterisk for this?
IP Telephony

Last comment: Ron Malmstead, 8/22/2022 - Mon
Ron Malmstead

In your sip.conf file.. you can specify the networks that are allowed to register.

http://www.voip-info.org/wiki/view/Asterisk+sip+permit-deny-mask

Deny first.. then allow only your internal networks, and your external SIP trunk destination IPs.

example...
deny=0.0.0.0/0.0.0.0
permit=216.207.245.47/255.255.255.255
; Deny every address except for the only one allowed. (';' is the comment character in Asterisk config files)
ASKER
Silas2

My problem is that I've got UAs registering from all over (work-from-home people) with non-fixed IPs.
Ron Malmstead

I understand,
However.. if they are connecting through a VPN to the internal IP of Asterisk (which is the way it should be).. the IP that Asterisk will see is their internal IP network.. not their external IP.  So for example.. Comcast customers would likely be local 10.x networks.. you can also add 192.168.0.0/255.255.0.0;  That would probably take care of the vast majority of your work-at-home people.. and you would only have to tweak it for a few, if any.

Either that, or reconfigure the VPN to lease out internal IP addresses to your LAN.

I strongly advise anyone against putting Asterisk on a public IP.. though I understand sometimes this is necessary.

Can you identify the IP addresses that are brute-forcing you?  If so, you could create a firewall rule to block them entirely.
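To make the deny-then-permit ordering from the two posts above concrete, here is a small evaluator (added example, not code from this thread or from Asterisk itself) that parses sip.conf-style permit/deny lines, including the dotted-mask form shown above, and answers whether a source address would be accepted. It assumes the evaluation order Asterisk's ACL code uses, last matching rule wins and an address no rule matches is allowed; the rule set and the test addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed rule set in the order Ron suggests: a blanket deny first,
# then permits for the trunk provider and the private ranges remote
# workers would arrive from over a VPN.
SIP_CONF_RULES = [
    "deny=0.0.0.0/0.0.0.0        ; block everything by default",
    "permit=216.207.245.47/255.255.255.255",
    "permit=10.0.0.0/255.0.0.0",
    "permit=192.168.0.0/255.255.0.0",
]


def parse_rules(lines):
    """Turn sip.conf-style permit/deny lines into (sense, network) tuples.
    Accepts both the dotted-mask form sip.conf uses and CIDR prefixes."""
    parsed = []
    for raw in lines:
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in Asterisk config files
        if not line:
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if not sep or key not in ("permit", "deny"):
            continue
        addr, _, mask = value.strip().partition("/")
        net = ip_network(f"{addr}/{mask or '32'}", strict=False)
        parsed.append((key, net))
    return parsed


def acl_allows(lines, source_ip):
    """Evaluate the list the way Asterisk's ACL code does (assumed here; verify
    against your version): rules are walked in order and every matching rule
    overrides the verdict, so the LAST match wins; no match means allowed."""
    verdict = "permit"
    for sense, net in parse_rules(lines):
        if ip_address(source_ip) in net:
            verdict = sense
    return verdict == "permit"


def explain(lines, source_ip):
    """One-line human-readable verdict for a source address."""
    return f"{source_ip}: {'allowed' if acl_allows(lines, source_ip) else 'denied'}"


if __name__ == "__main__":
    for ip in ("216.207.245.47", "10.20.30.40", "192.168.1.50", "203.0.113.5"):
        print(explain(SIP_CONF_RULES, ip))
```

Because the last match wins, writing the permit line before the blanket deny silently denies everything, which is the mistake the "deny first" advice is guarding against.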
ASKER
Silas2

I think VPN is a bit OTT for my issue. A lot of these remote workers are quite casual.
Re IP addresses, they seem to vary over time. You feel the best way would be to have Asterisk trigger an event after a certain number of failed registration attempts from an IP address, then my Linux box could pick up the event and add the IP to the firewall.
I don't know enough about IP addressing, but is it possible to create a firewall rule that bans all IPs from certain countries?
Ron Malmstead

Some firewalls, such as SonicWall, have the option to block entire countries ("geo-blocking").
They maintain a database of global IP ranges for this purpose.. but to attempt to manage it yourself would be futile.

..what type of firewall appliance are you using?
ASKER
Silas2

errrrr.... actually it's switched off.
Reason being that the box is 100% Asterisk, so there is only one port really doing anything, which I can't block, so I can't see the point of a firewall... unless you have some insight.
But that SonicWall type of firewall might be just the thing.
Ron Malmstead

It's very difficult to protect a piece of hardware and its services (SIP) when it is directly exposed to the internet.  Even if you employed the server's own firewall as a means to protect it, it will still receive those nasty packets.

The point of the firewall is to manage attacks, and prevent attack packets from ever reaching your server in the first place.  SonicWall is very good for this purpose, and the ability to block IPs by country has been a life saver for me, since most attacks and spam I encounter originate out of Eastern Europe and China.
nauliv

Hello Silas,

Here is how I solved the same issue:

1) Use the built-in firewall of your Asterisk box to do rate limiting
   http://kvz.io/blog/2007/07/28/block-brute-force-attacks-with-iptables/
   (this example is with sip/22, just adapt it to sip/5060)

2) Block all the countries that your remote users are for sure not connecting from
   http://www.cyberciti.biz/faq/block-entier-country-using-iptables/
   (it uses ipdeny's zones list)

Good Luck !
ASKER
Silas2

That's a very interesting point nauliv, I was just looking at that post http://kvz.io/blog/2007/07/28/block-brute-force-attacks-with-iptables/, out of curiosity. Regarding SIP, UAs are making quite frequent, randomish registrations; wouldn't that fall foul of any attempt to block a certain amount in such-and-such time? (as the article suggests for SSH)
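The concern just raised (legitimate UAs re-registering often enough to trip a raw packet-rate limit) and the earlier idea of triggering on a number of failed registrations from one IP point at the same answer: count failures, not packets. The following is an added example, not code from this thread, from Asterisk or from the linked article: it parses the failed-registration NOTICE lines chan_sip writes to the Asterisk log, keeps a sliding window of failures per source address, skips address ranges you never want auto-blocked, and renders the iptables DROP rules a cron job or log watcher could apply. The log lines, addresses, threshold and window are constructed, and the log format is assumed from classic chan_sip, so compare the regex with a real line from your own box first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Failed-registration NOTICE as classic chan_sip writes it to the messages log
# (format assumed; check a real line from your box before relying on it).
FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '[^']*' "
    r"failed for '(?P<ip>\d+\.\d+\.\d+\.\d+)(?::\d+)?' - (?P<reason>.+)$"
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample log: one scanner (203.0.113.5) walking through extension
# numbers, one remote worker (198.51.100.7) who registers fine and mistypes a
# password once, and one LAN phone (10.0.0.20) with a stale password.
SAMPLE_LOG = """\
[2012-05-10 10:00:01] NOTICE[2201] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '203.0.113.5:5060' - No matching peer found
[2012-05-10 10:00:02] VERBOSE[2201] chan_sip.c:     -- Registered SIP '201' at 198.51.100.7:5060
[2012-05-10 10:00:02] NOTICE[2201] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '203.0.113.5:5060' - No matching peer found
[2012-05-10 10:00:03] NOTICE[2201] chan_sip.c: Registration from '"102" <sip:102@203.0.113.5>' failed for '203.0.113.5:5060' - No matching peer found
[2012-05-10 10:00:04] NOTICE[2201] chan_sip.c: Registration from '"201" <sip:201@198.51.100.7>' failed for '198.51.100.7:5060' - Wrong password
[2012-05-10 10:00:04] NOTICE[2201] chan_sip.c: Registration from '"103" <sip:103@203.0.113.5>' failed for '203.0.113.5:5060' - Wrong password
[2012-05-10 10:00:05] NOTICE[2201] chan_sip.c: Registration from '"104" <sip:104@203.0.113.5>' failed for '203.0.113.5:5060' - No matching peer found
[2012-05-10 10:00:06] NOTICE[2201] chan_sip.c: Registration from '"300" <sip:300@10.0.0.20>' failed for '10.0.0.20:5060' - Wrong password
[2012-05-10 10:00:07] NOTICE[2201] chan_sip.c: Registration from '"300" <sip:300@10.0.0.20>' failed for '10.0.0.20:5060' - Wrong password
[2012-05-10 10:00:08] NOTICE[2201] chan_sip.c: Registration from '"300" <sip:300@10.0.0.20>' failed for '10.0.0.20:5060' - Wrong password
[2012-05-10 10:00:09] NOTICE[2201] chan_sip.c: Registration from '"300" <sip:300@10.0.0.20>' failed for '10.0.0.20:5060' - Wrong password
[2012-05-10 10:00:10] NOTICE[2201] chan_sip.c: Registration from '"300" <sip:300@10.0.0.20>' failed for '10.0.0.20:5060' - Wrong password
"""

# Ranges never to block automatically (LAN phones, the trunk provider); constructed values.
NEVER_BLOCK = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"), ip_network("216.207.245.47/32")]


def parse_failures(lines):
    """Yield (timestamp, source_ip, reason) for every failed-registration line.
    Successful registrations and other log chatter simply do not match."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FORMAT), m["ip"], m["reason"]


def find_offenders(lines, threshold=5, window=timedelta(minutes=10), never_block=NEVER_BLOCK):
    """Return {ip: time the threshold was crossed} for sources with at least
    `threshold` FAILED registrations inside a sliding `window`. Counting only
    failures is what keeps a chatty but correctly authenticating UA off the list."""
    recent = defaultdict(deque)
    offenders = {}
    for ts, ip, _reason in parse_failures(lines):
        if any(ip_address(ip) in net for net in never_block):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders


def block_commands(offenders, port=5060):
    """Render one iptables DROP rule per offender for a log watcher to apply
    (the host firewall still receives the packets, as Ron notes above)."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG.splitlines())
    for cmd in block_commands(found):
        print(cmd)
```

In the sample the scanner crosses the threshold on its fifth failure, the remote worker's single typo and successful re-registration never count, and the LAN phone's repeated failures are skipped by the never-block list; a packet-rate limit on 5060 would have treated all three alike.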
SOLUTION
Ron Malmstead

ASKER
Silas2

I'm not really logging them so I don't know; it's just every time I open up a CLI I see them coming in.
I realise the problem with the SonicWall firewall is that it's hardware; this Asterisk box is at Rackspace.
ASKER CERTIFIED SOLUTION
ASKER
Silas2

Thanks for all that help guys. I'll just have to get some time to do something about it!
Ron Malmstead

Changing the port is probably one of the best ideas.. as you said, path of least resistance.. they aren't typically going to inspect what other port you may use for SIP; they will assume it's the default, and when they knock with no answer, they give up 99.9 percent of the time.