How to block these random attacks on my Asterisk server

As we can see, these are random attack logs.
Due to this problem, my server doesn't work correctly.
How can I block these random attacks?

please help me

Do you have any offsite users not accessing through your own VPN? If not, don’t let in any SIP from anyone other than your service provider.

If users call in from anywhere in the world, and you cannot use a VPN, changing the port number to something completely different from 5060, will reduce the level of attack, and so will the use of TCP, or even better, TLS. Currently TLS doesn’t have to be operated particularly well, but that may change.

If you don’t have users in high phone fraud risk countries, you can block the network addresses of the ISPs in those countries, or white list those in the countries of legitimate users.

You can also use adaptive firewall software, like fail2ban, that will add temporary block rules to addresses making failed attempts, to rate limit the attack, outside of Asterisk itself.

However, attacks using REGISTER are strange, so this is more likely to be a misconfiguration on the remote system.

I don’t really understand how this is making your system not work well. The usual concern isn’t the volume but they may be lucky and find a weak password, or misconfiguration, which allows them to make premium rate calls using destinations they own.
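The fail2ban approach mentioned above, reduced to its detection core as an added example (not code from the original thread or from fail2ban itself): parse Asterisk security-log lines, count failed authentication events per remote address, and ban an address once it reaches `maxretry` failures inside `findtime` seconds, with an `ignoreip` list so your own address is never banned. The log lines are constructed samples in the shape of Asterisk's security log; the addresses, account names and thresholds are assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Asterisk's security log (not captured traffic).
SAMPLE_LOG = """\
[2024-03-01 10:00:01] SECURITY[2345] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="PJSIP",AccountID="6000",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5090"
[2024-03-01 10:00:02] SECURITY[2345] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="PJSIP",AccountID="1001",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5090"
[2024-03-01 10:00:03] SECURITY[2345] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="PJSIP",AccountID="100",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5090"
[2024-03-01 10:00:10] SECURITY[2345] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="PJSIP",AccountID="alice",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
[2024-03-01 10:00:20] SECURITY[2345] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="PJSIP",AccountID="alice",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
[2024-03-01 10:00:30] SECURITY[2345] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="PJSIP",AccountID="101",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5090"
[2024-03-01 10:00:31] SECURITY[2345] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="PJSIP",AccountID="102",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5090"
[2024-03-01 10:30:00] SECURITY[2345] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="PJSIP",AccountID="alice",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
"""

FAIL_EVENTS = {"InvalidAccountID", "ChallengeResponseFailed", "InvalidPassword", "FailedACL"}  # auth failures

LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] SECURITY\[\d+\] .*?'
    r'SecurityEvent="(?P<event>[^"]+)".*?'
    r'RemoteAddress="IPV[46]/(?:UDP|TCP|TLS|WS|WSS)/(?P<ip>[^/"]+)/\d+"'
)

def parse_failures(log_text):
    """Return [(timestamp, remote_ip, event)] for every failed-auth security event."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("event") in FAIL_EVENTS:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            found.append((ts, m.group("ip"), m.group("event")))
    return found

def offenders(failures, maxretry=5, findtime=600, ignoreip=()):
    """Map ip -> ban time for IPs with maxretry failures inside findtime seconds (fail2ban semantics)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for ts, ip, _event in sorted(failures):
        if ip in banned or ip in ignoreip:   # already banned, or on the ignore list
            continue
        hits = [t for t in recent[ip] if ts - t <= window] + [ts]   # keep only the sliding window
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned[ip] = ts.isoformat(sep=" ")
    return banned

def ban_report(log_text, **kw):
    """Parse the log and return the ban decisions, e.g. ban_report(SAMPLE_LOG)."""
    return offenders(parse_failures(log_text), **kw)
```

In fail2ban terms the real filter and jail do the same job; the point of the example is that the ban is a function of the failure count per address inside the time window, which is why a botnet spreading attempts over many addresses, as noted later in the thread, slips under it.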

It is actually normal. There have been a lot of INVITE and REGISTER attempts since I put a server on public. I also see a lot of attempts to blind-dial and SQL injection attempts.

Of course…the only way to tell is to look at what IP is making the request. Mine started getting hammered the minute I booted it up; long before any remote system was trying to connect to it. So the fact he’s seeing REGISTER spam is normal, sadly.

As stated, you can move the port off 5060. They will only scan known ports; so moving it off 5060 means they stop looking.

You can also set up fail2ban rules that will ban these. But…honestly…the number of IPs that do this means it will be doing nothing but logging and blocking IPs. The other solution is to use an IP Blacklist. This is a list of known bad actors that get inserted into your server's iptables.

I go with both a blacklist and no longer using numerical SIP IDs. Most of the numbers are defaults from configurations or commonly used ones. Like I see a lot of attempts at 6000…since 6000 is used in the example configs.

There are two blacklist services you can use; the first is apiban.org - I see them on Twitter and they run a good curated list. They have a client that will automatically update everything for you.

I personally use something called VoIPBlacklist (voipbl.org), but that is a bit more involved to set up. You have to go in and modify some config files on your own; but the end result is it updates every 4 hours and mine is set to permanent bans. VoIPBL is crowd-sourced; whenever fail2ban catches someone not on the list, they get added to the list.

You have to be careful though. I screwed up a SIP Trunk configuration and found myself locked out of my own server due to getting banned. I solved this by adding my IP address to fail2ban’s ignore.

I have documented how I set mine up; which includes a slightly modified better-running update script. (Mods: I have only posted this as it’s relevant to the OP’s problem. No self-promotion intended)


I’m not sure I’d call it spam. It is generally toll fraud, not advertising. I’m surprised there is much use of REGISTER as SIP doesn’t require registration to do what the fraudsters want, and I think most systems don’t require it. Asterisk, with chan_sip and type=peer, would require it, but naive users of chan_sip tend to use type=friend, and chan_pjsip doesn’t have the equivalent of registering followed by IP authentication. chan_sip, as normally used, and chan_pjsip, can be attacked with INVITE, directly, if passwords are weak.


Saying ‘I wrote this and it works for me’ is perfectly legit.

When you put a dollar sign on it you’re in ‘asterisk-biz’ territory.

I’m guilty of calling all unwarranted junk “spam”.

I think it’s all related to the fact they’re script-kiddies using Kali and Sipvicious or some other “out-of-the-box” scanning/“security” tool.

I’ve been in a lot of places that it hasn’t. I’ll always err on the side of caution.

This is a falsehood. They scan more than 5060 because there is 20 years of Internet posts that say don't use 5060. This also isn't 10 years ago when resources were limited, unlike today. I see them scanning all sorts of ports for SIP these days.

Fine…maybe they are. I only concern myself with what comes through the firewall.

Don’t agree. Since we moved our servers off 5060 (same for the SSH port) we have seen a huge decrease in the amount of scans.

Another solution would be to use IP geolocation.

A decrease in the amount of scans is not a stopping of the scans. I never said that changing from 5060 wouldn’t reduce the amount of traffic; I said that moving from 5060 doesn’t mean it stops all the traffic, since they scan more than 5060. So sure, you move from 5060 and see an 85% decrease in scans, but that still leaves you with the 15% to deal with.

The biggest open source PBX, FreePBX, started using 5160 about 7 years ago. As of today 5160 is now second to the amount of scans 5060 has that I’ve seen. Why? Because the biggest open source PBX project had it as a well used SIP port and they (bad actors) figured it out.

Normally, attackers make mass requests from each IP, so you can use iptables or fail2ban to block the attack.

I assume that was supposed to say AND, not OR, as fail2ban works by manipulating iptables, and iptables cannot detect mass attacks without something like fail2ban (or a human) to do that.

Also, fail2ban has been mentioned several times, so it looks like you didn’t read before replying.

(I think I’ve heard there is a move to using a more distributed attack, e.g. using VPNs, so single IP blocking strategies may be becoming less effective.)

I strictly never expose an Asterisk instance to the internet. Never. I don’t see a reason to do it. I use VoIP Providers with good NAT support and if there are remote-users, I give them VPN.

Paranoid as I am, I also use ACLs in my pjsip.conf, a random SIP port, strong passwords and make use of fail2ban. It turned out to be a good idea since it happens regularly that IT guys (with their kind of sophisticated firewalls) expose one of the Asterisk servers I maintain to the internet without me knowing that. This happens sometimes with all these SIP ALGs and SIP helpers of some firewalls.

I also use md5 credentials (auth_type=md5). I know, it’s not super secure but it’s easy to implement and I like it more than having cleartext passwords in my pjsip.conf.

I had a fraud case 12 years ago with high costs and I learned my lesson.
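The hardening this post lists (pjsip.conf ACL, non-default port, non-numeric account names, md5 credentials), as an added pjsip.conf fragment that is not the poster's own configuration; the port, address ranges, endpoint name, realm and the md5_cred placeholder are assumed values.

```ini
; Transport bound to an assumed non-default port instead of 5060
[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0:5090

; Global ACL: deny everything, then permit only the provider and the VPN range
; (assumed addresses). Requests from anywhere else get a 403 before any auth
; exchange happens, so password guessing never starts.
[trusted-only]
type=acl
deny=0.0.0.0/0.0.0.0
permit=203.0.113.0/24
permit=198.51.100.10/32

; Non-numeric endpoint name, so the "6000"-style guesses seen in the thread never match
[alice-desk]
type=endpoint
context=internal
disallow=all
allow=ulaw
auth=alice-desk
aors=alice-desk

; md5 credential instead of a cleartext password in pjsip.conf:
; md5_cred = MD5("username:realm:password"); realm must match the challenge realm
[alice-desk]
type=auth
auth_type=md5
username=alice-desk
realm=pbx.example.com
md5_cred=<md5-of-alice-desk:pbx.example.com:password>

[alice-desk]
type=aor
max_contacts=1
```

The ACL section applies to every inbound request, REGISTER included, so a remote user outside the permitted ranges needs the VPN the post describes rather than a looser ACL.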


https://github.com/elpop/sipban
