Stopping Hackers with iptables

I’m implementing iptables rules to stop hacking attempts following this document. https://www.voip-info.org/wiki/view/Asterisk+firewall+rules

iptables -I INPUT -p udp -m udp --dport 5060 -m string --string “User-Agent: VaxSIPUserAgent” --algo bm --to 65535 -j DROP
iptables -I INPUT -p udp -m udp --dport 5060 -m string --string “User-Agent: friendly-scanner” --algo bm --to 65535 -j REJECT --reject-with icmp-port-unreachable

Why is the first user agent dropped and the second rejected? Is there a resource to list user agents to block other than http://blog.kolmisoft.com/sip-attack-friendly-scanner/

How to determine which user agents to reject and which to drop?

why dont you use fail2ban? after 3 or any attempt , it can ban any ip ,if you want, you can define own filter rule.

1 Like

I’m not permitted to use fail2ban. :slight_smile: and would rather do this in iptables. I’m just wondering about the difference in treatment of different user agants.

LOL. When fail2ban is great for this job :slight_smile: It is reading non-stop asterisk’s logs and if it see more than X failed attempts of login or unathorized calls it set iptables rule.

when you use f2b, as the first messages are answer, the remote scanner knows there is an ipbx, and some start bruteforcing your server, causing your ressources to be consumed. iptables blocks the scan at the earliest, and does not hint the remote scanner that you are running an ipbx.

from my experience, 3 agents are commonly used, and these rules will stop them:

-A INPUT -p udp -m string --string "friendly-scanner" --algo bm --to 600 -m udp --dport 5060 -j DROP
-A INPUT -p udp -m string --string "sipcli/v" --algo bm --to 600 -m udp --dport 5060 -j DROP
-A INPUT -p udp -m string --string "sipvicious" --algo bm --to 600 -m udp --dport 5060 -j DROP

of course, you also need f2b, and monitor when someone is banned, which user agent is used, and add it to iptables

Fail2ban uses iptables!

The distinction you are making are between static rules and self adapting rules. They dynamic rules will still work if the attacker changes the user agent to get round the static rules.

2 Likes

The second agent is just rejected so that a “friendly scanner”, in this case, would be allowed the get a reply of some sort. The VaxSIPUserAgent gets dropped because in the example, the admin does not want ANY response sent at all when dealing with that user agent.

I have to concur with everyone, Fail2Ban (which is a log parser that then applies dynamic IPTables rules against hosts). Used along with iptables-persistent or your own method of regularly saving IPTables rules and then loading them at startup, Fail2ban’s dynamic method to creating firewall rules on the fly is superior. This is especially since you can change the settings as needed, to catch newly discovered methods of attacking an Asterisk (or other service) system. Additionally, the notifications can be useful. I often discover the same IP or IP blocks trying to gain access to a system over and over and over, so I contact the abuse email from the WHOIS report. If I don’t get satisfaction (i.e. the attacks stop), I create a rule to drop all packets from the offending IP.

You can also get into using iptables with geographic ip checking, and block particular countries. This comes in handy.

Just my $0.02,
S McGowan

1 Like