
Securing Asterisk SIP PBX by simple iptables rule checking if the domain is correct


Hi,

For some time I have been looking for a simple way to protect my Asterisk SIP PBX against attacks from bots and scanners that probe for SIP servers and try to dial premium-rate numbers. Opening the SIP port to the internet meant there was not a single minute without suspicious requests hitting my Asterisk, and the log was full of these attempts.

While analyzing the problem I noticed that the bots, scanners and attackers always use the IP address of my server when trying to break in, whereas my legitimate clients use the domain name of my Asterisk server. If a user configures the domain name in his SIP client or phone, that domain is used in all further SIP communication.

Below I show an example INVITE (INVITE is the SIP request used to establish a VoIP call) from a user who uses the domain name (sip.example.com), and one from a user who uses the IP address (10.10.10.10) of the Asterisk server.

With domain:

With IP address:

Knowing that, I want to block requests to the Asterisk server which do NOT contain my domain name. At this point I should clarify that I use a dedicated subdomain for the telephones; bots, scanners and attackers do not know about this domain.
Blocking the unwanted requests can be done with iptables rules using string matching.

The differences between the rules result from the different ways TCP and UDP establish a connection: TCP needs a three-way handshake before any SIP data is sent, UDP does not.
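As an added example (my own code, not the rules from the original post), the following Python models the decision that string-matching rules make on two constructed INVITEs: one from a phone configured with the domain and one from a scanner that only knows the IP address. The rule order, the 5060 port and the TCP handling are my assumptions about how such a rule set is laid out; the string match itself mirrors what iptables `-m string` does, a plain substring search over the payload.

```python
# Added example, not from the original post. Models the filter logic the
# article describes; rule order and TCP handling are assumptions.
DOMAIN = "sip.example.com"   # the dedicated "telephone" subdomain from the article

# Constructed INVITE from a phone configured with the domain name.
INVITE_WITH_DOMAIN = (
    b"INVITE sip:1001@sip.example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKabc\r\n"
    b"From: <sip:2001@sip.example.com>;tag=1\r\n"
    b"To: <sip:1001@sip.example.com>\r\n"
    b"Call-ID: a1@192.0.2.10\r\n"
    b"CSeq: 1 INVITE\r\n\r\n"
)

# Constructed INVITE from a scanner that only knows the server's IP address.
INVITE_WITH_IP = (
    b"INVITE sip:00441234567890@10.10.10.10 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKxyz\r\n"
    b"From: <sip:100@10.10.10.10>;tag=2\r\n"
    b"To: <sip:00441234567890@10.10.10.10>\r\n"
    b"Call-ID: b2@198.51.100.7\r\n"
    b"CSeq: 1 INVITE\r\n\r\n"
)


def contains_domain(payload: bytes, domain: str = DOMAIN) -> bool:
    """Model of `-m string --string <domain>`: a plain, case-sensitive
    substring search over the packet payload (no SIP parsing involved)."""
    return domain.encode() in payload


def decide(proto: str, ct_state: str, payload: bytes, dport: int = 5060) -> str:
    """Return ACCEPT or DROP for one packet to the SIP port (assumed rule order).

    UDP: the very first datagram already carries the INVITE, so a NEW packet
    is checked for the domain string directly; ESTABLISHED,RELATED traffic
    (replies to calls the PBX started, registered trunks) is accepted.
    TCP: the NEW packet is a bare SYN with no SIP payload, so the handshake
    has to be let through and the string check can only run on ESTABLISHED
    packets that actually carry data. That is why the two rule sets differ.
    """
    if dport != 5060:
        return "ACCEPT"            # not SIP signalling, outside this chain
    if proto == "udp":
        if ct_state in ("ESTABLISHED", "RELATED"):
            return "ACCEPT"
        return "ACCEPT" if contains_domain(payload) else "DROP"
    if proto == "tcp":
        if ct_state == "NEW":
            return "ACCEPT"        # SYN: nothing to match yet
        if not payload:
            return "ACCEPT"        # pure ACKs and handshake completion
        return "ACCEPT" if contains_domain(payload) else "DROP"
    return "DROP"


def run_samples() -> dict:
    """Apply the model to the constructed packets; the keys name the scenario."""
    return {
        "phone_udp_invite": decide("udp", "NEW", INVITE_WITH_DOMAIN),
        "scanner_udp_invite": decide("udp", "NEW", INVITE_WITH_IP),
        "scanner_tcp_syn": decide("tcp", "NEW", b""),
        "scanner_tcp_invite": decide("tcp", "ESTABLISHED", INVITE_WITH_IP),
        # An inbound INVITE from a trunk the PBX registered to: it does not
        # carry our domain, it only gets through because conntrack already
        # knows the flow.
        "trunk_udp_invite_established": decide("udp", "ESTABLISHED", INVITE_WITH_IP),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:32s} {verdict}")
```

The last scenario is worth keeping in mind: traffic from a SIP trunk does not contain the telephone subdomain, so it is only accepted while the conntrack entry created by the PBX's own REGISTER is still alive.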

After applying these rules I did not see a single attack 🙂
At the end we can check that the iptables counters are increasing:

3 Comments

Hi Jan,
I implemented the rules for SIP over UDP. Almost everything works, but I have problems receiving INVITEs from DID providers (i.e., from servers on which my Asterisk is REGISTER’d). Did you assume that the rule for state “ESTABLISHED,RELATED” would catch them? In my case, it does not.

Hi Enzo,
Could you record the INVITE packets from your SIP trunks (DID providers)? You can do it with tcpdump, for example:
tcpdump -vvv -i eth0 -p udp and port 5060 -s 0 -A

Probably the INVITE packets from the SIP trunks do not contain your domain name. But as you mentioned, they should be caught by the “ESTABLISHED,RELATED -j ACCEPT” rule.

I suspect that the connection entries in the conntrack table are expiring too fast in your case.
UDP connections are kept in the conntrack table for a short time. On my machine with default kernel settings it is only 180 seconds:

router:~ # cat /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream
180

I think you can solve this problem by configuring Asterisk to send keepalive packets on your SIP trunks. The option qualify=yes in the trunk configuration does that. This should refresh the UDP timeout of the conntrack entry, so the connection to your SIP trunk should not expire from the conntrack table and the “ESTABLISHED,RELATED” rule should work properly 🙂
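The timing argument in the reply above can be checked with a toy model. The following Python is an added example (mine, not code from the post or from Asterisk or netfilter) with a simplified UDP conntrack table: a flow is NEW on its first datagram, ESTABLISHED on every later one, and its expiry is moved forward by each packet in either direction. The unreplied timeout of 30 seconds and the 60-second OPTIONS interval are my assumptions; the 180-second stream timeout is the value quoted in the thread.

```python
# Added example, not from the original post. Simplified model of netfilter's
# UDP conntrack ageing, enough to show why qualify=yes keeps a trunk flow alive.
UDP_TIMEOUT = 30          # nf_conntrack_udp_timeout (no reply seen yet), assumed default
UDP_TIMEOUT_STREAM = 180  # nf_conntrack_udp_timeout_stream, value from the thread
QUALIFY_INTERVAL = 60     # seconds between OPTIONS keepalives, assumed


class ConntrackUDP:
    """Toy conntrack table keyed by the unordered (ip, port) pair of a flow."""

    def __init__(self):
        self.entries = {}

    @staticmethod
    def _key(src, sport, dst, dport):
        # Both directions of a flow share one entry.
        return tuple(sorted([(src, sport), (dst, dport)]))

    def packet(self, now, src, sport, dst, dport):
        """Register one datagram at time `now` and return its conntrack state."""
        key = self._key(src, sport, dst, dport)
        entry = self.entries.get(key)
        if entry is None or entry["expires"] <= now:
            # First packet of a flow (or of an expired one): NEW, short timeout.
            self.entries[key] = {"orig": (src, sport), "replied": False,
                                 "expires": now + UDP_TIMEOUT}
            return "NEW"
        if (src, sport) != entry["orig"]:
            entry["replied"] = True        # traffic seen in both directions
        timeout = UDP_TIMEOUT_STREAM if entry["replied"] else UDP_TIMEOUT
        entry["expires"] = now + timeout   # every packet refreshes the entry
        return "ESTABLISHED"


PBX = ("10.10.10.10", 5060)     # the Asterisk server from the article
TRUNK = ("203.0.113.5", 5060)   # constructed address of a DID provider


def trunk_invite_state(keepalive_interval=None, invite_at=600):
    """REGISTER to the trunk at t=0, optional OPTIONS keepalives, then an
    inbound INVITE from the trunk at t=invite_at. Returns the INVITE's state:
    ESTABLISHED passes the accept rule, NEW falls through to the string match
    (and is dropped, since trunk INVITEs do not carry the phone subdomain)."""
    ct = ConntrackUDP()
    ct.packet(0, *PBX, *TRUNK)       # REGISTER out -> NEW
    ct.packet(1, *TRUNK, *PBX)       # 200 OK back  -> entry now has the stream timeout
    if keepalive_interval:
        t = keepalive_interval
        while t < invite_at:
            ct.packet(t, *PBX, *TRUNK)        # OPTIONS sent because of qualify=yes
            ct.packet(t + 1, *TRUNK, *PBX)    # 200 OK from the trunk
            t += keepalive_interval
    return ct.packet(invite_at, *TRUNK, *PBX)


if __name__ == "__main__":
    print("without qualify:", trunk_invite_state())
    print("with qualify=yes:", trunk_invite_state(QUALIFY_INTERVAL))
```

Without keepalives the entry created by the REGISTER exchange expires 180 seconds after the last packet, so an INVITE arriving ten minutes later is NEW and never reaches the ESTABLISHED,RELATED rule; with a 60-second OPTIONS cycle the entry is refreshed well inside the 180-second window and the same INVITE is ESTABLISHED.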

Hi Jan,

Yes, you are right: the “qualify=yes” does the trick. And the nf_conntrack_udp_timeout_stream is 180 in my system as well. Pity Asterisk doesn’t allow sending simple keep-alive packets (CRLF/CRLF) as per RFC 6223 section 4.1, so I have to bother the peers with heavier OPTIONS requests.

I had provisionally solved the problem by adding ACCEPT rules for the domains referenced in the “From:” header of the INVITEs, but that’s obviously an inferior solution because those domains are relatively well-known, also by hackers who might use them to mount scanning attacks.

Thanks,

Enzo
