Monday, March 30, 2015

Block Asterisk SIP registrations from internet/WAN hackers with iptables/shorewall

As a result of hundreds of hacking attempts targeted at my Asterisk server from the internet, I installed Fail2ban to automatically ban the IP addresses of the hackers after 3 failed attempts, with the following in my jail.conf:
[asterisk-udp]

enabled  = true
filter   = asterisk
action   = iptables-multiport[name=asterisk-udp, port="5060", protocol=udp]
           sendmail-whois[name=Asterisk-udp, dest=root, sender=root]
logpath  = /var/log/asterisk/messages
maxretry = 3
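To show what the jail above actually counts, here is an added example (not fail2ban's own filter code and not from the original post) that reads Asterisk's messages log, counts registration failures per source IP inside a sliding time window, and reports the addresses that reach maxretry. maxretry = 3 is taken from the jail.conf above; the 600 s window (fail2ban's default findtime, which the jail does not override) is an assumption here, as is the %F %T logger dateformat. The log lines are constructed for the example in chan_sip's "Registration from ... failed for" format; the public address is the one from the ban email below, the LAN address and the rest are made up.

```python
"""Fail2ban-style counting of failed SIP registrations in Asterisk's messages log.

Added example, not fail2ban's own code. Assumptions: a %F %T logger dateformat
and a 600 s window (fail2ban's default findtime). The log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAXRETRY = 3            # from the jail.conf on the page
FINDTIME_SECONDS = 600  # assumed window (fail2ban's default findtime)

# Matches chan_sip's registration-failure notice and captures the timestamp,
# the source address (with or without a :port suffix) and the reason.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\](?:\[[^\]]*\])? chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>[0-9.]+)(?::\d+)?' - (?P<reason>.+)$"
)

# Constructed sample: one scanner hitting the server three times in a few
# seconds, one LAN phone with a mistyped password failing three times spread
# over almost an hour, and one unrelated line.
SAMPLE_LOG = """\
[2015-03-30 09:10:11] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '195.154.38.225:5060' - Wrong password
[2015-03-30 09:10:12] NOTICE[2345] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '195.154.38.225:5060' - No matching peer found
[2015-03-30 09:10:14] NOTICE[2345] chan_sip.c: Registration from '"102" <sip:102@203.0.113.5>' failed for '195.154.38.225:5060' - No matching peer found
[2015-03-30 09:15:00] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '192.168.1.20:5060' - Wrong password
[2015-03-30 09:40:00] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '192.168.1.20:5060' - Wrong password
[2015-03-30 10:05:00] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '192.168.1.20:5060' - Wrong password
[2015-03-30 10:05:01] NOTICE[2345] chan_sip.c: Some unrelated message
"""


def parse_failures(log_text):
    """Return a list of (timestamp, ip, reason) for each failure line, in file order."""
    out = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            out.append((ts, m.group("ip"), m.group("reason")))
    return out


def ban_candidates(log_text, maxretry=MAXRETRY, findtime_seconds=FINDTIME_SECONDS):
    """Return {ip: {"banned_at": "YYYY-MM-DD HH:MM:SS", "attempts": n}} for every
    source that accumulated maxretry failures within findtime_seconds.

    Failures older than the window (relative to the newest one) are discarded,
    so slow, spread-out failures such as a mistyped LAN password never ban.
    """
    window = timedelta(seconds=findtime_seconds)
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the window
    banned = {}
    for ts, ip, _reason in parse_failures(log_text):
        if ip in banned:
            continue  # already reported; fail2ban would have blocked it by now
        kept = [t for t in recent[ip] if ts - t <= window]
        kept.append(ts)
        recent[ip] = kept
        if len(kept) >= maxretry:
            banned[ip] = {"banned_at": ts.strftime("%Y-%m-%d %H:%M:%S"),
                          "attempts": len(kept)}
    return banned


if __name__ == "__main__":
    for ip, info in ban_candidates(SAMPLE_LOG).items():
        print(f"ban {ip}: {info['attempts']} failures, last at {info['banned_at']}")
```

With the default window only 195.154.38.225 is reported; the LAN phone's three failures are 25 minutes apart and never accumulate, which is the point of findtime. Widening the window to two hours (`findtime_seconds=7200`) would ban the LAN phone as well, so the window is worth tuning together with maxretry.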

However, I then started to receive hundreds of emails from Fail2ban, one after another, telling me that IP addresses had been banned. Below is an example email for the banning of an IP address in France:
Hi,
The IP 195.154.38.225 has just been banned by Fail2Ban after
63 attempts against Asterisk-udp.


Here is more information about 195.154.38.225:

[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '195.154.38.0 - 195.154.39.255'

% Abuse contact for '195.154.38.0 - 195.154.39.255' is 'abuse@proxad.net'

inetnum:        195.154.38.0 - 195.154.39.255
netname:        ISDNET-4
descr:          Tiscali France Backbone
country:        FR
admin-c:        BG34
tech-c:         TTFR1-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-TISCALIFR
source:         RIPE # Filtered

role:           Tiscali Telecom France Registry
remarks:        now known as Online S.A.S. / Iliad-Entreprises
address:        8 rue de la ville l'évèque
address:        75008 Paris
address:        France
abuse-mailbox:  abuse@iliad-entreprises.fr
admin-c:        IENT-RIPE
tech-c:         IENT-RIPE
tech-c:         NR1053-RIPE
nic-hdl:        TTFR1-RIPE
mnt-by:         MNT-TISCALIFR
source:         RIPE # Filtered

person:         Benoit Grange
address:        Tiscali Telecom
address:        37 bis rue Greneta
address:        75002 Paris - France
phone:          +33 1 45 08 20 00
fax-no:         +33 1 45 08 20 01
remarks:        +-----------------------------------------------------------------------+
remarks:        | ATTENTION: Pour nous signaler un probleme (intrusion, spam, etc),     |
remarks:        | merci de respecter la procedure suivante:                             |
remarks:        | Envoyer un mail a "abuse@tiscali.fr" avec les informations suivantes: |
remarks:        | - date & heure (y compris le fuseau horaire ou l'heure GMT)           |
remarks:        | - adresse IP source ou toutes les en-tetes du mail                    |
remarks:        | - nature du probleme (en quelques mots)                               |
remarks:        | Nous ne repondons pas aux demandes par telephone.                     |
remarks:        | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
remarks:        | Je ne suis que le representant legal de Tiscali et non pas            |
remarks:        | l'utilisateur final de l'adresse IP renvoyee par votre firewall       |
remarks:        | Les adresses IP sont generalement allouees dynamiquement a nos abonnes|
remarks:        | et donc votre logiciel ne peut PAS connaitre le nom de l'utilisateur  |
remarks:        | reel de l'IP. Merci d'avoir lu jusqu'au bout.                         |
remarks:        +-----------------------------------------------------------------------+
nic-hdl:        BG34
mnt-by:         MNT-TISCALIFR
source:         RIPE # Filtered

% Information related to '195.154.0.0/16AS12876'

route:          195.154.0.0/16
descr:          Online SAS
descr:          Paris, France
origin:         AS12876
mnt-by:         MNT-TISCALIFR
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.78 (DB-3)

Regards,

Fail2Ban

I had had enough of such emails, so I started looking for a way to block these hacking attempts from reaching my Asterisk server. I had shorewall installed on the Asterisk server as my firewall and NAT router. It has the interface net defined on the internet/WAN side, and the iptables chain net2fw is the one that manages traffic from the internet to the firewall itself.
Therefore I added the following to /etc/shorewall/started to drop all SIP registration packets (those containing the string "REGISTER sip:") arriving from the internet and destined for UDP port 5060 on my firewall:
/usr/sbin/iptables -I net2fw -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP
The --algo parameter is required; it selects the pattern matching algorithm (bm = Boyer-Moore, kmp = Knuth-Morris-Pratt). After restarting shorewall, iptables shows the rule in place:
# iptables -L net2fw
Chain net2fw (1 references)
target     prot opt source               destination      
DROP       udp  --  anywhere             anywhere             udp dpt:sip STRING match  "REGISTER sip:" ALGO name bm TO 65535
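The rule only works because -I puts it at the top of net2fw, ahead of Shorewall's own ACCEPT rules; appended with -A it would sit below them and never match. Ordering matters the other way too: any ACCEPT you add for a known remote extension must come before the DROP, because the DROP otherwise blocks that phone's registrations as well. The following is an added example, not from the original post or from Shorewall, that checks this ordering. It reads rule specs in the form printed by `iptables -S net2fw` (the save-style listing, whereas the page shows the `iptables -L` table) and reports the position of the string-match DROP and of the first ACCEPT that could pass a SIP packet. The check is deliberately conservative: an ACCEPT with no -p/--dport at all, such as a RELATED,ESTABLISHED rule, counts as able to pass a REGISTER, since UDP conntrack treats the flow as established once Asterisk has replied. Both listings below are constructed; the first is what -I produces, the second what -A would have produced.

```python
"""Check that the "REGISTER sip:" DROP precedes any ACCEPT that could pass SIP.

Added example, not part of the page or of Shorewall. Input is in the form
printed by `iptables -S <chain>`; both listings here are constructed.
"""
import shlex

SIP_PORT = "5060"
PATTERN = "REGISTER sip:"

# Constructed: the rule inserted at the top of the chain with -I, as on the page.
INSERTED = """\
-N net2fw
-A net2fw -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm --to 65535 -j DROP
-A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p udp -m udp --dport 5060 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A net2fw -j Drop
"""

# Constructed: the same rule appended with -A, which lands after the ACCEPTs.
APPENDED = """\
-N net2fw
-A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p udp -m udp --dport 5060 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A net2fw -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm --to 65535 -j DROP
-A net2fw -j Drop
"""


def parse_rule(spec):
    """Reduce one '-A chain ...' spec to the options that matter for the check."""
    toks = shlex.split(spec)  # shlex keeps "REGISTER sip:" as one token
    rule = {"chain": None, "proto": None, "dport": None, "string": None, "target": None}
    keys = {"-A": "chain", "-p": "proto", "--dport": "dport", "--string": "string", "-j": "target"}
    i = 0
    while i < len(toks):
        key = keys.get(toks[i])
        if key is not None and i + 1 < len(toks):
            rule[key] = toks[i + 1]
            i += 2
        else:
            i += 1
    return rule


def chain_rules(listing, chain):
    """Rules of one chain in evaluation order (the order iptables -S prints them)."""
    return [parse_rule(line) for line in listing.splitlines()
            if line.startswith(f"-A {chain} ")]


def check_register_drop(listing, chain="net2fw"):
    """Return {"drop_rule": n, "first_accept": m, "ok": bool}.

    Positions are 1-based, None when absent. ok means the string-match DROP
    exists and is evaluated before every ACCEPT that could pass a REGISTER.
    """
    drop_idx = accept_idx = None
    for n, r in enumerate(chain_rules(listing, chain), start=1):
        sip_match = r["proto"] == "udp" and r["dport"] == SIP_PORT
        if drop_idx is None and sip_match and r["string"] == PATTERN and r["target"] == "DROP":
            drop_idx = n
        # An ACCEPT can pass a REGISTER unless it is pinned to another proto or port.
        can_pass_sip = r["proto"] in (None, "udp") and r["dport"] in (None, SIP_PORT)
        if accept_idx is None and r["target"] == "ACCEPT" and can_pass_sip:
            accept_idx = n
    ok = drop_idx is not None and (accept_idx is None or drop_idx < accept_idx)
    return {"drop_rule": drop_idx, "first_accept": accept_idx, "ok": ok}


if __name__ == "__main__":
    for name, listing in (("inserted", INSERTED), ("appended", APPENDED)):
        print(name, check_register_drop(listing))
```

Feeding it the live output of `iptables -S net2fw` after a shorewall restart confirms the started script ran after Shorewall rebuilt the chain and that the DROP is still rule 1.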
And I'm happy now that all these annoying hacking attempts are properly handled.
