Integrating apiban.org with FreePBX


#21

I don’t have a good strategy for TLS but believe that a good one is possible and would very much like to discuss it.

HTTPS for admin GUI and UCP is no problem; all modern browsers support SNI.

HTTPS for provisioning is an issue for some older devices without SNI. I believe that using HTTP with encrypted content is an adequate workaround; nearly all devices made in the last 15 years support it.

SIP over TLS is the big issue. I’d like to find a survey of IP phones, ATAs, softphones and SIP apps detailing which TLS features are supported. Requiring a client cert signed by the org is best, as that also defends against targeted attacks. SNI would be next best, but I suspect that most devices that don’t support the client cert don’t support SNI either.

Any ideas in this area would be most welcome.


(Lorne Gaetz) #22

Day 4 - More of the same. There seems to be about 1 case a day where a single IP gets thru the blacklist and attempts to do something it shouldn’t. Actual brute force attempts are stopped by fail2ban, the anonymous calls just seem to stop on their own after a few min of getting nowhere.

IP rules set is now at 500


#23

Would have to comment that there are probably more than 500 ip’s in the world involved in trying to get to UDP/5060.

This blacklist seems to be adding about two /32 networks per hour, It might take a while to catch up.


#24

This will also be an ongoing problem because this blacklist is incremental and supplemental , so duplicate blocks will further bog iptables down and there is no mechanism to sanitize the chain

2020/08/23 02:10:22 Blocking 185.180.231.199/32
2020/08/25 15:20:01 Blocking 185.180.231.199/32

(That address has also long been in VOIPBL, but only once :wink: )


#25

OK, take two

If you listen on UDP/5060 there will be lots of hits and you can add blacklists and chains and all sorts of stuff to filter that crap out, be that a 500 record blacklist or a 100000 blacklist. (I will let you choose the likely effective one, you can of course use more than one but use ipset over iptables at your peril)

If you only listen on TLS/5061 with a domain name that returns your ip address with “dig x domain.name” any ‘hits’ will mean that you are the subject of a second level directed attack. (there is nothing to stop you using TLS/50619 if you want to)

As @sorvani suggested using a domain name WITHOUT any reverse DNS records kinda makes you really quite robust but the certs used might have to be self-generated.


(Lorne Gaetz) closed #26

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.