Firewalling and Asterisk


Forgive my ignorance on this as I am still fairly new to Asterisk.

I have noticed lately that there have been several attempts to hack our
Asterisk server. I see multiple attempts to log in with a particular
extension from the same IP address, perhaps hundreds of times per
second. It causes the overhead to spike to ~100%. It is more of a pain
in the ass than anything.
So far what I have been doing is adding a drop of this particular IP
address to my iptables configuration. This makes that particular one
stop and overhead drops back to normal.
What I would like to know is:

1. has anyone else seen this?
2. what is the best way of prevention?

We are awaiting our Cisco firewall, but I can implement a software
solution in the meantime (Shorewall).

So, I am wondering if anyone has a firewall/iptables statement that
keeps out unauthorised users? No one seems to get in as we use really
strong passwords. However, the attempts cause our Asterisk server to
grind almost to a halt. I cannot even connect with a SIP phone when this

Any words of wisdom for me?



5 thoughts on - Firewalling and Asterisk

  • 0) Read the list archives, this comes up weekly.

    1) Determine who (in terms of external IP addresses) should be allowed to
    connect to your server.

    2) Create a list of iptables commands to allow those IP addresses.

    3) Deny everybody else.

    4) Use ‘fail2ban’ or something similar to detect abusive addresses and
    block them, if only for an [hour|day|week] or so.

    Even if you have ‘mobile’ users who ‘need to connect from everywhere’ you
    can probably define ‘everywhere’ a bit better like ‘not from North Korea’
    or ‘not from Africa’ — with suitable apologies to readers from North
    Korea or Africa.

  • If you do a search on the list postings for the past year, and even in
    the past 2 weeks, you will find much discussion on this topic.
    Fail2Ban seems fairly effective.
    Complex user names and passwords really help.
    (Assuming your hack attempts are with SIP) sipvicious is most likely
    the hackers' tool of choice.
    A couple of entries in your SIP general section will also help.
    A default context that leads nowhere is advisable.
    The attempt could only be the first of many to come, from different IPs.

    Google is your friend

    John Novack
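    The reply above names two sip.conf settings and a dead-end default context but does not spell them out. As an added example for this thread (it is not a tool from the Asterisk project or from any poster), the script below audits the [general] section of chan_sip's sip.conf for alwaysauthreject=yes and allowguest=no, looks up which context unauthenticated traffic lands in (chan_sip falls back to "default" when none is set), and flags that context if any line in extensions.conf runs Dial(). The sample configs it writes are constructed for the demonstration; the secret in them is a placeholder.

```sh
#!/bin/sh
# Audit chan_sip's [general] section and the default dialplan context.
# Added example for this thread; not a tool from the Asterisk project.
# The sample configs written by make_samples are constructed.

# ini_get FILE SECTION KEY : print the last value of KEY inside [SECTION]
# (Asterisk .conf files are ini-style; ';' starts a comment, objects use '=>')
ini_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*;/ { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == want && index($0, "=") {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]*/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=>?[ \t]*/, "", v); sub(/[ \t;].*$/, "", v); val = v
            }
        }
        END { if (val != "") print val }' "$1"
}

# context_dials FILE CONTEXT : succeed if any priority in [CONTEXT] runs Dial()
context_dials() {
    awk -v want="$2" '
        /^[ \t]*;/ { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == want && /,[ \t]*Dial[ \t]*\(/ { found = 1 }
        END { exit !found }' "$1"
}

# audit_sip SIP_CONF EXTENSIONS_CONF : print one line per finding; the exit
# status is the number of findings (0 = nothing to report)
audit_sip() {
    n=0
    if [ "$(ini_get "$1" general alwaysauthreject)" != yes ]; then
        echo "alwaysauthreject != yes: a scanner can tell valid extensions from invalid ones by the reply"
        n=$((n + 1))
    fi
    if [ "$(ini_get "$1" general allowguest)" != no ]; then
        echo "allowguest != no: unauthenticated INVITEs are accepted (chan_sip defaults to yes)"
        n=$((n + 1))
    fi
    ctx=$(ini_get "$1" general context)
    [ -n "$ctx" ] || ctx=default          # chan_sip's own fallback when unset
    if context_dials "$2" "$ctx"; then
        echo "default context [$ctx] contains Dial(): unauthenticated calls can reach a trunk"
        n=$((n + 1))
    fi
    return $n
}

# make_samples DIR : write a weak and a hardened pair of configs (constructed)
make_samples() {
    cat >"$1/weak-sip.conf" <<'EOF'
[general]
context=default
bindport=5060
allowguest=yes
alwaysauthreject=no

[1001]
type=friend
host=dynamic
secret=placeholder-secret
context=internal
EOF
    cat >"$1/weak-extensions.conf" <<'EOF'
[default]
exten => _X.,1,Dial(SIP/trunk/${EXTEN})   ; guests can dial out through the trunk

[internal]
exten => _X.,1,Dial(SIP/${EXTEN})
EOF
    cat >"$1/hard-sip.conf" <<'EOF'
[general]
context=blackhole      ; anything unauthenticated lands here
bindport=5060
allowguest=no
alwaysauthreject=yes
EOF
    cat >"$1/hard-extensions.conf" <<'EOF'
[blackhole]
exten => _X.,1,NoOp(Unauthenticated call to ${EXTEN} rejected)
 same => n,Hangup()

[internal]
exten => _X.,1,Dial(SIP/${EXTEN})
EOF
}

dir=$(mktemp -d)
make_samples "$dir"
for pair in weak hard; do
    echo "== $pair =="
    audit_sip "$dir/$pair-sip.conf" "$dir/$pair-extensions.conf" || echo "-> $? finding(s)"
done
rm -rf "$dir"
```

    Run it as `audit_sip /etc/asterisk/sip.conf /etc/asterisk/extensions.conf` on a real box. It only reads the [general] section, so a peer that sets its own context is not checked, and it only looks for Dial(); a default context that forwards calls with Goto() into a dialling context would slip past it.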

  • If you already have an iptables configuration, the “throttle” section is
    important. If not, the iptables.init script can likely drop in place.

    If you only need North American IP addresses to talk to your Asterisk
    box, I suggest you also run the from cron every week.

  • +1 Jeremy – these scripts, for NA PBXes, are perfect (and even without the
    heavy-handed blocking of the rest of the world, the iptables stuff is
    If I am digesting it correctly, this set of iptables rules does exactly
    what fail2ban would do, minus the logging, and without the overhead of a
    scripting language, correct?

    Love it!


  • Very similar to fail2ban, but not quite the same:
    * this’ll block hosts based on X authentication attempts (good OR bad)
    (fail2ban only counts bad attempts)
    * this cannot detect encrypted attempts (SIPS), fail2ban can
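    The first reply's steps 1 to 3 (allow-list the addresses that should reach you, deny the rest) and the "throttle" that the last two replies compare with fail2ban fit in one small generator. The script below is an added example for this thread, not the iptables.init script the posters mention, and the addresses in it are constructed from the RFC 5737 documentation ranges. It emits an iptables-restore fragment: traffic to the SIP ports is steered into a SIP-IN chain, listed peers are accepted, and unlisted sources are either dropped outright (mode `drop`) or budgeted per source with the xt_recent match (mode `throttle`), which, exactly as the last reply says, counts every packet whether the attempt succeeded or failed and sees nothing inside TLS.

```sh
#!/bin/sh
# Build an iptables-restore fragment for a SIP host. Added example for this
# thread; it is not the iptables.init script the replies refer to.
# Addresses used in the demo are constructed (RFC 5737 documentation ranges).

SIP_PORTS="5060,5061"   # cleartext SIP and SIPS; the counter only sees packets, not TLS payload

# build_sip_rules "CIDR CIDR ..." MODE [HITCOUNT] [SECONDS]
#   MODE=drop     : unlisted sources are dropped (step 3 of the first reply)
#   MODE=throttle : unlisted sources may talk, but a source that sends more than
#                   HITCOUNT packets within SECONDS is dropped until it goes quiet
# HITCOUNT must not exceed xt_recent's ip_pkt_list_tot (20 by default).
build_sip_rules() {
    allowed=$1; mode=$2; hits=${3:-20}; window=${4:-60}
    case $mode in
        drop|throttle) ;;
        *) echo "mode must be drop or throttle" >&2; return 2 ;;
    esac

    printf '%s\n' '*filter' ':SIP-IN - [0:0]'
    # Steer everything aimed at the SIP ports into its own chain
    for proto in udp tcp; do
        echo "-A INPUT -p $proto -m multiport --dports $SIP_PORTS -j SIP-IN"
    done
    # Steps 1-2: trunks, office NAT addresses and other known peers are always allowed
    for cidr in $allowed; do
        echo "-A SIP-IN -s $cidr -j ACCEPT"
    done
    if [ "$mode" = throttle ]; then
        # --update re-stamps the entry on every packet that already exceeds the
        # budget, so a host that keeps hammering stays blocked; the entry only
        # expires once it has been quiet for $window seconds. Good and bad
        # attempts count alike: this match knows nothing about SIP.
        echo "-A SIP-IN -m recent --name sipflood --update --seconds $window --hitcount $hits -j DROP"
        echo "-A SIP-IN -m recent --name sipflood --set -j ACCEPT"
    else
        # Step 3: deny everybody else
        echo "-A SIP-IN -j DROP"
    fi
    echo COMMIT
}

# Demo: two known peers, everyone else limited to 20 packets per minute
build_sip_rules "203.0.113.10/32 198.51.100.0/24" throttle 20 60
```

    Load it with `build_sip_rules "..." throttle | iptables-restore --noflush` (without `--noflush`, iptables-restore replaces every chain in the filter table with what is in the fragment), and watch the counter in `/proc/net/xt_recent/sipflood`. Tune HITCOUNT against your own phones before trusting it: a handset that registers every minute and sends OPTIONS keepalives can use a good part of a 20-packets-per-minute budget on its own, and a single TLS connection carrying many requests counts only as its packets.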