[kwlug-disc] Blocking SIP registrations

L.D. Paniak ldpaniak at fourpisolutions.com
Tue Jan 13 18:03:52 EST 2015


Generally, an Asterisk server only needs to accept SIP connections from
a very limited number of external sites:  your VoIP provider(s) and any
external users.

The best solution is to firewall the system.  *Drop* all inbound traffic
and only allow the IP addresses of sites that need access on 5060/UDP
(typically - if you have exceptions you probably already know them).
TCP ports are usually not used for SIP and only serve as an invitation
to attackers.  If unsure, block everything and then add exceptions until
the complaints stop.

Leaving a SIP server un-firewalled on the Internet is highly
un-recommendable.  In addition to SIP attacks, most SIP distributions
ship with web interfaces with rather imperfect attention to security. 
These need to be firewalled as well.

Ideally, a SIP server should not appear in a TCP port scan.  If remote
access is required, a UDP VPN solution like OpenVPN works well. 

On 01/13/2015 05:08 PM, Paul Nijjar wrote:
> So Herman (who is currently off kwlug-disc but might rejoin) is
> wondering how to keep people from hammering his Asterisk server with
> attempted SIP registrations. He tried fail2ban but found it was not
> working for him. He asked me about a product called SecAst
> (http://www.generationd.com/?target=secast) but being an Asterisk
> newbie I had never heard of it. 
>
> Questions for Asterisk people: 
>
> 0. How do you secure your server against attempts to brute force SIP
> connections?
>
> 1. Have you heard of this product? Do you have opinions?
>
> 2. Are there other tools Herman should try? Ways to tune fail2ban so
> that it works?
>
> - Paul
>
>
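
The firewall policy described in the message above (drop all inbound traffic, allow 5060/UDP only from known sources), as an added example that is not part of the original post. It emits an iptables-restore ruleset; the function names, the loopback and established-connection rules, and the placeholder addresses (documentation ranges) are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): default-drop inbound policy with
# a 5060/UDP allowlist, emitted in iptables-restore format.
# No management or media ports are opened; add site-specific exceptions.

# is_ipv4_cidr ADDR: succeed if ADDR is dotted-quad IPv4 with optional /0-32.
is_ipv4_cidr() {
    addr=${1%%/*}
    case $1 in */*) len=${1#*/} ;; *) len=32 ;; esac
    case $len in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case $addr in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split on dots; addr holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# sip_ruleset SRC...: print the ruleset, or print nothing and fail if any
# source is malformed (hostnames are rejected so rules never depend on DNS).
sip_ruleset() {
    for src in "$@"; do
        is_ipv4_cidr "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for src in "$@"; do
        echo "-A INPUT -s $src -p udp --dport 5060 -j ACCEPT"
    done
    echo "COMMIT"
}

# Constructed sample: one provider address and one remote-user network.
# Review the output, then load it with: sip_ruleset ... | iptables-restore
sip_ruleset 192.0.2.10 198.51.100.0/24
```

Load the ruleset from a console session, since the default-drop policy also cuts off remote administration that has not been given its own exception.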

