[asterisk-udp]
enabled  = true
filter   = asterisk
action   = iptables-multiport[name=asterisk-udp, port="5060", protocol=udp]
           sendmail-whois[name=Asterisk-udp, dest=root, sender=root]
logpath  = /var/log/asterisk/messages
maxretry = 3
However, I then started to receive hundreds of emails from Fail2ban telling me that IP addresses were being banned by it one after another. Below is an example email for the banning of an IP address in France:
Hi,
The IP 195.154.38.225 has just been banned by Fail2Ban after 63 attempts against Asterisk-udp.

Here is more information about 195.154.38.225:

[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '195.154.38.0 - 195.154.39.255'

% Abuse contact for '195.154.38.0 - 195.154.39.255' is 'abuse@proxad.net'

inetnum:        195.154.38.0 - 195.154.39.255
netname:        ISDNET-4
descr:          Tiscali France Backbone
country:        FR
admin-c:        BG34
tech-c:         TTFR1-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-TISCALIFR
source:         RIPE # Filtered

role:           Tiscali Telecom France Registry
remarks:        now known as Online S.A.S. / Iliad-Entreprises
address:        8 rue de la ville l'évèque
address:        75008 Paris
address:        France
abuse-mailbox:  abuse@iliad-entreprises.fr
admin-c:        IENT-RIPE
tech-c:         IENT-RIPE
tech-c:         NR1053-RIPE
nic-hdl:        TTFR1-RIPE
mnt-by:         MNT-TISCALIFR
source:         RIPE # Filtered

person:         Benoit Grange
address:        Tiscali Telecom
address:        37 bis rue Greneta
address:        75002 Paris - France
phone:          +33 1 45 08 20 00
fax-no:         +33 1 45 08 20 01
remarks:        +-----------------------------------------------------------------------+
remarks:        | ATTENTION: Pour nous signaler un probleme (intrusion, spam, etc),     |
remarks:        | merci de respecter la procedure suivante:                             |
remarks:        | Envoyer un mail a "abuse@tiscali.fr" avec les informations suivantes: |
remarks:        | - date & heure (y compris le fuseau horaire ou l'heure GMT)           |
remarks:        | - adresse IP source ou toutes les en-tetes du mail                    |
remarks:        | - nature du probleme (en quelques mots)                               |
remarks:        | Nous ne repondons pas aux demandes par telephone.                     |
remarks:        | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
remarks:        | Je ne suis que le representant legal de Tiscali et non pas            |
remarks:        | l'utilisateur final de l'adresse IP renvoyee par votre firewall       |
remarks:        | Les adresses IP sont generalement allouees dynamiquement a nos abonnes|
remarks:        | et donc votre logiciel ne peut PAS connaitre le nom de l'utilisateur  |
remarks:        | reel de l'IP. Merci d'avoir lu jusqu'au bout.                         |
remarks:        +-----------------------------------------------------------------------+
nic-hdl:        BG34
mnt-by:         MNT-TISCALIFR
source:         RIPE # Filtered

% Information related to '195.154.0.0/16AS12876'

route:          195.154.0.0/16
descr:          Online SAS
descr:          Paris, France
origin:         AS12876
mnt-by:         MNT-TISCALIFR
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.78 (DB-3)

Regards,

Fail2Ban
I'd had enough of such emails, so I started looking for a way to block these hacking attempts from reaching my Asterisk server. I had shorewall installed on the Asterisk server as my firewall and NAT router. It has the interface net defined on the internet/WAN side, and the iptables chain net2fw is the one relevant for managing traffic from the internet to my firewall.
Therefore I added the following to /etc/shorewall/started to drop all SIP registration packets (those containing the string "REGISTER sip:") coming from the internet and destined to UDP port 5060 of my firewall:
/usr/sbin/iptables -I net2fw -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP
The --algo parameter is required; it selects the pattern matching strategy (bm = Boyer-Moore, kmp = Knuth-Morris-Pratt). After restarting shorewall, the rule shows up in iptables as follows:
# iptables -L net2fw
Chain net2fw (1 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:sip STRING match "REGISTER sip:" ALGO name bm TO 65535
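As an added example (not part of the original post), the shell script below models what the string-match rule does before it is loaded on a live firewall. The kernel's string match is a plain byte-substring search over the packet (case-sensitive unless --icase is given), so grep -F over a constructed payload gives the same DROP or pass verdict; the script also builds the iptables command from parameters and checks a saved iptables -L net2fw listing for the rule. The sample request lines and the listing are constructed here, and the hostname pbx.example.invalid is a placeholder. The point it makes visible is that the rule covers only UDP port 5060 REGISTER requests: INVITE or OPTIONS traffic still reaches Asterisk, which is why the Fail2ban jail stays in place alongside the rule.

```shell
#!/bin/sh
# Added example, not from the original post. Models the iptables string-match
# rule on constructed SIP payloads and checks an iptables -L listing for it.

# Print the iptables command the post inserts into the net2fw chain,
# parameterised (chain, port, pattern) so it can be reviewed before use.
build_drop_rule() {
  printf '/usr/sbin/iptables -I %s -p udp -m udp --dport %s -m string --string "%s" --algo bm -j DROP\n' \
    "$1" "$2" "$3"
}

# Decide what the rule would do with one UDP payload read from stdin.
# The string match is a case-sensitive substring search, so grep -F
# (fixed string, case-sensitive) reproduces its verdict: DROP or PASS.
classify_payload() {
  if grep -qF -- "$1"; then printf 'DROP\n'; else printf 'PASS\n'; fi
}

# Check saved `iptables -L CHAIN` output (on stdin) for the rule: a DROP
# line carrying the STRING match for the given pattern. Returns 0 if found.
rule_present() {
  grep -q "^DROP .*STRING match \"$1\""
}

# Constructed sample request lines, not captured traffic. A SIP request
# starts with the method and Request-URI, which is what the pattern keys on.
register_req='REGISTER sip:pbx.example.invalid SIP/2.0'
invite_req='INVITE sip:100@pbx.example.invalid SIP/2.0'
options_req='OPTIONS sip:pbx.example.invalid SIP/2.0'

# Constructed copy of the `iptables -L net2fw` listing shown in the post.
listing='Chain net2fw (1 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:sip STRING match "REGISTER sip:" ALGO name bm TO 65535'

main() {
  build_drop_rule net2fw 5060 'REGISTER sip:'
  for req in "$register_req" "$invite_req" "$options_req"; do
    verdict=$(printf '%s' "$req" | classify_payload 'REGISTER sip:')
    printf '%-5s %s\n' "$verdict" "$req"
  done
  if printf '%s\n' "$listing" | rule_present 'REGISTER sip:'; then
    printf 'rule present in net2fw\n'
  else
    printf 'rule missing from net2fw\n'
  fi
}

main
```

Running the script prints the exact command from the post, then DROP for the REGISTER line and PASS for the INVITE and OPTIONS lines, and confirms the rule is present in the listing. On the real firewall the same rule_present check can be fed with `iptables -L net2fw` after `shorewall restart` to confirm that /etc/shorewall/started re-added the rule.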
And I'm happy now that all these annoying hacking attempts are properly handled.