
How to secure SIP Servers with Fail2Ban in CentOS 7?


Introduction

This article gives an overview of securing SIP servers such as Asterisk and FreeSWITCH.

Description

In this article, we assume that one of the SIP servers above has already been deployed and configured, and that what remains is adding a security layer that protects the server against the most common attacks, such as SSH DoS attacks and SIP authentication failures.

Methodology

Following is the step by step guide for securing your SIP Server.

Step # 1

Change the SSH port from the default 22 to some other port, because the default port is the easiest way for attackers to overwhelm the server with login attempts.
Edit the sshd_config file:
$ sudo vi /etc/ssh/sshd_config

Change the Port from 22 to something else, for example 2221:
Port 2221

Then save and close sshd_config and restart the SSH service. On CentOS 7 with SELinux enforcing, the new port must also be labelled as an SSH port (semanage port, type ssh_port_t) before sshd can bind to it, and the firewall rule in Step 3 must allow it; keep your current session open until a login on the new port succeeds.
$ sudo service sshd restart
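As an added example (my code, not the post's), the following script performs Step 1 with the checks the post does not spell out: it edits an sshd_config-style file in place (handling the stock commented "#Port 22" line and keeping the directive out of any Match block), reads the effective port back, and, in apply_ssh_port, labels the port for SELinux and syntax-checks sshd before restarting it. It assumes a CentOS 7 host with SELinux enforcing; the file and port arguments are the caller's, and the helper names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. set_ssh_port and get_ssh_port
# work on any file in sshd_config syntax; apply_ssh_port touches the live host
# and is therefore not invoked here (root only).

# set_ssh_port FILE PORT: set a single Port directive in FILE. Replaces the
# first existing Port line (commented or not), drops later ones, and never
# appends below a "Match" block, where sshd rejects the directive.
set_ssh_port() {
  file="$1"; port="$2"
  case "$port" in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "port out of range: $port" >&2; return 1
  fi
  tmp="$file.tmp.$$"
  awk -v p="$port" '
    /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ { if (!done) { print "Port " p; done = 1 }; next }
    /^[ \t]*Match[ \t]/ && !done     { print "Port " p; done = 1 }
    { print }
    END { if (!done) print "Port " p }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_ssh_port FILE: print the port sshd would use (first active Port, default 22).
get_ssh_port() {
  awk '$1 == "Port" && !found { print $2; found = 1 } END { if (!found) print 22 }' "$1"
}

# apply_ssh_port PORT: host-side steps on CentOS 7 (root only). Keep the
# current session open until a login on the new port succeeds.
apply_ssh_port() {
  port="$1"
  set_ssh_port /etc/ssh/sshd_config "$port" || return 1
  # SELinux only lets sshd bind ports labelled ssh_port_t; without this the
  # restart fails and the old port is already gone from the config.
  semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
    || semanage port -m -t ssh_port_t -p tcp "$port" || return 1
  sshd -t || return 1            # refuse to restart on a broken config
  systemctl restart sshd
}
# usage: apply_ssh_port 2221
```

The awk pass is what makes the edit safe to repeat: running it twice leaves exactly one Port line, and a config that already has a Match section gets the directive inserted above it instead of at the end of the file.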

Step # 2

Install the iptables service and stop the firewalld service:
$ sudo systemctl stop firewalld
$ sudo systemctl mask firewalld
$ sudo yum install iptables-services
$ sudo systemctl enable iptables
$ sudo service iptables start

Step # 3

Create the iptables rules for the SIP server:
# Generic Rules
$ sudo iptables -P INPUT ACCEPT
$ sudo iptables -F
$ sudo iptables -A INPUT -i lo -j ACCEPT
$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -P FORWARD DROP
$ sudo iptables -P OUTPUT ACCEPT
# Rules for SSH login
$ sudo iptables -A INPUT -p tcp --dport 2221 -j ACCEPT
# Block ICMP Responses
$ sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# Rules for Apache/Nginx
$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Rules for SIP Ports
$ sudo iptables -A INPUT -p tcp --dport 5060 -j ACCEPT
$ sudo iptables -A INPUT -p udp --dport 5060 -j ACCEPT
$ sudo iptables -A INPUT -p udp --dport 10000:40000 -j ACCEPT
# Rules for WebRTC
$ sudo iptables -A INPUT -p tcp --dport 5066 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 7443 -j ACCEPT
# Rules for Freeswitch CLI
$ sudo iptables -A INPUT -p tcp --dport 8021 -j ACCEPT
# Rules for Asterisk Manager Interface
$ sudo iptables -A INPUT -p tcp --dport 5038 -j ACCEPT
# Rules for SIP Scanners
$ sudo iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
$ sudo iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
$ sudo iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm
# Drop else
$ sudo iptables -P INPUT DROP
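As an added example (my code, not the post's commands), the ruleset from Step 3 rendered in iptables-restore(8) format. Loading a file with iptables-restore is atomic, so there is no window where INPUT is half built, and the same file is what the iptables service reads from /etc/sysconfig/iptables at boot. It assumes CentOS 7 with iptables-services as in the post; SSH_PORT defaults to the post's 2221, and the optional MGMT_CIDR argument is my addition: it restricts the FreeSWITCH ESL (8021) and Asterisk AMI (5038) ports to a management network, since the post's rules leave both reachable from anywhere. The scanner User-Agent strings are the ones the post drops.

```shell
#!/bin/sh
# Added example, not the post's own commands. gen_sip_ruleset prints the
# ruleset; install_sip_ruleset validates, persists and loads it (root only).

# gen_sip_ruleset [SSH_PORT] [MGMT_CIDR]: print the ruleset to stdout.
gen_sip_ruleset() {
  ssh_port="${1:-2221}"
  mgmt="${2:-}"
  src=""
  [ -n "$mgmt" ] && src="-s $mgmt "
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# "--state" is required here; without it iptables rejects the rule
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# scanner drops must precede the SIP ACCEPT rules (the post uses -I for this)
EOF
  for ua in VaxSIPUserAgent friendly-scanner sipcli; do
    printf -- '-A INPUT -p udp --dport 5060 -m string --string "%s" --algo bm -j DROP\n' "$ua"
  done
  cat <<EOF
-A INPUT -p tcp --dport $ssh_port -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 5060 -j ACCEPT
-A INPUT -p udp --dport 5060 -j ACCEPT
-A INPUT -p udp --dport 10000:40000 -j ACCEPT
-A INPUT -p tcp --dport 5066 -j ACCEPT
-A INPUT -p tcp --dport 7443 -j ACCEPT
# management-only ports: restricted to MGMT_CIDR when one is given
-A INPUT ${src}-p tcp --dport 8021 -j ACCEPT
-A INPUT ${src}-p tcp --dport 5038 -j ACCEPT
COMMIT
EOF
}

# install_sip_ruleset [SSH_PORT] [MGMT_CIDR]: parse-check, persist, load (root only).
install_sip_ruleset() {
  gen_sip_ruleset "$@" > /etc/sysconfig/iptables.new || return 1
  iptables-restore --test < /etc/sysconfig/iptables.new || return 1   # parse only
  mv /etc/sysconfig/iptables.new /etc/sysconfig/iptables
  iptables-restore < /etc/sysconfig/iptables
}
# usage: install_sip_ruleset 2221 10.0.0.0/24
```

Because the file sets the INPUT policy to DROP in its header, the order of the body lines is the order the kernel evaluates them; the generator keeps the string-match drops above the SIP accepts for that reason.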

Step # 4

Save the rules so they persist across reboots (both commands write the same file, /etc/sysconfig/iptables):
$ sudo service iptables save
$ sudo iptables-save > /etc/sysconfig/iptables

The iptables service reloads the saved rules automatically at boot; to reload them by hand, run:
$ sudo iptables-restore < /etc/sysconfig/iptables
$ sudo service iptables save

Step # 5

Install and configure Fail2ban with the following commands:
$ sudo yum install -y fail2ban whois

Fail2ban's configuration is installed under /etc/fail2ban.

To configure fail2ban, edit the jail.conf file (note that jail.conf is replaced on package updates; the same settings can instead go into a jail.local override, which fail2ban reads after jail.conf):
$ sudo vi /etc/fail2ban/jail.conf

You need to configure the following parameters:
...
# Make sure the paths in the file referenced below (included by jail.conf) are accurate
before = paths-fedora.conf
...
# "bantime" is the number of seconds that a host is banned.
bantime  = 600
# A host is banned if it has generated "maxretry" failures during the last "findtime" seconds.
findtime  = 600
# "maxretry" is the number of failures before a host gets banned.
maxretry = 5
...
# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = xyz@example.com
# Sender email address used solely for some actions
sender = fail2ban@example.com
...
# ban & send an e-mail with whois report to the destemail.
action = %(action_mw)s

Now save and close the jail.conf file.

Step # 6

Now we are going to enable jails for the different services.
Edit the same jail.conf file:
$ sudo vi /etc/fail2ban/jail.conf

You can enable a jail by adding enabled = true under its section:
...
[sshd]
enabled = true
# the real SSH port from Step 1: the ban rule is built from this value, so "ssh" (22) would leave 2221 unprotected
port    = 2221
logpath = %(sshd_log)s
...
[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action sends a notification e-mail with a whois request
# in the body.
enabled = true
port    = 2221
logpath = %(sshd_log)s
...
[asterisk]
port     = 5060,5061
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath  = /var/log/asterisk/messages
maxretry = 10
...
# make sure that you have enabled the log-auth-failures parameter in sofia.conf.xml
[freeswitch]
enabled  = true
port     = 5060,5061
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath  = /usr/local/freeswitch/log/freeswitch.log
maxretry = 10

Now save and close the jail.conf file.
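As an added example (my code, not the post's configuration), the settings from Steps 5 and 6 written out as a jail.local override rather than edits to jail.conf, which the fail2ban package replaces on upgrade; fail2ban reads jail.conf first and then jail.local, so the override wins and survives updates. It assumes the post's SSH port 2221, the log paths the post shows for FreeSWITCH and Asterisk, and the post's placeholder e-mail addresses unless overridden; jail_enabled is a small INI reader I added to check the result, and the helper names are mine.

```shell
#!/bin/sh
# Added example, not the post's own file. gen_jail_local prints the override,
# jail_enabled checks it, install_jail_local applies it on the host (root only).

# gen_jail_local [freeswitch|asterisk] [SSH_PORT] [DEST_EMAIL]: print jail.local.
gen_jail_local() {
  sip="${1:-freeswitch}"; ssh_port="${2:-2221}"; dest="${3:-xyz@example.com}"
  case "$sip" in
    freeswitch) logpath=/usr/local/freeswitch/log/freeswitch.log ;;
    asterisk)   logpath=/var/log/asterisk/messages ;;
    *) echo "unsupported SIP server: $sip" >&2; return 1 ;;
  esac
  cat <<EOF
# Local override; jail.conf stays untouched so package updates cannot revert it.
[DEFAULT]
bantime   = 600
findtime  = 600
maxretry  = 5
destemail = $dest
sender    = fail2ban@example.com
action    = %(action_mw)s

# port must be the real SSH port: the iptables ban rule is built from it,
# so the service name "ssh" (22) would leave the moved port unprotected.
[sshd]
enabled = true
port    = $ssh_port

[sshd-ddos]
enabled = true
port    = $ssh_port

[$sip]
enabled  = true
port     = 5060,5061
logpath  = $logpath
maxretry = 10
EOF
}

# jail_enabled FILE JAIL: exit 0 if JAIL's section in FILE has "enabled = true".
jail_enabled() {
  awk -v j="[$2]" '
    $0 == j                 { in_j = 1; next }
    /^\[/                   { in_j = 0 }
    in_j && $1 == "enabled" { v = $NF }
    END { if (v == "true") exit 0; exit 1 }' "$1"
}

# install_jail_local [args as for gen_jail_local]: write, parse-check, reload (root only).
install_jail_local() {
  gen_jail_local "$@" > /etc/fail2ban/jail.local || return 1
  fail2ban-client -d > /dev/null || return 1   # dumps the merged config; fails on errors
  systemctl restart fail2ban
}
# usage: install_jail_local freeswitch 2221 ops@example.com
```

Only the values that differ from the packaged defaults are written; the action and logpath definitions for sshd that jail.conf already carries are inherited unchanged.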

Step # 7

Start and verify the fail2ban service:
$ sudo service fail2ban start
Redirecting to /bin/systemctl start  fail2ban.service
$ sudo fail2ban-client status
Status
|- Number of Jail: 13
`- Jail list:   apache-auth, apache-badbots, apache-botsearch, apache-fakegooglebot, apache-modsecurity, apache-nohome, apache-noscript, apache-overflows, apache-shellshock, freeswitch, php-url-fopen, sshd, sshd-ddos
$ sudo fail2ban-client status freeswitch
Status for the jail: freeswitch
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 11
|  `- File list:    /usr/local/freeswitch/log/freeswitch.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:  
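As an added example (my code, not from the post), a parser for the "fail2ban-client status <jail>" output shown above, so a cron job or monitoring check can raise an alert when a jail's ban count climbs; on a SIP server that is usually the first sign of a registration brute-force campaign. SAMPLE_STATUS is a constructed sample in the same format using documentation-range addresses; check_jail is the live variant and the helper names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. All functions below work on the
# text of a fail2ban-client status report; only check_jail runs the real client.

# Constructed sample in the format Step 7 shows (not real output).
SAMPLE_STATUS='Status for the jail: freeswitch
|- Filter
|  |- Currently failed: 3
|  |- Total failed: 11
|  `- File list:    /usr/local/freeswitch/log/freeswitch.log
`- Actions
   |- Currently banned: 2
   |- Total banned: 5
   `- Banned IP list:  192.0.2.10 198.51.100.7'

# status_value FIELD TEXT: print the value after "FIELD:" in TEXT, stripping
# the tree-drawing prefix ("|  |- ", "   `- ") that fail2ban puts on each line.
status_value() {
  printf '%s\n' "$2" | awk -F': *' -v f="$1" '
    { sub(/^[| `-]+/, "") }
    $1 == f { print $2; exit }'
}
banned_count() { status_value "Currently banned" "$1"; }
failed_count() { status_value "Currently failed" "$1"; }
banned_ips()   { status_value "Banned IP list"   "$1"; }

# ban_alert TEXT THRESHOLD: succeed (alert) when currently banned > THRESHOLD.
ban_alert() {
  n=$(banned_count "$1")
  [ "${n:-0}" -gt "$2" ]
}

# check_jail JAIL THRESHOLD: live check (root only); prints the banned
# addresses when the threshold is exceeded. Exit 0 = alert, 1 = quiet,
# 2 = could not query fail2ban.
check_jail() {
  out=$(fail2ban-client status "$1") || return 2
  if ban_alert "$out" "$2"; then
    echo "ALERT jail $1: $(banned_count "$out") banned: $(banned_ips "$out")"
    return 0
  fi
  return 1
}
# usage: check_jail freeswitch 10
```

The awk splits each line on the first colon after removing the prefix, so the same function reads numeric fields and the space-separated IP list alike, and an empty "Banned IP list:" yields an empty string rather than an error.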

Now your SIP server is ready for legitimate production traffic.
