Hi guys,
I've followed this discussion about VoIP security closely, as I have my home
box open to the world (SIP; SSH is open on another box).
Since I have a few extensions in South America and want to be able to
connect from any box/anywhere, my approach to this was to:

1) SSH (obviously with a strong password set and root login disabled):
limit SSH connections to no more than 3 per 30 minutes, which gives me the
flexibility to connect from anywhere and stops the scanners out there, since
it will be really hard for them to break a password at this speed.
This is how I set it up in iptables:
# SSH (iptables-save format; the [0:0] prefix is the packet:byte counter)
# 1. Hosts on the LAN are accepted without any rate limiting.
[0:0] -A INPUT -i eth0 -s 10.1.1.0/24 -p tcp --dport 22 -j ACCEPT
# 2. Record the source of every new connection in the "SSH" recent list. The rule has
#    no target, so the packet continues down the chain; dropped attempts are counted too.
[0:0] -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
# 3. A source with 4 new connections within 1800 s (30 min) is logged. --update also
#    refreshes the source's entry on a match; --rttl additionally requires the packet's TTL
#    to match the one recorded at --set, so spoofed SYNs cannot lock out someone else's address.
[0:0] -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 1800 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_scan "
# 4. ...and dropped. Note that this rule uses an 18000 s (5 hour) window, wider than the
#    1800 s used for logging, so a 4th connection made between 30 minutes and 5 hours after
#    the first is dropped without a corresponding "SSH_scan" log line.
[0:0] -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 18000 --hitcount 4 --rttl --name SSH -j DROP
# 5. Everything else (the first three connections in the window) is accepted.
[0:0] -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

2) Return 404's for bad password (instead of 401), therefore making anyone
scanning SIP extensions think you don't have any available (and again,
strong passwords for SIP extensions):
in /etc/asterisk/sip_general_custom.conf add:
; Secure against SIP brute-force attacks
;alwaysauthreject=no   ; default: returns 401 for a bad password and 404 for an unknown extension
alwaysauthreject=yes   ; reject an unknown extension with the same response as a bad password,
                       ; so a scanner cannot tell which extensions exist

I know this is not perfect, but it has worked so far. It drastically reduced
the number of scans, and they now only loop through once and give up.

Rafael


On Sat, Aug 28, 2010 at 2:17 AM, Reza - Asterisk Consultant <[email protected]> wrote:

> I've been following some of the hacking posts.   To advise: this sort
> of Asterisk hack attempt and brute force attack (both SSH, but
> especially SIP 5060) is on the rise.  We deployed 4 test servers with
> unique IP addresses over the past 7 days, with 2 production servers
> (fortunately with iptables rules and Fail2Ban implemented).   Within
> literally a couple of hours of the machines going up, we immediately
> encountered brute force friendly-scanner type SIP attacks.
>
> There was one particular IP address, originating from a French dedicated
> server hosting company (www.ovh.fr), which was causing me about 10 MB
> of traffic per minute of pure SIP brute force.   Most attacks stop
> after they observe their IP has been banned, but this one was being
> particularly stubborn.    In about 24 hrs and after about 10 gigabytes
> of iptables packet drops from this IP, I picked up the phone, called
> the hosting company in France and they put a cork in it immediately.
> I was quite impressed that these guys in France suspended the culprit
> server after I submitted the logs.
>
> In a nutshell - this is what I have:
>
> a)  ZERO access to anonymous SIP calls.
> b)  Complex alphanumeric passwords for all SIP endpoints.
> c)  Complex SSH password, with iptables configured to reject SSH
> logins from an IP address after the 2nd attempt (for sysadmins only)
> d)  Only SIP and SSH services running on my platform
> e)  Fail2Ban / iptables blocking IP addresses for 15 minutes
> f)  Brute force attackers banned permanently in my iptables
> g)  China, South America, India and Israel IP address blocks completely
> banned.
>
> My brute force attacks used to rank highest from Israel and then from
> China.   Lately I'm beginning to see more attacks, usually giving up
> within a few minutes, from Western Europe.  This one attack from France was
> the most notorious of all.
>
> If you are running one of the GUI variants of Asterisk such as TrixBox,
> Elastix, ThirdLane and other similar front-ends, be warned that
> all default and dictionary-word type passwords are hacked within
> minutes and your server compromised in record time.    Before you have
> your services up and running, ensure that you change your default
> passwords immediately (otherwise you are asking for it and inviting
> problems).
>
> Having all 4 test servers and 2 production servers experiencing brute
> force SIP attacks within hours of deployment, I refuse to believe it's
> coincidence.  My conclusion from what I have observed over the past
> several months is that there are sniffers out there that sniff SIP
> ports 24/7.   Once they find SIP ports open, they brute force attack.
>  If you have firewall / iptables rules implemented, most give up
> within minutes.
>
> As a rule of thumb, what I am doing at my end is to ensure all my
> servers have IP Tables, Fail2Ban and related protection tools deployed
> before any voice services are deployed.
>
> I would like to hear how you protect your servers.
>
> Thank you,
> Reza.
>
>
> --
> Toronto based VoIP / Asterisk Trainer,
> I.T. Consultant and Hosted PBX Solutions Provider.
> +1-647-476-2067.
> http://www.linkedin.com/in/seminar
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
>


-- 
Rafael Carneiro, BEng
http://ca.linkedin.com/in/rcarneiro
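To see exactly what Rafael's SSH rule set does to a sequence of connection attempts, here is a small model of the xt_recent matches it relies on. This is an added example, not code from the original post: it reproduces the --set/--update/--seconds/--hitcount semantics of the iptables recent module on constructed connection events and never touches iptables. Two simplifications are assumed: --rttl is ignored (every packet is taken to carry the TTL recorded at --set), and the per-address stamp list is capped at 20 like the module default (ip_pkt_list_tot). The addresses are from documentation ranges.

```python
# Added example (not from the original post): a model of the xt_recent
# matches in the SSH rules above. Assumptions: --rttl ignored; stamp list
# capped at 20 entries (xt_recent default ip_pkt_list_tot).
from collections import defaultdict

STAMP_LIMIT = 20     # xt_recent default ip_pkt_list_tot
LOG_WINDOW = 1800    # --seconds on the LOG rule (30 minutes)
DROP_WINDOW = 18000  # --seconds on the DROP rule as posted (5 hours)
HITCOUNT = 4         # --hitcount 4: the 4th new connection in the window matches

LEGIT = "198.51.100.7"    # constructed sample addresses (documentation ranges)
SCANNER = "203.0.113.9"


class RecentTable:
    """One named list (``--name SSH``): source address -> packet timestamps."""

    def __init__(self):
        self.stamps = defaultdict(list)
        self.log = []  # (time, src) pairs the LOG rule would have written

    def _push(self, src, now):
        lst = self.stamps[src]
        lst.append(now)
        if len(lst) > STAMP_LIMIT:
            del lst[0]

    def set(self, src, now):
        """``--set``: record this packet for src; always matches."""
        self._push(src, now)

    def update(self, src, now, seconds, hitcount):
        """``--update --seconds S --hitcount H``: match if src already has at
        least H recorded packets in the last S seconds. On a match the current
        packet is recorded too, so a source that keeps retrying refreshes its
        own entry and stays blocked."""
        recent = [t for t in self.stamps.get(src, []) if now - t <= seconds]
        if len(recent) >= hitcount:
            self._push(src, now)
            return True
        return False


def ssh_chain(table, src, now, drop_window=DROP_WINDOW, lan_prefix="10.1.1."):
    """Walk one NEW SYN to tcp/22 through the posted INPUT rules, in order.
    Returns the verdict; LOG hits are appended to table.log."""
    if src.startswith(lan_prefix):                       # rule 1: LAN always accepted
        return "ACCEPT"
    table.set(src, now)                                  # rule 2: count the attempt
    if table.update(src, now, LOG_WINDOW, HITCOUNT):     # rule 3: -j LOG "SSH_scan "
        table.log.append((now, src))
    if table.update(src, now, drop_window, HITCOUNT):    # rule 4: -j DROP
        return "DROP"
    return "ACCEPT"                                      # rule 5


def simulate(events, drop_window=DROP_WINDOW):
    """events: (seconds, source_ip) pairs for NEW SYNs in time order.
    Returns one verdict per event plus the table for inspection."""
    table = RecentTable()
    verdicts = [ssh_chain(table, src, t, drop_window) for t, src in events]
    return verdicts, table


def scenario_quiet_then_retry(drop_window=DROP_WINDOW):
    """Three logins in a minute, a 4th right after, then one retry after the
    user has been quiet for a full 30-minute LOG window."""
    events = [(0, LEGIT), (10, LEGIT), (20, LEGIT), (30, LEGIT),
              (30 + LOG_WINDOW + 1, LEGIT)]
    return simulate(events, drop_window)[0]


def scenario_persistent_scanner():
    """A scanner knocking once a minute for an hour: blocked from the 4th SYN
    on and never unblocked, because every dropped SYN (and every retransmit
    of it) is still recorded by the --set rule and refreshes the entry."""
    events = [(t, SCANNER) for t in range(0, 2 * LOG_WINDOW, 60)]
    return simulate(events)[0]


if __name__ == "__main__":
    print("as posted (DROP window 18000 s):", scenario_quiet_then_retry())
    print("with DROP window 1800 s:        ", scenario_quiet_then_retry(LOG_WINDOW))
```

With the rules as posted, the retry after a 30-minute pause is still dropped, and silently (the LOG rule's window has expired, the DROP rule's has not); only with --seconds 1800 on the DROP rule does the chain behave as the "3 per 30 minutes" description says. The scanner scenario also shows why a locked-out legitimate user must stop trying entirely rather than keep retrying: the --set rule counts dropped SYNs too.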
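Reza's items e) and f) (a 15-minute Fail2Ban ban, then a permanent ban for sources that keep coming back) can be expressed as a small detector over Asterisk's own log. The following is an added example, not Fail2Ban's code and not from the thread: it parses chan_sip "Registration from ... failed for ..." NOTICE lines, counts failures per source in a sliding window, and issues temporary and then permanent bans. The thresholds (5 failures in 600 s) are assumed, typical jail values; the log lines are constructed for the example and the addresses are documentation ranges.

```python
# Added example (not Fail2Ban's code, not from the thread): a Fail2Ban-style
# ban policy for SIP brute force fed with chan_sip NOTICE lines. Thresholds
# are assumptions; sample log lines are constructed; IPs are documentation ranges.
import re
from collections import defaultdict, deque
from datetime import datetime

MAXRETRY = 5          # this many failures ...
FINDTIME = 600        # ... within this many seconds trigger a ban
BANTIME = 900         # 15-minute ban (Reza's item e)
PERMANENT_AFTER = 3   # the 3rd ban of the same source is permanent (item f)

# Matches "Registration from '...' failed for 'IP' - reason" (1.4/1.6 style) and
# the 1.8 variant "failed for 'IP:port'"; the text between the NOTICE tag and
# "Registration" is left loose because it differs between versions.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\].*?"
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.*)$"
)


def _to_seconds(ts):
    """Syslog-style stamp without a year -> seconds on a fixed scale."""
    return (datetime.strptime(ts, "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()


class SipBanPolicy:
    def __init__(self, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME,
                 permanent_after=PERMANENT_AFTER):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.permanent_after = permanent_after
        self.failures = defaultdict(deque)  # ip -> failure times still inside findtime
        self.ban_until = {}                 # ip -> time the ban lifts (inf = permanent)
        self.ban_count = defaultdict(int)   # ip -> bans issued so far
        self.actions = []                   # (time, ip, "ban" | "permanent")

    def is_banned(self, ip, now):
        return self.ban_until.get(ip, float("-inf")) > now

    def feed(self, line):
        """Process one log line. Returns None for lines that are not SIP auth
        failures, otherwise "counted", "ban", "permanent" or "already-banned"
        (a failure from a source the firewall should already be dropping)."""
        m = FAIL_RE.match(line)
        if not m:
            return None
        now, ip = _to_seconds(m["ts"]), m["ip"]
        if self.is_banned(ip, now):
            return "already-banned"
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:   # slide the window forward
            window.popleft()
        if len(window) < self.maxretry:
            return "counted"
        window.clear()                           # a new ban starts a fresh count
        self.ban_count[ip] += 1
        if self.ban_count[ip] >= self.permanent_after:
            self.ban_until[ip] = float("inf")
            action = "permanent"
        else:
            self.ban_until[ip] = now + self.bantime
            action = "ban"
        self.actions.append((now, ip, action))
        return action


def _line(ts, ext, ip, reason):
    """Build a constructed chan_sip NOTICE line in the 1.6 format."""
    return (f"[{ts}] NOTICE[2048] chan_sip.c: Registration from "
            f"'\"{ext}\" <sip:{ext}@192.0.2.10>' failed for '{ip}' - {reason}")


SCANNER, LEGIT = "203.0.113.5", "198.51.100.7"
SAMPLE_LOG = (
    # friendly-scanner style enumeration: one extension per second
    [_line(f"Aug 28 02:17:1{i}", 100 + i, SCANNER, "No matching peer found") for i in range(7)]
    # a real user mistyping a password twice, plus an unrelated line
    + [_line("Aug 28 02:20:00", 201, LEGIT, "Wrong password"),
       _line("Aug 28 02:20:30", 201, LEGIT, "Wrong password"),
       "[Aug 28 02:21:00] VERBOSE[2048] chan_sip.c: Really destroying SIP dialog"]
    # the scanner returns after the 15-minute ban has lifted, then twice more
    + [_line(f"Aug 28 02:33:0{i}", 110 + i, SCANNER, "No matching peer found") for i in range(5)]
    + [_line(f"Aug 28 03:00:0{i}", 120 + i, SCANNER, "No matching peer found") for i in range(5)]
    + [_line("Aug 28 03:30:00", 130, SCANNER, "No matching peer found")]
)


def run(lines):
    policy = SipBanPolicy()
    return policy, [policy.feed(line) for line in lines]


if __name__ == "__main__":
    policy, _ = run(SAMPLE_LOG)
    for when, ip, action in policy.actions:
        print(when, ip, action)
```

In a real deployment the "ban" and "permanent" actions would insert the iptables rule (the equivalent of Reza's Fail2Ban jail and his permanent ban list); here they are only recorded. The "already-banned" result is worth alerting on in its own right: once the firewall rule is in place, no further failures from that source should reach Asterisk at all, so seeing them means the ban action did not take effect.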
