In this guide, I’ll show you how to secure your Asterisk and FreePBX setup by setting up an effective VoIP Blacklist using Geo-location filtering. Nowadays there are many brute-force attacks and VoIP fraud attempts targeting Asterisk, FreePBX and any other PBX system on the internet.
It is the task of every systems administrator to keep the success rate of such attempts as close to zero as possible. One way to secure Asterisk and FreePBX from such attempts is by using Fail2ban and VoIP Blacklist.
This will save you bandwidth and protect your business. To make our work easier, we will use VoIPBL, a distributed VoIP blacklist that aims to protect against VoIP fraud and to minimize abuse of networks that have publicly accessible PBXs.
This guide is part of building an enterprise open source VoIP system on Linux. If you don’t have Asterisk or FreePBX installed, check:
For Ubuntu and Debian: How to Install Asterisk 16 with FreePBX 14 on Ubuntu / Debian
How to Install Asterisk 16 LTS on CentOS 7 / Fedora
How does VoIPBL secure a PBX?
VoIPBL’s geolocation feature allows you to block all network traffic from countries that your network does not need to communicate with, or that are known originators of malicious activity. From their site, you can check if your IP address is on the blacklist.
How To install VoIPBL
VoIP Blacklist depends on Fail2ban to effect blacklisting on your PBX server. Ensure the fail2ban package is installed and the service is running. On CentOS / RHEL:
sudo yum install epel-release
sudo yum install fail2ban fail2ban-systemd
For Ubuntu and other Debian families, run:
sudo apt-get -y install fail2ban ufw
If you’re running CentOS 6 or any other RHEL 6 family, install iptables-services and fail2ban without fail2ban-systemd:
sudo yum install iptables-services fail2ban
Default settings for Fail2ban are configured in /etc/fail2ban/jail.conf.
A basic fail2ban configuration will have ssh monitoring. Let’s add this to the /etc/fail2ban/jail.local file.
$ sudo vim /etc/fail2ban/jail.local
Add the following content:
[postfix]
enabled = true
port = smtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 3
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
[vsftpd]
enabled = false
port = ftp
filter = vsftpd
logpath = /var/log/auth.log
maxretry = 5
[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3
Then start and enable fail2ban service:
sudo systemctl enable fail2ban.service
sudo systemctl start fail2ban.service
Download the voipbl.sh script and place it under /usr/local/bin/:
sudo wget http://www.voipbl.org/voipbl.sh -O /usr/local/bin/voipbl.sh
Make the script executable:
sudo chmod +x /usr/local/bin/voipbl.sh
The script above uses iptables. If your system supports ipset, you can use the following script instead:
#!/bin/bash
# Load the VoIP Blacklist into an ipset and drop traffic from listed sources.
URL="http://www.voipbl.org/update/"
set -e
echo "Downloading rules from VoIP Blacklist"
wget -q "$URL" -O /tmp/voipbl.txt
echo "Loading rules..."
# Check if the set exists and create it if required
if ! /usr/sbin/ipset list voipbl > /dev/null 2>&1; then
    ipset -N voipbl iphash
fi
# Check if the DROP rule is already in iptables
if ! /sbin/iptables -w --check INPUT -m set --match-set voipbl src -j DROP > /dev/null 2>&1; then
    /sbin/iptables -I INPUT 1 -m set --match-set voipbl src -j DROP
fi
# Create temporary set
ipset destroy voipbl_temp > /dev/null 2>&1 || true
ipset -N voipbl_temp iphash
# Add each entry directly, skipping blank lines and comments. Entries are passed
# to ipset as one quoted argument, never through a generated shell script.
while read -r entry _ || [ -n "$entry" ]; do
    case "$entry" in
        ''|'#'*) continue ;;
    esac
    /usr/sbin/ipset -A voipbl_temp "$entry" || true
done < /tmp/voipbl.txt
# Swap the freshly loaded set into place, then remove the temporary one
ipset swap voipbl_temp voipbl
ipset destroy voipbl_temp || true
echo "Done! Rules loaded"
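The ipset script above loads whatever the download returns, so it is worth validating entries before they reach the firewall. The following Python filter is an added example, not part of the original guide or the VoIPBL project; `MIN_PREFIX`, the `NEVER_BLOCK` ranges (including the placeholder SIP trunk range) and the sample input are assumptions made for illustration.

```python
import ipaddress

# Assumed local policy for this example; adjust to your own network.
MIN_PREFIX = 16  # refuse list entries broader than a /16
NEVER_BLOCK = {
    "10.0.0.0/8": "private range",
    "172.16.0.0/12": "private range",
    "192.168.0.0/16": "private range",
    "127.0.0.0/8": "loopback",
    "203.0.113.0/24": "own SIP trunk (placeholder)",
}

def filter_blacklist(lines, set_name="voipbl_temp"):
    """Return (restore_lines, rejected): 'add <set> <entry>' lines in the
    format read by `ipset restore`, and (token, reason) pairs for the rest."""
    protected = [(ipaddress.ip_network(n), why) for n, why in NEVER_BLOCK.items()]
    accepted, rejected, seen = [], [], set()
    for raw in lines:
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        token = fields[0]
        try:
            net = ipaddress.IPv4Network(token, strict=False)
        except ValueError:
            rejected.append((token, "not an IPv4 address or CIDR"))
            continue
        if net.prefixlen < MIN_PREFIX:
            rejected.append((token, "prefix too broad"))
            continue
        hit = next((why for p, why in protected if net.overlaps(p)), None)
        if hit:
            rejected.append((token, "overlaps " + hit))
            continue
        if net not in seen:  # drop exact duplicates
            seen.add(net)
            accepted.append("add %s %s" % (set_name, net))
    return accepted, rejected

# Constructed sample input (documentation addresses, not real blacklist data).
SAMPLE = ["# comment line", "198.51.100.7", "198.51.100.0/24", "0.0.0.0/0",
          "10.1.2.3", "203.0.113.50", "198.51.100.9;echo", "198.51.100.7"]

if __name__ == "__main__":
    ok, bad = filter_blacklist(SAMPLE)
    print("\n".join(ok))
    for token, reason in bad:
        print("rejected %r: %s" % (token, reason))
```

The accepted lines can be piped to `ipset restore` once the `voipbl_temp` set exists; rejected entries are worth logging, since a sudden run of them suggests the download was truncated or tampered with.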
Then add a new Fail2ban jail in /etc/fail2ban/jail.conf:
[asterisk-iptables]
action = iptables-allports[name=ASTERISK, protocol=all]
         voipbl[serial=XXXXXXXXXX]
Now define the VoIP Blacklist actions for Fail2ban on /etc/fail2ban/action.d/voipbl.conf.
sudo vim /etc/fail2ban/action.d/voipbl.conf
Add:
# Description: Configuration for Fail2Ban
[Definition]
actionban = <getcmd> "<url>/ban/?serial=<serial>&ip=<ip>&count=<failures>"
actionunban = <getcmd> "<url>/unban/?serial=<serial>&ip=<ip>&count=<failures>"
[Init]
getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 \
         --read-timeout=60 --retry-connrefused --output-document=- \
         --user-agent=Fail2Ban
url = http://www.voipbl.org
We can now create a cron job file to update the rules every 4 hours:
$ sudo vim /etc/cron.d/voipbl
# update blacklist every 4 hours
0 */4 * * * root /usr/local/bin/voipbl.sh
When done, restart the fail2ban daemon to get protected against VoIP fraud:
sudo systemctl restart fail2ban
You can also do advanced configurations like:
- Filter by Country
- Filter by Network
For further reading, check the Asterisk Security document by VOIP-info.