Argh, no wonder you all kept asking about this ruleset. I found one MAJOR error, but I am still not getting the results I want. The major error is that you should not be blocking dst but the src
Either way, in pseudo-code, here is what I think we are trying to accomplish:
If address is in sip_blacklist BAN AND BURN IP COMPLETELY
If traffic is to port 5060-5099 and source IP is in sip-allow; accept
If traffic is to port 5060-5099 and connections/second under X; accept
If traffic is to port 5060-5099 and connections/second is over X; add source of traffic to sip_blacklist
I keep getting good ips added to the ban list even ones in the white list, so I have disabled rule 0 for now. Does the accept rule not skip subsequent rules?
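The four pseudo-rules above, written out as a RouterOS ruleset. This is an added example and not the ruleset from the post; it assumes the Asterisk box sits behind the router at 192.168.88.10 (so traffic passes the forward chain), that ether1 is the WAN interface, that 198.51.100.0/24 is a trusted SIP trunk, and that "X" is 5 new connections per second per source with a burst of 20. All of those values are placeholders to adjust.

```routeros
# Added example (not from the thread). Assumed values: PBX at 192.168.88.10,
# WAN on ether1, trusted trunk 198.51.100.0/24, rate X = 5 new conn/s per source.

/ip firewall address-list
add list=sip_allow address=198.51.100.0/24 comment="trusted SIP trunk (example value)"
add list=sip_allow address=192.168.88.0/24 comment="LAN phones (example value)"

/ip firewall filter
# 1. Anything FROM a blacklisted source is dropped, on any port ("ban and burn").
#    src-address-list, not dst: the attacker is the sender of the packets we see.
add chain=forward src-address-list=sip_blacklist action=drop \
    comment="SIP: drop blacklisted sources"

# 2. Whitelisted sources are accepted BEFORE any rate check. Rule order is what
#    makes accept "skip" the later rules: processing stops at the first rule with
#    a terminating action, so a whitelisted host can never reach rule 4.
add chain=forward in-interface=ether1 protocol=udp dst-address=192.168.88.10 \
    dst-port=5060-5099 src-address-list=sip_allow action=accept \
    comment="SIP: trusted peers"

# 3. Unknown sources under the rate: accept. dst-limit keeps one counter per
#    source address (mode src-address, state kept 1m), so one noisy peer does not
#    push others over the limit. Only new connections are counted; packets of
#    already accepted calls fall through to whatever established/related rule
#    the rest of the chain has. The burst value is what absorbs several phones
#    behind one NAT registering at the same moment; raise it if that is your case.
add chain=forward in-interface=ether1 protocol=udp dst-address=192.168.88.10 \
    dst-port=5060-5099 connection-state=new \
    dst-limit=5/1s,20,src-address/1m action=accept \
    comment="SIP: new connections under 5/s per source"

# 4. Whatever is left exceeded the rate: record the SOURCE (add-src, the fix for
#    the add-dst mistake) and drop the triggering packet explicitly, so it is
#    discarded rather than left to later rules.
add chain=forward in-interface=ether1 protocol=udp dst-address=192.168.88.10 \
    dst-port=5060-5099 connection-state=new \
    action=add-src-to-address-list address-list=sip_blacklist \
    address-list-timeout=1d comment="SIP: flood -> blacklist source"
add chain=forward in-interface=ether1 protocol=udp dst-address=192.168.88.10 \
    dst-port=5060-5099 connection-state=new action=drop \
    comment="SIP: drop the flooding packet"
```

If these rules are pasted into an existing forward chain, move them above any generic "accept everything from LAN/WAN" rule; `/ip firewall filter print` shows the order, and `/ip firewall address-list print where list=sip_blacklist` shows who got caught and when the entry expires.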
Take a look at SecAst (http://www.telium.ca?secast). It watches for a variety of SIP attacks, can block based on geographic source of IP, watch for unusual calling patterns, etc. And best of all, it can talk to a MikroTik router to manage a list of blocked IPs.
It’s Asterisk-specific (but based on the error messages you posted you’re running Asterisk).
EDIT: Note URL changed to www.telium.ca for this vendor.
We’ve installed SecAst on call center and healthcare Asterisk servers (large scale installations). If you’re targeting home/small office then FREE is certainly the way to go…
The real danger is a customer with several SIP phones behind a single NAT. This would easily exceed the threshold
I would probably opt to use fail2ban on the Asterisk box itself.
If the Asterisk box has iptables installed, just firewall it right there.
If not, a “knock” packet would be easily done as well. Just make fail2ban send a “strange” packet
of a certain size with a certain source - say UDP SrcAddr = 6.6.6.6 srcPort = 666 and Dst IP=(offender), Dst Port = 5060
Pad the packet to a recognizable size (666bytes? haha). Match these in the router and add dst-addr to ban list.
I am trying to make fail2ban work with MikroTik by adding the problematic addresses to the list. If I succeed, I will make a post with a detailed description. I started from here http://wiki.mikrotik.com/wiki/Use_Mikrotik_as_Fail2ban_firewall but this will not work as it is described on the link… It needs modifications.
That solution you linked to is for a no-password ssh session to log into the MT and execute commands.
You don’t really need all of that - if you can make a bash script that sends an unusual packet from a packet generation utility, (e.g. sendip) then you’re good to go. In my example, you could send a UDP packet with very specific values e.g.
src-IP = 7.7.7.7
src-port = 777
dst-IP =
dst-port = 666
You should never receive such a packet from your ISP as the destination is not in your network, but if you want more security, you could make the contents of the packet have some sort of security phrase/hash to match against in the MikroTik with the contents check in addition to the stuff below. (Also a good idea if you’re an ISP and have users behind this router able to send such packets maliciously.)
Next you make a rule in forward chain that matches such packets, and adds dst-ip to the BANLIST
e.g.:
/ip firewall filter add chain=forward in-interface= src-address=7.7.7.7 protocol=udp src-port=777 dst-port=666 dst-address-list=!UnBannable action=add-dst-to-address-list address-list=BANLIST address-list-timeout=2d
If you use the dst-address-list=!UnBannable criteria, then you can exempt addresses/networks from being banned by adding them to the UnBannable list.
Now you put two rules into the forward chain:
/ip firewall filter add chain=forward src-address-list=BANLIST action=drop
/ip firewall filter add chain=forward dst-address-list=BANLIST action=drop
Make sure the positioning of these rules in your forward chain makes sense.
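The knock receiver from the post above, tightened with the payload check the post suggests. This is an added example, not the poster's rules: it assumes ether2 is the LAN interface the Asterisk box is on, that the knock keeps the marker values from the post (source 7.7.7.7:777 to offender port 666), that fail2ban puts the constructed passphrase "f2b-knock-3f9c1a" in the UDP payload, and that the 192.168.88.0/24 LAN and a 198.51.100.0/24 trunk must never be banned. All of these are placeholder values.

```routeros
# Added example (not from the thread). Assumed values: LAN on ether2, knock
# passphrase "f2b-knock-3f9c1a", LAN 192.168.88.0/24, trunk 198.51.100.0/24.

/ip firewall address-list
add list=UnBannable address=192.168.88.0/24 comment="never ban the LAN"
add list=UnBannable address=198.51.100.0/24 comment="SIP trunk (example value)"

/ip firewall filter
# Drops for banned addresses come first, so nothing later can accept them.
add chain=forward src-address-list=BANLIST action=drop comment="BANLIST in"
add chain=forward dst-address-list=BANLIST action=drop comment="BANLIST out"

# The knock is only honoured when it arrives on the LAN interface (a packet
# from the WAN with the spoofed 7.7.7.7 source cannot trigger a ban), carries
# the marker ports, and contains the shared passphrase. The offender is the
# DESTINATION of the knock, so add-dst-to-address-list is the right action here;
# the !UnBannable match keeps the router from banning its own trunk or LAN.
add chain=forward in-interface=ether2 src-address=7.7.7.7 protocol=udp \
    src-port=777 dst-port=666 content="f2b-knock-3f9c1a" \
    dst-address-list=!UnBannable \
    action=add-dst-to-address-list address-list=BANLIST \
    address-list-timeout=2d log=yes log-prefix="f2b-knock" \
    comment="fail2ban knock -> BANLIST"

# The knock itself must not be forwarded to the Internet: swallow it after it
# has been recorded (a knock for an UnBannable address lands here too).
add chain=forward in-interface=ether2 src-address=7.7.7.7 protocol=udp \
    src-port=777 dst-port=666 action=drop comment="swallow the knock"
```

With `log=yes` each accepted knock appears in `/log print` with the "f2b-knock" prefix, which is the quickest way to confirm that fail2ban's packet actually reached the router in the expected shape; a knock without the passphrase is dropped by the last rule and bans nothing.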