Hi,
For some time I have been looking for a simple way to protect my Asterisk SIP PBX against attacks from bots and scanners that probe it and try to dial premium-rate numbers. Opening the SIP port to the internet meant that not a minute passed without suspicious requests hitting my Asterisk; the log was full of these attempts.
While analysing this problem I noticed that the bots, scanners and attackers always use the IP address of my server when trying to break in, while my legitimate clients use the domain name of my Asterisk server. If a user configures the domain name in their SIP client or phone, that domain is used in all further SIP communication.
Below are example INVITE requests (INVITE is the SIP request used to establish a VoIP call) from a user configured with the domain name (sip.example.com) and from a user configured with the IP address (10.10.10.10) of the Asterisk server.
With domain:
INVITE sip:202@sip.example.com:5060 SIP/2.0
Accept: application/conference-info+xml, application/sdp, message/sipfrag, multipart/mixed
Via: SIP/2.0/UDP 192.168.50.118:5071;branch=z9hG4bKe0aa06e32b6841d20.8df0298f12545d84a;rport
Route: <sip:sip.example.com:5060;lr>
Max-Forwards: 70
From: "107" <sip:107@sip.example.com:5060>;tag=d04f22eca5
To: <sip:202@sip.example.com:5060>;tag=as5bf765cf
Call-ID: 01f0d32f2156bb22
CSeq: 1027520776 INVITE
With IP address:
INVITE sip:202@10.10.10.10:5060 SIP/2.0
Accept: application/conference-info+xml, application/sdp, message/sipfrag, multipart/mixed
Via: SIP/2.0/UDP 192.168.50.118:5071;branch=z9hG4bKe0aa06e32b6841d20.8df0298f12545d84a;rport
Route: <sip:10.10.10.10:5060;lr>
Max-Forwards: 70
From: "107" <sip:107@10.10.10.10:5060>;tag=d04f22eca5
To: <sip:202@10.10.10.10:5060>;tag=as5bf765cf
Call-ID: 01f0d32f2156bb22
CSeq: 1027520776 INVITE
Knowing that, I want to block requests to the Asterisk server which do NOT contain my domain name. At this point I should clarify that I use a dedicated subdomain for the telephones; bots, scanners and attackers do not know about this domain.
Blocking the unwanted requests can be done with iptables rules that use the string match module (-m string) on the packet payload.
# UDP port 5060 rules
# Allow packets belonging to an already established SIP connection
iptables -A INPUT -i eth0 -p udp --dport 5060 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow packets which contain my domain name
iptables -A INPUT -i eth0 -p udp --dport 5060 -m string --string "sip.example.com" --algo bm -j ACCEPT
# Drop other packets (without my domain)
iptables -A INPUT -i eth0 -p udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP
iptables -A INPUT -i eth0 -p udp --dport 5060 -m string --string "INVITE sip:" --algo bm -j DROP
iptables -A INPUT -i eth0 -p udp --dport 5060 -m string --string "OPTIONS sip:" --algo bm -j DROP
iptables -A INPUT -i eth0 -p udp --dport 5060 -j DROP
# TCP port 5060 rules
# Allow packets which contain my domain name
iptables -A INPUT -i eth0 -p tcp --dport 5060 -m string --string "sip.example.com" --algo bm -j ACCEPT
# Block other SIP requests (REGISTER, INVITE, OPTIONS) if they do not contain my domain name
iptables -A INPUT -i eth0 -p tcp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 5060 -m string --string "INVITE sip:" --algo bm -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 5060 -m string --string "OPTIONS sip:" --algo bm -j DROP
# Allow the TCP connection to be established, and any packets other than REGISTER/INVITE/OPTIONS (without domain)
iptables -A INPUT -i eth0 -p tcp --dport 5060 -j ACCEPT
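To see how the rule ordering above behaves before loading it into a live firewall, the following added example (mine, not part of the original post) walks the same UDP and TCP chains over constructed SIP messages. The two INVITEs are built from the examples shown earlier; the REGISTER and SUBSCRIBE messages are constructed for the demonstration, and sip.example.com and 10.10.10.10 are the post's own placeholder values. Like iptables -m string, the matching is a plain substring search over the whole payload, so the domain in Route, From or To is enough for a match.

```python
# Added example: an offline simulator of the post's iptables chains.
# It is not the post's code and does not touch the real firewall.

DOMAIN = b"sip.example.com"  # the post's placeholder domain

# Rule order copied from the post's UDP chain: (match, target).
# "established" stands for "-m state --state ESTABLISHED,RELATED";
# None is the catch-all rule at the end of the chain.
UDP_CHAIN = [
    ("established", "ACCEPT"),
    (DOMAIN, "ACCEPT"),
    (b"REGISTER sip:", "DROP"),
    (b"INVITE sip:", "DROP"),
    (b"OPTIONS sip:", "DROP"),
    (None, "DROP"),
]

# The post's TCP chain has no state rule and ends in ACCEPT so that
# handshake segments (no SIP payload at all) are not dropped.
TCP_CHAIN = [
    (DOMAIN, "ACCEPT"),
    (b"REGISTER sip:", "DROP"),
    (b"INVITE sip:", "DROP"),
    (b"OPTIONS sip:", "DROP"),
    (None, "ACCEPT"),
]


def first_matching_target(chain, payload, established=False):
    """Return the target of the first rule in the chain that matches the packet."""
    for match, target in chain:
        if match is None:
            return target
        if match == "established":
            if established:
                return target
            continue
        if match in payload:  # substring search, as -m string does
            return target
    raise AssertionError("chain has no catch-all rule")


def classify(payload, proto, established=False):
    """Verdict for one packet on port 5060: proto is 'udp' or 'tcp'."""
    chain = UDP_CHAIN if proto == "udp" else TCP_CHAIN
    return first_matching_target(chain, payload, established)


def request_uri_host(payload):
    """Host part of the Request-URI, e.g. 'sip.example.com' or '10.10.10.10'."""
    request_line = payload.split(b"\r\n", 1)[0]
    _method, uri, _version = request_line.split(b" ", 2)
    _scheme, _, rest = uri.partition(b":")     # drop 'sip:'
    hostport = rest.rsplit(b"@", 1)[-1]        # drop 'user@' if present
    return hostport.split(b":", 1)[0].decode()  # drop ':port'


# Constructed messages (headers trimmed to what the rules look at).
INVITE_DOMAIN = (
    b"INVITE sip:202@sip.example.com:5060 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.168.50.118:5071;branch=z9hG4bKe0aa06e32b6841d20.8df0298f12545d84a;rport\r\n"
    b"From: \"107\" <sip:107@sip.example.com:5060>;tag=d04f22eca5\r\n"
    b"To: <sip:202@sip.example.com:5060>\r\n"
    b"CSeq: 1027520776 INVITE\r\n\r\n"
)
INVITE_IP = (
    b"INVITE sip:202@10.10.10.10:5060 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.168.50.118:5071;branch=z9hG4bKe0aa06e32b6841d20.8df0298f12545d84a;rport\r\n"
    b"From: \"107\" <sip:107@10.10.10.10:5060>;tag=d04f22eca5\r\n"
    b"To: <sip:202@10.10.10.10:5060>\r\n"
    b"CSeq: 1027520776 INVITE\r\n\r\n"
)
REGISTER_IP = (
    b"REGISTER sip:10.10.10.10 SIP/2.0\r\n"
    b"From: <sip:100@10.10.10.10>;tag=c0ffee\r\n"
    b"To: <sip:100@10.10.10.10>\r\n\r\n"
)
SUBSCRIBE_IP = (  # a method the post's rules do not list explicitly
    b"SUBSCRIBE sip:202@10.10.10.10:5060 SIP/2.0\r\n"
    b"From: <sip:100@10.10.10.10>;tag=decaf\r\n"
    b"To: <sip:202@10.10.10.10>\r\n\r\n"
)


def demo():
    """Verdicts for each constructed message on UDP and on TCP."""
    samples = [("INVITE via domain", INVITE_DOMAIN), ("INVITE via IP", INVITE_IP),
               ("REGISTER via IP", REGISTER_IP), ("SUBSCRIBE via IP", SUBSCRIBE_IP)]
    return [(name, request_uri_host(m), classify(m, "udp"), classify(m, "tcp"))
            for name, m in samples]


if __name__ == "__main__":
    for name, host, udp, tcp in demo():
        print(f"{name:18s} host={host:16s} udp={udp:6s} tcp={tcp}")
```

Running it shows the two things worth knowing about the ordering: the UDP chain drops everything without the domain, while the TCP chain, because it ends in ACCEPT for the sake of the handshake, lets a request with a method other than REGISTER, INVITE or OPTIONS (SUBSCRIBE in the sample) reach Asterisk even without the domain. Also keep in mind that -m string examines each packet on its own, so over TCP a request split across several segments is matched segment by segment.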
After applying these rules, I did not see even one attack 🙂
At the end we can check the increasing iptables counters:
asterisk:~ # iptables -nvL
Chain INPUT (policy ACCEPT 74700 packets, 24M bytes)
 pkts bytes target prot opt in out source destination
   50 42859 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 STRING match "sip.example.com"
   14 10038 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 STRING match "REGISTER sip:"
    0 0 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 STRING match "INVITE sip:"
    0 0 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 STRING match "OPTIONS sip:"
  685 215K ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060
   51 32475 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 state RELATED,ESTABLISHED
    2 1487 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sip.example.com"
   10 6930 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "REGISTER sip:"
    0 0 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "INVITE sip:"
    4 1725 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "OPTIONS sip:"
    2 64 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060