SIP brute force password attacks

Hi all,

I’ve just been looking through my logs on the Asterisk server and I’ve noticed someone in China attempting a brute force password attack on port 5060.

Does anyone have any scripts or ideas on how I can block IPs that repeatedly fail authentication?

It should be possible with fail2ban:
fail2ban.org/wiki/index.php/Asterisk

Thanks. I’ll look into that.

I’ve had good results with these iptables rules… of course change to suit your LAN

# Fight the sipreg bots (negation written as "! -s"; the older "-s !" form is deprecated)
iptables -I INPUT ! -s 192.168.3.0/24 -p udp --dport 5060 -m recent --set --name ASTERISK
iptables -I INPUT ! -s 192.168.3.0/24 -p udp --dport 5060 -m recent --update --seconds 15 --hitcount 10 --name ASTERISK -j DROP

[quote=“batrams”]I’ve had good results with these iptables rules… of course change to suit your LAN

# Fight the sipreg bots (negation written as "! -s"; the older "-s !" form is deprecated)
iptables -I INPUT ! -s 192.168.3.0/24 -p udp --dport 5060 -m recent --set --name ASTERISK
iptables -I INPUT ! -s 192.168.3.0/24 -p udp --dport 5060 -m recent --update --seconds 15 --hitcount 10 --name ASTERISK -j DROP [/quote]

These rules look to be excellent to stop attacks but I’m not a buff on IPTables. From what I understand, this is what’s happening:

Rule 1) Anything not from 192.168.3.0/24 network on UDP port 5060 is flagged for Asterisk.
Rule 2) Anything coming in on rule 1 which has more than 10 hits in 15 seconds is silently (i.e. no error reported back) dropped.

Am I correct? If so, I will happily implement that since it’s more-or-less ideal for what I want! I am the only client on the server and I deliberately set hard-to-guess passwords so any failures will be from unauthorised attacks.

Many thanks.

Yes, that’s the idea and it works well. Nearly every day I see attacks start on my CLI, but the rules quickly stop them. These same rules work well on TCP port 22 for SSH attacks, but I prefer to run SSH on an obscure port.
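As an added example (not batrams’ rules and not anything from the Asterisk project), here is the same recent-module idea written as a small script with the evaluation order made explicit: the trusted range is accepted first, then the drop rule for sources already over the threshold, then the rule that records everyone else. Writing it this way makes the "change to suit your LAN" part a parameter and keeps your own phones and VPN out of the counter. The trusted range, port, window and hit count are placeholders taken from the thread, and `IPTABLES=echo` turns it into a dry run so you can read the rules before applying them as root.

```shell
#!/bin/sh
# Added example: the rate-limiting rules from the thread, generated in the
# order iptables will check them, with a trusted-range exemption in front.
# Assumptions: TRUSTED is your LAN/VPN CIDR (192.168.3.0/24 is the thread's
# placeholder); IPTABLES may be set to "echo" for a dry run.

IPTABLES="${IPTABLES:-iptables}"

# Append the three rules for one trusted CIDR, UDP port, time window and hit
# threshold. -A is used instead of -I so the printed order is the real order.
sip_guard_rules() {
    trusted="$1"; port="${2:-5060}"; seconds="${3:-15}"; hits="${4:-10}"
    # 1. Trusted clients never enter the counter, so they cannot ban themselves.
    "$IPTABLES" -A INPUT -s "$trusted" -p udp --dport "$port" -j ACCEPT
    # 2. A source seen "hits" or more times within "seconds" is dropped silently;
    #    --update refreshes its timestamp, so a bot that keeps trying stays blocked
    #    until it has been quiet for the whole window.
    "$IPTABLES" -A INPUT -p udp --dport "$port" -m recent --name ASTERISK \
        --update --seconds "$seconds" --hitcount "$hits" -j DROP
    # 3. Everything else on the port is recorded and passed on to Asterisk.
    "$IPTABLES" -A INPUT -p udp --dport "$port" -m recent --name ASTERISK --set
}

# Remove one address from the ASTERISK list by hand (needs root). The recent
# module exposes the list under /proc/net/xt_recent/<name>; writing "-addr"
# deletes that entry, so a wrongly blocked client is released at once.
sip_guard_release() {
    echo "-$1" > /proc/net/xt_recent/ASTERISK
}

# Dry run: print the rules for the thread's LAN without touching the firewall
IPTABLES=echo sip_guard_rules 192.168.3.0/24 5060 15 10
```

Two things the dry run makes visible: the ACCEPT for the trusted range has to come before the DROP, otherwise a VPN client that mistypes a password a few times is treated like the bots; and because `--update` keeps refreshing the entry while the source is still sending, an attacker is not released after 15 seconds of attacking, only after 15 seconds of silence.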

Thanks for that. I’ll implement it in a minute. I have to be careful with SSH though since my Asterisk system is on a hosted server and I can’t afford to lose SSH!

If it helps you, I use Denyhosts scripts to block attacks and my logins are passwordless and usernameless (the username you attempt to connect with is the one you use). If you don’t have the correct key, you don’t have access, simple! After about 10 failed logins, the IP address is banned permanently through /etc/hosts.deny (I deliberately ban forever because with one failed login with, for example, SSHing from the wrong account, then you know your mistake but at other times, there’s no issue since it’s a TCP connection).

I’ll add these filters now and report back on how they work for me.

Incidentally, though, I presume that after a while it will release the IP address that attempted the attack. Is there any way to keep that permanently? Most attacks seem to come from Russia, India or China and I have no need to access the network from over there (and if I did, I could SSH in natively and release the banned IP).

Your lines for IPTables work fantastically!

As does Fail2Ban.

It’s just a shame that I managed to ban myself and have just spent 2 hours working out why traffic was travelling down my VPN but my phone couldn’t register…

Well, at least it works! Brilliant bit of code. Thanks!