How to secure Asterisk and FreePBX from VoIP Fraud and Brute force attacks

In this guide, I’ll show you how to secure your Asterisk and FreePBX setup by setting up an
effective VoIP Blacklist using Geo-location filtering. Nowadays there are lots of brute force
attack and VoIP Fraud attempts targeting Asterisk, FreePBX and any other PBX system on
the internet. It is a task of any systems Administrator to ensure success rate for such attempts
is minimized – close to zero. One way to secure Asterisk and FreePBX from such attempts is
by using Fail2ban and VoIP Blacklist.

This will save you bandwidth and protect your business. To make our work easier, we will
use VoIPBL which is distributed VoIP blacklist that is aimed to protects against VoIP Fraud
and minimizing abuse of a network that has publicly accessible PBX’s.

This guide is a part of building an enterprise open source VOIP System on Linux. If you don’t
have Asterisk or FreePBX installed, check:
How VoIPBL secure?

VoIPBL Geolocation feature allows you to block all network traffic from countries that a
network does not need to communicate with, or that are known originators of malicious
activity. From their site, you can check if your IP address is on the blacklist.

How to install VoIPBL

VoIP Blacklist depends on Fail2ban to effect blacklisting on your PBX server. Ensure you
have a fail2ban package installed and service running:

sudo yum install epel-release

sudo yum install fail2ban fail2ban-systemd

For Ubuntu and other Debian families, run:

sudo apt-get -y install fail2ban ufw

If you’re running CentOS 6 or any other RHEL 6 family, install iptables-

services and fail2ban without fail2ban-systemd

sudo yum install iptables-services fail2ban

Default settings for Fail2ban are configured on. /etc/fail2ban/jail.conf

A basic fail2ban configuration will have ssh monitoring. Let’s add this to
/etc/fail2ban/jail.local file.
$ sudo vim /etc/fail2ban/jail.local

Add the following content:

[postfix]
enabled = true
port = smtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 3
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[vsftpd]
enabled = false
port = ftp
filter = vsftpd
logpath = /var/log/auth.log
maxretry = 5

[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3

Then start and enable fail2ban service

sudo systemctl enable fail2ban.service

sudo systemctl start fail2ban.service

Download voipbl.sh script and place it under /usr/local/bin/

Make the script executable:

chmod +x /usr/local/bin/voipbl.sh

The above uses iptables. If your system support ipset, you can use the following script
instead:

#!/bin/bash

URL="http://www.voipbl.org/update/"

set -e
echo "Downloading rules from VoIP Blacklist"
wget -qO - $URL -O /tmp/voipbl.txt

echo "Loading rules..."

# Check if rule set exists and create one if required
if ! $(/usr/sbin/ipset list voipbl > /dev/null 2>&1); then
ipset -N voipbl iphash
fi

#Check if rule in iptables

if ! $(/sbin/iptables -w --check INPUT -m set --match-set voipbl src -j
DROP > /dev/null 2>&1); then
/sbin/iptables -I INPUT 1 -m set --match-set voipbl src -j DROP
fi

# Create temporary chain

ipset destroy voipbl_temp > /dev/null 2>&1 || true
ipset -N voipbl_temp iphash

cat /tmp/voipbl.txt |\
awk '{ print "if [ ! -z \""$1"\" -a \""$1"\" != \"#\" ]; then
/usr/sbin/ipset -A voipbl_temp \""$1"\" ;fi;"}' | sh

ipset swap voipbl_temp voipbl

ipset destroy voipbl_temp || true

echo "Done! Rules loaded"

Then add a new Fail2ban Jail on /etc/fail2ban/jail.conf:

[asterisk-iptables]
action = iptables-allports[name=ASTERISK, protocol=all]
voipbl[serial=XXXXXXXXXX]

Now define the VoIP Blacklist actions for Fail2ban

on /etc/fail2ban/action.d/voipbl.conf.
sudo vim /etc/fail2ban/action.d/voipbl.conf

Add:
# Description: Configuration for Fail2Ban

[Definition]

actionban = <getcmd> "<url>/ban/?

serial=<serial>&ip=<ip>&count=<failures>"
actionunban = <getcmd> "<url>/unban/?
serial=<serial>&ip=<ip>&count=<failures>"

[Init]

getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 \

--read-timeout=60 --retry-connrefused --output-document=- \
--user-agent=Fail2Ban
url = http://www.voipbl.org

We can now create cron job file to update rules every 3 hours:

$ sudo vim /etc/cron.d/voipbl

# update blacklist each 4 hours

0 */4 * * * * root /usr/local/bin/voipbl.sh

When done, restart fail2ban daemon to get protected against VoIP Fraud:

sudo systemct restart fail2ban

You can also do advanced configurations like:

 Filter by Country
 Filter by Network

For further reading, check the Asterisk Security document by VOIP-info.