Wednesday, 4 December 2013

Blocking Asterisk SIP Invite attacks with fail2ban

There has been a lot of fuss lately about people putting too much trust in a program called fail2ban when using it with Asterisk to block SIP attacks.

Such as:

http://forums.digium.com/viewtopic.php?t=78988

Whilst I fully agree that simply installing fail2ban and relying on that as your only protection against SIP hacks is foolish, I do think it is still a useful tool.

The biggest current problem with it is that while the stock Asterisk filter is quite good at stopping REGISTER brute-force attacks (it matches the "Registration from ... failed" notices), it does nothing out of the box to protect against INVITE floods.  This is where attackers send SIP INVITE messages directly, both to attempt calls through your system and to brute-force passwords against the authentication challenge, without ever registering first.

The good news is that simply adding an extra regex line to the fail2ban config can help in some cases.

This works with Asterisk 1.8 (possibly newer versions, I've not tested yet).  There is a big change you must make first.  Asterisk has a setting in sip.conf called "allowguest" which controls whether un-authenticated SIP calls are accepted into your default context or refused with an authentication challenge or error.  It is normally recommended to set this to "no" to stop unsolicited calls.  This addition to fail2ban will NOT work with allowguest=no: Asterisk refuses the INVITE before trying to route it and never writes the "Call from ... to extension ... rejected" NOTICE that the regex matches, so fail2ban has nothing to act on.  You must set it to "yes" for the guest call to reach the dialplan and be logged when the extension is not found.  (Check also that logger.conf sends NOTICE-level messages to the log file your jail watches; on Debian that is /var/log/asterisk/messages.)

Lots of people will say that this is a bad idea (and I don't necessarily disagree with them).  For my own use, I need this set anyway.  There is a possible argument saying that you're safer setting it to "yes" and allowing fail2ban to catch call attempts than leaving it to "no" and not knowing about these calls coming in.
Be aware that your default context (the context named by "context=" in the [general] section of sip.conf, which external and guest calls fall in to) must be carefully set up so as to only include extensions that you really want exposing to the outside world.  This would normally be your inbound phone numbers only.  In particular it must not contain anything that can place an outbound call, because with allowguest=yes every guest INVITE that matches an extension in that context is connected.
If someone manages to guess one of your inbound numbers (or intentionally sends in calls to your numbers because they already know them) then you could get unsolicited SPIT (SIP spam) calls; this regex will not stop those, because a matched extension is not "rejected".

If you decide you want to do this or you already need allowguest=yes for some other reason like me, then here is what to do...

Find the list of regular expressions under "failregex =" in the file /etc/fail2ban/filter.d/asterisk.conf (on Debian Wheezy, may be elsewhere on other systems) and add this line as another indented continuation line of that list:

NOTICE.* .*: Call from '.?' \(<HOST>:.*\) to extension '.*' rejected

Make sure the asterisk jail is enabled in jail.local, then reload fail2ban (service fail2ban restart, or fail2ban-client reload).  It should then ban a source IP once it has sent maxretry rejected INVITEs within findtime.  You can check the regex against your real log before relying on it with fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf, which reports how many lines matched and which hosts were extracted.
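To see what the regex will and will not catch before touching a live system, here is an added example (not code from the original post, and not fail2ban's own code) that runs the failregex over a few constructed Asterisk 1.8 log lines and tallies hits per source IP the way fail2ban does.  The <HOST> expansion is a simplified stand-in for fail2ban's real substitution (an assumption; IPv4 only), and every log line is made up for the demonstration.  It also shows one caveat worth knowing: the '.?' in the regex only matches an empty or one-character caller name, so a rejected call logged with a longer name in that field (Asterisk fills it with the peer name for authenticated callers) is ignored.  A broader '[^']*' variant is included for comparison.

```python
"""Exercise the INVITE-rejection failregex from the post against constructed
Asterisk 1.8 log lines.  Added example: not code from the original post or
from fail2ban.  The <HOST> expansion is a simplified stand-in (assumption),
and every log line below is constructed, not captured from a real system."""
import re
from collections import Counter

# The regex exactly as given in the post, with fail2ban's <HOST> placeholder.
FAILREGEX_POST = r"NOTICE.* .*: Call from '.?' \(<HOST>:.*\) to extension '.*' rejected"

# Broader variant: '[^']*' accepts any caller name, not only an empty or
# one-character one.  This is the example's own suggestion, not the post's.
FAILREGEX_ANYNAME = r"NOTICE.* .*: Call from '[^']*' \(<HOST>:.*\) to extension '[^']*' rejected"

# Simplified stand-in for what fail2ban substitutes for <HOST> (assumption:
# IPv4 only is enough here; fail2ban's real pattern is more permissive).
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def failing_hosts(log_lines, failregex=FAILREGEX_POST):
    """Count matching lines per source IP, as fail2ban tallies failures."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_lines:
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(log_lines, maxretry=5, failregex=FAILREGEX_POST):
    """IPs that reach fail2ban's maxretry within the sample (findtime ignored)."""
    return sorted(ip for ip, n in failing_hosts(log_lines, failregex).items() if n >= maxretry)


def _invite_rejected(ts, name, ip, exten):
    # Shape of the Asterisk 1.8 chan_sip NOTICE the post's regex targets.
    return ("[Dec  4 %s] NOTICE[2143] chan_sip.c: Call from '%s' (%s:5060) "
            "to extension '%s' rejected because extension not found in context 'default'."
            % (ts, name, ip, exten))


# Constructed sample log (documentation IP ranges, not real hosts).
SAMPLE_LOG = (
    # A scanner (203.0.113.45) walking international prefixes as a guest: six rejections.
    [_invite_rejected("09:12:%02d" % s, "", "203.0.113.45", "9011%d" % (44123456700 + s))
     for s in range(6)]
    # Someone on 198.51.100.7 misdialling twice: under maxretry, must not be banned.
    + [_invite_rejected("09:13:01", "", "198.51.100.7", "1001"),
       _invite_rejected("09:13:09", "", "198.51.100.7", "1002")]
    # Five rejections carrying a non-empty caller name: the post's '.?' ignores these.
    + [_invite_rejected("09:14:%02d" % s, "sipphone", "192.0.2.99", "90%d" % s)
       for s in range(5)]
    # Lines the INVITE regex must leave alone (other rules, or no rule at all).
    + ["[Dec  4 09:15:00] NOTICE[2143] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>'"
       " failed for '203.0.113.45:5060' - Wrong password",
       "[Dec  4 09:15:03] NOTICE[2143] chan_sip.c: Peer '201' is now Reachable. (12ms / 2000ms)"]
)

if __name__ == "__main__":
    print("post regex:", dict(failing_hosts(SAMPLE_LOG)))
    print("any-name:  ", dict(failing_hosts(SAMPLE_LOG, FAILREGEX_ANYNAME)))
    print("ban (post):", hosts_to_ban(SAMPLE_LOG))
    print("ban (any): ", hosts_to_ban(SAMPLE_LOG, failregex=FAILREGEX_ANYNAME))
```

Running it shows the scanner banned and the two-misdial host left alone under either regex, while the named-caller lines are only counted by the broader variant.  Which behaviour you want is a real trade-off: the post's '.?' effectively limits bans to unauthenticated (guest) callers, whereas '[^']*' will also ban the address of one of your own registered phones if it keeps dialling extensions that do not exist.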

I have to admit, I have only just done this and I have so far only done a small amount of testing using SIPp.  So there could be cases it doesn't catch Invites and it may block valid Invites sometimes.  I will continue to test and update this post as I find more things out.

In general you should always be keeping an eye on what is happening to your Asterisk installations (or any SIP system for that matter, this isn't limited to Asterisk); fail2ban only reacts to what is already in the logs.  My next plan is to write a monitoring tool in Python that'll keep an eye on logs and activity for unusual things going on.