Philip and Cleve,

Thank you for your comments and suggestions.

I would agree there are many useful ways to block a successful dictionary 
attack - presuming everything is working properly and configured correctly.  
Unfortunately, the uninvited port 5060 traffic makes me wonder if that's a safe 
presumption - at least with my present setup.

I'll continue tinkering and share any findings.

Cordially,

Dan

-----Original Message-----
From: "Cleve Jansen" <clev...@gmail.com>
Sent: Wednesday, October 13, 2010 7:45pm
To: "'AstLinux Users Mailing List'" <astlinux-users@lists.sourceforge.net>
Subject: Re: [Astlinux-users] Firewall Question

Dan,

What you are seeing is SIP hacking: they have run a scan on your IP and
found port 5060 open, so they are attempting to register a SIP device
on your setup so they can make very expensive calls.

I know AstLinux does not support this, but in my normal installs I use
fail2ban plus CSF (Config system firewall), which keeps this sort of thing
away as it is on the rise. If you do a search on Google for "sip hacking" you
will find some interesting information.

What I would do in your case, as you have a remote extension: is this
extension on a static IP? If so, you could add the following to that
extension.

Example

deny=0.0.0.0/0.0.0.0
permit=your.remote.static.ip/255.255.255.0

Additionally, in sip.conf you can add the following too; sometimes, if the
remote extension is not on a static IP, I use this.

alwaysauthreject=yes
allowguest=no

The above are a few things I implement, and also a few others, where I cannot
add fail2ban or CSF.

Hope this helps.

Good Luck!!

Cleve
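
Added example (not from the list, nor from AstLinux or Asterisk): a small Python checker for the sip.conf settings Cleve mentions. It parses a constructed sip.conf (placeholder addresses from the documentation range) and flags a missing alwaysauthreject=yes, allowguest left at its default, and any permit= whose mask covers more than one host. Note that a /255.255.255.0 mask, as in the example above, admits the whole /24, so a single static IP should use /255.255.255.255 (or /32).

```python
import ipaddress
import re
# Constructed sip.conf in the shape Cleve describes: one remote peer locked to a
# static address. The /255.255.255.0 mask is kept on purpose so the checker has
# something to flag (it admits 256 hosts, not one). Addresses are placeholders.
SAMPLE_SIP_CONF = """\
[general]
allowguest=no

[2001]
type=friend
secret=placeholder-secret
deny=0.0.0.0/0.0.0.0
permit=203.0.113.10/255.255.255.0
"""

def parse_sip_conf(text):
    """Return {section: [(key, value), ...]} for an ini-style sip.conf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop Asterisk ';' comments
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def audit_sip_conf(text):
    """Return findings for the settings discussed in this thread."""
    sections = parse_sip_conf(text)
    general = dict(sections.get("general", []))
    findings = []
    # chan_sip defaults assumed here: alwaysauthreject=no, allowguest=yes.
    if general.get("alwaysauthreject", "no").lower() != "yes":
        findings.append("general: alwaysauthreject is not yes")
    if general.get("allowguest", "yes").lower() != "no":
        findings.append("general: allowguest is not no")
    for name, items in sections.items():
        if name == "general":
            continue
        for key, value in items:
            if key == "permit":
                net = ipaddress.ip_network(value, strict=False)  # CIDR or netmask
                if net.num_addresses > 1:
                    findings.append(f"{name}: permit={value} covers {net.num_addresses} hosts")
    return findings
```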

-----Original Message-----
From: Dan Ryson [mailto:d...@ryson.org] 
Sent: Thursday, 14 October 2010 9:02 AM
To: astlinux-users@lists.sourceforge.net
Subject: Re: [Astlinux-users] Firewall Question


On 10/13/2010 3:34 PM, Philip Prindeville wrote:
> On 10/13/10 7:44 AM, Lonnie Abelbeck wrote:
>> On Oct 13, 2010, at 9:15 AM, Dan Ryson wrote:
>>
>>> All,
>>>
>>> I wonder if I may, once again, ask for your help.
>>>
>>> Using the GUI to configure the firewall, my intent was to open only one
>>> "Source IP" to port 5060, for an off-site IP phone.  I'm depending on
>>> frequent & regular registration traffic to keep port 5060 open to
>>> providers.  Despite this, I see the occasional registration attempt from
>>> elsewhere, as shown below.
>>>
>>> Oct 13 04:23:36 sip local0.notice asterisk[2776]: NOTICE[2776]:
>>> chan_sip.c:16474 in handle_request_register: Registration from
>>> '"1010161682"<sip:1010161...@169.25.161.29>' failed for '140.117.176.226' -
>>> No matching peer found
>>>
>>> So, with all other source IPs closed to port 5060, how might a
>>> registration request from '140.117.176.226' be reaching Asterisk?
>>>
>>> The only thing that looked a bit suspicious in iptables is this:
>>>
>>> Chain EXT_INPUT_CHAIN (2 references)
>>> target     prot opt source               destination
>>> ACCEPT     udp  --  anywhere             anywhere            udp dpts:5060:5080
>>>
>>> However, it looks like the above is merely the result of settings in the
>>> SIP-VOIP plugin, which specifies ports 5060:5080.  When disabling
>>> SIP-VOIP, the above entry goes away.
>>>
>>> Your thoughts?
>>>
>>> Thanks for considering my question.
>>>
>>> Dan
>> Don't enable the sip-voip plugin. :-)
>>
>> The sip-voip plugin may have its place (it basically automatically
>> opens the RTP voice ports), but I personally don't enable it.
>>
>> So, if you disable the sip-voip plugin you will need to allow a UDP range
>> matching your Asterisk rtp.conf range (make it smaller than the default).
>>
>> Or, keep the sip-voip plugin enabled and also enable the adaptive-ban
>> plugin to ban the attack probes.
>>
>> Lonnie
>>
>> PS: A better long term solution would be to add a SIP_VOIP_SOURCE="0/0"
>> variable to the sip-voip plugin, so you can limit by the source address...
>> I'll try to get that in the next version of AIF.
> That would be redundant.
>
> There's already a generic way to limit UDP traffic to the firewall.
> Adding a second method to do the same would create ambiguity and confusion.
>
> All the sip plugin does--all it's supposed to do--is maintain a NAT hole
> for the SDP (media) stream open based on the information it sees in the SIP
> transactions (since the SDP endpoints talk to each other, but the SIP stream
> goes through one or more intermediaries).
>
> Given the asymmetry of SIP to SDP, you can't have SDP maintain its own
> associations in NAT, especially not if you use short timers and VAD or
> muting.
>
> The SIP plugin is a hook for a NAT helper.  Period.  It doesn't do access
> control because it doesn't need to.
>
> Dan: I'd try using $HOST_OPEN_UDP.  The interface is your $EXTIF.  The
> source-ip is whatever source address you want, the destination port is 5060.
>
> Also, in sip-voip.conf, set:
>
> SIP_VOIP_PORTS="5060"
>
> You only need additional ports if your Asterisk is listening on alternate
> ports, which it probably isn't.
>
> Lonnie: I might have stepped out of Astlinux, but not from AIF.  Please
> don't be modifying my plugins without my consent.
>
> -Philip

Hello Philip,

Thank you for the explanation regarding the sip plugin.

Just for some background, the problem I'm trying to solve relates to 
uninvited SIP traffic that I'm having difficulty explaining.  
Adaptive-ban kills off any uninvited guests in a short time but I would 
prefer the firewall to be my first line of defense - and have 
adaptive-ban serve as a safety-net.  Perhaps that's not the best 
approach.  I hope you (and anyone else who may wish to chime in) won't 
hesitate to correct me if you disagree.

At present, only a single IP phone, which is on a fixed IP, needs access 
to Asterisk, so I've opened only port 5060 for that distant, fixed 
address.  I'm also using a route-able IP address on the AstLinux WAN 
port so I'm not sure that I'll need any help with NAT.

Since much of this is over my head, I'm not certain how to troubleshoot 
this apparent problem.  Therefore, I'm thankful that you and Lonnie have 
both volunteered to help me solve this problem.  Please consider that 
there's a good chance I've fat-fingered something and caused the 
troubles myself.

With kind regards,

Dan
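
As an added example (not from the list, and not the adaptive-ban or fail2ban code itself), this is the kind of detection logic those tools apply to the chan_sip line Dan quoted: parse REGISTER failures from syslog lines and report source addresses that pile up failures inside a short sliding window, which is the point at which a firewall rule would be added for them. The log lines, addresses and thresholds are constructed for the example, and the year is an assumption because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in the format Dan quoted (syslog prefix + chan_sip
# NOTICE). Addresses are from documentation ranges, not the ones in the thread.
SAMPLE_LOG = """\
Oct 13 04:23:36 sip local0.notice asterisk[2776]: NOTICE[2776]: chan_sip.c:16474 in handle_request_register: Registration from '"1010161682"<sip:1010161682@192.0.2.29>' failed for '198.51.100.226' - No matching peer found
Oct 13 04:23:37 sip local0.notice asterisk[2776]: NOTICE[2776]: chan_sip.c:16474 in handle_request_register: Registration from '"1010161683"<sip:1010161683@192.0.2.29>' failed for '198.51.100.226' - No matching peer found
Oct 13 04:23:38 sip local0.notice asterisk[2776]: NOTICE[2776]: chan_sip.c:16474 in handle_request_register: Registration from '"1010161684"<sip:1010161684@192.0.2.29>' failed for '198.51.100.226' - No matching peer found
Oct 13 04:23:39 sip local0.notice asterisk[2776]: NOTICE[2776]: chan_sip.c:16474 in handle_request_register: Registration from '"2001"<sip:2001@203.0.113.10>' failed for '203.0.113.10' - Wrong password
Oct 13 05:10:00 sip local0.notice asterisk[2776]: NOTICE[2776]: chan_sip.c:16474 in handle_request_register: Registration from '"1010161685"<sip:1010161685@192.0.2.29>' failed for '198.51.100.226' - No matching peer found
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*handle_request_register: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[\d.]+)' - (?P<reason>.*)$"
)

def parse_failures(text, year=2010):
    """Return (timestamp, source_ip, reason) for each failed REGISTER line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            # syslog timestamps carry no year; the caller supplies it (assumed 2010)
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["reason"]))
    return events

def offenders(events, max_failures=3, window_seconds=60):
    """Map source IP -> peak failure count for IPs that reach max_failures
    failed registrations inside any window_seconds-wide sliding window."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= max_failures:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```

The single "Wrong password" failure from the legitimate peer stays below the threshold, while the scanner's burst of "No matching peer found" lines is what gets flagged.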




------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today.
http://p.sf.net/sfu/beautyoftheweb
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to
pay...@krisk.org.

