Link to home
Get AccessLog in
Avatar of Silas2
Silas2

asked on

Asterisk Sip Brute Force

I'm getting plagued by these Sip brute force attacks.
I don't think they'll every get thru, my secrets are all randomized to the 10's millions + my SIP trunk provider is locked down with any premium rate connections ..i can't think of any thing else...anybody?
But, the plague I think must be putting some strain on the asterisk box + it makes the CLI very hard to read when I'm debugging.
The only thing I was thinking as a simple delay in registration attempts, as the legitimate ones taking a long time is ok for me, so the attacks would be very much slowed down - is there a setting in asterisk for this?
Avatar of Ron Malmstead
Ron Malmstead
Flag of United States of America image

In your SIP.conf file.. you can specify the networks that are allowed to register.

http://www.voip-info.org/wiki/view/Asterisk+sip+permit-deny-mask

Deny first.. then allow only your internal networks, and your external sip trunk destination ip's.

example...
deny=0.0.0.0/0.0.0.0
permit=216.207.245.47/255.255.255.255
#Deny every address except for the only one allowed.
Avatar of Silas2
Silas2

ASKER

My problem is that I've got UA's registering from all over (work from home people) with non-fixed IPs.
I understand,
However.. if they are connecting through a vpn to the internal IP of asterisk (which is the way it should be)..the IP that Asterisk will see is their internal IP network.. not their external IP.  So for example.. comcast customers would likely be local 10.x networks.. you can also add 192.168.0.0/255.255.0.0;  That would probably take care of the vast majority of your work at home people.. and you would only have to tweak it for a few if any.

Either that, or reconfigure the VPN to lease out internal IP addresses to your LAN.

I strongly advise anyone against putting Asterisk on a public IP.. though I understand sometimes this is necessary.

Can you identify the IP Addresses that are brute attacking?  If so, you could create a firewall rule to block them entirely.
Avatar of Silas2

ASKER

I think VPN is a bit OTT for my issue. A lot of these remote workers are quite casual.
Re IP addresses , they seem to vary over time. You feel the best way would be to have asterisk trigger an event after a certain number of failed registration attempts from an IP address, then my linux box could pick up the event and add the IP to the firewall.
I don't know enough about IP addressing, but is it possible to create a firewall rule that bans all IP's from certain countries?
Some firewalls such as SonicWall, have the option to block entire countries.  "geo-blocking"
They maintain a database of global IP ranges for this purpose.. but to attempt to manage it yourself would be futile.

..what type of firewall appliance are you using?
Avatar of Silas2

ASKER

errrrr....actually its switched off.
Reason being that the box is 100% asterisk so there is only one port really doing anything which I can't block, so I can't see the point of a firewall...unless you have some insight.
But that SonciWall type of firwall might be just the thing.
It's very difficult to protect a peice of hardware and it's services (SIP), when it is directly exposed to the internet.  Even if you employed the server's own firewall as a means to protect, it will still recieve those nasty packets.

The point of the firewall is to manage attacks, and prevent attack packets from ever reaching your server in the first place.  Sonicwall is very good for this purpose, and the ability to block IP's by country has been a life saver for me, ..since most attacks and spam I encounter originate out of Eastern Europe and China.
Hello Silas,

Here is how i solved the same issue:

1) Use the built-in firewall of your asterisk box to use rate limiting
     http://kvz.io/blog/2007/07/28/block-brute-force-attacks-with-iptables/
     (this example is with sip/22, just adapt it to sip/5060)

2) Block all the countries that your remote users are for sure not connecting from
    http://www.cyberciti.biz/faq/block-entier-country-using-iptables/
     (it uses ipdeny's zones list)

Good Luck !
Avatar of Silas2

ASKER

That's a very interesting point nauliv, I was just looking at that post http://kvz.io/blog/2007/07/28/block-brute-force-attacks-with-iptables/, out of curiosity, regarding SIP, UA's are making quite frequent randomish registration's wouldn't that fall foul of any attempt to block a certain amount in such/such time? (as the article suggests for SSH)
SOLUTION
Avatar of Ron Malmstead
Ron Malmstead
Flag of United States of America image

Link to home
membership
This content is only available to members.
To access this content, you must be a member of Experts Exchange.
Get Access
Avatar of Silas2

ASKER

I'm not really logging them so I don't know, its just every time i open up a cli I see them coming in.
I realise the problem with the sonicWeb firewall is that it's hardware, this asterisk box is at rackspace.
ASKER CERTIFIED SOLUTION
Link to home
membership
This content is only available to members.
To access this content, you must be a member of Experts Exchange.
Get Access
Avatar of Silas2

ASKER

Thanks for all that help guys. I'll just have to get some time to do something about it!
Changing the port, is probably one of the best ideas.. as you said, path of least resistance,..they aren't going to typically inspect what other port you may use for sip they will assume it's the default, and when they knock with no answer, they give up 99.9 percent of the time.