
Securing Asterisk SIP PBX by simple iptables rule checking if the domain is correct


Hi,

For some time I had been looking for a simple way to protect my Asterisk SIP PBX against bots and scanners that probe it and try to dial premium-rate numbers. Opening the SIP port to the internet meant that not a minute passed without suspicious requests hitting my Asterisk, and the log was full of these attempts.

While analysing the problem I noticed that the bots, scanners and attackers always use the IP address of my server when trying to break in, whereas my legitimate clients use the domain name of my Asterisk server. If a user configures the domain name in his SIP client or phone, that domain is used in all further SIP communication.

Below is an example INVITE (INVITE is the SIP request used to establish a VoIP call) from a user using the domain name (sip.example.com), and one from a user using the IP address (10.10.10.10) of the Asterisk server.

With domain:

With IP address:

Knowing that, I want to block requests to the Asterisk server that do NOT contain my domain name. I should clarify here that I use a dedicated subdomain for the telephones, which the bots, scanners and attackers do not know about.
Blocking the unwanted requests can be done with iptables rules that use string matching.

The rules differ between TCP and UDP because the two protocols establish a connection differently: TCP needs a three-way handshake before any data is sent, while UDP does not.

After applying these rules I did not see a single attack 🙂
At the end we can watch the iptables counters increase:
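The following script is an added example and not the rules from the original post (which are not reproduced above). It assumes Asterisk listens on port 5060, that the phone subdomain is sip.example.com, and that DRY_RUN=1 prints the rules instead of loading them. It shows the UDP and TCP variants side by side: a UDP datagram without the domain is dropped outright, while for TCP only data-bearing segments (PSH set) are inspected, because the handshake segments carry no SIP payload and could never contain the domain.

```shell
#!/bin/sh
# Added example, not the rules from the original post. Assumptions: Asterisk
# listens on port 5060, the phone subdomain is sip.example.com, and DRY_RUN=1
# prints the rules instead of loading them with iptables.

# Run iptables, or just print the rule when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        iptables "$@"
    fi
}

# Drop SIP traffic to $port that does not carry $domain anywhere in the packet.
# UDP: each datagram is a whole SIP message, so a datagram without the domain
# can be dropped outright. TCP: the SYN, SYN/ACK and ACK of the handshake carry
# no SIP payload and could never contain the domain, so only data-bearing
# segments (PSH set) are inspected; the handshake is left to the normal rules.
# --icase makes the match case-insensitive, as SIP host names are.
sip_domain_rules() {
    domain="$1"
    port="${2:-5060}"
    run -A INPUT -p udp --dport "$port" \
        -m string '!' --string "$domain" --algo bm --icase -j DROP
    run -A INPUT -p tcp --dport "$port" --tcp-flags PSH PSH \
        -m string '!' --string "$domain" --algo bm --icase -j DROP
}

# Show the packet/byte counters of the two DROP rules for $1 (the domain), as
# the post does once the rules have been running (needs real iptables, as root).
sip_drop_counters() {
    iptables -nvL INPUT | grep -F -- "$1"
}

# Dry run when executed directly with DRY_RUN=1: print what would be loaded.
if [ "${DRY_RUN:-0}" = 1 ]; then
    sip_domain_rules sip.example.com 5060
fi
```

Two limitations worth knowing before relying on this: the string match works per packet, so a SIP message split across several TCP segments or IP fragments is only inspected piece by piece, and TCP segments without PSH are not inspected at all. The rules also need to sit before any general ACCEPT for the SIP port in the INPUT chain, otherwise they are never reached.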

Securing ssh by iptables rules


I secured my ssh server in a simple way: with iptables rules that block attackers. I set up iptables so that it allows only one TCP SYN packet to the ssh port per minute from a single IP address. With additional configuration of the sshd daemon, the rules allow only one login attempt per hour.
iptables rules:

After we reach this one new connection per hour, the hashlimit-htable-expire rule starts counting 60 minutes (3600000 ms). During this time you cannot connect to ssh again.

MaxAuthTries in /etc/ssh/sshd_config is important: with it, sshd closes the ssh connection after an authentication failure, so the attacker has to open a new ssh connection (and a new TCP connection) to try again. That new SYN packet is what iptables notices.

If you use only public key authentication, you can set MaxAuthTries to 1, because this is the first authentication method offered by the OpenSSH server, and ssh clients also try public key authentication first. The other authentication methods come later:

debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey

With MaxAuthTries set to 1 only the first authentication method will work, usually publickey.

You can check the blocked addresses:

These rules have greatly reduced the strength of attacks on my ssh.
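The following script is an added example and not the rules from the original post (which are not reproduced above). It assumes sshd listens on port 22, that one new connection (one TCP SYN) per source address per minute is allowed, and that idle entries in the hashlimit table are kept for 3600000 ms; DRY_RUN=1 prints the rules instead of loading them. The table name "ssh" and the helper names are my own choices.

```shell
#!/bin/sh
# Added example, not the rules from the original post. Assumptions: sshd on
# port 22, one SYN per source address per minute, idle hashlimit entries kept
# for 3600000 ms (one hour). DRY_RUN=1 prints the rules instead of loading them.

# Run iptables, or just print the rule when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        iptables "$@"
    fi
}

# Accept a SYN to the ssh port only while the per-source bucket has a token
# (rate 1/minute, burst 1); every other SYN from that source is dropped, so the
# client never gets a TCP connection and sshd never sees a login attempt.
# Established connections are untouched because only SYNs are matched.
ssh_ratelimit_rules() {
    port="${1:-22}"
    rate="${2:-1/minute}"
    expire_ms="${3:-3600000}"
    run -A INPUT -p tcp --dport "$port" --syn \
        -m hashlimit --hashlimit-upto "$rate" --hashlimit-burst 1 \
        --hashlimit-mode srcip --hashlimit-name ssh \
        --hashlimit-htable-expire "$expire_ms" -j ACCEPT
    run -A INPUT -p tcp --dport "$port" --syn -j DROP
}

# The kernel exposes the per-source buckets of the table named above here;
# listing it shows which addresses are currently being throttled (root only).
ssh_ratelimit_table() {
    cat /proc/net/ipt_hashlimit/ssh
}

# Effective MaxAuthTries of the running sshd configuration, read with
# "sshd -T" (extended test mode, root only), which prints keywords in lower case.
sshd_max_auth_tries() {
    sshd -T 2>/dev/null | awk '$1 == "maxauthtries" { print $2 }'
}
```

In this example the rate (1/minute) is what spaces out the SYNs; --hashlimit-htable-expire only sets how long an idle per-source entry stays in the table. As with the SIP rules, the two rules must come before any general ACCEPT for port 22 in the INPUT chain, and the DROP must follow the ACCEPT.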

Please test this first while you still have another way of accessing the server!