[SOLVED] How to stop CLI flood messages

Hello my friends,

I can’t use the Asterisk CLI to run commands such as “dialplan reload” or “dialplan show” and so on.

The reason is that my server is always under attack, and thousands of NOTICE messages for failed authentications and no matching endpoints keep arising, very fast.

To avoid the notice flood I trigger commands using

asterisk -rx "command"

but this is not practical for debugging.

Any recommendation to stop Asterisk from showing me notices, or to reduce them?

Block unnecessary access to port 5060 as close to the edge of your network as possible.

Install and configure fail2ban to dynamically add rules to the firewall on the machine running asterisk based on the security log entries being produced by the attacks.

1 Like

The solution for this is to open the file /etc/asterisk/logger.conf and search for

console => notice,warning,error,debug

and remove what you don’t want to see on console, in my case I don’t want to see notices so I changed it to:

console => warning,error,debug

Regards

That’s a bit like shooting the messenger. You still need to block the attacks, as some may get through.

1 Like

Hello david551,

Yes, I already installed fail2ban, but I'm not sure whether it does the job correctly or not.
I use Snort as well, but the flood of notices was still on the console, and then I removed it from logger.conf.

Regarding the port, what is the unnecessary access that I can add to the firewall rules?

It’s easier to ‘whitelist’ than to play ‘Whac-A-Mole’ and try to ‘blacklist.’

You can write iptables rules to allow expected access (like from your SIP providers) and block everybody else.
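The two layers Sedwards and david551 describe, as an added example that is not code from the thread or from the Asterisk project: one list of allowed CIDR ranges is turned into ufw rules for SIP signalling on port 5060 (the original poster uses UFW) and into a matching pjsip.conf ACL section, so a firewall mistake alone does not expose the PBX. The CIDRs, the allowlist file layout and the section name `sip-allowlist` are assumptions; the ranges are RFC 5737 documentation prefixes, constructed for the example, and must be replaced with the ranges your SIP provider and carrier publish.

```shell
#!/bin/sh
# Added example, not from the thread or from the Asterisk project: generate the
# two allowlist layers recommended above from one list of CIDR ranges.
#   1. ufw rules for SIP signalling on port 5060
#   2. a pjsip.conf ACL section (res_pjsip_acl) that rejects requests from
#      everything outside the same ranges
# The CIDRs in the demo below are RFC 5737 documentation prefixes, constructed
# for this example; substitute the ranges published by your SIP provider and
# mobile carrier. The section name 'sip-allowlist' is an assumption.

# Drop blank lines and '#' comments from an allowlist file; one CIDR per line.
read_cidrs() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# Emit ufw commands. They are printed rather than executed so the rule set can
# be reviewed first; pipe the output into 'sh' (as root) to apply it.
gen_ufw_rules() {
    read_cidrs "$1" | while read -r cidr; do
        # No 'proto' keyword means the rule covers both udp and tcp 5060.
        echo "ufw allow from $cidr to any port 5060"
    done
    # ufw evaluates rules in order, so the catch-all deny goes last. Packets
    # it denies never reach Asterisk, so they generate no NOTICE at all.
    echo "ufw deny 5060"
}

# Emit a global ACL section for pjsip.conf: deny everything, then permit the
# allowlisted ranges. Asterisk applies type=acl sections to every inbound
# request before endpoint matching, so unknown sources are rejected even if
# the firewall is misconfigured or bypassed.
gen_pjsip_acl() {
    echo "[sip-allowlist]"
    echo "type=acl"
    echo "deny=0.0.0.0/0.0.0.0"
    read_cidrs "$1" | while read -r cidr; do
        echo "permit=$cidr"
    done
}

# Stand-alone demo with a constructed allowlist.
demo_list=$(mktemp)
cat > "$demo_list" <<'EOF'
# SIP trunk provider signalling range (constructed for this example)
203.0.113.0/24
# mobile carrier address pool (constructed for this example)
198.51.100.0/24
EOF
gen_ufw_rules "$demo_list"
echo
gen_pjsip_acl "$demo_list"
rm -f "$demo_list"
```

Both generators read the same file, so adding a carrier range means editing one list and re-running; the firewall layer stops the NOTICE flood at the kernel, while the ACL layer means a request that does slip past the firewall is still refused before any endpoint lookup. Note that this only covers signalling on 5060; the RTP port range from rtp.conf still needs its own rules.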

Hello Sedwards,
I can't whitelist IPs because I am trying to prepare it to be used from softphones initially, which means there is no static IP address for each softphone.

Do the softphones connect via WiFi (local network) or Internet? Could you limit access to just RFC 1918 (or whatever the newer RFC is called) addresses?

Once you get past ‘use softphones initially’ can you limit access?

Can you identify the ranges of addresses used by the softphone's carrier?

Can you identify certain countries (North Korea, Iran, Russia, China, etc) or geographic regions (APNIC, RIPE, etc) that you don’t expect connections from?

Can you collect IP addresses from a few days flood? You can look up the address at ARIN.NET and block the entire CIDR.

Fail2ban is a popular mitigation approach.

Can you change the port number from 5060 to anything else?

  • I use cellular data

  • Are there any instructions to limit access to RFC 1918?

  • Yes I can identify and allow the range of addresses for the carrier only. I use UFW as a firewall.

  • Yes the attacks are from China, South and North Korea, Iran, Russia, and some EU countries.

  • I don’t know what’s wrong with fail2ban I’m trying to fix the settings to make it work.

Also, I installed Snort3 and it's working based on its own default settings, which include some restriction rules for Asterisk, but I don't know if something else should be added to the settings.

I use Asterisk alongside an Apache web server. fail2ban and Snort are doing a very good job with the Apache server but not with Asterisk... any ideas?

If you’re using cellular data that means you’re using the carrier’s IP addresses so limiting the access to rfc1918/rfc3330 addresses may not apply.

If you limit access to just the carrier IP blocks, that should eliminate the majority of your issue. I would limit via iptables and by PJSIP allow/deny. Two layers of security.

IIRC, fail2ban includes command line utilities to test and refine rules. It can be sensitive to changes in Asterisk log formats.
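The counting that fail2ban performs on the Asterisk security log, done by hand as an added example (not code from the thread, from fail2ban or from Asterisk) so that the original poster can see which addresses should be getting banned and compare that against what the jail actually does. The log lines are constructed for this example and follow the shape of res_security_log.c output; the RemoteAddress extraction is the part most likely to break when the log format changes, which is the sensitivity david551 mentions, so compare the sample with a real line from /var/log/asterisk/security before trusting it. Writing that log at all requires a `security => security` line in logger.conf.

```shell
#!/bin/sh
# Added example, not from the thread, from fail2ban or from Asterisk: count
# failed-authentication security events per source address, the way a
# fail2ban jail does with maxretry, so the result can be checked against
# 'fail2ban-client status asterisk'. The sample lines below are constructed
# for this example and mimic the res_security_log.c format; verify against a
# real /var/log/asterisk/security line before relying on the pattern.

# Print source addresses that produced at least $2 failed-auth events in $1.
# Counted event types: InvalidAccountID (no matching endpoint),
# InvalidPassword, ChallengeResponseFailed and FailedACL. Unlike fail2ban this
# ignores findtime, so it counts over the whole file.
ban_candidates() {
    log="$1"
    maxretry="$2"
    grep -E 'SecurityEvent="(InvalidAccountID|InvalidPassword|ChallengeResponseFailed|FailedACL)"' "$log" \
        | sed -E 's|.*RemoteAddress="IPV[46]/[A-Z]+/([^/"]+)/[0-9]+".*|\1|' \
        | sort | uniq -c \
        | awk -v n="$maxretry" '$1 >= n { print $2 }'
}

# Constructed sample: one scanner (203.0.113.5) probing REGISTER with unknown
# accounts and wrong passwords from two source ports, one isolated failure
# from 198.51.100.7, and one successful login that must not be counted.
write_sample_log() {
    cat > "$1" <<'EOF'
[2024-05-01 10:00:01] SECURITY[2001] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2024-05-01T10:00:01.000+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1001",SessionID="0x1",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2024-05-01 10:00:01] SECURITY[2001] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2024-05-01T10:00:01.200+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1002",SessionID="0x2",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2024-05-01 10:00:02] SECURITY[2001] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2024-05-01T10:00:02.000+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="100",SessionID="0x3",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060",Challenge="c0ffee",ReceivedChallenge="c0ffee",ReceivedHash="deadbeef"
[2024-05-01 10:00:02] SECURITY[2001] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="2024-05-01T10:00:02.500+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="100",SessionID="0x4",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5061",Challenge="c0ffee",Response="bad",ExpectedResponse="good"
[2024-05-01 10:00:05] SECURITY[2001] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="2024-05-01T10:00:05.000+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="100",SessionID="0x5",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060",Challenge="c0ffee",Response="bad",ExpectedResponse="good"
[2024-05-01 10:00:09] SECURITY[2001] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2024-05-01T10:00:09.000+0000",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="100",SessionID="0x6",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/192.0.2.50/5060",UsingPassword="1"
EOF
}

# Stand-alone demo on the constructed sample with maxretry=3.
sample=$(mktemp)
write_sample_log "$sample"
echo "addresses at or above 3 failures:"
ban_candidates "$sample" 3
rm -f "$sample"

# To run fail2ban's own filter over the real log and compare:
#   fail2ban-regex /var/log/asterisk/security /etc/fail2ban/filter.d/asterisk.conf
# If that reports no matches while this script lists candidates, the jail's
# failregex does not fit your Asterisk log format, or logpath is wrong.
```

The point of keying on the RemoteAddress IP rather than the whole line is visible in the sample: the scanner changes source port between requests, and still accumulates four failures against one address. The same grep pattern doubles as a quick check of whether the security log is being written at all; an empty result on a server that is clearly under attack usually means the `security` channel is missing from logger.conf rather than that the attacks stopped.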
