If you’ve had the problem of hackers trying to break into your Asterisk server, you probably know that you can use tools like Fail2ban to at least slow them down. But why let them know you even have an Asterisk server in the first place? Maybe you need to leave port 5060 open so that remote users (not on your local network) can connect to the server, but that doesn’t mean that you have to advertise to the bad guys that you might have something of interest. With that in mind, we direct your attention to this post in the DSLReports VoIP forum:
The Linux netfilter/iptables firewall is capable of stopping these attacks before they even start.
At a bare minimum, this stops 99% of the attacks when added to your iptables ruleset:
-A INPUT -p udp --dport 5060 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 5060 -m string --string "REGISTER sip:your.pbx.dns.name" --algo bm -j ACCEPT
-A INPUT -p udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP
-A INPUT -p udp --dport 5060 -m string --string "OPTIONS sip:" --algo bm -j DROP
-A INPUT -p udp --dport 5060 -j ACCEPT
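To see why the ordering of those five rules matters, here is a small model of how netfilter evaluates them for one SIP-over-UDP datagram (first matching rule wins; `-m string --algo bm` is a plain substring search over the payload). This is an added example, not code from the forum post; the PBX name and the sample SIP requests are constructed for illustration.

```python
# Model of the five-rule iptables chain above for a UDP datagram to port 5060.
# Assumption: the PBX is reachable by remote phones under this DNS name.
PBX_FQDN = "your.pbx.dns.name"

# Each rule: (conntrack states it requires or None, payload substring it
# requires or None, verdict). Same order as the ruleset in the post.
RULES = [
    ({"ESTABLISHED", "RELATED"}, None, "ACCEPT"),   # replies to traffic we started
    (None, f"REGISTER sip:{PBX_FQDN}", "ACCEPT"),   # registrations aimed at our FQDN
    (None, "REGISTER sip:", "DROP"),                # any other REGISTER (e.g. by bare IP)
    (None, "OPTIONS sip:", "DROP"),                 # OPTIONS probes used to find SIP hosts
    (None, None, "ACCEPT"),                         # everything else on 5060/udp
]

def verdict(payload: str, conntrack_state: str = "NEW") -> str:
    """Return the verdict netfilter would give this datagram (first match wins)."""
    for states, needle, action in RULES:
        if states is not None and conntrack_state not in states:
            continue
        if needle is not None and needle not in payload:
            continue
        return action
    return "ACCEPT"  # not reached: the last rule matches every packet

# Constructed sample requests; a scanner that only knows the server's IP
# cannot put the FQDN in the Request-URI, so its REGISTER hits the DROP rule.
SAMPLES = {
    "register_by_fqdn": f"REGISTER sip:{PBX_FQDN} SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.7\r\n",
    "register_by_ip":   "REGISTER sip:203.0.113.10 SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.7\r\n",
    "options_probe":    "OPTIONS sip:203.0.113.10 SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.7\r\n",
    "invite_by_ip":     "INVITE sip:100@203.0.113.10 SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.7\r\n",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:18} -> {verdict(msg)}")
```

Note that the chain only covers UDP 5060: SIP over TCP or TLS on other ports is not touched by these rules, and an INVITE addressed by IP still reaches Asterisk (last rule), which is why the post calls this a bare minimum rather than a complete filter.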
To understand how this works, read the original post by DSLReports user espaeth.
For another line of defense against such attacks, see the article Stop SOME SipVicious attacks from reaching your Asterisk, FreeSwitch, YATE, etc. PBX server.
3 thoughts on “A possible way to thwart SIP hack attempts on your Asterisk (or other) PBX server”
Ward Mundy, over at nerdvittles.com, came up with a script-automated way to do something similar.
The idea is that you whitelist all your known static IPs, then use dynamic DNS to have a FQDN for each dynamic IP; periodically check your list of dynamic FQDNs and their associated IPs; if one or more has changed, look them all up again and reload iptables. For a bad guy to even try to break in he’d have to be at one of the IPs one of your dynamic FQDNs had just moved away from, and he’d have to be able to break in within the periodic recheck time. Pretty unlikely if you have decent passwords.
Bob, I asked a friend to comment on this and this was his response:
Yeah, on re-read, I completely missed the point of this iptables bit – which is to only enable inbound requests that are to your FQDN.
Good idea, although at least some VOIP providers want an IP, not a FQDN. I think most of those are for the firewall at their end, but you might want to be sure to whitelist their IP blocks just in case.