Restrict SIP registrations to devices in the local network

Hello,

I noticed that I occasionally get remote SIP registration attempts. While fail2ban picks up these attempts and bans them, I would like to be able to take a more stringent approach by preventing any SIP registration requests from hitting my server unless they are coming from a phone on the local network. I do not have any remote handsets, so this approach should stop hacking attempts coming via established trunks.

Any suggestions, pointers, or pitfalls in doing this?

Thanks

EDIT: I cannot use the firewall module as I am running Raspbx.

Try just not listening on port 5060; choose a less guessed one between 1024 and 64000 odd and have your phones use that one instead.

@dicko, thanks for the suggestion - will certainly give it a go.

Also, if you have a firewall in front of the RasPI, you can restrict access to port 5060 (or the new port you are using) on the external firewall. The only people that should be accessing your port 5060 from outside the local network are any remote users you have (who should arguably be using a VPN) and your ITSP. If you only have your ITSP accessing port 5060 from the outside, restrict 5060 for everyone, but let your ITSP in.

Hi Dave, I did have port 5060 locked down on my firewall and allowed only the VoIP providers access through it. Despite this I have seen a few, not many, SIP registration requests coming through, which would only be possible if they were somehow using the VoIP provider's connection to get through? I guess, if one has an active VoIP provider account, then using a PC one could make a SIP registration request to my server which will be wrapped in a SIP 5060 packet coming from the VoIP provider??? Just a thought… would like to know your views on this.

What I ended up doing was to set the fail2ban timeout very long (months), the retry limit to 1, and get fail2ban to ignore local IPs. Although fail2ban does not provide proactive defence, this seems to be working well for the time being.
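Added example, not part of any post in this thread: one way to check which source addresses the failed registrations actually arrive from, which bears on the question above about attempts appearing to come through the provider. It assumes chan_sip's `Registration from '...' failed for '...'` NOTICE line; the LAN range, ITSP address and sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed values: replace with your own LAN range and your ITSP's signalling addresses.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
ITSP_NETS = [ipaddress.ip_network("198.51.100.10/32")]

# chan_sip failure line: Registration from '<from-uri>' failed for '<ip>[:<port>]' - <reason>
FAILED_REG = re.compile(
    r"Registration from '(?P<from_uri>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)

def classify(ip_text):
    """Return 'local', 'itsp' or 'external' for a packet source address."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in LOCAL_NETS):
        return "local"
    if any(ip in net for net in ITSP_NETS):
        return "itsp"
    return "external"

def summarize(lines):
    """Count failed REGISTERs per (source class, source IP)."""
    counts = Counter()
    for line in lines:
        m = FAILED_REG.search(line)
        if m:  # successful registrations and unrelated lines are skipped
            counts[(classify(m.group("ip")), m.group("ip"))] += 1
    return counts

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
[2020-01-05 10:01:02] NOTICE[1201] chan_sip.c: Registration from '"100" <sip:100@192.168.1.5>' failed for '203.0.113.77:5071' - Wrong password
[2020-01-05 10:01:09] NOTICE[1201] chan_sip.c: Registration from '"admin" <sip:admin@192.168.1.5>' failed for '203.0.113.77:5071' - No matching peer found
[2020-01-05 10:04:40] NOTICE[1201] chan_sip.c: Registration from '"101" <sip:101@192.168.1.5>' failed for '192.168.1.23:5060' - Wrong password
[2020-01-05 10:09:13] NOTICE[1201] chan_sip.c: Registration from '"200" <sip:200@198.51.100.10>' failed for '198.51.100.10:5060' - No matching peer found
[2020-01-05 10:12:00] VERBOSE[1201] chan_sip.c: Registered SIP '100' at 192.168.1.23:5060
""".splitlines()

if __name__ == "__main__":
    for (kind, ip), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{kind:8} {ip:15} {n}")
```

Any row classed `external` means the packet reached Asterisk from an address the firewall rule was meant to block; a row classed `itsp` means it arrived from the provider's own address.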
