Firewalling and Asterisk


Forgive my ignorance on this as I am still fairly new to Asterisk.

I have noticed lately that there have been several attempts to hack our
Asterisk server. I see multiple attempts to log in with a particular
extension from the same IP address, perhaps hundreds of times per
second. It causes the overhead to spike to ~100%. It is more of a pain
in the ass than anything.
So far what I have been doing is adding a drop of this particular IP
address to my iptables configuration. This makes that particular one
stop and overhead drops back to normal.
What I would like to know is:

1. has anyone else seen this?
2. what is the best way of prevention?

We are awaiting our Cisco firewall, but I can implement a software
solution in the meantime (Shorewall).

So, I am wondering if anyone has a firewall/iptables statement that
keeps out unauthorised users? No one seems to get in as we use really
strong passwords. However, the attempts cause our Asterisk server to
grind almost to a halt. I cannot even connect with a SIP phone when this
happens.

Any words of wisdom for me?

Thanks!

Glen

5 thoughts on - Firewalling and Asterisk

  • 0) Read the list archives; this comes up weekly.

    1) Determine who (in terms of external IP addresses) should be allowed to
    connect to your server.

    2) Create a list of iptables commands to allow those IP addresses.

    3) Deny everybody else.

    4) Use ‘fail2ban’ or something similar to detect abusive addresses and
    block them, if only for an [hour|day|week] or so.

    Even if you have ‘mobile’ users who ‘need to connect from everywhere’ you
    can probably define ‘everywhere’ a bit better like ‘not from North Korea’
    or ‘not from Africa’ — with suitable apologies to readers from North
    Korea or Africa.

  • If you do a search on the list postings for the past year, and even in
    the past 2 weeks, you will find much discussion on this topic.
    Fail2Ban seems fairly effective.
    Complex user names and passwords really help.
    (Assuming your hack attempts are with SIP) sipvicious is most likely
    the hackers' tool of choice.
    A couple of entries in your SIP general section will also help.
    A default context that leads nowhere is advisable.
    The attempt could only be the first of many to come, from different IP
    addresses.

    Google is your friend

    John Novack


  • http://jeremy.kister.net/code/iptables/

    If you already have an iptables configuration, the “throttle” section is
    important. If not, the iptables.init script can likely drop in place.

    If you only need North American IP addresses to talk to your Asterisk
    box, I suggest you also run the make-non-na.pl from cron every week.

  • +1 Jeremy – these scripts, for NA PBXes, are perfect (and even without the
    heavy handed blocking of the rest of the world, the iptables stuff is
    invaluable).

    If I am digesting it correctly, this set of iptables rules does exactly
    what fail2ban would do, minus the logging, and without the overhead of a
    scripting language, correct?

    Love it!

    j

  • Very similar to fail2ban, but not quite the same:
    * this’ll block hosts based on X authentication attempts (good OR bad)
    (fail2ban only counts bad attempts)
    * this cannot detect encrypted attempts (SIPS), fail2ban can
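The approach the first reply lays out (allowlist known sources, then detect and block abusive addresses as fail2ban does) and the last reply's point that fail2ban counts only failed attempts, as an added example that is not from the thread or from any of the scripts linked above. It parses chan_sip "Registration from ... failed for" NOTICE lines (the log format fail2ban's Asterisk filter matches), counts failures per source inside a sliding window, skips an assumed TRUSTED allowlist, and emits the corresponding iptables DROP commands for review rather than running them; the log lines and addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# chan_sip failed-registration NOTICE; later versions append ':port' to the IP.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '[^']*' "
    r"failed for '(?P<ip>\d+\.\d+\.\d+\.\d+)(?::\d+)?' - (?P<reason>.+)$"
)

# Assumed allowlist (step 1 of the first reply): sources that must never be banned.
TRUSTED = [ip_network("198.51.100.0/24"), ip_network("203.0.113.10/32")]

# Constructed sample log, not a real capture: one host fails six times in ten
# seconds, one trusted host fails once, one host fails once, one line is noise.
SAMPLE_LOG = [
    f"[Jan 20 10:15:{s:02d}] NOTICE[2140] chan_sip.c: Registration from "
    f"'\"100\"<sip:100@pbx>' failed for '192.0.2.77' - Wrong password"
    for s in range(0, 12, 2)
] + [
    "[Jan 20 10:15:03] NOTICE[2140] chan_sip.c: Registration from '\"200\"<sip:200@pbx>' failed for '198.51.100.5:5060' - Wrong password",
    "[Jan 20 10:15:05] NOTICE[2140] chan_sip.c: Registration from '\"300\"<sip:300@pbx>' failed for '192.0.2.9' - No matching peer found",
    "[Jan 20 10:15:06] NOTICE[2140] chan_sip.c: Peer '300' is now Reachable. (12ms / 2000ms)",
]

def offenders(log_lines, max_fail=5, window=timedelta(seconds=60)):
    """Return {ip: peak_failures} for sources exceeding max_fail failed
    registrations inside `window`. Only failures count, as fail2ban does."""
    recent = defaultdict(deque)
    banned = {}
    for line in log_lines:
        m = FAILED_REG.match(line)
        if not m:
            continue  # successful REGISTERs and unrelated lines are ignored
        ip = m.group("ip")
        if any(ip_address(ip) in net for net in TRUSTED):
            continue  # allowlisted source: never ban, even on bad passwords
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) > max_fail:
            banned[ip] = max(banned.get(ip, 0), len(q))
    return banned

def drop_rules(banned):
    """iptables commands that would block the offenders; review before applying."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP" for ip in sorted(banned)]
```

Run it over a tail of /var/log/asterisk/messages to see which sources would be blocked; the threshold and window are the knobs to tune, and the trusted list should hold your own phones and trunks so a mistyped password never locks them out.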