Monday, March 30, 2015

Block Asterisk SIP registrations from internet/WAN hackers with iptables/shorewall

After hundreds of hacking attempts against my Asterisk server from the internet, I've installed Fail2ban to automatically ban the IP addresses of the attackers after 3 failed attempts, with the following in my jail.conf:
[asterisk-udp]

enabled  = true
filter   = asterisk
action   = iptables-multiport[name=asterisk-udp, port="5060", protocol=udp]
           sendmail-whois[name=Asterisk-udp, dest=root, sender=root]
logpath  = /var/log/asterisk/messages
maxretry = 3
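To make the jail's behaviour concrete, here is an added example (not code from the post or from Fail2ban itself) that applies the same rule to Asterisk log lines: a source IP is marked for banning once it has maxretry failed registrations inside a findtime window. The regex is modelled on Fail2ban's stock asterisk filter for chan_sip "Registration from ... failed" notices, the timestamp layout assumes logger.conf dateformat=%F %T, and the log lines are constructed, not a real capture.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Pattern modelled on Fail2ban's stock "asterisk" filter for the chan_sip
# "Registration from ... failed" NOTICE lines in /var/log/asterisk/messages.
# Timestamp layout assumes logger.conf dateformat=%F %T (assumption).
FAILED_REG = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '[^']*' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
    r"(?:Wrong password|No matching peer found|Username/auth name mismatch)"
)

def offenders(lines, maxretry=3, findtime=600):
    """Mimic the jail: an IP is banned once it has maxretry failed
    registrations inside any findtime-second window.
    Returns {ip: failures_in_window_at_ban_time}."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned = {}
    for line in lines:
        m = FAILED_REG.match(line)
        if not m:                 # successful registrations, VERBOSE lines etc. are ignored
            continue
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # slide the window forward
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = len(q)
    return banned

# Constructed sample log (RFC 5737 documentation addresses), not a real capture.
SAMPLE_LOG = """\
[2015-03-30 10:00:01] NOTICE[2142] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.7:5060' - Wrong password
[2015-03-30 10:00:02] NOTICE[2142] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.7:5060' - No matching peer found
[2015-03-30 10:00:03] VERBOSE[2142] chan_sip.c: -- Registered SIP '200' at 198.51.100.20:5060
[2015-03-30 10:00:04] NOTICE[2142] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.7:5060' - Wrong password
[2015-03-30 10:00:05] NOTICE[2142] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.7:5060' - Wrong password
[2015-03-30 10:00:09] NOTICE[2142] chan_sip.c: Registration from '"1" <sip:1@192.0.2.10>' failed for '198.51.100.9:5061' - Wrong password
[2015-03-30 10:15:09] NOTICE[2142] chan_sip.c: Registration from '"1" <sip:1@192.0.2.10>' failed for '198.51.100.9:5061' - Wrong password
[2015-03-30 10:30:09] NOTICE[2142] chan_sip.c: Registration from '"1" <sip:1@192.0.2.10>' failed for '198.51.100.9:5061' - Wrong password
""".splitlines()

if __name__ == "__main__":
    # 203.0.113.7 hits 3 failures within seconds; 198.51.100.9 spreads its
    # 3 failures over 30 minutes and never reaches maxretry inside 600 s.
    print(offenders(SAMPLE_LOG))   # {'203.0.113.7': 3}
```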

However, I then started to receive hundreds of emails from Fail2ban telling me that IP addresses were being banned one after another. Below is an example email for the banning of an IP address in France:
Hi,
The IP 195.154.38.225 has just been banned by Fail2Ban after
63 attempts against Asterisk-udp.


Here is more information about 195.154.38.225:
Regards,

Fail2Ban

I'd had enough of such emails, so I started looking for a way to block these hacking attempts from reaching my Asterisk server at all. I had shorewall installed on the Asterisk server as my firewall and NAT router. It has the interface net defined on the internet/WAN side, and the iptables chain net2fw is the one that handles traffic from the internet to the firewall itself.
Therefore I added the following to /etc/shorewall/started to drop every SIP registration packet (one containing the string "REGISTER sip:") arriving from the internet at UDP port 5060 of my firewall:
/usr/sbin/iptables -I net2fw -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP
The --algo option is a required parameter of the string match that selects the pattern matching strategy (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris). Note that this drops every REGISTER from the WAN, including those of any legitimate remote phones, so it suits a setup where no extension registers over the internet. After restarting shorewall, the following is shown by iptables:
# iptables -L net2fw
Chain net2fw (1 references)
target     prot opt source               destination      
DROP       udp  --  anywhere             anywhere             udp dpt:sip STRING match  "REGISTER sip:" ALGO name bm TO 65535
And I'm happy now that all these annoying hacking attempts are properly handled.

Tuesday, March 10, 2015

Sync multiple Google calendars on one Google account to a PC with Thunderbird Lightning

There is more than one way to sync a Google calendar to a Windows PC, but a simple method is to sync via CalDAV using Thunderbird with the Lightning extension. Lightning can be installed through the Add-ons menu in Thunderbird once Thunderbird itself is installed. Restart Thunderbird to enable Lightning when prompted to do so.

After the email account is set up, click on the account name in the folder pane on the left of the email tab to show the account's home page.

  • Click on the "Calendar" tab, then right click on the empty space under the list of calendars in the left pane and click on "New Calendar..."
  • Select a network calendar
  • Select the CalDAV format and enter the following as the location

https://apidata.googleusercontent.com/caldav/v2/[your-calendar-id]/events
Replace [your-calendar-id] with the Calendar ID found under Calendar Settings -> Calendar Address in your Google calendar. The Calendar ID of your first Google calendar is your Gmail address.

  • Enter the username and password of the Google account to authorize Lightning to manage your calendar.
  • Repeat the above steps to create a calendar entry for each of the remaining calendars on the Google account. The calendar IDs of these calendars typically end with @group.calendar.google.com
  • Now you can sit back and enjoy them.