Install fail2ban and configure it for Asterisk,
and configure Asterisk for fail2ban.
Visit http://www.fail2ban.org/wiki/index.php/Asterisk for detailed instructions.
For Asterisk versions before 10.x you may apply a patch to chan_sip.c to report properly, or you may do the following:
Add this line to your rc.local or boot.local:
ngrep -D -W none -i '403 Forbidden..Via:' port 5060 | while read line; do echo "[`date +%Y-%m-%d' '%H:%M:%S`] $line" |egrep -h '403 Forbidden..Via:' | egrep -o '^.*From:' ; done >> /var/log/asterisk/messages &
ngrep is available from http://ngrep.sourceforge.net/
and add the following line to /etc/fail2ban/filter.d/asterisk.conf
SIP/2.0 403 Forbidden..Via:.*;received=<HOST>;rport=.*
It is crude, but it works using a minimal amount of resources.
The downside is that you have to restart it if you run logrotate.
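
To check offline that the line logged by the ngrep pipeline is matched by the filter line, and which address would be banned, here is an added example (not part of the original page or of the voipfraud.org scripts). The sample SIP payloads, the IPv4 stand-in for fail2ban's <HOST> tag and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the page): offline check that the line the ngrep
# pipeline logs is matched by the filter line, and which address gets banned.

# The filter line, with fail2ban's <HOST> tag expanded to an IPv4 capture group
# (simplification: the real <HOST> also accepts hostnames and IPv6).
FILTER_RE='SIP/2.0 403 Forbidden..Via:.*;received=([0-9]{1,3}(\.[0-9]{1,3}){3});rport=.*'

# Constructed payload lines in the assumed shape of "ngrep -W none" output, where
# CR/LF bytes print as '.'; all addresses are from documentation ranges.
REJECTED='SIP/2.0 403 Forbidden..Via: SIP/2.0/UDP 203.0.113.45:5071;branch=z9hG4bK-1;received=203.0.113.45;rport=5071..From: "100" <sip:100@192.0.2.10>;tag=a1..To: <sip:100@192.0.2.10>..'
ACCEPTED='SIP/2.0 200 OK..Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-2;received=198.51.100.7;rport=5060..From: "200" <sip:200@192.0.2.10>;tag=b2..'

# Same two egrep stages as the rc.local pipeline, for one line and a fixed
# timestamp (grep -E is the current spelling of egrep).
log_line() {  # $1 = timestamp, $2 = ngrep payload line
    printf '[%s] %s\n' "$1" "$2" | grep -E -h '403 Forbidden..Via:' | grep -E -o '^.*From:'
}

# Print the address the filter would hand to fail2ban, or nothing on no match.
extract_host() {  # $1 = log line
    printf '%s\n' "$1" | sed -n -E "s|.*${FILTER_RE}|\1|p"
}

# Exact-match stand-in for ignoreip (real ignoreip also takes CIDR and DNS names).
would_ban() {  # $1 = log line, $2 = space-separated ignore list
    host=$(extract_host "$1")
    [ -n "$host" ] || return 1
    for ip in $2; do
        if [ "$ip" = "$host" ]; then return 1; fi
    done
    return 0
}

line=$(log_line '2024-01-01 12:00:00' "$REJECTED")
echo "logged:  $line"
echo "host:    $(extract_host "$line")"
would_ban "$line" '127.0.0.1 192.0.2.10' && echo "result:  ban"
would_ban "$line" '203.0.113.45' || echo "result:  ignored (listed in ignoreip)"
```

On a live system, fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf runs the same check with fail2ban's own matcher.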

Edit /etc/fail2ban/jail.conf or /etc/fail2ban/jail.local and in section [asterisk-iptables]
add voipfraud
right below
action = iptables-allports[name=ASTERISK, protocol=all]

Download http://www.voipfraud.org/files/voipfraud.conf and put it in /etc/fail2ban/action.d/
You may use:
cd /etc/fail2ban/action.d/
wget http://www.voipfraud.org/files/voipfraud.conf
Edit the file: in the line actionban =, put your email address in place of your@email.address, and change report=1 to report=0 if you do not wish to receive notifications about IPs reported by your system.

Restart your fail2ban.
This will automatically report every IP banned by fail2ban to our database.
The variable report can be 1 or 0; it is used to send you an email report every time your system reports an IP and/or updates IPs.
Please make sure you exclude your IPs and your legit customers using ignoreip in the jail.conf/jail.local file.

Download http://www.voipfraud.org/files/voipfraud.sh and put it in /usr/local/sbin/,
or you may use:
cd /usr/local/sbin/
wget http://www.voipfraud.org/files/voipfraud.sh
As before, edit the voipfraud.sh file and make the following changes if needed:
ALL=0 #0 or 1; if set, the script will block source IP from all ports; UPORT and TPORT will not matter
UPORT=5060:5160 #UDP #sip port 5060 or port range 5060:5070 or multiport 5060,5038,80,443,25,80:90,8080...... up to 15 ports or ranges
TPORT=5038,8080:9080 #TCP ports only 5060 or port range 5060:5070 or multiport 5060,5038,80,443,25,80:90,8080...... up to 15 ports or ranges
#any changes made above require flushing iptables "iptables -F" and re-running this script
EMAIL=your@vaild.email #your email address
REPORT=1 #whether you wish to receive reports via email, good for testing

chmod 755 /usr/local/sbin/voipfraud.sh

Set up a cron job to run it daily:
55 11 * * * /usr/local/sbin/voipfraud.sh
or
55 * * * * /usr/local/sbin/voipfraud.sh
to run it hourly.

If you wish, you may save your iptables rules to survive a reboot, or just add /usr/local/sbin/voipfraud.sh to your /etc/rc.local or /etc/rc.d/boot.local, depending on your Linux flavor.


Copyright © 2024 VoipPlus