
My FreePBX / Asterisk configuration was recently forced into allowing both anonymous inbound calls and SIP guests. So of course we're now getting blasted with spam/hack attempts.

They show up in the log as:

[2020-05-02 11:09:53] WARNING[30801]: res_pjsip_registrar.c:1051 registrar_on_rx_request: Endpoint 'anonymous' has no configured AORs

And we get dozens per second.

Can I make a configuration change to essentially block each of these by some mechanism that just makes the caller wait some huge time (like an hour), then hangs up? I think that would tie up the spammers' resources, and slow the bandwidth they're drawing by orders of magnitude.

So first, is this possible? How do you do it securely?

Second, are there serious downsides to this? E.g., slowing down any configuration reload by an order of magnitude or some such.

Any related thoughts or advice?

JimB

1 Answer


I would add in some iptables.

I would start by looking at sip show channels and/or using tcpdump and some direct Asterisk console commands:

tcpdump -i eth0 port sip -l -A | egrep -i 'INVITE sip'
tcpdump -i eth0 port sip -l -A | egrep -i 'User-Agent'

# tcpdump -i ens3 port sip -l -A | egrep -i 'INVITE sip'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
15:58:28.377294 IP ns542407.ip-144-217-77.net.7112 > 10.0.0.11.sip: SIP: INVITE sip:+10390237920793@107.179.205.23:5060 SIP/2.0
...........INVITE sip:+10390237920793@107.179.205.23:5060 SIP/2.0

asterisk -rx "sip show channels"
Peer             User/ANR         Call ID          Format           Hold     Last Message    Expiry     Peer
13.78.236.138    7780             1317157998-1339  (nothing)        No       Rx: INVITE                 <guest>
144.217.77.27    8888942908       00lFxPc9nsGj22f  (nothing)        No       Rx: ACK                    <guest>

If your requests are INVITE or REGISTER like in my example, you can slow them down with iptables manually, or learn how to add this at boot depending on your version of Linux. (Microsoft: I have no idea.)

# INVITE: drop once a source has sent 12 INVITEs within 60 seconds, otherwise record the request.
# The --update rules need an explicit -j DROP target; without it they match but take no action.
iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIPINV --rsource -j DROP
iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --set --name VOIPINV --rsource
# REGISTER: same pattern, tracked in a separate recent list.
iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIP --rsource -j DROP
iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --set --name VOIP --rsource

You can play with different variables (seconds/hitcount/string). I find this effective together with fail2ban in slowing them down. Not to mention that blocking, with ipset, ranges of countries from which this phone system would not have people connecting helps a lot.

  • Thanks for the answer! So are these iptables entries blocking SIP INVITE and REGISTER calls if more than 12 happen in a 60 second window from a single source IP address? – JimB Jun 14 '20 at 21:35
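As an added example (not part of the answer above), the same rate-limit idea installed in a dedicated chain with an explicit DROP target and an allow-list, so a busy legitimate trunk that sends more than 12 INVITEs a minute is never throttled. The trunk address in TRUSTED_TRUNKS is a placeholder, and setting IPTABLES=echo turns the run into a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example: rate-limit inbound SIP INVITE/REGISTER per source address in
# its own chain, with a DROP target and an allow-list for known providers.
IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-SIP_RATELIMIT}"
TRUSTED_TRUNKS="${TRUSTED_TRUNKS:-203.0.113.10}"   # placeholder, not a real trunk
SIP_PORT="${SIP_PORT:-5060}"
WINDOW="${WINDOW:-60}"      # seconds
HITCOUNT="${HITCOUNT:-12}"  # requests per source per window before dropping

# method_rules METHOD LISTNAME: two rules for one SIP method.
# --update matches (and drops) only once the source already has HITCOUNT
# entries inside WINDOW; --set then records each request that got through,
# so a request is never counted twice.
method_rules() {
    "$IPTABLES" -A "$CHAIN" -p udp --dport "$SIP_PORT" \
        -m string --string "$1 sip:" --algo bm --to 65535 \
        -m recent --update --seconds "$WINDOW" --hitcount "$HITCOUNT" \
        --rttl --name "$2" --rsource -j DROP
    "$IPTABLES" -A "$CHAIN" -p udp --dport "$SIP_PORT" \
        -m string --string "$1 sip:" --algo bm --to 65535 \
        -m recent --set --name "$2" --rsource
}

apply_sip_ratelimit() {
    # create the chain, or flush it if it already exists
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || "$IPTABLES" -F "$CHAIN"
    for trunk in $TRUSTED_TRUNKS; do        # never throttle known providers
        "$IPTABLES" -A "$CHAIN" -s "$trunk" -j RETURN
    done
    method_rules INVITE VOIPINV
    method_rules REGISTER VOIP
    # hand all inbound SIP to the chain, adding the jump only once
    "$IPTABLES" -C INPUT -p udp --dport "$SIP_PORT" -j "$CHAIN" 2>/dev/null ||
        "$IPTABLES" -I INPUT -p udp --dport "$SIP_PORT" -j "$CHAIN"
}

# Apply only when asked for explicitly: SIP_RATELIMIT_APPLY=1 sh sip-ratelimit.sh
if [ "${SIP_RATELIMIT_APPLY:-0}" = 1 ]; then
    apply_sip_ratelimit
fi
```

Reload the firewall after testing the thresholds against the trunk's real call volume; the hit count applies per source address, so the allow-list is what keeps a high-volume provider from being dropped.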