Hello, I'm looking for some advice on securing Asterisk. Recently my server's been under several brute-force SIP attacks. I have several remote sites, as well as many roaming users, who may have PC softclients and/or SIP based hardphones.

My first step will be to strengthen the passwords in use, and for the hardphones to restrict by IP address, but that still leaves the softphone quite widely open. Does Asterisk 1.6 have anything in it that can automatically block out an attacking IP, say if it receives several 20 or so failed attempts from that IP in x minutes? I haven't looked at Secure SIP in quite a while; is that now integrated into 1.6?

One thing that's confusing me in my config is that I thought that if I set NAT=no in sip.conf, then I wouldn't be able to connect to that SIP account unless I was on the local LAN, specified by locallan=. However, in some testing I'm finding that I can still connect from an external SIP client. Also, I tried setting one SIP account from host=dynamic to host=<ipaddr>, and when that client tried to register, Asterisk complained that the account wasn't supposed to be trying to register.

My next step is also to upgrade my Asterisk itself to the latest stable 1.6.

Any other suggestions?

Thanks,

Adrian
On Fri, 19 Mar 2010, Adrian Marsh wrote:

> I'm looking for some advice on securing Asterisk.
>
> My first step will be to strengthen the passwords in use, and for the
> hardphones to restrict by IP address, but that still leaves the
> softphone quite widely open.

Asterisk doesn't differentiate between a hard phone and a soft phone. You can restrict by IP address for soft phones as well.

> Does Asterisk 1.6 have anything in it that can automatically block out
> an attacking IP, say if it receives several 20 or so failed attempts
> from that IP in x minutes?

I'm a 1.2 Luddite, so I can't speak for 1.6. I think any "brute force" or DOS security policy needs to be implemented external to Asterisk. I don't think there are any AMI events you could listen to. I think you are limited to what you can scrounge out of a log file.

How about setting up a couple of "honey-pot" SIP accounts with obvious passwords and in the context fire off a user event? Then you could listen for the event via AMI.

> Any other suggestions?

Repost with a meaningful subject -- a blank subject labels you as a newbie who is probably not worth the time of members with relevant experience.

--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards       sedwards at sedwards.com      Voice: +1-760-468-3867 PST
Newline                                          Fax: +1-760-731-3000
On 19/03/10 1:19 PM, Adrian Marsh wrote:
> Hello,
>
> I'm looking for some advice on securing Asterisk.

Have a look at fail2ban:

http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk

--
Cheers,

Matt Riddell
Managing Director
_______________________________________________
http://www.venturevoip.com/news.php (Daily Asterisk News)
http://www.venturevoip.com/exchange.php (Full ITSP Solution)
http://www.venturevoip.com/st.php (SmoothTorque Predictive Dialer)
Fail2ban is a must. I was a victim of such attacks, and have implemented some other measures too, but fail2ban is a must have, with the link posted by Matt which describes how to set it up for Asterisk. Make sure you put your own IP address in the ignore list, otherwise it can block you too.

On 2010-03-18 8:45 PM, "Matt Riddell" <lists at venturevoip.com> wrote:
> On 19/03/10 1:19 PM, Adrian Marsh wrote:
> > Hello,
> >
> > I'm looking for some advice on securing Asteri...
>
> Have a look at fail2ban:
>
> http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk
>
> --
> Cheers,
>
> Matt Riddell
> Managing Director
> _______________________________________________
> http://www.venturevoip.com/news.php (Daily Asterisk News)
> http://www.venturevoip.com/exchange.php (Full ITSP Solution)
> http://www.venturevoip.com/st.php (SmoothTorque Predictive Dialer)
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
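What the fail2ban approach recommended above boils down to, as an added Python example that is not part of any message in this thread and not fail2ban's own code: count failed REGISTERs per source address over a sliding window, ban the source once it crosses a threshold, and never ban addresses on an ignore list (the point Zeeshan makes about locking yourself out). The log lines are constructed to resemble the NOTICE lines chan_sip writes on a failed registration; the threshold, window and ignore networks are assumptions, and the parameter names merely mirror fail2ban's maxretry/findtime/ignoreip.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log modelled on chan_sip's failed-REGISTER NOTICE lines.
# None of the addresses or accounts are real. Note the last line: a fifth
# failure from 198.51.100.7 arrives long after the first four, so the window
# has emptied and no ban results. 10.0.0.20 is an "admin" host on the ignore list.
SAMPLE_LOG = """\
[Mar 19 10:00:01] NOTICE[2244] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '203.0.113.5' - Wrong password
[Mar 19 10:00:02] NOTICE[2244] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '203.0.113.5' - No matching peer found
[Mar 19 10:00:02] NOTICE[2244] chan_sip.c: Registration from '"102" <sip:102@203.0.113.5>' failed for '203.0.113.5' - No matching peer found
[Mar 19 10:00:03] NOTICE[2244] chan_sip.c: Registration from '"103" <sip:103@203.0.113.5>' failed for '203.0.113.5' - No matching peer found
[Mar 19 10:00:03] NOTICE[2244] chan_sip.c: Registration from '"104" <sip:104@203.0.113.5>' failed for '203.0.113.5' - No matching peer found
[Mar 19 10:00:04] NOTICE[2244] chan_sip.c: Registration from '"105" <sip:105@203.0.113.5>' failed for '203.0.113.5' - No matching peer found
[Mar 19 10:01:00] NOTICE[2244] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '198.51.100.7' - Wrong password
[Mar 19 10:01:30] NOTICE[2244] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '198.51.100.7' - Wrong password
[Mar 19 10:02:00] NOTICE[2244] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '198.51.100.7' - Wrong password
[Mar 19 10:02:30] NOTICE[2244] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '198.51.100.7' - Wrong password
[Mar 19 10:03:00] NOTICE[2244] chan_sip.c: Registration from '"300" <sip:300@10.0.0.20>' failed for '10.0.0.20' - Wrong password
[Mar 19 10:03:01] NOTICE[2244] chan_sip.c: Registration from '"300" <sip:300@10.0.0.20>' failed for '10.0.0.20' - Wrong password
[Mar 19 10:03:02] NOTICE[2244] chan_sip.c: Registration from '"300" <sip:300@10.0.0.20>' failed for '10.0.0.20' - Wrong password
[Mar 19 10:03:03] NOTICE[2244] chan_sip.c: Registration from '"300" <sip:300@10.0.0.20>' failed for '10.0.0.20' - Wrong password
[Mar 19 10:03:04] NOTICE[2244] chan_sip.c: Registration from '"300" <sip:300@10.0.0.20>' failed for '10.0.0.20' - Wrong password
[Mar 19 10:05:00] VERBOSE[2244] logger.c:     -- Registered SIP '300' at 10.0.0.20 port 5060
[Mar 19 10:20:00] NOTICE[2244] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '198.51.100.7' - Wrong password
"""

# Matches a failed REGISTER and captures timestamp, source IP (an optional
# ":port" suffix is tolerated) and the reason chan_sip gives.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[0-9.]+)(?::\d+)?' - (?P<reason>.*)$"
)


def iptables_drop_rule(ip):
    """A plain DROP rule for a banned host (fail2ban's own action uses a per-jail chain)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


class BruteForceDetector:
    """Ban a source after `maxretry` failed REGISTERs inside `findtime`; skip `ignoreip`."""

    def __init__(self, maxretry=5, findtime=timedelta(minutes=10),
                 ignoreip=("127.0.0.0/8", "10.0.0.0/8")):
        self.maxretry = maxretry
        self.findtime = findtime
        self.ignore = [ip_network(n) for n in ignoreip]
        self.failures = defaultdict(deque)  # ip -> failure timestamps still in the window
        self.banned = {}                    # ip -> time of the failure that tripped the ban

    def is_ignored(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        """Consume one log line; return the IP if this line triggers a ban, else None."""
        m = FAILED_REG.match(line)
        if not m:
            return None
        ip = m.group("ip")
        if ip in self.banned or self.is_ignored(ip):
            return None
        # Asterisk omits the year; the parsed (dummy) year is harmless as long
        # as all lines fall within one calendar year.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:   # drop failures older than the window
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[ip] = ts
            return ip
        return None


def scan(log_text, **options):
    """Run the detector over a whole log and return it for inspection."""
    det = BruteForceDetector(**options)
    for line in log_text.splitlines():
        hit = det.feed(line)
        if hit:
            print(f"ban {hit}: {iptables_drop_rule(hit)}")
    return det


if __name__ == "__main__":
    d = scan(SAMPLE_LOG)
    print("banned:", sorted(d.banned))
```

Run against the sample, only 203.0.113.5 is banned: 198.51.100.7 never reaches five failures inside one ten-minute window, and 10.0.0.20 is skipped because it falls inside an ignored network. Feeding the detector `tail -F /var/log/asterisk/messages` instead of the embedded sample is the only change needed to use it live.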
Zeeshan Zakaria
2010-Mar-19 03:05 UTC
[asterisk-users] Better SIP security please! Was: (no subject)
Philipp, remembering the SIP user agent is a wonderful idea, and if you google it, somebody had made a patch for it, so that one could identify SIP devices by their SIP user agent names. Surprisingly the decision makers didn't like to put it in the production branch of Asterisk at that time; however, it is still available online somewhere as a patch for older releases of Asterisk. I came across it when hackers were attacking my server on a constant basis.

I however ended up writing some security code within the dialplan to catch the SIP user agent fields and IP addresses and compare them with info in the actual user database, which worked well for me. Here the only problem could be with a change of SIP user agent info, e.g. X-Lite puts the version number in the SIP user agent field, which changes as you upgrade it to newer versions. Relatively more complicated code will probably recognize it, however. And a hacker can always send a fake SIP user agent field if he is really desperate to hack your server, which can also be caught using fail2ban.

On 2010-03-18 10:45 PM, "Philipp von Klitzing" <klitzing at pool.informatik.rwth-aachen.de> wrote:
> Hey hey!
>
> > > My first step will be to strengthen the passwords in use, and for the
> > > hardphones to restrict by IP address, but that still leaves the
> > > softphone quite widely open.
> >
> > Asterisk doesn't differentiate between a hard phone and a soft phone.
>
> Although: One could think about enhancing Asterisk security by allowing only a (number of) specific SIP user agent header (vendor, model) for a SIP account - next to a strong password, of course.
>
> Or implement something more dynamic like: Read and lock the current (or first) user agent string, and then ping the admin if that changes and request an un-lock/re-auth.
>
> > > Does Asterisk 1.6 have anything in it that can automatically block out
> > > an attacking IP, say if it receives several 20 or so failed attempts
> > > from that IP in x minutes?
>
> It would still be important to have a sip.conf parameter in 1.4 that is similar to "delayreject" in iax.conf! One of my systems has been scanned 3 times in the past days, and it takes just a little over a minute for a 10,000 account registration scan.
>
> Philipp
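The two ideas in this exchange, comparing user agent and source IP against the user database (Zeeshan) and locking the first user agent seen and flagging any change (Philipp), combined into one added Python example. This is not Zeeshan's dialplan code, not the patch he mentions, and not part of Asterisk; the account table, the verdict names and the rule for ignoring version/build tokens are assumptions. The version handling addresses the X-Lite problem Zeeshan raises: a new release changes the string, so the comparison works on the vendor/model part only, while digits glued to letters (a model number like SPA941) are kept.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AccountRecord:
    """What the hypothetical user database knows about one SIP account."""
    ip: Optional[str]          # fixed source address, or None for a roaming softphone
    ua: Optional[str] = None   # User-Agent locked on first contact (None = not yet seen)


def make_db() -> Dict[str, AccountRecord]:
    """Constructed sample accounts: 100 is a roaming X-Lite user, 200 a hardphone on a fixed address."""
    return {
        "100": AccountRecord(ip=None),
        "200": AccountRecord(ip="203.0.113.40"),
    }


_DOTTED_VERSION = re.compile(r"\d+(?:\.\d+)+")   # 5.1.8, 3.0
_BARE_BUILD = re.compile(r"\b\d+[a-z]?\b")       # 1103k, 53621 (standalone tokens only)


def ua_family(ua: str) -> str:
    """Reduce a User-Agent string to its vendor/model part.

    'X-Lite release 1103k stamp 53621' and 'X-Lite release 1104o stamp 56125'
    both become 'X-Lite release stamp'; 'Linksys/SPA941-5.1.8' keeps SPA941.
    """
    s = _DOTTED_VERSION.sub("", ua)
    s = _BARE_BUILD.sub("", s)
    return re.sub(r"\s+", " ", s).strip()


def check_register(db: Dict[str, AccountRecord], account: str, src_ip: str, ua: str) -> str:
    """Classify a registration attempt against the database.

    Returns one of: 'unknown-account', 'ip-mismatch', 'locked' (first contact,
    user agent recorded), 'ok', 'version-change' (same vendor/model, lock
    updated) or 'ua-mismatch' (different device claiming this account).
    Anything other than 'ok'/'locked'/'version-change' is what you would
    reject and alert the admin about, as Philipp suggests.
    """
    rec = db.get(account)
    if rec is None:
        return "unknown-account"
    if rec.ip is not None and rec.ip != src_ip:
        return "ip-mismatch"
    if rec.ua is None:
        rec.ua = ua                       # first contact: lock the user agent
        return "locked"
    if rec.ua == ua:
        return "ok"
    if ua_family(rec.ua) == ua_family(ua):
        rec.ua = ua                       # tolerate a version bump and re-lock
        return "version-change"
    return "ua-mismatch"


if __name__ == "__main__":
    db = make_db()
    for acct, ip, ua in [
        ("100", "198.51.100.20", "X-Lite release 1103k stamp 53621"),
        ("100", "192.0.2.5", "X-Lite release 1104o stamp 56125"),
        ("100", "192.0.2.5", "OtherPhone/2.0"),
        ("200", "192.0.2.77", "Linksys/SPA941-5.1.8"),
    ]:
        print(acct, ip, ua, "->", check_register(db, acct, ip, ua))
```

In an Asterisk deployment the two inputs are the User-Agent header and the source address of the request; the dialplan exposes the former through SIP_HEADER(User-Agent) on calls, which is where Zeeshan's check ran. A spoofed user agent defeats the comparison, as he notes, so this belongs next to strong passwords and the fail2ban-style rate limiting, not in place of them.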
On Fri, Mar 19, 2010 at 3:13 AM, Zeeshan Zakaria <zishanov at gmail.com> wrote:
> Fail2ban is a must. I was a victim of such attacks, and have implemented
> some other measures too, but fail2ban is a must have with the link posted by
> Matt which describes how to set it up for asterisk. Make sure you put your
> own ip address in ignore list otherwise it can block you too.

You may also consider using BFD (Brute Force Detection) [1] as your tool for log analysis. We have a detailed tutorial [2] on how to install and configure BFD, using Asterisk rules [3] for the SIP and IAX protocols. Our approach is not to use iptables but to block the communication with the attacker using "route del -host $ATTACK_HOST reject". To unban a specific IP we use a manual command like "route del -host $ATTACK_HOST reject". This is probably not the best method, but it works for us till now.

Best regards,
Ioan.

[1] http://www.rfxn.com/projects/brute-force-detection/
[2] http://www.modulo.ro/Modulo/ro/Articole/Securitate_pentru_servere_Asterisk.html
[3] http://www.modulo.ro/Modulo/downloads/tools/tenora.bfd.tar.gz
Gavin Henry
2010-Mar-21 22:32 UTC
[asterisk-users] Better SIP security please! Was: (no subject)
Has anyone done this with OpenSIPS? For example where it fronts an Asterisk cluster with the load balancer module?

Thanks,

Gavin.

On 19/03/2010, Ryan Bullock <rrb3942 at gmail.com> wrote:
>>
>> Hey Philipp,
>>
>
> You can check out
> http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk for
> setting up brute force detection and blocking with asterisk. There is
> also a link at the bottom about rate limiting registrations via iptables.
>

--
Sent from my mobile device

http://www.suretecsystems.com/services/openldap/
http://www.suretectelecom.com