
SIP2Ban is a Perl script that protects Asterisk and OpenSIPS against SIP attackers: it scans the server log for failed authentications, counts them per source address, and adds an iptables DROP rule for every address that reaches a configurable number of failures.
How to install and run (Asterisk):
Download the files to your server
# git clone https://github.com/chanon-m/sip2ban.github.io.git
Copy sip2ban.pl to /etc
# cp ./sip2ban.github.io/sip2ban.pl /etc
Make the file executable
# chmod 755 /etc/sip2ban.pl
Create a crontab job on your server (root's crontab: the script calls /sbin/iptables and rewrites /etc/sysconfig/iptables)
If you want sip2ban.pl to run every 5 minutes and ban an address after 5 failed attempts, use:
# crontab -e
*/5 * * * * /etc/sip2ban.pl 5 >> /var/log/sip2ban.log 2>&1
The threshold argument is required: without it the script only prints its usage and exits. A trailing & is not needed under cron. Two things to check before enabling the job: the script expects the RHEL 5-style chain name RH-Firewall-1-INPUT in /etc/sysconfig/iptables (confirm with iptables -nL and adjust the chain name if your ruleset uses INPUT), and it counts failures over the whole of /var/log/asterisk/full on every run and never removes a rule, so rotate that log and expect bans to stay until you delete them by hand.
Code (sip2ban.pl). Compared with the published version this adds the File::Copy import it was missing, takes the address from the text that follows "failed for" instead of a fixed field index that depends on the exact Asterisk log format, checks every candidate address against the saved ruleset before decrementing anything, and calls iptables with a list-form system() so that log-derived text never passes through a shell:

```perl
#!/usr/bin/perl -w
use strict;
use File::Copy;   # provides copy(); the original called move() without importing it

if ($#ARGV != 0 || $ARGV[0] !~ /^\d+$/) {
    print "usage: sip2ban.pl failedtimes\n";
    print "ex: sip2ban.pl 5\n";
    exit;
}

# initial variables
my $logfile  = '/var/log/asterisk/full';
my $rules    = '/etc/sysconfig/iptables';   # RHEL/CentOS ruleset in iptables-save format
my $chain    = 'RH-Firewall-1-INPUT';       # chain name of the RHEL 5 default ruleset
my $datetime = localtime;
my $count    = $ARGV[0];
my $key      = 'failed for';
my @ip;

# read the Asterisk log file and collect the peer address of every failed
# registration, e.g. "... failed for '203.0.113.5:5060' - Wrong password"
open(my $fh, '<', $logfile) or die "Could not open file '$logfile' $!";
while (my $row = <$fh>) {
    chomp $row;
    next if index($row, $key) == -1;
    # take the address after the LAST "failed for": the From header that Asterisk
    # prints earlier on the same line is attacker-controlled and may repeat those words
    my @found = ($row =~ /\Q$key\E '?(\d{1,3}(?:\.\d{1,3}){3})/g);
    push @ip, $found[-1] if @found;   # only a dotted quad ever reaches the iptables command
}
close $fh;

# an address that failed at least $count times is blacklisted
my %seen;
$seen{$_}++ foreach @ip;
my @blockedip = grep { $seen{$_} >= $count } keys %seen;
exit if !@blockedip;

# skip addresses that already have a DROP rule in the saved ruleset
open($fh, '<', $rules) or die "Could not open file '$rules' $!";
my @lines = <$fh>;
close $fh;
my @newip;
foreach my $ip (@blockedip) {
    my $str = "-A $chain -s $ip -j DROP";
    push @newip, $ip unless grep { /\Q$str\E/ } @lines;
}
exit if !@newip;

# back up the iptables configuration file (copy, not move: the original must
# survive if the write further down fails)
copy($rules, "$rules.old") or die "Could not back up '$rules' $!";

# apply the new rules live, inserted at position 2, right after "-i lo -j ACCEPT"
my $newiptables = '';
foreach my $ip (@newip) {
    my $returncode = system('/sbin/iptables', '-I', $chain, '2', '-s', $ip, '-j', 'DROP');
    if ($returncode != 0) {
        print "$datetime Could not add $ip in iptables rule!\n";
    } else {
        print "$datetime Blocked IP Address : $ip\n";
        $newiptables .= "-A $chain -s $ip -j DROP\n";   # persist only what was applied
    }
}

# save the new rules so they survive "service iptables restart"
open($fh, '>', $rules) or die "Could not open file '$rules' $!";
foreach my $line (@lines) {
    my $search = "-A $chain -i lo -j ACCEPT";
    print $fh $line;
    print $fh $newiptables if $line =~ /\Q$search\E/;
}
close $fh;
```

For OpenSIPS, copy sip2ban_opensips.pl to /etc
# cp ./sip2ban.github.io/sip2ban_opensips.pl /etc
Make the file executable
# chmod 755 /etc/sip2ban_opensips.pl
Then add the following to opensips.cfg so that failed authentications are logged together with the source address ($si) of the request:
Unauthorized REGISTER attacks

Original opensips.cfg:

```
if (is_method("REGISTER")) {
    if (!save("location"))
        sl_reply_error();
    exit;
}
```

As written this stores any REGISTER without checking credentials. Replace it with the following, which authenticates against the subscriber table and logs each failed credential check with the source address:

```
if (is_method("REGISTER")) {
    $var(auth_code) = www_authorize("", "subscriber");
    if ($var(auth_code) == -1 || $var(auth_code) == -2) {
        xlog("L_NOTICE","Auth_error for $fU@$fd from $si cause $var(auth_code)");
    }
    if ($var(auth_code) < 0) {
        www_challenge("", "0");
        exit;
    }
    if (!save("location"))
        sl_reply_error();
    exit;
}
```

In the OpenSIPS auth_db module www_authorize() returns -1 for an unknown user and -2 for a wrong password, and only those two outcomes are logged as Auth_error. Every client's first REGISTER carries no credentials and returns a different negative code, so it is challenged with a 401 by www_challenge() but not counted as an attack. Keep that distinction if you change the logging, otherwise legitimate phones accumulate "failures" every time they re-register.
Calls without registration (relay attacks)

Attackers also send INVITEs without ever registering, with a spoofed local From, to make the proxy relay calls for them. Original opensips.cfg:

```
if ( !(is_method("REGISTER")) ) {
    if (from_uri==myself) {
    } else {
        # if caller is not local, then called number must be local
        if (!uri==myself) {
            send_reply("403","Relay forbidden");
            exit;
        }
    }
}
```

In your opensips.cfg, replace it with:

```
if ( !(is_method("REGISTER")) ) {
    if (from_uri==myself) {
        if (!proxy_authorize("", "subscriber")) {
            xlog("L_NOTICE","Auth_error for $fU@$fd from $si cause Proxy authentication required");
            proxy_challenge("", "0");
            exit;
        }
        if (!db_check_from()) {
            xlog("L_NOTICE","Auth_error for $fU@$fd from $si cause Forbidden auth ID");
            sl_send_reply("403", "Forbidden auth ID");
            exit;
        }
        consume_credentials();
    } else {
        # if caller is not local, then called number must be local
        if (!uri==myself) {
            xlog("L_NOTICE","Auth_error for $fU@$fd from $si cause Relay forbidden");
            send_reply("403","Relay forbidden");
            exit;
        }
    }
}
```

A caller that claims a local From must now authenticate (proxy_authorize), the authenticated account must match the From (db_check_from, which stops a valid account from placing calls under another user's identity), and the credentials are stripped before the request is forwarded (consume_credentials). Non-local callers may still only reach local destinations. Note that, unlike the REGISTER branch, this logs every failed proxy_authorize(), including the first credential-less INVITE of a legitimate call; if that inflates the counts your cron script sees, test the return code of proxy_authorize() as the REGISTER branch does and log only -1 and -2.
Create a crontab job on your server
If you want sip2ban_opensips.pl to run every 5 minutes, use:

```shell
# crontab -e
*/5 * * * * /etc/sip2ban_opensips.pl >> /var/log/sip2ban_opensips.log 2>&1
```

Run the script once by hand first: if, like sip2ban.pl, it expects the failed-attempts threshold as its argument, add it to the crontab line (for example /etc/sip2ban_opensips.pl 5). A trailing & is not needed under cron.
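As an added example, not part of SIP2Ban or the author's code, the following Python script shows the detection logic that sip2ban.pl implements in Perl, run over constructed sample lines of both log formats this page relies on: the Asterisk "failed for" lines and the Auth_error lines that the opensips.cfg additions above write with xlog. It goes beyond the page in two ways: it takes the last "failed for" address on a line, because the From header that Asterisk prints earlier on the same line is attacker-controlled and can be used to get someone else's address banned, and it validates the extracted text as an IPv4 address and builds the iptables command as an argument list rather than a shell string. The chain name RH-Firewall-1-INPUT is taken from sip2ban.pl; the addresses, log lines and ruleset excerpt are constructed, and the script only prints the commands it would run.

```python
# Added example (not SIP2Ban's own code): detection logic for both log formats
# the page relies on, plus the idempotency check sip2ban.pl performs against the
# saved iptables ruleset. Addresses, log lines and ruleset are constructed.
import ipaddress
import re
from collections import Counter

# Asterisk full log: "... failed for '203.0.113.5:5060' - Wrong password"
ASTERISK_RE = re.compile(r"failed for '?(\d{1,3}(?:\.\d{1,3}){3})")
# OpenSIPS syslog line written by xlog("Auth_error for $fU@$fd from $si cause ...")
OPENSIPS_RE = re.compile(r"Auth_error for \S+ from (\d{1,3}(?:\.\d{1,3}){3}) cause (.+)$")

CHAIN = "RH-Firewall-1-INPUT"  # chain name assumed by sip2ban.pl (RHEL 5 default ruleset)

# Constructed sample lines. The last Asterisk line is a log-injection attempt: the
# attacker put "failed for '192.0.2.1:5060" in its From display name, which Asterisk
# prints verbatim, hoping to get 192.0.2.1 banned instead of its own 203.0.113.9.
ASTERISK_LOG = """\
[2015-03-03 10:12:13] NOTICE[2345] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[2015-03-03 10:12:14] NOTICE[2345] chan_sip.c: Registration from '"1002" <sip:1002@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[2015-03-03 10:12:15] NOTICE[2345] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[2015-03-03 10:12:16] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2015-03-03 10:12:17] NOTICE[2345] chan_sip.c: Peer '1001' is now Reachable. (12ms / 2000ms)
[2015-03-03 10:12:18] NOTICE[2345] chan_sip.c: Registration from '"failed for '192.0.2.1:5060" <sip:x@192.0.2.10>' failed for '203.0.113.9:5060' - Wrong password
"""
OPENSIPS_LOG = """\
Mar  3 10:12:13 pbx opensips[1234]: Auth_error for 1001@sip.example.com from 203.0.113.5 cause -2
Mar  3 10:12:14 pbx opensips[1234]: Auth_error for 1001@sip.example.com from 198.51.100.7 cause Proxy authentication required
Mar  3 10:12:15 pbx opensips[1234]: Auth_error for 1001@sip.example.com from 198.51.100.7 cause Forbidden auth ID
"""
# Constructed excerpt of /etc/sysconfig/iptables; 198.51.100.7 is already banned.
IPTABLES_SAVE = f"""\
*filter
:INPUT ACCEPT [0:0]
:{CHAIN} - [0:0]
-A INPUT -j {CHAIN}
-A {CHAIN} -i lo -j ACCEPT
-A {CHAIN} -s 198.51.100.7 -j DROP
-A {CHAIN} -p udp -m udp --dport 5060 -j ACCEPT
-A {CHAIN} -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def valid_ipv4(text):
    """Return the normalised address, or None if text is not a real IPv4 address."""
    try:
        return str(ipaddress.IPv4Address(text))
    except ValueError:
        return None


def count_failures(asterisk_log, opensips_log):
    """Failed-auth count per source address across both log formats."""
    hits = Counter()
    for line in asterisk_log.splitlines():
        found = ASTERISK_RE.findall(line)
        # the real peer address is the LAST match; anything before it came from the From header
        ip = valid_ipv4(found[-1]) if found else None
        if ip:
            hits[ip] += 1
    for line in opensips_log.splitlines():
        m = OPENSIPS_RE.search(line)
        ip = valid_ipv4(m.group(1)) if m else None
        if ip:
            hits[ip] += 1
    return hits


def already_dropped(rules_text, chain):
    """Addresses that already have a DROP rule in the saved ruleset (iptables-save format)."""
    rule = re.compile(rf"^-A {re.escape(chain)} -s (\S+) -j DROP$")
    dropped = set()
    for line in rules_text.splitlines():
        m = rule.match(line)
        if m:
            dropped.add(m.group(1).split("/")[0])  # tolerate a /32 suffix
    return dropped


def plan_bans(hits, threshold, existing):
    """Addresses at or over the threshold that are not banned yet, in a stable order."""
    return sorted(ip for ip, n in hits.items() if n >= threshold and ip not in existing)


def iptables_argv(chain, ip):
    """argv for the live insert at position 2 (just after the loopback ACCEPT).
    A list, not a shell string, so log-derived text is never parsed by a shell."""
    return ["/sbin/iptables", "-I", chain, "2", "-s", ip, "-j", "DROP"]


def splice_rules(rules_text, chain, ips):
    """Persist the new DROP rules right after the '-i lo -j ACCEPT' line, as sip2ban.pl does."""
    out = []
    for line in rules_text.splitlines():
        out.append(line)
        if line == f"-A {chain} -i lo -j ACCEPT":
            out.extend(f"-A {chain} -s {ip} -j DROP" for ip in ips)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = count_failures(ASTERISK_LOG, OPENSIPS_LOG)
    todo = plan_bans(hits, 3, already_dropped(IPTABLES_SAVE, CHAIN))
    for ip in todo:  # dry run: print instead of subprocess.run(iptables_argv(CHAIN, ip), check=True)
        print(" ".join(iptables_argv(CHAIN, ip)))
    print(splice_rules(IPTABLES_SAVE, CHAIN, todo))
```

With a threshold of 3, 203.0.113.5 (three Asterisk failures plus one OpenSIPS failure) is the only new ban: 198.51.100.7 also reaches three but is already in the ruleset, 203.0.113.9 has one, and the injected 192.0.2.1 never appears in the counts because only the last "failed for" address on the line is taken.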
TIP: set QoS on CentOS
Add the following rules to the mangle table in /etc/sysconfig/iptables so that outbound SIP signalling is marked CS3 and outbound RTP audio EF. Make sure the switches on the path do not strip or rewrite the DSCP value, and that the RTP port range matches rtpstart/rtpend in your rtp.conf (the af41 class listed for video is not applied by these rules):

```
# Setting DSCP
# tos_sip=cs3, tos_audio=ef, tos_video=af41
*mangle
-A OUTPUT -p udp -m udp --sport 5060 -j DSCP --set-dscp-class cs3
-A OUTPUT -p udp -m udp --dport 5060 -j DSCP --set-dscp-class cs3
-A OUTPUT -p udp -m udp --sport 10000:30000 -j DSCP --set-dscp-class ef
COMMIT
```

Restart and monitor (the packet and byte counters in the -v listing show whether each rule is actually matching traffic):

```shell
# service iptables restart
# iptables -t mangle -nvL
```
Source: sip2ban, https://github.com/chanon-m/sip2ban.github.io
Author: Chanon Mingsuwan. Bug reports and feature requests can be sent to chanonm@live.com