Posted on Tuesday, 19th October 2010 by Michael
What is SIPBAN:
SIPBAN is an addon for the advance policy firewall written by “R-FX Networks (http://www.rfxn.com)”. This addon is will search your asterisk logs for failed registration attempts from unknown networks and ban the IP address. This helps thwart SIP secret guessing and other SIP based attacks.
How to configure and use the script:
Configuration of the script is done by variables. The most important variables are gIP1 and gIP2. These variables are where you can define friendly networks not to ban. For example your work network is 192.168.2.x. So gIP1 would look like this gIP1=192.168.2. You could do just 192.168 but that leaves a lot of room for IP spoofing even though that is a RFC 1918 IP. You can use gIP2 for your home network or a remote office. To add more friendly networks just add more gIP variables in the variable section and edit line 15 of the script by adding an addition “ | grep –v “$gIP#” to the line right after the last one. Repeat this as much as you need to.
Once you made those changes save the script and change the permission of the script using chmod so it now executable.
Before you execute the script make sure you have “APF” installed and configured to your requirements. To configure APF for use in a PBX in environment leave egress filtering to “0” as in disabled and set ingress filtering to TCP 22, 80 and UDP 5060_6000 and 10000_20000. Once that is done make sure that APF is still in development mode . This insures that if you ban yourself or if you did not set the ports right you will be able to get back in after 5 minutes. Finally start APF by issuing the command apf –s.
Now that APF is running run a test of SIPBAN. To do this run the command ./sipban.sh. Nothing will show on the screen. Once it returns back to a command line you can view the log at /var/tmp/sipban.log. If everything looks successful then you can edit the APF config to take it out of development mode and restart APF.
At this point you are ready to schedule SIPBAN via the cron to run on whatever cycle you want. Since it is parsing a large log file I would do a minimum of 1 hour depending on how much ram your PBX has.
0 * * * * /root/sipban.sh
Where to get SIPBAN:
To get a copy of SIPBAN click the following link http://www.digitaloffensive.com/files/sipban.sh
If you have any questions or comments please feel free to contact us.