James, thank you for this script.  Over the last week or so I have been
repeatedly hit by attempted fraudulent calls so I decided to implement a
script similar to yours.  I decided to be a little more generous than
you... giving the caller one attempt to get it right before blocking their
IP address.  So I only block if two calls from the same IP within 60
seconds are invalid.  I also found that if you add the IP to the firewall
before you play the message, then the message will not be heard, so I
needed to modify your script to take care of that as well.  Also, I don't
persist blocks between reboots/restarts... but I do keep a record of the IP
in the AstDB.

Here is what I ended up with...

[default]
exten => _X.,1,Goto(reject-invalid,${EXTEN},1)
exten => h,1,Hangup()

[reject-invalid]
; Tell caller that number dialed is invalid.
; If same IP address makes two invalid calls within 60 seconds then block
; their IP
exten => _X.,1,Set(BANNOW=0)
     same => n,Wait(1)
     same => n,Answer()
     same => n,Set(BANIP=${SIPCHANINFO(recvip)})
     same => n,Log(WARNING,Attempted invalid call to ${EXTEN} from ${BANIP})
     same => n,GotoIf(${DB_EXISTS(banip/${BANIP})}?found)
; This is a new IP address not seen before. Remember it.
     same => n(reject),Set(DB(banip/${BANIP})=${EPOCH})
     same => n,Zapateller()
     same => n,Playback(the-number-u-dialed)
     same => n,SayDigits(${EXTEN})
     same => n,Playback(has-been-disconnected&or&no-longer-in-service)
     same => n,Playback(check-number-dial-again)
     same => n,Congestion(5)
; Need to wait until after message played to add IP to firewall block. Else
; caller will not hear message.
     same => n,ExecIf($[${BANNOW}]?System(iptables -A ADAPTIVE_BAN_CHAIN -p udp -s ${BANIP} -j ADAPTIVE_BAN_DROP_CHAIN))
     same => n,Hangup()
; This IP has been seen before. See if within 60 seconds of previous
; attempt.
     same => n(found),Set(BANNOW=$[${MATH(${EPOCH}-${DB_RESULT},i)} < 60])
     same => n,GoTo(reject)
; If caller hangs up before message completes, add IP to firewall block if
; necessary.
exten => h,1,ExecIf($[${BANNOW}]?System(iptables -A ADAPTIVE_BAN_CHAIN -p udp -s ${BANIP} -j ADAPTIVE_BAN_DROP_CHAIN))
     same => n,Hangup()




On Sun, Mar 4, 2012 at 10:13 AM, James Babiak <ja...@routed.com> wrote:

> As with any service exposed to the Internet on an open port, you will be
> scanned/poked/prodded/etc. all the time. With VoIP becoming ever more
> prominent in homes and businesses, which have a tendency to be
> mis-configured and vulnerable, it will only get worse. You have a few
> options to try and mitigate this:
>
> 1) Ensure that the service is as secure as possible (ie: kept up to
> date/patched), utilize strong passwords and make sure that your dialplan
> can't be circumvented.
> 2) Set up firewall rules to only permit traffic to be accepted on those
> ports from known/trusted hosts. If you don't have a need for remote hosts
> to connect to your box on UDP5060, you can block it from being accessible.
> 3) Assuming you control the remote devices, you can try changing the port
> to something less common.
> 4) Configure your box with a script/program, or utilize the Asterisk
> dialplan, to function as a VoIP IDS/IPS system. This is what I do. If a
> call comes into the default context and goes to an invalid extension, it
> will immediately blacklist the host from being able to attempt to connect
> in the future. So unless the call comes in under one of the DIDs I own, or
> a pre-configured destination (ie: james@, conf@, etc.), the caller will
> be blacklisted. The last part of my dialplan for that context is:
> exten => _X.,1,Progress()
> exten => _X.,n,Gosub(store-cid,s,1)
> exten => _X.,n,Set(CDR(userfield)=${EXTEN})
> exten => _X.,n,Notify(${CALLERID(num)}|${CALLERID(name)}|${EXTEN}0/172.20.0.100)
> exten => _X.,n,Wait(1)
> exten => _X.,n,Answer()
> exten => _X.,n,Set(BANIP=${SIPCHANINFO(recvip)})
> exten => _X.,n,NoOp(IP is ${BANIP})
> exten => _X.,n,System(echo ${BANIP} >> /mnt/kd/banlist)
> exten => _X.,n,System(iptables -A ADAPTIVE_BAN_CHAIN -p udp -s ${BANIP} -j ADAPTIVE_BAN_DROP_CHAIN)
> exten => _X.,n,Zapateller()
> exten => _X.,n,Playback(the-number-u-dialed)
> exten => _X.,n,SayDigits(${EXTEN})
> exten => _X.,n,Playback(has-been-disconnected&or&no-longer-in-service)
> exten => _X.,n,Playback(check-number-dial-again)
> exten => _X.,n,Congestion(5)
> exten => _X.,n,Hangup()
>
> It will immediately add an iptables rule to block udp traffic from that
> host, as well as add them into a list (which gets processed by a start-up
> script) to add them back in after a reboot. After about a year, I have 157
> entries in this list. While it doesn't prevent the initial pass of an
> attack, it ensures that they never get another whack at it, at least from
> the same IP. Since 99% of these attacks are automated and scripted, as
> opposed to a manual and dedicated direct attack, it will take care of
> eliminating all but the most serious attacker. Since my dialplan is already
> locked down pretty tightly, the scans themselves would never actually
> successfully place a call, but it helps keep my logs/cdrs looking clean.
>
> Since the attacker is trying to place calls to (and through) your box, as
> opposed to trying to register as a peer, the adaptive ban plugin won't
> catch it. I do use that as well, but for the account scanners, which seems
> to be fairly rare in comparison to the former.
>
> -James
>
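Added example, not code from either message in this thread: a Python replay of the two ban policies above over a constructed Asterisk-style log, so the reply's "second invalid call from the same IP within 60 seconds" rule and James's ban-on-first-call rule can be checked offline before they touch a firewall. The log line layout, the sample addresses and the function names are assumptions; the iptables rule text and the AstDB-style last-seen bookkeeping are the ones the dialplans above use.

```python
"""Offline replay of the ban logic in this thread (added example).
Parses constructed Asterisk-style log lines carrying the message the
reply's Log(WARNING,...) step emits and decides when the iptables rule
from the dialplans would have been added."""
import ipaddress
import re
from datetime import datetime

# Constructed sample log (not from the page). The timestamp layout is an
# assumption; the message text matches the reply's Log() line.
SAMPLE_LOG = """\
[2012-03-05 10:00:00] WARNING[1234] Attempted invalid call to 900011972 from 198.51.100.7
[2012-03-05 10:00:20] WARNING[1235] Attempted invalid call to 900011973 from 198.51.100.7
[2012-03-05 10:00:30] WARNING[1236] Attempted invalid call to 1000 from 203.0.113.9
[2012-03-05 10:02:00] WARNING[1237] Attempted invalid call to 1001 from 203.0.113.9
[2012-03-05 10:02:10] WARNING[1238] Attempted invalid call to 1002 from 203.0.113.9
[2012-03-05 10:05:00] WARNING[1239] Attempted invalid call to 2000 from 192.0.2.44
[2012-03-05 10:06:00] WARNING[1240] Attempted invalid call to 2001 from 192.0.2.44
"""

LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*Attempted invalid call to (?P<exten>\S+) from (?P<ip>\S+)\s*$"
)


def parse_log(text):
    """Yield (timestamp, extension, ip) for each matching line; others are ignored."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["exten"], m["ip"]


def decide_bans(text, window=60, ban_on_first=False):
    """Replay the log; return [(ip, timestamp), ...] in the order the rule is added.

    ban_on_first=True  : James's dialplan, every invalid call bans the source.
    ban_on_first=False : the reply's dialplan, ban only when the same IP made
                         another invalid call less than `window` seconds earlier.
    """
    last_seen = {}  # stands in for the AstDB family banip/<ip> -> ${EPOCH}
    banned = []
    for ts, _exten, ip in parse_log(text):
        if any(ip == b[0] for b in banned):
            # Once the drop rule exists the host can no longer reach Asterisk,
            # so a live system would not log this line; skip it on replay.
            continue
        if ban_on_first:
            ban_now = True
        else:
            ban_now = ip in last_seen and (ts - last_seen[ip]).total_seconds() < window
        last_seen[ip] = ts  # the reject label re-stamps the DB entry on every call
        if ban_now:
            banned.append((ip, ts.strftime("%Y-%m-%d %H:%M:%S")))
    return banned


def iptables_rule(ip):
    """The rule both dialplans run via System(). The value is validated as an
    IP address first: SIPCHANINFO(recvip) is socket-derived, but rejecting
    anything that is not an address costs nothing and keeps shell
    metacharacters out of the command line."""
    ipaddress.ip_address(ip)  # raises ValueError for anything that is not an IP
    return f"iptables -A ADAPTIVE_BAN_CHAIN -p udp -s {ip} -j ADAPTIVE_BAN_DROP_CHAIN"


def restore_commands(banlist_text):
    """Commands a start-up script would run to re-apply James's persisted list
    (one IP per line, as written by 'echo ${BANIP} >> /mnt/kd/banlist').
    Blank and duplicate lines are dropped so each host gets exactly one rule."""
    seen = set()
    cmds = []
    for line in banlist_text.splitlines():
        ip = line.strip()
        if ip and ip not in seen:
            seen.add(ip)
            cmds.append(iptables_rule(ip))
    return cmds


if __name__ == "__main__":
    for ip, when in decide_bans(SAMPLE_LOG):
        print(when, iptables_rule(ip))
```

With the sample log, the 60-second policy bans 198.51.100.7 on its second call (20 s apart) and 203.0.113.9 only on its third (the second came 90 s after the first, which resets the stored timestamp), while 192.0.2.44, whose two calls are exactly 60 s apart, is never banned because the dialplan tests `< 60`. Switching `ban_on_first=True` gives one rule per address at its first call, which is James's behaviour.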
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users