Install fail2ban and configure it for Asterisk, and configure Asterisk for fail2ban.
Visit http://www.fail2ban.org/wiki/index.php/Asterisk for detailed instructions.
For Asterisk versions before 10.x you may apply a patch to chan_sip.c to make it report properly, or you may do the following:
Add this line to your rc.local or boot.local:
ngrep -D -W none -i '403 Forbidden..Via:' port 5060 | while read line; do echo "[`date +%Y-%m-%d' '%H:%M:%S`] $line" |egrep -h '403 Forbidden..Via:' | egrep -o '^.*From:' ; done >> /var/log/asterisk/messages &
ngrep is available from http://ngrep.sourceforge.net/
Add the following line to /etc/fail2ban/filter.d/asterisk.conf:
SIP/2.0 403 Forbidden..Via:.*;received=<HOST>
It is crude, but it works using a minimal amount of resources.
The downside is that you have to restart it if you run logrotate.
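To check what this filter line will count before fail2ban starts banning on it, here is an added example (not part of the original instructions or of fail2ban itself). It assumes the filter line ends in fail2ban's <HOST> tag, stands in an IPv4-only pattern for fail2ban's real <HOST> expansion, and uses constructed log lines and a constructed ignoreip value.

```python
import ipaddress
import re

# Filter line from this page; <HOST> marks the address fail2ban captures (assumption).
FAILREGEX = r"SIP/2.0 403 Forbidden..Via:.*;received=<HOST>"
# Simplified stand-in for fail2ban's <HOST> expansion: IPv4 literals only.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))

# Constructed ignoreip value, in the space-separated form used in jail.conf/jail.local.
IGNOREIP = "127.0.0.1/8 192.0.2.0/24"

# Constructed lines in the shape the ngrep pipeline appends to the log
# (ngrep prints each CRLF as ".."). The 200 OK line is a negative case.
SAMPLE_LOG = """\
[2018-03-01 02:21:07] SIP/2.0 403 Forbidden..Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK-1a2b;received=198.51.100.23;rport=5081..From:
[2018-03-01 02:21:09] SIP/2.0 403 Forbidden..Via: SIP/2.0/UDP 192.0.2.44:5060;branch=z9hG4bK-3c4d;received=192.0.2.44;rport=5060..From:
[2018-03-01 02:21:11] SIP/2.0 200 OK..Via: SIP/2.0/UDP 203.0.113.9:5060;branch=z9hG4bK-5e6f;received=203.0.113.9..From:
[2018-03-01 02:21:12] SIP/2.0 403 Forbidden..Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK-7a8b;received=198.51.100.23;rport=5081..From:
"""

def parse_ignoreip(value):
    # strict=False accepts entries such as 127.0.0.1/8 that have host bits set.
    return [ipaddress.ip_network(item, strict=False) for item in value.split()]

def offenders(log_text, ignoreip=IGNOREIP):
    """Return {ip: hit count} for lines the filter would count as failures."""
    ignored = parse_ignoreip(ignoreip)
    hits = {}
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("host"))
        except ValueError:
            continue  # digits that do not form a valid address
        if any(ip in net for net in ignored):
            continue  # excluded, as ignoreip would exclude it
        hits[str(ip)] = hits.get(str(ip), 0) + 1
    return hits

if __name__ == "__main__":
    for ip, count in offenders(SAMPLE_LOG).items():
        print(ip, count)
```

The address counted is the received= value, which is the source the request actually came from, not the private address the client wrote into its Via header.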
Edit /etc/fail2ban/jail.conf or /etc/fail2ban/jail.local and in section [asterisk-iptables] set:
action = iptables-allports[name=ASTERISK, protocol=all]
Download http://www.voipfraud.org/files/voipfraud.conf and put it in /etc/fail2ban/action.d/
you may use
Edit the file: in the line beginning actionban =, put your email address in place of firstname.lastname@example.org, and change report=1 to report=0 if you do not wish to receive notifications about IPs reported by your system.
Restart your fail2ban.
This will automatically report every IP banned by fail2ban to our database.
The variable report can be 1 or 0; it controls whether you are sent an email report every time your system reports an IP and/or updates IPs.
Please make sure you exclude your IPs and your legit customers using ignoreip in jail.conf/jail.local file.
Download http://www.voipfraud.org/files/voipfraud.sh and put in /usr/local/sbin/.
or you may use
As before, edit the voipfraud.sh file and make the following changes if needed:
ALL=0 #0 or 1; if set, the script will block source IP from all ports; UPORT and TPORT will not matter
UPORT=5060:5160 #UDP #sip port 5060 or port range 5060:5070 or multiport 5060,5038,80,443,25,80:90,8080...... up to 15 ports or ranges
TPORT=5038,8080:9080 #TCP ports only 5060 or port range 5060:5070 or multiport 5060,5038,80,443,25,80:90,8080...... up to 15 ports or ranges
#any changes made above require flushing iptables "iptables -F" and re-running this script
EMAIL=email@example.com #your email address
REPORT=1 #whether you wish to receive reports via email, good for testing
chmod 755 /usr/local/sbin/voipfraud.sh
Set up a cron job to run it daily:
21 2 * * * /usr/local/sbin/voipfraud.sh
or use
18 * * * * /usr/local/sbin/voipfraud.sh
to run it hourly.
Copyright © 2018 VoipPlus