Blocking SIP hacking

ip-communications

#6

I’d be happy if I could just get Fail2ban working. When an attack comes, it’s from the same IP address trying to register a SIP over and over. Here are my settings:

Global Settings
Enable Fail2Ban: Checked
Banned Duration: 86400 seconds
Max Retry Duration: 1200 seconds
Max Retry: 1
Fail2ban Whitelist: 127.1.1.1/8

Local Settings
Asterisk Service: Checked
Listening port number: 5060
Max Retry: 1

Dynamic Defense is turned off.

I’ve got the Alerts turned on for Fail2Ban Blocking and Register SIP failed. I can see the events for the Register SIP failed, but Fail2ban never kicks in and nothing shows up in the blacklist. Seems I’m missing something and perhaps it’s simple, such as the UCM set for switch instead of dual or something like that.


#7

Firmware?


#8

There is a firmware in which fail2ban didn’t work right, I’d update firmware. Unless you are already at 1.0.15.16.


#9

I’m at 1.0.13.2

Will update the firmware and see what happens.


#10

Updated to the latest firmware, 1.0.15.16, and Fail2Ban started working shortly thereafter. :-) I must say the new GUI look threw me for a loop. Still having trouble finding everything, but I’m sure I’ll get used to it.

Now that Fail2ban is working, I’ll watch things for a while and see but I think this will do it for me. I still have Dynamic Defense turned off and not sure if I need that, still learning…

From the System Events Alert Log:
2018-01-26 10:23:15
Fail2ban Blocking
Generate Alert
Fail2ban blocking event! Blocked IP address is: 104.222.97.24
2018-01-26 10:21:25
Fail2ban Blocking
Generate Alert
Fail2ban blocking event! Blocked IP address is: 185.22.153.79

And, thanks to you guys for the help!


#11

Fail2ban should be enough.

You’ll also notice it works for port 8089 as well if you turn it on.


#12

I’m behind a router so 8089 should be blocked, no?

I’m still considering using something besides 5060. I can set up a NAT rule to forward any incoming port to 5060 at the router so I would probably do it there. That way I don’t have to reconfigure the UCM. I’d have to redo my SIP apps since they go out away from the local network at times. Or maybe that won’t work, as these devices are also used inside the local network and wouldn’t be configured for 5060… Any suggestion on what port would be a good one to use?


#13

As soon as you say “change the port” then you can choose anything. Five random numbers where the total number is less than 65536 is a good start. 8)


#14

It’s a secret. whispering
“Security by obscurity”


#15

I suggest strongly against port translation. You would have to set the SIP “connect” headers to reflect the public port of your pseudo port so that the messaging will be translated to the 5060 port.

Further, port shifting is also hardly foolproof. Granted, having a known port such as 5060 makes it an easier target, but there is no guarantee that someone won’t find the new port and hammer it once again.

If possible, it would be far better to set up firewall rules that allow the desired IPs in and then drop the others. This way, there is no need to change any settings on the SIP aspect in any device, and the router takes on the load of deciding good guys and bad without the need for bogging down the UCM with Fail2Ban, etc.


#16

How would you know what the IP address is for a mobile device roaming in the wild? Seeing that all mobile devices are using some sort of dynamic addressing, it would defeat the purpose of using the gwave app.


#17

You can only anticipate what the range may be if using a cellular carrier as you can do a Google search to see what many use and then allow that range. Certainly not fool-proof, but I am guessing that most attacks don’t come across cellular data. On the other hand, when using a Wi-Fi at a remote location there is no way to know, but you can get around the issue with a VPN.

If a VPN is not possible, then it becomes a choice between the need and the risk as there is no way to discriminate between bad and good IPs on an open port if not known beforehand.


#18

I totally agree with you but it’s still difficult to really find all the ip ranges the cellular companies use. I do like the option of the vpn but it would be awesome if the gwave app had a built in vpn client that autoconfigures to the ucm pbx. It’s difficult for a mobile user to always be on vpn via cellular or wifi so it kind of defeats the purpose of having a mobile app for a pbx.


#19

I use Draytek routers and they have a VPN client app for Android (unsure about iOS) that allows me to generate a self-signed SSL certificate that works quite well.

Another make of PBX has their own client softphone and they developed their own tunnel and it takes both the SIP and RTP and encapsulates it into packets and it uses some of the readily available techniques to keep the tunnel alive and using a different port so that if 5060 is blocked, it does not matter. It too works quite well as you only have 3 things to do, 1) enable the tunnel. 2) which IP and 3) what port. This is more akin to the desire you have.


#20

Generally I keep my systems pretty locked down. But, I do have a couple without VPNs. So far, I have never been hacked using a random port above 50,000 with Fail2ban conservatively configured. 3 attempts in 300 seconds will ban someone for 24 hours.

I’ve seen a few people come and go, trying to hack in with standard UIDs and passwords. But, they get blocked and I generally never see them again.

Also, I always use minimum 16 character passwords.


#21

Will look into the Draytek solution you mentioned.

What softphone client does that? It sounds easy enough to configure and all my grandma has to do to use the app is launch it. Awesome.


#22

It is not just a client, but one that is custom to the PBX manufacturer. It will only function with their PBX.


#23

~Most hackers are trying 5060 probes. Changing it is more challenging. Try dropping all 5060 probes except from your specific carrier of the sip traffic.

~Your UCM GUI Access can easily be shut down with a 3 strikes you’re permanently blocked rule. (Set up another admin access for yourself OR password recovery for admin to save a drive.)

SystemSettings>SecuritySettings>STATIC DEFENSE>
row1> ACCEPT 5060 Rule Source IP of the VoIP SIP carrier xxx.xxx.xxx.xxx:5060
row2> DROP RULE Drop 5060 rule Source ANY IP:5060-5100 from all except valid carrier and remote phone ips


#24

Make sure you have the following settings on the unit. Also, make sure you are running the latest firmware. I also recommend that your UCM sits behind a firewall so the firewall can protect it. We have rules on our firewall to block all countries with the exception of the US as we don’t have customers that use phones outside the US and a majority of hacking comes from outside countries (Norway, Italy, Netherlands, etc):

Dynamic Defense:
Blacklist Update Interval: 120
Connection Threshold: 5
Dynamic Defense Whitelist: 127.0.0.1

Fail2Ban:
Banned Duration: 0
Max Retry Duration: 30
MaxRetry: 3
Fail2Ban Whitelist: 127.0.0.1/8 & add your local subnets as well (i.e. 192.168.0.1/24)

Local Settings under Fail2Ban:
Asterisk Service: Check ON
Listening Port Number: 5060
Maxretry: 5
Login attack defense: ON
MaxRetry: 3

We have tested, and with these settings and the latest firmware, this should stop all hacking. Also, make sure you whitelist your VoIP provider’s IPs so they don’t ever get put on the Fail2Ban list.

I am not sure if you have a firewall in front of your UCM but it’s highly advisable. It’s easy to change the mode of the unit if you need to install a firewall as well.
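The Fail2ban settings quoted in #6 and #24 (Max Retry, Max Retry Duration, Banned Duration, Whitelist) describe a sliding-window counter: failures from one source are counted inside the retry window, the ban fires when the count reaches Max Retry, and whitelisted networks are never counted. The script below is an added example written for this thread, not Grandstream's code, and it models that policy over a few constructed "Register SIP failed" lines so the two configurations can be compared side by side. Assumptions: the event line format is invented, a Banned Duration of 0 is treated as a permanent ban, and host-style whitelist entries such as 127.1.1.1/8 are masked to their network the way a lenient parser would.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (the format is an assumption; the UCM alert log
# wording is not reproduced here). Two public sources and one LAN phone.
SAMPLE_EVENTS = """\
2018-01-26 10:20:00 Register SIP failed 104.222.97.24
2018-01-26 10:20:05 Register SIP failed 104.222.97.24
2018-01-26 10:20:09 Register SIP failed 104.222.97.24
2018-01-26 10:20:12 Register SIP failed 104.222.97.24
2018-01-26 10:21:00 Register SIP failed 192.168.0.77
2018-01-26 10:21:10 Register SIP failed 192.168.0.77
2018-01-26 10:21:20 Register SIP failed 192.168.0.77
2018-01-26 10:30:00 Register SIP failed 185.22.153.79
2018-01-26 10:31:00 Register SIP failed 185.22.153.79
2018-01-26 10:32:00 Register SIP failed 185.22.153.79
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_events(text):
    """Yield (timestamp, source_ip) from the constructed event lines."""
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], TS_FORMAT)
        yield ts, parts[-1]


class Fail2BanPolicy:
    """Sliding-window retry counter modelled on the UCM Fail2ban settings.

    max_retry          -- failures inside the window that trigger a ban
    max_retry_duration -- window length in seconds
    banned_duration    -- ban length in seconds; 0 treated as permanent
                          (an assumption about what the GUI means by 0)
    whitelist          -- CIDR strings that are never counted or banned
    """

    def __init__(self, max_retry, max_retry_duration, banned_duration, whitelist):
        self.max_retry = max_retry
        self.window = timedelta(seconds=max_retry_duration)
        self.ban_len = timedelta(seconds=banned_duration) if banned_duration else None
        # strict=False masks host-style entries (127.1.1.1/8 -> 127.0.0.0/8)
        self.whitelist = [ipaddress.ip_network(c, strict=False) for c in whitelist]
        self.failures = defaultdict(deque)  # ip -> failure timestamps in window
        self.bans = {}                       # ip -> expiry datetime, or None

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def is_banned(self, ts, ip):
        if ip not in self.bans:
            return False
        expiry = self.bans[ip]
        if expiry is None or ts < expiry:
            return True
        del self.bans[ip]  # ban expired; the source starts from zero again
        return False

    def observe(self, ts, ip):
        """Feed one registration failure; return what the policy did with it."""
        if self.is_whitelisted(ip):
            return "whitelisted"
        if self.is_banned(ts, ip):
            return "already_banned"
        hits = self.failures[ip]
        while hits and ts - hits[0] > self.window:
            hits.popleft()  # drop failures that fell out of the retry window
        hits.append(ts)
        if len(hits) >= self.max_retry:
            self.bans[ip] = ts + self.ban_len if self.ban_len else None
            hits.clear()
            return "banned"
        return "counted"


def run_policy(events_text, policy):
    """Return (ip, timestamp) pairs at which the policy issued a ban."""
    issued = []
    for ts, ip in parse_events(events_text):
        if policy.observe(ts, ip) == "banned":
            issued.append((ip, ts.strftime(TS_FORMAT)))
    return issued


if __name__ == "__main__":
    # Settings quoted in #24: 3 failures within 30 s, permanent ban, LAN whitelisted
    tight = Fail2BanPolicy(3, 30, 0, ["127.0.0.1/8", "192.168.0.1/24"])
    print("#24 settings:", run_policy(SAMPLE_EVENTS, tight))
    # Settings quoted in #6: ban on the first failure within 1200 s, for a day
    loose = Fail2BanPolicy(1, 1200, 86400, ["127.1.1.1/8"])
    print("#6 settings: ", run_policy(SAMPLE_EVENTS, loose))
```

With the #24 settings only 104.222.97.24 is banned (three failures inside 30 s), the LAN phone is skipped by the whitelist, and 185.22.153.79 never trips the counter because its failures are a minute apart. With the #6 settings every first failure bans immediately, including the LAN phone, since 127.1.1.1/8 only covers loopback; that shows the original configuration was aggressive enough and the lack of bans there came from the firmware, as the thread concluded.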


#25

Good firewall rules are the prevention. Good fail2ban rules are the cure. In other words, if you stop them from getting in with a firewall rule, that’s good. If you don’t stop them, they can still connect and get some information before they get banned by fail2ban. Patient zombie bot nets will come back from other IPs or at later dates and try again, so ideally you would stop them with firewall rules first.

And if you don’t need public access, for the sake of all that is precious, DISABLE IT. (Don’t forget to disable port 8089 too!)