I run an Asterisk server and I would like to lock the ports
tcp 5060
udp 5060, 10000-20000
to my different SIP providers' IP addresses. I do not see any place where I can restrict these ports to the source IP,
so the regular SIP attacks start, with random extension numbers being attacked. I have a fail2ban script that stops them, but I want to restrict it completely.
How do I do this?
I noted a preset SIP part in the firewall, but I did not use it because I felt it only (maybe I am wrong) did ports 5060-5061 in UDP, not TCP, and I was not sure about the RTP for SIP (there was something for RTP, but I was not sure if it was the SIP RTP).
Without this my Asterisk server gets banged on all day and night by folks trying to get in.
Responses (6)
Accepted Answer
You should be able to do more or less what is in your links. You can do "-m string ...", but you must specify an algorithm. You can try hashlimit.
You need to be aware of some things.
INPUT rules are for traffic destined for ClearOS, so they would apply if ClearOS were running your SIP software. FORWARD rules are for traffic passing through ClearOS from LAN to WAN or WAN to LAN. This is why the INPUT rules did nothing for you.
Rule ordering is important. If you look at a firewall listing ("iptables -nvL") then rules in each chain are processed from top to bottom and rule processing stops when the first match is made (apart from a few exceptions such as -j LOG). This is why I inserted the drop rules before the accept rules as the insert command inserts into the top of the table. The first rule in your custom rules gets added at the top then the second gets added at the top so above the first and so on. To add to the bottom use -A instead of -I.
I do not know KVM setups. I have a play VM, but it is really noddy, with NAT'd LAN and WAN interfaces rather than bridged.
Accepted Answer
My DSL ISP IP range does not get a ton of action, so I am still waiting and have not seen anything yet. I was not sure if I was to use ppp0, but when I looked I was unable to see what my device is. Note I am running this in a hypervisor (KVM).
I have 4 network ports and am unsure how to get a shell up so I could run ipconfig or ip addr show.
In the IP address section all it showed was ppp0, so that's what I used.
Since this router allows direct iptables rules, does it support hashlimit? It would be nice to do iptables -A INPUT -m string --string "REGISTER sip:" and have a limit on it.
I am looking at this for reference
https://wiki.freeswitch.org/wiki/QoS
and this one seems to list a lot of the common scanner names:
http://ithelpblog.com/voice/prevent-or-deny-sip-dos-attack-sip-scanner-by-iptables-firewall/
Accepted Answer
-
Accepted Answer
It must not be working. I tried what you said: went to the custom firewall and added the rules for the two IP addresses. My VoIP provider is voip.ms; they list their servers separately, they are not doing any SRV DNS stuff, and they are very open about what server is what, and they have servers all over for less lag.
I added the rules in the morning and waited; I just got my first hit:
[2014-11-27 20:59:51] NOTICE[27196] chan_sip.c: Registration from '"100" <sip:100@23.91.135.136:5060>' failed for '37.75.209.87:11537' - Wrong password
[2014-11-27 20:59:52] NOTICE[27196] chan_sip.c: Registration from '"298" <sip:298@23.91.135.136:5060>' failed for '37.75.209.87:11525' - Wrong password
Here are the rules I added:
iptables -I INPUT -i ppp0 -p tcp --dport 5060 -m state --state NEW -j DROP
iptables -I INPUT -i ppp0 -p udp -m multiport --dports 5060,10000:20000 -m state --state NEW -j DROP
iptables -I INPUT -i ppp0 -s 1xx.xxx.xxx.xx1 -p tcp --dport 5060 -j ACCEPT
iptables -I INPUT -i ppp0 -s 1xx.xxx.xxx.xx1 -p udp -m multiport --dports 5060,10000:20000 -j ACCEPT
iptables -I INPUT -i ppp0 -s 2xx.xxx.xxx.xx2 -p tcp --dport 5060 -j ACCEPT
iptables -I INPUT -i ppp0 -s 2xx.xxx.xxx.xx2 -p udp -m multiport --dports 5060,10000:20000 -j ACCEPT
Technically I do not want anything to get in. Is it because I have rules allowing access to the ports in the port forwarding part?
It would be nice to have a way to port forward that allows me to restrict to the source in the web interface.
The only other worry is whether this is NATting properly. It seems to work, but then again it does not seem to be restricted at all.
So I have disabled the port forwards for 5060 in SIP, UDP and TCP (I made two forwards; I left the RTP ports alone). It seems to work, I guess; I will have to wait and see if anyone can get in. I do not get a lot of action, but I get hit every week at least, so now to wait, I guess.
Accepted Answer
Unless your SIP provider uses a single address range for their IPs, you are going to need to run multiple rules, one for each IP address or range. Also, is Asterisk running on ClearOS or on a server behind ClearOS? It changes the rules required. If it is running on ClearOS, try:
iptables -I INPUT -i ethX -p tcp --dport 5060 -m state --state NEW -j DROP
iptables -I INPUT -i ethX -p udp -m multiport --dports 5060,10000:20000 -m state --state NEW -j DROP
iptables -I INPUT -i ethX -s your_sip_provider_IP -p tcp --dport 5060 -j ACCEPT
iptables -I INPUT -i ethX -s your_sip_provider_IP -p udp -m multiport --dports 5060,10000:20000 -j ACCEPT
Change ethX to your WAN interface. Repeat the last two rules as often as needed. If your SIP provider uses an address block, you can specify it in CIDR form as the source IP. Check the rules at the command line first, then, if they work, add them to the custom firewall module or /etc/clearos/firewall.d/local. I am not sure you need the "-m state --state NEW", but it won't harm.
Rule ordering is important, with the block rules going at the top of the list. They get added to iptables in that order so, if you then do an iptables listing, the drop rules will end up below the accept rules.
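The two answers above explain three things a reader has to get right at once: the drop rules must be issued before the accept rules because each -I pushes earlier inserts down, a provider with several servers needs one accept pair per address or CIDR block, and the rules go in INPUT only when Asterisk runs on ClearOS itself (FORWARD when it is a host behind ClearOS, as in the KVM setup in the thread). The script below is an added example written for this page; it is not code from the thread, from voip.ms or from ClearOS. It generates the commands in the right order, shows the resulting chain order, and optionally emits the "-m string ... -m hashlimit" REGISTER limiter discussed earlier with the mandatory --algo. The interface name ppp0, the addresses 203.0.113.10, 203.0.113.11, 198.51.100.0/24 and the Asterisk LAN address 192.168.1.50 are placeholders; the FORWARD-chain variant follows the INPUT/FORWARD explanation in the answer and assumes that -I FORWARD puts the rules ahead of whatever ClearOS's port forwarding added, which the thread did not verify.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClearOS: generate the custom
# firewall rules that restrict SIP signalling and RTP to a list of provider
# addresses, in the order the -I inserts must be issued. Run with no arguments
# to print the plan; run "apply input" or "apply forward" as root to load it.

# Assumed, hypothetical values: override them from the environment.
WAN_IF="${WAN_IF:-ppp0}"                                                    # WAN interface (ethX or ppp0)
SIP_PROVIDERS="${SIP_PROVIDERS:-203.0.113.10 203.0.113.11 198.51.100.0/24}" # placeholder addresses / CIDR blocks
ASTERISK_LAN_IP="${ASTERISK_LAN_IP:-192.168.1.50}"                          # used only when Asterisk sits behind ClearOS
IPTABLES="${IPTABLES:-iptables}"

# emit_rules MODE  (MODE is "input" or "forward"): prints one iptables command per line.
#   input   : Asterisk runs on ClearOS itself, so the packets terminate in INPUT.
#   forward : Asterisk is a host behind ClearOS (e.g. a KVM guest reached through a
#             port forward), so the packets pass through FORWARD; match the LAN destination.
# Every command uses -I (insert at the top), so the catch-all DROPs are printed first and
# the per-provider ACCEPTs last: once loaded, the listing shows ACCEPT above DROP.
emit_rules() {
    case "$1" in
        input)   chain=INPUT;   dst="" ;;
        forward) chain=FORWARD; dst="-d $ASTERISK_LAN_IP" ;;
        *) echo "usage: emit_rules input|forward" >&2; return 1 ;;
    esac
    echo "$IPTABLES -I $chain -i $WAN_IF $dst -p tcp --dport 5060 -m state --state NEW -j DROP"
    echo "$IPTABLES -I $chain -i $WAN_IF $dst -p udp -m multiport --dports 5060,10000:20000 -m state --state NEW -j DROP"
    for src in $SIP_PROVIDERS; do
        echo "$IPTABLES -I $chain -i $WAN_IF -s $src $dst -p tcp --dport 5060 -j ACCEPT"
        echo "$IPTABLES -I $chain -i $WAN_IF -s $src $dst -p udp -m multiport --dports 5060,10000:20000 -j ACCEPT"
    done
}

# emit_register_limit MODE: the "-m string ... -m hashlimit" idea from the thread, with the
# --algo that the string match requires. Issued after emit_rules it lands at the very top and
# drops any source sending more than 10 REGISTERs a minute (burst 20) before Asterisk sees them.
emit_register_limit() {
    case "$1" in
        input)   chain=INPUT;   dst="" ;;
        forward) chain=FORWARD; dst="-d $ASTERISK_LAN_IP" ;;
        *) return 1 ;;
    esac
    echo "$IPTABLES -I $chain -i $WAN_IF $dst -p udp --dport 5060 -m string --string \"REGISTER sip:\" --algo bm -m hashlimit --hashlimit-above 10/min --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name sipreg -j DROP"
}

# final_order MODE: the chain as "iptables -nvL" will list it, i.e. the commands reversed,
# which is why the drops end up at the bottom even though they were issued first.
final_order() {
    emit_rules "$1" | awk '{ line[NR] = $0 } END { for (i = NR; i > 0; i--) print line[i] }'
}

# count_rules MODE: 2 catch-all drops plus 2 accepts per provider entry.
count_rules() {
    emit_rules "$1" | wc -l | tr -d ' '
}

# apply_rules MODE: load the rules (needs root); this is what a snippet in
# /etc/clearos/firewall.d/local or the Custom Firewall module would run.
apply_rules() {
    emit_rules "$1" | sh -e
}

if [ "${1:-}" = "apply" ]; then
    apply_rules "${2:-input}"
else
    echo "# commands, in the order to run them:"
    emit_rules "${2:-input}"
    echo "# resulting chain, top to bottom:"
    final_order "${2:-input}"
fi
```

Two caveats before putting this in the custom firewall module. The UDP 10000-20000 drop also covers RTP, so if the provider's media servers use addresses other than its SIP servers, those must be in the list too or inbound audio will be dropped while signalling still works. And because every rule is an -I, loading the script twice stacks a second copy on top; either rely on the ClearOS firewall restart rebuilding the chains or guard each command with the matching "iptables -C" check. As the answer says, try it at the command line and read "iptables -nvL INPUT --line-numbers" (or FORWARD) before making it permanent.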