Protecting your Asterisk / FreePBX Server using a host Firewall
Rules for a Free PBX Host Server
iptables rules
Protect yourself by only opening required ports (and limit brute force attempts at authenticating)
-A INPUT -p udp -m multiport --dports 5060,5061 -m set --match-set fail2ban-ASTERISK src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 5060,5061 -m set --match-set fail2ban-ASTERISK src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -m set --match-set voip_bl src -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m udp --dport 2727 -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p udp -m udp --dport 5060:5061 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 5060:5061 -j ACCEPT
-A INPUT -s known_external_proxy -p udp -m udp --dport 5060:5061 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "User-Agent: VaxSIPUserAgent" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "User-Agent: friendly-scanner" --algo bm --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --set --name VOIP --rsource
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIP --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --set --name VOIPINV --rsource
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIPINV --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5061 -m hashlimit --hashlimit-upto 6/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5061 -m hashlimit --hashlimit-upto 6/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p icmp -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 137 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 138 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 5038 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 58080 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 55050 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 514 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j ACCEPT
Note 1: Replace xxx.xxx.xxx.xxx/24 with your local network, e.g. 192.168.1.0/24.
Note 2: -s xxx.xxx.xxx.xxx/24 ensures that even if you open that port by mistake on your public router, the host will not respond to public hosts; it will only respond to hosts on your intranet.
Note 3: Opening 5060:5061 to the public is only necessary if you need clients connecting to your system from the internet. If you can avoid this (e.g. because all your clients are local desk phones or use VPNs), remove all the public-access rules for 5060:5061 above and replace them with rules that limit access to your intranet:
-A INPUT -s xxx.xxx.xxx.xxx/24 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 5060 -j ACCEPT
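An added audit script (not part of this page or of FreePBX) that parses rules in the iptables-save format used above and reports two things worth checking before loading them: the ipsets that must already exist (iptables-restore rejects a --match-set rule whose set is missing) and the ACCEPT rules reachable from any source, which is what Notes 2 and 3 are about. The rule excerpt and the 192.168.1.0/24 network are constructed from the list above.

```python
"""Audit an iptables-save style INPUT ruleset for a PBX host: report which
ports any source can reach and which ipsets must exist before the rules load."""
import shlex

# Constructed excerpt of the ruleset above; 192.168.1.0/24 stands in for the
# xxx.xxx.xxx.xxx/24 placeholder from Note 1.
RULES = """
-A INPUT -p udp -m multiport --dports 5060,5061 -m set --match-set fail2ban-ASTERISK src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m set --match-set voip_bl src -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5061 -m hashlimit --hashlimit-upto 6/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
"""

def parse_rule(line):
    """Map each option of one '-A ...' line to its value (True when it takes none).
    A repeated option such as -m keeps its last value, which is enough for an audit."""
    toks, opts, i = shlex.split(line), {}, 0
    while i < len(toks):
        if toks[i].startswith("-"):
            has_arg = i + 1 < len(toks) and not toks[i + 1].startswith("-")
            opts[toks[i]] = toks[i + 1] if has_arg else True
            i += 2 if has_arg else 1
        else:
            i += 1  # positional word, e.g. the 'src' after --match-set
    return opts

def rule_lines(text=RULES):
    return [ln for ln in text.splitlines() if ln.startswith("-A ")]

def required_ipsets(lines):
    """iptables-restore rejects a --match-set rule whose set does not exist yet."""
    return sorted({o["--match-set"] for o in map(parse_rule, lines) if "--match-set" in o})

def public_accepts(lines):
    """ACCEPT rules with no -s, -i or connection-state restriction, i.e. what any
    Internet host can reach; the third field marks hashlimit rate-limited rules."""
    out = []
    for o in map(parse_rule, lines):
        if o.get("-j") != "ACCEPT" or any(k in o for k in ("-s", "-i", "--state", "--ctstate")):
            continue
        out.append((o.get("-p", "any"), o.get("--dport") or o.get("--dports"), "--hashlimit-upto" in o))
    return out
```

Run `required_ipsets(rule_lines())` and `public_accepts(rule_lines())` on the output of `iptables-save` (INPUT lines only) to audit a live host the same way.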
Port Names
Name | Port | Group |
---|---|---|
sip | 5060 | VOIP |
sip-t | 5061 | VOIP |
netbios-ns | 137 | Samba |
netbios-dg | 138 | Samba |
netbios-ss | 139 | Samba |
microsoft-ds | 445 | Samba |
webmin | 10000 | webmin |
ssh | 22 | ssh |
http | 80 | web |
ntp | 123 | time |
https | 443 | web |
syslog | 514 | syslog |
iSymphony | 58080 | iSymphony |
iSymphony | 55050 | iSymphony |
Media Gateway Control Protocol | 2727 | MGCP |
Asterisk API | 5038 | Asterisk |
IAX2 | 4569 | Asterisk |
Fail2Ban
Protect yourself by preventing probes and brute force attacks
Install fail2ban and ipset on Ubuntu
apt-get install fail2ban ipset
The following extends the original Fail2Ban with iptables and Asterisk filter, updated to catch some extra port scans and probes and to use ipset.
Please refer to that article for background notes.
/etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban filter for asterisk authentication failures
#
[Definition]
__pid_re = (?:\[\d+\])
# All Asterisk log messages begin like this:
log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*
failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' \(.*\) - (Wrong password|No matching peer found|Username\/auth name mismatch|Device does not match ACL|Peer is not supposed to register|ACL error \(permit\/deny\)|Not a local domain)$
        ^%(log_prefix)s Request from '[^']*' failed for '<HOST>(:\d+)?' \(.*\) - No matching endpoint found$
        ^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
        ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
        ^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
        ^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
        ^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
        ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
        ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$
        ^\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
ignoreregex =
# Author: Xavier Devlamynck, extended by Graham Barnett
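An added self-check (not part of the filter above or of fail2ban) that reproduces how fail2ban applies this file: it interpolates %(log_prefix)s, expands the <HOST> tag with fail2ban's own pattern and strips the timestamp, then runs two of the failregex lines over Asterisk-style log lines to confirm which source addresses would be counted. The log lines and addresses are constructed, not captured traffic.

```python
"""Offline check of the asterisk.conf failregex above: emulates fail2ban's
%(...)s interpolation, <HOST> expansion and timestamp stripping."""
import re

PID_RE = r"(?:\[\d+\])"
LOG_PREFIX = r"\[\]\s*(?:NOTICE|SECURITY)" + PID_RE + r":?(?:\[C-[\da-f]*\])? \S+:\d*"
# Two failregex lines from the filter, verbatim apart from the %(p)s placeholder.
FAILREGEX = [
    r"^%(p)s Request from '[^']*' failed for '<HOST>(:\d+)?' \(.*\) - No matching endpoint found$",
    r'^%(p)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",'
    r'EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",'
    r'SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",'
    r'RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?'
    r'(,ReceivedHash="[\da-f]+")?$',
]
# fail2ban's own expansion of the <HOST> tag (IPv4, IPv6 or hostname).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
COMPILED = [re.compile((rx % {"p": LOG_PREFIX}).replace("<HOST>", HOST_RE)) for rx in FAILREGEX]

# Constructed log lines in Asterisk's messages-file format (not real traffic).
SAMPLE_LOG = [
    "[2024-03-01 10:15:42] NOTICE[2311] res_pjsip/pjsip_distributor.c: Request from "
    "'\"1001\" <sip:1001@203.0.113.5>' failed for '198.51.100.23:5060' "
    "(callid: 7a1b2c3d@198.51.100.23) - No matching endpoint found",
    '[2024-03-01 10:15:43] SECURITY[2311] res_security_log.c: SecurityEvent="InvalidPassword",'
    'EventTV="1709288143-512",Severity="Error",Service="SIP",EventVersion="2",AccountID="1001",'
    'SessionID="0x7f3c5c0b8a10",LocalAddress="IPV4/UDP/203.0.113.5/5060",'
    'RemoteAddress="IPV4/UDP/198.51.100.77/5060",Challenge="1e4f3a2b",ReceivedChallenge="1e4f3a2b",'
    'ReceivedHash="d41d8cd98f00b204e9800998ecf8427e"',
    "[2024-03-01 10:15:44] NOTICE[2311] chan_sip.c: Peer '1002' is now Reachable. (12ms / 2000ms)",
]

def strip_date(line):
    """fail2ban removes the matched timestamp but keeps the brackets: '[] NOTICE...'."""
    return re.sub(r"^\[[^\]]*\]", "[]", line, count=1)

def match_host(line):
    """Host fail2ban would count a failure against for this line, or None if benign."""
    text = strip_date(line)
    for rx in COMPILED:
        m = rx.match(text)
        if m:
            return m.group("host")
    return None

def offenders(lines):
    """Hosts with at least one failregex hit, in log order (duplicates kept)."""
    return [h for h in map(match_host, lines) if h]
```

Against a live log, `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf` performs the same check with fail2ban's own engine.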
The following uses ipset rather than plain iptables rules, as ipset is much faster at matching large lists of banned addresses.
VOIP Blacklist
Protect yourself by preventing known bad VOIP sources from trying to access your VOIP server
VoIPBL is a distributed VoIP blacklist that aims to protect against VoIP fraud and minimize abuse on networks that have publicly accessible PBXs.
Please see VoIP Blacklist for how to install a block list of known bad IP addresses.