I tried implementing it alongside the FreePBX Firewall but it doesn’t work. It does when the FreePBX firewall is disabled.
I believe these rules need to be added to some other jail than INPUT.
I don’t think that is what is being asked, and chan_sip and chan_pjsip are not actually that different, except that FreePBX prioritises IP over username, whereas chan_sip always prioritises user over IP.
I don’t think the OP is actually interested in source identifiers, but rather the request URI, presumably because attackers don’t bother doing a reverse lookup when constructing their requests. As this is registrations, they may be talking about the address of record in the To header.
I’m not sure, but, if this is about AORs, I have a feeling that chan_pjsip permits AORs to contain both user and domain, whereas I think chan_sip only ever matches on the user part.
Maybe the OP can clarify the request type and which part of the request they are interested in.
I’m assuming that /ucp was supposed to mean /UDP. However, UDP doesn’t convey domain names, so any domain name presence check can only be done on the application level (SIP) data.
david55 is correct. most hackers do their approach using IP address and don’t bother to do a reverse lookup.
If I could block requests that have an IP address in the URL, and only allow requests that have a domain name in the URL, that should eliminate hackers that approach with an IP address in the URL.
By chance has anyone done this with the FreePBX firewall?
You can put a ‘reverse proxy’ in front of your services that enforces ‘strict SNI’. The proxy answers all connections and can drop IP based connections but forwards proper TLS traffic to the right service. (Personally I use HAProxy, I guess you could call it a ‘firewall’ of sorts )
It sounds like what is needed is to make real service a virtual host and have the fallback, for no Host: header, be an error. How you do that within the FreePBX framework, I’ll leave to others.
-A INPUT -m string --algo bm --string "my.domain.com" -j ACCEPT
An example but keep in mind, you need to account for the other firewall rules too so you need to adjust accordingly to jump into the right chain for the existing firewall rule or whatever other rules you want.
The HTTP requests may well not be sent with a Host header, so the IP address may not exist as a string in requests.
The original form of an HTTP request was something like:
GET /ucp HTTP/1.0
and I think the current official way is:
GET /ucp HTTP/1.1
Host: your-domain-name
so something issuing basic HTTP requests will not actually be sending domain or IP address.
(It is possible to send the absolute URL on the request line, but that is normally only for proxies. The very original HTTP didn’t, I believe, have the third stanza on the request line.)
Given that it is 2023 , perhaps consider insisting on TLS for connections for security and customer trust.
HAProxy set with as many ‘front ends’ for either TCP or HTTP, as you need will efficiently drop IP based connections then check certificates by URL and ultimately redirect approved connections to any number of ‘back ends’ . This it can do much quicker and cheaper than iptables followed by cert checking per service.
Put such a system between the internet and your internal services and have ‘front ends’ for UCP, provisioning, admin, webrtc , sips and anything else.
http traffic is rewriten to https, so custoners can type ‘u.r.l’ or ‘http://u.r.l’’ or ‘https://u.r.l’ and modern browsers will show green and not complain.
Now we find that
‘ucp.my.url’ goes to your UCP docroot
‘my.url/ucp’ can go to the same docroot
‘mysecreturl.com’ can go to your admin docroot (as could 'my.url/admin)
‘mumbojumbo.live’ goes to your provisioning docroot.
All phone stuff is filtered to only pass url based connections through to the asterisk TLS transport.
All certifications are centralized and cron updated automatically (I use acme.sh and a compliant name service over DNS01 so no effing with apache or firewall needed), your web server can remain http only, no rewriting necessary.
keep an eye on your access and error logs of your web server and your fail2ban and asterisk logs as always.
Thats a good thought. I was worried about RTP not having the FQDN in it. I didn’t know if it did or not, now I know.
What about modifying the advanced firewall parameters to only lock down the FQDN requirement for a certain port where the known traffic does indeed use FQDN. See below I added in port 1220 to your original example. Is this a valid entry?
-A INPUT -m string --algo bm --string “my.domain.com:1220” -j ACCEPT
-A INPUT -m string --algo bm --string “111.222.333.444:1220” -j DENY
I believe it should look like this (not sure which jail to put it to when using FreePBX Firewall):
-A INPUT -p tcp --dport 1220 -m string --string “my.domain.com” --algo bm -j ACCEPT
-A INPUT -p tcp --dport 1220 -m string --string “111.222.333.444” --algo bm -j DROP
I suggest that you are tilting at a windmill that is not the only windmill to concern yourself with ( there are lots of them ). Think about getting a newer lance and a wider visor
I fought this battle for years as we all seem to be doing here, going my suggested way goes towards new pragma running over old dogma, Pretty well 99.99% of all SIP penetration problems will be rooted at UDP:5060, and many of them originate by previous probes to IP based ‘drive-by’s’ ( not necessarily originally to VOIP as has been suggested here, the bad guys are so far cleverer than us) , so as the answer to “every-time I do that it hurts” is just “Then don’t do that !”