Protecting your Asterisk / FreePBX Server using a host Firewall

Rules for a Free PBX Host Server

IP Tables rules

Protect yourself by only opening required ports (and limit brute force attempts at authenticating)

-A INPUT -p udp -m multiport --dports 5060,5061 -m set --match-set fail2ban-ASTERISK src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 5060,5061 -m set --match-set fail2ban-ASTERISK src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -m set --match-set voip_bl src -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m udp --dport 2727 -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p udp -m udp --dport 5060:5061 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 5060:5061 -j ACCEPT
-A INPUT -s known_external_proxy -p udp -m udp --dport 5060:5061 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "User-Agent: VaxSIPUserAgent" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "User-Agent: friendly-scanner" --algo bm --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --set --name VOIP --rsource
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIP --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --set --name VOIPINV --rsource
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIPINV --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5061 -m hashlimit --hashlimit-upto 6/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5061 -m hashlimit --hashlimit-upto 6/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p icmp -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 137 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 138 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 5038 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 58080 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 55050 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 514 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j ACCEPT

Note 1: Replace xxx.xxx.xxx.xxx/24 with your local network, e.g. 192.168.1.0/24, and known_external_proxy with the address of the external SIP proxy you allow in.

Note 2: -s xxx.xxx.xxx.xxx/24 ensures that even if you open that port by mistake on your public router, the server will not respond to public hosts; it will only respond to hosts on your intranet.

Note 3: Opening 5060:5061 to the public is only necessary if you need clients connecting to your system from the internet. If you can avoid this (e.g. because all your clients are local desk phones, or use VPNs), remove all the 5060:5061 public-access rules above and limit access to your intranet instead:

-A INPUT -s xxx.xxx.xxx.xxx/24 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/24 -p tcp -m tcp --dport 5060 -j ACCEPT
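Before loading a ruleset like the one above, it is worth checking mechanically that the only ACCEPT rules reachable from the internet are the ones you meant (rate-limited SIP, RTP, IAX2, MGCP and the web UI) and that INPUT still ends in a default DROP. The audit script below is added here and is not part of the original page; it parses rules in the iptables-save format used above, and its embedded ruleset is a constructed excerpt with xxx.xxx.xxx.xxx/24 filled in as 192.168.1.0/24 and one deliberate mistake (the Asterisk AMI port 5038 accepted without the -s restriction from Note 2) so the check has something to report.

```python
import shlex

# Constructed excerpt of the ruleset above (xxx.xxx.xxx.xxx/24 -> 192.168.1.0/24)
# with one deliberate mistake: AMI port 5038 is accepted without -s intranet.
RULES = """
-A INPUT -m set --match-set voip_bl src -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5061 -m string --string "User-Agent: friendly-scanner" --algo bm --to 65535 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 5060:5061 -m hashlimit --hashlimit-upto 6/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5038 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j ACCEPT
"""

# Services the page deliberately exposes to the internet (rate-limited SIP, RTP,
# IAX2, MGCP, web UI); every other ACCEPT must carry -s <intranet>.
ALLOWED_PUBLIC = {("udp", "10000:20000"), ("udp", "2727"), ("udp", "4569"),
                  ("udp", "5060:5061"), ("tcp", "5060:5061"),
                  ("tcp", "80"), ("tcp", "443")}


def parse_rule(line):
    """Pick out the options that decide who may reach which port."""
    toks = shlex.split(line)
    rule = {"chain": None, "proto": None, "src": None, "iface": None,
            "ports": None, "target": None, "stateful": False}
    keys = {"-A": "chain", "-p": "proto", "-s": "src", "-i": "iface",
            "--dport": "ports", "--dports": "ports", "-j": "target"}
    for i, tok in enumerate(toks):
        if tok in keys:
            rule[keys[tok]] = toks[i + 1]
        elif tok == "--state":  # -m state ...: reply traffic, not a listening port
            rule["stateful"] = True
    return rule


def audit(rules_text, allowed_public=ALLOWED_PUBLIC):
    """Return (public ports outside the allow list, whether INPUT ends in DROP)."""
    inputs = [r for r in map(parse_rule, rules_text.strip().splitlines())
              if r["chain"] == "INPUT"]
    exposed = [(r["proto"], r["ports"]) for r in inputs
               if r["target"] == "ACCEPT" and r["ports"] and r["src"] is None
               and r["iface"] != "lo" and not r["stateful"]
               and (r["proto"], r["ports"]) not in allowed_public]
    default_drop = inputs[-1]["target"] == "DROP" and inputs[-1]["ports"] is None
    return exposed, default_drop
```

Run it against the output of iptables-save (or the file you feed to iptables-restore) after filling in your real network; an empty exposed list and a True default-drop flag is the expected result for the ruleset above.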


Port Names

Name                             Port    Group
sip                              5060    VOIP
sip-t                            5061    VOIP
netbios-ns                       137     Samba
netbios-dg                       138     Samba
netbios-ss                       139     Samba
microsoft-ds                     445     Samba
webmin                           10000   webmin
ssh                              22      ssh
http                             80      web
ntp                              123     time
https                            443     web
syslog                           514     syslog
iSymphony                        58080   iSymphony
iSymphony                        55050   iSymphony
Media Gateway Control Protocol   2727    MGCP
Asterisk API                     5038    Asterisk
IAX2                             4569    Asterisk

Fail 2 Ban

Protect yourself by preventing probes and brute force attacks

Install fail2ban and ipset on Ubuntu:

apt-get install fail2ban ipset


The following extends the original Fail2Ban with iptables and Asterisk filter, updated to catch some extra port scans and probes and to use ipset.

Please refer to that article for background notes.


/etc/fail2ban/filter.d/asterisk.conf

# Fail2Ban filter for asterisk authentication failures
#

[Definition]

__pid_re = (?:\[\d+\])

# All Asterisk log messages begin like this:
log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*

failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' \(.*\) - (Wrong password|No matching peer found|Username\/auth name mismatch|Device does not match ACL|Peer is not supposed to register|ACL error \(permit\/deny\)|Not a local domain)$
            ^%(log_prefix)s Request from '[^']*' failed for '<HOST>(:\d+)?' \(.*\) - No matching endpoint found$
            ^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
            ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$
            ^\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? Ext\. s: "Rejecting unknown SIP connection from <HOST>"$

ignoreregex =

# Author: Xavier Devlamynck, extended by Graham Barnett
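A filter that silently matches nothing bans nobody, so it pays to exercise the regexes against known log lines before relying on them. The harness below is added here (not part of the original page and not fail2ban's own code): it expands the %(log_prefix)s, %(__pid_re)s and <HOST> placeholders the way fail2ban does, runs three of the failregex lines above over constructed log lines (timestamps already replaced by "[]", as fail2ban does before matching), and counts failures per source host.

```python
import re

# Building blocks copied from the filter above. fail2ban cuts the timestamp
# out of every line before matching and leaves "[]" there, hence the \[\].
PID_RE = r"(?:\[\d+\])"
LOG_PREFIX = r"\[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*"

# Three of the filter's failregex lines, verbatim.
FAILREGEX = [
    r"^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' \(.*\) - (Wrong password|No matching peer found|Username\/auth name mismatch|Device does not match ACL|Peer is not supposed to register|ACL error \(permit\/deny\)|Not a local domain)$",
    r"^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$",
    r'^\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? Ext\. s: "Rejecting unknown SIP connection from <HOST>"$',
]

# What fail2ban substitutes for <HOST>: a named group called "host".
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed log lines shaped to the patterns above, timestamps already
# replaced by "[]"; the last line is a normal event and must not match.
SAMPLE_LOG = [
    "[] NOTICE[2215] chan_sip.c: Registration from '\"100\" <sip:100@10.0.0.5>' "
    "failed for '203.0.113.7:5060' (callid: 1a2b) - Wrong password",
    "[] NOTICE[2215] chan_iax2.c: Host 203.0.113.7 failed to authenticate as 'trunk'",
    '[] WARNING[2215]: Ext. s: "Rejecting unknown SIP connection from 198.51.100.9"',
    "[] NOTICE[2215] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)",
]


def compile_filter(patterns):
    """Expand the fail2ban placeholders and compile each failregex."""
    compiled = []
    for pat in patterns:
        pat = pat.replace("%(log_prefix)s", LOG_PREFIX)
        pat = pat.replace("%(__pid_re)s", PID_RE)  # after log_prefix, which uses it
        pat = pat.replace("<HOST>", HOST_RE)
        compiled.append(re.compile(pat))
    return compiled


def offending_hosts(log_lines, patterns=FAILREGEX):
    """Return {host: failures}, the count fail2ban compares against maxretry."""
    regexes = compile_filter(patterns)
    hits = {}
    for line in log_lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
                break
    return hits
```

On a live system the same check over a real log is `fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf`, which reports how many lines each failregex matched.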


The following uses ipset rather than plain iptables rules, as ipset is much faster at matching large lists of banned addresses.


VOIP Blacklist

Protect yourself by preventing known bad VOIP sources from trying to access your VOIP server

VoIPBL is a distributed VoIP blacklist that aims to protect against VoIP fraud and to minimise abuse on networks that have publicly accessible PBXs.

Please see VoIP Blacklist for how to install a block list of known bad ip addresses.
