msnewbie
just joined
Topic Author
Posts: 1
Joined: Thu Jun 16, 2016 6:12 pm

SIP Firewall Rules

Thu Jun 16, 2016 6:20 pm

Hello,

I tried to use the rules below to protect a SIP server, but what I see is that it's dropping our clients' IPs as well. Can anyone advise what I need to do?
Are these rules well constructed? Does anyone have a better approach?

Thanks in advance!

/ip firewall filter
# 1. Drop anything arriving on the WAN interface from an address already on the blacklist
add chain=forward in-interface=ether1-gateway src-address-list="SIP Hacker" action=drop
# 2. A new SIP connection from an address still in "SIP Trial" is a repeat within the trial window: blacklist it for a day
#    (add-src-to-address-list does not terminate rule processing, so rule 3 still runs for the same packet)
add chain=forward protocol=udp dst-port=5060 connection-state=new src-address-list="SIP Trial" in-interface=ether1-gateway action=add-src-to-address-list address-list="SIP Hacker" address-list-timeout=1d
# 3. Every new SIP connection puts its source into "SIP Trial" for 15 seconds (00:00:15 is hh:mm:ss)
add chain=forward protocol=udp dst-port=5060 in-interface=ether1-gateway connection-state=new action=add-src-to-address-list address-list="SIP Trial" address-list-timeout=00:00:15
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: SIP Firewall Rules

Thu Jun 16, 2016 7:27 pm

15 minutes might be way too long for a UDP service like SIP, depending on the heartbeat interval you use.
Basically, if a SIP device registers to the server, and doesn't communicate for a while, then connection tracking will delete the connection entry because it hasn't seen any activity lately.
Then suppose the phone sends another heartbeat - the phone's already registered, so it's not a "new" connection, conceptually speaking, but from the connection tracker's point of view, it IS a new connection, because it previously deleted the connection from the table as inactive.

Either extend the idle timeout value for UDP connections, shorten the timeout on the "trial" entries, or shorten the keepalive interval on the phones.

Furthermore, this behavior you've implemented with address lists works - but you could just use the built-in rate-limit matcher on your rules.
If your SIP isn't encrypted with TLS, then you could create an L7 protocol matcher which looks for SIP reject messages and apply that to your firewall rules watching udp:5060.
Be careful that you allow for some breathing room, because SIP auth naturally includes a reject message with the challenge phrase from the server... Basically, if you see several REJECTs within a short period, that is a SIP hacker, and that rule should fall through to a blacklist rule.

Another idea might be to watch for successful registration accept messages, and add those addresses to a "known-good" address list which is exempted from further scanning.
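The connection-tracking failure mode described in the post above, worked through as an added simulation (this is not code from the thread or from MikroTik). It replays the three posted rules against UDP/5060 packets under a conntrack table whose UDP entries expire after a period of silence. Assumptions, not facts from the page: the idle timeout is 10 seconds (what I recall as the RouterOS `udp-timeout` default), a packet dropped by rule 1 leaves no conntrack entry, and re-adding an address already on a list refreshes its timeout. The phone and scanner traffic is constructed.

```python
"""Replay of the posted SIP rules under UDP connection tracking (added example).

Assumptions, labelled here rather than taken from the thread:
- a UDP conntrack entry disappears after udp_timeout seconds of silence
  (10 s is assumed to be the RouterOS udp-timeout default);
- a packet dropped by the blacklist rule leaves no conntrack entry;
- add-src-to-address-list on an address already listed refreshes its timeout.
"""
from dataclasses import dataclass, field


@dataclass
class SipFirewall:
    udp_timeout: float = 10.0        # conntrack idle timeout for UDP (assumed default)
    trial_timeout: float = 15.0      # address-list-timeout=00:00:15 from the posted rule
    hacker_timeout: float = 86400.0  # address-list-timeout=1d from the posted rule
    conntrack: dict = field(default_factory=dict)  # (src_ip, src_port) -> last packet time
    trial: dict = field(default_factory=dict)      # "SIP Trial": ip -> expiry
    hacker: dict = field(default_factory=dict)     # "SIP Hacker": ip -> expiry

    def _expire(self, now):
        self.conntrack = {k: t for k, t in self.conntrack.items() if t + self.udp_timeout > now}
        self.trial = {ip: e for ip, e in self.trial.items() if e > now}
        self.hacker = {ip: e for ip, e in self.hacker.items() if e > now}

    def packet(self, now, src_ip, src_port):
        """Verdict for one UDP packet to port 5060 arriving on the WAN interface."""
        self._expire(now)
        # rule 1: anything from a blacklisted source is dropped (no conntrack entry kept)
        if src_ip in self.hacker:
            return "drop"
        key = (src_ip, src_port)
        # conntrack calls the packet "new" whenever no live entry exists, even if the
        # phone registered long ago and this is only its next keepalive
        is_new = key not in self.conntrack
        self.conntrack[key] = now
        if is_new:
            # rule 2: new connection from an address still in "SIP Trial" -> "SIP Hacker"
            if src_ip in self.trial:
                self.hacker[src_ip] = now + self.hacker_timeout
            # rule 3: every new connection (re)arms the trial entry
            self.trial[src_ip] = now + self.trial_timeout
        return "forward"


def run(fw, packets):
    """packets: iterable of (time, src_ip, src_port); returns one verdict per packet."""
    return [fw.packet(t, ip, port) for t, ip, port in packets]


# Constructed traffic. A phone sends REGISTER at t=0, answers the challenge at
# t=0.5, then sends a keepalive at t=12: after the 10 s conntrack timeout but
# still inside the 15 s trial window. Another keepalive follows at t=24.
PHONE = [(0.0, "203.0.113.10", 5060), (0.5, "203.0.113.10", 5060),
         (12.0, "203.0.113.10", 5060), (24.0, "203.0.113.10", 5060)]
# A scanner sends three probes within a second, each from a fresh source port.
SCANNER = [(0.0, "198.51.100.9", 40001), (0.1, "198.51.100.9", 40002),
           (0.2, "198.51.100.9", 40003)]


def demo():
    """Run each scenario; returns {name: (verdicts, source ended up blacklisted)}."""
    results = {}
    fw = SipFirewall()
    results["phone_default"] = (run(fw, PHONE), "203.0.113.10" in fw.hacker)
    # remedy 1 from the post: make the trial entry shorter than the conntrack timeout,
    # so a connection can never expire while its trial entry is still live
    fw = SipFirewall(trial_timeout=5.0)
    results["phone_short_trial"] = (run(fw, PHONE), "203.0.113.10" in fw.hacker)
    # remedy 2: raise the UDP idle timeout above the phones' keepalive interval
    fw = SipFirewall(udp_timeout=60.0)
    results["phone_long_udp"] = (run(fw, PHONE), "203.0.113.10" in fw.hacker)
    # the rules do what they were written for against a fast scanner
    fw = SipFirewall()
    results["scanner"] = (run(fw, SCANNER), "198.51.100.9" in fw.hacker)
    return results


if __name__ == "__main__":
    for name, (verdicts, banned) in demo().items():
        print(f"{name:18} {verdicts} banned={banned}")
```

With the defaults the phone's keepalive at t=12 is "new" to conntrack while its trial entry from t=0 is still alive, so the phone lands in "SIP Hacker" and its next packet is dropped; with either remedy it stays reachable, and the scanner is still blacklisted on its second probe.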
 
ganewbie
newbie
Posts: 44
Joined: Fri Feb 24, 2012 4:46 pm

Re: SIP Firewall Rules

Fri Jun 17, 2016 1:45 pm

@ ZeroByte
What you are saying is amazing, and could even be used to protect a web server with WordPress or Drupal.
Where could I read about firewall Layer 7 scripts?
I have been through the wiki but no luck yet.
Thanks,
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: SIP Firewall Rules

Fri Jun 17, 2016 5:56 pm

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7

Couple of things to keep in mind.
1.) Layer7 is VERY CPU-hungry; use it sparingly and only on specific traffic that you know you want to watch.
2.) Layer7 only sees the first 2 KB or 10 packets of a connection; it is not meant to watch every packet that goes through the router. Anything you are looking for MUST be within those first 2 KB or 10 packets for it to work.
3.) Layer7 will NOT work on encrypted traffic, at least not the way you are looking for. You are using regular expressions to try and match specific packets/connections. If the traffic is encrypted, there is no way to look inside of the connection to see if the regular expression will match.
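An added example (not code from the thread) that ties ZeroByte's reject-matching idea to the limits listed above: it reconstructs the bytes an L7 matcher would collect for one SIP connection, stopping at 10 packets or 2 KB, and runs a reject regexp over them. The SIP messages are constructed, and the one-challenge "breathing room" threshold and the `sip-reject` name in the comment are illustrative choices, not from the page. It assumes the matcher concatenates both directions of a connection in arrival order, which is why such rules belong in the forward chain.

```python
"""What a RouterOS L7 matcher actually sees of a SIP exchange (added example)."""
import re

L7_MAX_PACKETS = 10   # per the limits quoted above: first 10 packets ...
L7_MAX_BYTES = 2048   # ... or first 2 KB of a connection, whichever comes first

# Status line of a SIP failure response. On the router this would be the regexp
# of an L7 protocol entry, e.g. (illustrative, not taken from the thread):
#   /ip firewall layer7-protocol add name=sip-reject regexp="^SIP/2.0 (401|403|404|407)"
SIP_REJECT_RE = re.compile(rb"^SIP/2\.0 (401|403|404|407|5[0-9]{2}|6[0-9]{2}) ", re.M)


def l7_window(packets):
    """Bytes the matcher inspects for one connection (both directions, arrival
    order), truncated at 10 packets or 2048 bytes. Later traffic is invisible."""
    buf = b""
    for payload in packets[:L7_MAX_PACKETS]:
        buf += payload[:L7_MAX_BYTES - len(buf)]
        if len(buf) >= L7_MAX_BYTES:
            break
    return buf


def count_rejects(packets):
    return len(SIP_REJECT_RE.findall(l7_window(packets)))


def classify(packets, allowed_rejects=1):
    """A normal REGISTER draws exactly one 401/407 challenge before its 200 OK,
    so one reject in the window proves nothing (the breathing room). Several
    rejects inside the same connection is a password guesser."""
    return "brute-force" if count_rejects(packets) > allowed_rejects else "ok"


def request(method, seq):
    """Constructed minimal SIP request."""
    return (f"{method} sip:pbx.example.net SIP/2.0\r\nCSeq: {seq} {method}\r\n"
            "Content-Length: 0\r\n\r\n").encode()


def response(code, reason, seq, method):
    """Constructed minimal SIP response."""
    return (f"SIP/2.0 {code} {reason}\r\nCSeq: {seq} {method}\r\n"
            "Content-Length: 0\r\n\r\n").encode()


# Legitimate registration: one challenge, then success.
LEGIT = [request("REGISTER", 1), response(401, "Unauthorized", 1, "REGISTER"),
         request("REGISTER", 2), response(200, "OK", 2, "REGISTER")]

# Password guessing from a single source port: every retry is rejected.
BRUTE = [request("REGISTER", 1), response(401, "Unauthorized", 1, "REGISTER")]
for i in range(2, 6):
    BRUTE += [request("REGISTER", i), response(403, "Forbidden", i, "REGISTER")]

# Ten harmless OPTIONS/200 packets first, then the same guessing: the matcher
# has already stopped collecting when the rejects arrive.
LATE = []
for i in range(1, 6):
    LATE += [request("OPTIONS", i), response(200, "OK", i, "OPTIONS")]
LATE += BRUTE


if __name__ == "__main__":
    for name, flow in (("legit", LEGIT), ("brute", BRUTE), ("late", LATE)):
        print(f"{name:6} rejects seen={count_rejects(flow)} -> {classify(flow)}")
```

The `LATE` flow is the point of item 2 above: the same guessing goes unseen once it starts after the collection window, so an L7 rule is a cheap first filter, not a complete detector. On the router the threshold has to live in the regexp itself (a pattern that requires two failure status lines), since the matcher only returns match or no match per connection, and the hit then feeds `add-src-to-address-list` exactly as in the original rules.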
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: SIP Firewall Rules

Fri Jun 17, 2016 8:20 pm

@ ZeroByte
What you are saying is amazing, and could even be used to protect a web server with WordPress or Drupal.
Where could I read about firewall Layer 7 scripts?
I have been through the wiki but no luck yet.
Thanks,
For wordpress, or other server-hosted things, I'd prefer to use fail2ban on the server itself.
If you wanted to get really, really clever with fail2ban, you could use the php Mikrotik API on the server in a custom fail2ban action script that pushes the IP into a Mikrotik address-list from the server, so the Mikrotik isn't watching the ports - but it can block the ports if any of the servers ask it to.
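The server-side half of that idea as an added example: a fail2ban `actionban` helper that speaks the RouterOS API and adds the banned address to a MikroTik address list. It is not code from the thread; the post mentions the PHP API client, this is written in Python to match the other examples here, and the wire protocol is the same. Assumptions that are mine, not the page's: RouterOS 6.43 or later (plain `/login` with name and password), the API exposed over TLS on TCP 8729 with the router's certificate available in a local CA file, an API user allowed to write `/ip/firewall/address-list`, a list called `fail2ban` that some drop rule references, and the `ROS_*` environment variable names.

```python
"""fail2ban actionban helper: push a banned IP into a MikroTik address list
over the RouterOS API (added example; assumptions listed in the lead-in)."""
import io
import os
import socket
import ssl
import sys


def encode_length(n: int) -> bytes:
    """Length prefix of one API word (variable width, big-endian)."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    return b"\xF0" + n.to_bytes(4, "big")


def decode_length(r) -> int:
    """Inverse of encode_length; r is anything with read(n)."""
    first = r.read(1)
    if not first:
        raise ConnectionError("router closed the connection")
    b = first[0]
    if b < 0x80:
        return b
    if b < 0xC0:
        extra, n = 1, b & 0x3F
    elif b < 0xE0:
        extra, n = 2, b & 0x1F
    elif b < 0xF0:
        extra, n = 3, b & 0x0F
    else:
        extra, n = 4, 0
    for _ in range(extra):
        n = (n << 8) | r.read(1)[0]
    return n


def encode_sentence(words) -> bytes:
    """A sentence is a run of length-prefixed words closed by an empty word."""
    return b"".join(encode_length(len(w.encode())) + w.encode() for w in words) + b"\x00"


def decode_sentence(r) -> list:
    words = []
    while True:
        n = decode_length(r)
        if n == 0:
            return words
        words.append(r.read(n).decode())


def decode_bytes(data: bytes) -> list:
    return decode_sentence(io.BytesIO(data))


def ban_sentence(ip, list_name="fail2ban", timeout="1d", jail="fail2ban"):
    """The add command; =timeout= makes the entry dynamic so it ages out by itself."""
    return ["/ip/firewall/address-list/add", f"=list={list_name}",
            f"=address={ip}", f"=timeout={timeout}", f"=comment={jail}"]


def talk(sock, rfile, words) -> list:
    """Send one sentence, collect reply sentences up to the closing !done (or !fatal)."""
    sock.sendall(encode_sentence(words))
    replies = []
    while True:
        s = decode_sentence(rfile)
        replies.append(s)
        if s and s[0] in ("!done", "!fatal"):
            return replies


def succeeded(replies) -> bool:
    """A !trap sentence carries the error (bad credentials, malformed address, ...)."""
    return not any(s and s[0] in ("!trap", "!fatal") for s in replies)


def ban(host, user, password, ip, cafile=None):
    """Log in over api-ssl and add ip to the list; cafile holds the router's certificate."""
    ctx = ssl.create_default_context(cafile=cafile)  # verify the router; never plaintext API
    with socket.create_connection((host, 8729), timeout=10) as raw, \
         ctx.wrap_socket(raw, server_hostname=host) as tls, tls.makefile("rb") as rfile:
        login = talk(tls, rfile, ["/login", f"=name={user}", f"=password={password}"])
        if not succeeded(login):
            raise RuntimeError(f"login failed: {login}")
        reply = talk(tls, rfile, ban_sentence(ip))
        if not succeeded(reply):
            raise RuntimeError(f"address-list add failed: {reply}")
        return reply


if __name__ == "__main__":
    # assumed fail2ban action.d line:  actionban = /usr/local/bin/mikrotik-ban.py <ip>
    # credentials come from the environment rather than the command line (not visible in ps)
    ban(os.environ["ROS_HOST"], os.environ["ROS_USER"], os.environ["ROS_PASS"],
        sys.argv[1], os.environ.get("ROS_CA"))
```

The router then only needs one static rule, `chain=forward src-address-list=fail2ban action=drop`, and never inspects the web ports itself; the API user should be restricted to the `api` policy plus write, and to the source address of the server, so a compromised web host can at most add entries to that one list.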
 
tfj88
just joined
Posts: 19
Joined: Mon Apr 25, 2016 3:16 am

Re: SIP Firewall Rules

Tue Nov 29, 2016 6:43 am

Hi, do you know how to make a Layer 7 filter?
Now I want to control the LINE app via Layer 7.
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7

Couple of things to keep in mind.
1.) Layer7 is VERY CPU-hungry; use it sparingly and only on specific traffic that you know you want to watch.
2.) Layer7 only sees the first 2 KB or 10 packets of a connection; it is not meant to watch every packet that goes through the router. Anything you are looking for MUST be within those first 2 KB or 10 packets for it to work.
3.) Layer7 will NOT work on encrypted traffic, at least not the way you are looking for. You are using regular expressions to try and match specific packets/connections. If the traffic is encrypted, there is no way to look inside of the connection to see if the regular expression will match.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: SIP Firewall Rules

Tue Nov 29, 2016 5:30 pm

Hi, do you know how to make a Layer 7 filter?
Now I want to control the LINE app via Layer 7.
Check the manual that was linked; it has a link to a website with several L7 filters that you can try and use:
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7
http://l7-filter.sourceforge.net/protocols

Past that, get a packet capture of what you want and play around with some regex editors.
