How to secure SIP Servers with Fail2Ban in Centos 7?
Introduction
This article is to give an overview of securing SIP Servers i.e. Asterisk, FreeSwitch etc.
Description
In this article, we are assuming that any of the above SIP Servers has been deployed and configured; and we left with adding a security layer to protect our server with most common attacks i.e. SSH DOS attacks, SIP Authentication failures etc.Methodology
Following is the step by step guide for securing your SIP Server.Step # 1
Change SSH port from default 22 to some other port because this is the most easiest way to overwhelm the server.Edit sshd_config file file:
$ sudo vi /etc/ssh/sshd_config |
Change the Port from 22 to something else like 2221 etc
Port 2221 |
Then close and save the sshd_config file and restart SSH service.
$ sudo service sshd restart |
Step # 2
Install iptables service and stop firewalld service:$ sudo systemctl stop firewalld$ sudo systemctl mask firewalld$ sudo yum install iptables-services$ sudo systemctl enable iptables$ sudo service iptables start |
Step # 3
Create IP Table rules for the SIP Server:# Generic Rules$ sudo iptables -P INPUT ACCEPT$ sudo iptables -F$ sudo iptables -A INPUT -i lo -j ACCEPT$ sudo iptables -A INPUT -m state ESTABLISHED,RELATED -j ACCEPT $ sudo iptables -P FORWARD DROP $ sudo iptables -P OUTPUT ACCEPT # Rules for SSH login$ sudo iptables -A INPUT -p tcp --dport 2221 -j ACCEPT# Block ICMP Responses$ sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP# Rules for Apache/Nginx$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT# Rules for SIP Ports$ sudo iptables -A INPUT -p tcp --dport 5060 -j ACCEPT$ sudo iptables -A INPUT -p udp --dport 5060 -j ACCEPT$ sudo iptables -A INPUT -p udp --dport 10000:40000 -j ACCEPT# Rules for WebRTC$ sudo iptables -A INPUT -p tcp --dport 5066 -j ACCEPT$ sudo iptables -A INPUT -p tcp --dport 7443 -j ACCEPT # Rules for Freeswitch CLI$ sudo iptables -A INPUT -p tcp --dport 8021 -j ACCEPT# Rules for Asterisk Manager Interface$ sudo iptables -A INPUT -p tcp --dport 5038 -j ACCEPT# Rules for SIP Scanners$ sudo iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm$ sudo iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm$ sudo iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm # Drop else$ sudo iptables -P INPUT DROP |
Step # 4
Save and preserve iptables rules:$ sudo service iptables save$ sudo iptables-save > /etc/sysconfig/iptables |
Now you can restore all rules again after reboot:
$ sudo iptables-restore < /etc/sysconfig/iptables$ sudo service iptables save |
Step # 5
Install and Configure Fail2ban with following commands:$ sudo yum install -y fail2ban whois |
The fail2ban will be installed at /etc/fail2ban path.
In order to configure fail2ban, edit jail.conf file:
$ sudo vi /etc/fail2ban/jail.conf |
You need to configure following parameters
...# Make sure paths are accurate in below file mentioned in jail.conf filebefore = paths-fedora.conf...# "bantime" is the number of seconds that a host is banned.bantime = 600# A host is banned if it has generated "maxretry" during the last "findtime" seconds.findtime = 600# "maxretry" is the number of failures before a host get banned.maxretry = 5...# Destination email address used solely for the interpolations in# jail.{conf,local,d/*} configuration files.destemail = xyz@example.com# Sender email address used solely for some actionssender = fail2ban@example.com...# ban & send an e-mail with whois report to the destemail.action = %(action_mw)s |
Step # 6
Now we are going to enable different jails on the services:Edit same jail.conf file:
$ sudo vi /etc/fail2ban/jail.conf |
You can enable jails by adding enabled = true under jail config
...[sshd]enabled = trueport = sshlogpath = %(sshd_log)s...[sshd-ddos]# This jail corresponds to the standard configuration in Fail2ban.# The mail-whois action send a notification e-mail with a whois request# in the body.enabled = trueport = sshlogpath = %(sshd_log)s....[asterisk]port = 5060,5061action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]logpath = /var/log/asterisk/messagesmaxretry = 10....# make sure than you have enabled log-auth-failures paramerter in sofia.conf.xml file[freeswitch]enabled = trueport = 5060,5061action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]logpath = /usr/local/freeswitch/log/freeswitch.logmaxretry = 10 |
Now close and save jail.conf file.
Step # 7
Start and Verify fail2ban Service$ sudo service fail2ban startRedirecting to /bin/systemctl start fail2ban.service $ sudo fail2ban-client statusStatus |- Number of Jail: 13 `- Jail list: apache-auth, apache-badbots, apache-botsearch, apache-fakegooglebot, apache-modsecurity, apache-nohome, apache-noscript, apache-overflows, apache-shellshock, freeswitch, php-url-fopen, sshd, sshd-ddos$ sudo fail2ban-client status freeswitchStatus for the jail: freeswitch|- Filter| |- Currently failed: 1| |- Total failed: 11| `- File list: /usr/local/freeswitch/log/freeswitch.log`- Actions |- Currently banned: 0 |- Total banned: 0 `- Banned IP list: |
Now your SIP Server is ready for legitimate Production Traffic.
This comment has been removed by the author.
ReplyDeleteBad argument `ESTABLISHED,RELATED'
ReplyDeleteTry `iptables -h' or 'iptables --help' for more information.
Bad argument `ESTABLISHED,RELATED'
ReplyDeleteREPLACED:
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT