Community discussions

MikroTik App
 
tahmidul
just joined
Topic Author
Posts: 17
Joined: Thu Aug 04, 2022 9:12 pm

How to prevent random SIP attacks on default port 5060

Fri Aug 05, 2022 1:46 am

Hello Mikrotik experts,
I set up a FreePBX (Asterisk) server in my home and opened a 5060 UDP port using my Mikrotik RB951G-2HnD router. Currently, I did not set any firewall filtering rule to secure the 5060 port. Now the problem is when I look into the asterisk log file, I noticed a bunch of unusual activity there. It looks like my server getting random SIP attacks using port 5060. Because of that, my PBX server's CPU & memory usage always remains high. I know that I can change the default port 5060 to something else but why will not I secure this port and use the default one? It's easy for everyone to use the default one.

In my asterisk log file, I found thousands of lines like this:
[2022-08-04 22:03:10] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:141@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:61176' (callid: e5f4a479704493e4f7a) - Failed to authenticate
[2022-08-04 22:03:14] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:141@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:61176' (callid: e5f4a479704493e4f7a) - Failed to authenticate
[2022-08-04 22:03:20] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:284@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:53437' (callid: e5f4a614058530e4f7a) - Failed to authenticate
[2022-08-04 22:03:20] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:284@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:53437' (callid: e5f4a614058530e4f7a) - Failed to authenticate
[2022-08-04 22:03:23] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:299@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:54905' (callid: e5f4a895692138e4f7a) - Failed to authenticate
[2022-08-04 22:03:36] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:315@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:50105' (callid: e5f4a487266884e4f7a) - Failed to authenticate
[2022-08-04 22:03:37] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:315@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:50105' (callid: e5f4a487266884e4f7a) - Failed to authenticate
Here,
  • XXX.XXX.XXX.XXX = My public IP
  • 10.10.10.1 = My local IP gateway
  • 10.10.10.0/24 = My local network IP
  • 10.10.10.111 = My PBX server's IP

Now, can you guys please help me out to stop this kind of attack? Once I installed FreePBX in a VPS with default port 5060 opened. In that VPS there was no unusual activity in the asterisk log file like this. Definitely, this attack can be prevented by using a firewall rule which I just don't know how. So if you know, please guide me to prevent this attack.

Thank You.
 
tahmidul
just joined
Topic Author
Posts: 17
Joined: Thu Aug 04, 2022 9:12 pm

Re: How to prevent random SIP attacks on default port 5060

Fri Aug 05, 2022 9:13 pm

No one???
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How to prevent random SIP attacks on default port 5060

Fri Aug 05, 2022 9:44 pm

Not sure what you mean by SIP.
Are you connecting to a SIP provider or are you pretending to be a SIP provider.
A normal home router does not have the capacity to handle attacks, its the ISP that should do this for ddos etc.........

Who is connecting to this server.
a. ensure that there is some sort of encryption to join (preferred)
b. ensure its password protected
c. ensure you use a source-address-list for the dst-nat rule, only those you authorize should use it.

the use of source-address list ensures that only those on the list can make it through the firewall rules, and the other benefit is that the port does NOT appear on scans. Without a source address the port will be visible on scans but appear as closed. Better to be invisible.

Recommend if possible that you instruct your authorized users to use a different easy to remember number and if you cant change it on your server then simply do port translation......
add chain=dstnat action=dst-nat in-interface-list=WAN dst-port=55,555 protocol=tcp to=addresses=ServerIP to-ports=5060 src-address-list=Authorized

Where
/ip firewall address list
add address=fixedIP9user1 list=Authorized
add address=fixedIP-userxx list=Authorized
add address=dynamicDNSname-1 list=Authorized
add address=dynamicDNSname-xx list=Authorized.

In other words users come in on port 55,555 and if on the list gain access to your server on port 5060
If a user has a dynamic WANIP, they can easily get FREE dyndns names on the internet and the mikrotik router when you enter the name will automatically resolve it to the IP address.
 
tahmidul
just joined
Topic Author
Posts: 17
Joined: Thu Aug 04, 2022 9:12 pm

Re: How to prevent random SIP attacks on default port 5060

Fri Aug 05, 2022 10:21 pm

Take my apologies, I did not clear my scenario with this post.
I run a small size business with 15 employees. 10 of them are delivery personnel so they use mobile data to connect with my PBX server. I'm using a home internet connection with 300 Mbps of bandwidth. I brought a SIP Trunk connection from one of the SIP providers and using this as a call center number.

Who is connecting to this server.
It's me and my employees who are using this server. We've some office IP telephones and the rest of them are using the Groundwire SIP client app. Definitely, we're using strong passwords with our extensions. It's not like hackers managed to gain access to our extensions or something like that. I guess someone who is using scripts that keeps my server busy all the time.

the use of source-address list ensures that only those on the list can make it through the firewall rules, and the other benefit is that the port does NOT appear on scans. Without a source address the port will be visible on scans but appear as closed. Better to be invisible.
It's not possible in my case. Because maximum of my users is using mobile data which uses shared IP, not a public one.

If a user has a dynamic WANIP, they can easily get FREE dyndns names on the internet and the mikrotik router when you enter the name will automatically resolve it to the IP address.
Again, most of them are mobile data users. So this will be very complicated in my case.

How can I restrict/limit amount of requests per second on port 5060?
 
heavenlyangel
just joined
Posts: 18
Joined: Fri Apr 16, 2021 5:48 pm

Re: How to prevent random SIP attacks on default port 5060

Fri Aug 05, 2022 10:28 pm

Use fail2ban on your server
 
tahmidul
just joined
Topic Author
Posts: 17
Joined: Thu Aug 04, 2022 9:12 pm

Re: How to prevent random SIP attacks on default port 5060

Fri Aug 05, 2022 10:40 pm

Use fail2ban on your server
Yes, I'm using fail2ban with my server. But the problem is it blocks my internet gateway IP only after a few seconds it starts.

You can see here: "failed for '10.10.10.1:50105'". Where 10.10.10.1 is my router gateway.
[2022-08-04 22:03:36] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:315@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:50105' (callid: e5f4a487266884e4f7a) - Failed to authenticate

So when it blocks my Internet Gateway only after a few seconds, my server lost internet connection. If I whitelist my entire network 10.10.10.0/24 then I started receiving random SIP registration requests like this.

[2022-08-04 22:03:10] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:141@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:61176' (callid: e5f4a479704493e4f7a) - Failed to authenticate
[2022-08-04 22:03:14] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:141@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:61176' (callid: e5f4a479704493e4f7a) - Failed to authenticate
[2022-08-04 22:03:20] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:284@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:53437' (callid: e5f4a614058530e4f7a) - Failed to authenticate
[2022-08-04 22:03:20] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:284@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:53437' (callid: e5f4a614058530e4f7a) - Failed to authenticate
[2022-08-04 22:03:23] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:299@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:54905' (callid: e5f4a895692138e4f7a) - Failed to authenticate
[2022-08-04 22:03:36] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:315@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:50105' (callid: e5f4a487266884e4f7a) - Failed to authenticate
[2022-08-04 22:03:37] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:315@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:50105' (callid: e5f4a487266884e4f7a) - Failed to authenticate
 
User avatar
jvanhambelgium
Forum Veteran
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: How to prevent random SIP attacks on default port 5060

Fri Aug 05, 2022 10:52 pm

You probably have the SIP ALG (SIP helper) active on your Mikrotik so the connection seem to come all from your Mikrotik ?
Something like this

viewtopic.php?t=56265


The FAIL2BAN probably does not look at the <sip:315@XXX.XXX.XXX.XXX> IP address which contains the real public IP of the attempt.
Not sure if you can tune FAIL2BAN to work on certain fields from your logging in stead of only "failed for '10.10.10.1:50105'

It seems you can make some filter "custom" and that is what you need.

https://fail2ban.readthedocs.io/en/latest/filters.html

I would not waste my time looking to fix this on the Mikrotik side, it's not fully "fool proof" if you start limiting connection attempts etc.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: How to prevent random SIP attacks on default port 5060

Fri Aug 05, 2022 10:58 pm

consider the use of one cloud pbx
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 12:27 am

I don't know much about SIP and what exactly its ALG does, but it seems weird that it would change source addresses of all clients. Could it be that you just have some too broad srcnat rule doing that?
 
tahmidul
just joined
Topic Author
Posts: 17
Joined: Thu Aug 04, 2022 9:12 pm

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 12:31 am

You probably have the SIP ALG (SIP helper) active on your Mikrotik so the connection seem to come all from your Mikrotik ?
Something like this

viewtopic.php?t=56265


The FAIL2BAN probably does not look at the <sip:315@XXX.XXX.XXX.XXX> IP address which contains the real public IP of the attempt.
Not sure if you can tune FAIL2BAN to work on certain fields from your logging in stead of only "failed for '10.10.10.1:50105'

It seems you can make some filter "custom" and that is what you need.

https://fail2ban.readthedocs.io/en/latest/filters.html

I would not waste my time looking to fix this on the Mikrotik side, it's not fully "fool proof" if you start limiting connection attempts etc.
SIP ALG is disabled in my router. And thank you for your suggestion, I'll look into Fail2Ban and will post update here!
 
tahmidul
just joined
Topic Author
Posts: 17
Joined: Thu Aug 04, 2022 9:12 pm

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 12:36 am

consider the use of one cloud pbx
I could do that but there are restrictions in my country. I could not use my country's sip connection from any foreign country. So I've to self-host or use any VPS server from my country.
 
tahmidul
just joined
Topic Author
Posts: 17
Joined: Thu Aug 04, 2022 9:12 pm

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 12:40 am

I don't know much about SIP and what exactly its ALG does, but it seems weird that it would change source addresses of all clients. Could it be that you just have some too broad srcnat rule doing that?
I don't have SIP ALG enabled. Also, I don't think it is related to SIP ALG.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 12:51 am

My point was, if I understand correctly that server sees all connections with 10.10.10.1 as source, it can be because of misconfigured srcnat.
 
tahmidul
just joined
Topic Author
Posts: 17
Joined: Thu Aug 04, 2022 9:12 pm

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 1:10 am

My point was, if I understand correctly that server sees all connections with 10.10.10.1 as source, it can be because of misconfigured srcnat.
Oh sorry!
I setup NAT like this:

Chain: dstnat
Dst address: XXX.XXX.XXX.XXX (My public IP)
Protocol: 17 (udp)
Dst port: 5060
Action: dst-nat
To-addressess: 10.10.10.111 (my server IP)
To Port: 5060

Any suggestion?
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 1:35 am

Never mind......
Last edited by msatter on Sat Aug 06, 2022 11:28 am, edited 1 time in total.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 1:37 am

Dstnat is fine, but I meant srcnat, what rules you have there? Isn't it "popular" but wrong:
/ip firewall nat
add chain=srcnat action=masquerade
that applies to all connections, regardless of direction?
 
User avatar
Paco
just joined
Posts: 16
Joined: Mon Dec 22, 2014 10:50 pm
Location: Sofia, Bulgaria

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 1:47 am

Install fail2ban on freepbx and create custom action called for example mikrotik to make your PBX VM/Server/PI to block IP addresses directly on your mikrotik:
https://wiki.mikrotik.com/wiki/Use_Mikr ... n_firewall
Whitelist your known ip addresses in fial2ban in ignoreip section.

You also can make a custom Address List in mikrotik - for example called Fail2ban and modify actionban to add that IP addresses in that access list.
Make a firewall input rule -> if source address list is Fail2ban - Action DROP.

Here my action ban on few debian/almalinux machines:
root@lb: ~ $ cat /etc/fail2ban/action.d/mikrotik.conf
# Fail2Ban configuration file
#
# Author: Ludwig Markosyan
# Release 09/02/2013
#
# $Version: 1.0 BETA $
#
# Moded: Plamen Vasilev
# Date: 06/08/2022

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
#actionstart = mikrotik-fail2ban 'ip firewall address-list remove [find list="Fail2Ban"]'


# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
#actionstop = mikrotik-fail2ban 'ip firewall address-list remove [find list="Fail2Ban"]'


# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =


# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
#actionban = mikrotik ":ip firewall filter add action=drop chain=forward dst-address=<ip> comment=AutoFail2ban-<ip>"
actionban = /root/bin/mikrotik-fail2ban 'ip firewall address-list add address=<ip> comment="Blocked by Fail2Ban on <fq-hostname>. Service: <name>" list=Fail2Ban'
            /root/bin/mikrotik-fail2ban 'ip firewall connection remove [find where src-address~"<ip>"]'

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#

#actionunban =  mikrotik ":ip firewall filter remove [:ip firewall filter find comment=AutoFail2ban-<ip>]"
actionunban = /root/bin/mikrotik-fail2ban 'ip firewall address-list remove [find address=<ip> list=Fail2Ban]'
You can use that if you have another vms on your home network that you have NATed port - for example - mail, http, https etc.
With that you have a centralized firewall system
Last edited by Paco on Sat Aug 06, 2022 2:27 am, edited 1 time in total.
 
User avatar
Paco
just joined
Posts: 16
Joined: Mon Dec 22, 2014 10:50 pm
Location: Sofia, Bulgaria

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 1:57 am

My point was, if I understand correctly that server sees all connections with 10.10.10.1 as source, it can be because of misconfigured srcnat.
Oh sorry!
I setup NAT like this:

Chain: dstnat
Dst address: XXX.XXX.XXX.XXX (My public IP)
Protocol: 17 (udp)
Dst port: 5060
Action: dst-nat
To-addressess: 10.10.10.111 (my server IP)
To Port: 5060

Any suggestion?
Remove your rule and try this:
/ip firewall nat add action=dst-nat chain=dstnat comment="Allow Public SIP Access to port 5060/udp" disabled=no dst-port=5060 in-interface-list=WAN protocol=udp src-address-list=!Fail2Ban to-addresses=10.10.10.111 to-ports=5060
 
User avatar
jvanhambelgium
Forum Veteran
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 8:52 am

I don't know much about SIP and what exactly its ALG does, but it seems weird that it would change source addresses of all clients. Could it be that you just have some too broad srcnat rule doing that?
I don't have SIP ALG enabled. Also, I don't think it is related to SIP ALG.
You are correct, ALG seems to rewrite DESTINATION IP in the actual SIP-packets

https://www.nextiva.com/blog/disable-sip-alg.html

So if all these packets appear to come from the IP of your Mikrotik 10.10.10.1 there seems to be some (SOURCE) NAT somewhere in the chain on the wrong side.
The packets arriving at the PBX server should have an untouched "Mobile IP" as SOURCE and not 10.10.10.1 for some reason.
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 9:49 am

I don't know much about SIP and what exactly its ALG does
For the purpose of NAT handling, it is enough to know that SIP is similar to FTP in terms that one protocol (SIP itself) establishes a "control session" used to exchange information about sockets to be used by another protocol (RTP) for the actual delivery of the payload (in this case, the media streams).

The SIP ALG is yet another "helper" in the firewall, which extracts the information about LAN side socket(s) provided by the actual endpoint host in the incoming SIP packet, prepares a pinhole (tracked connection) to that socket from an available socket on the WAN side, and replaces the socket information in the SIP packet accordingly before sending it out. Since the functionality is triggered by src-nat (masquerade) operation, its scope of work is limited - it only works fine for simple calls and for individual phones on LAN side registered to a PBX or public exchange at the WAN side. And it cannot work at all if SIP messages are encrypted.

So far I haven't seen a SIP ALG as a part of a firewall that would be 100% trouble-free, and for the scenario above (not the OP's one) where they mostly work, provisions at the PBX or public exchange side work equally good. Specialized devices called SBCs (Session Border, not Single Board, Controllers) are a different matter, these are developed by SIP specialists and do far more than ALGs, but they also require far more configuration than just "enable/disable".

You also can make a custom Address List in mikrotik - for example called Fail2ban and modify actionban to add that IP addresses in that access list.
Make a firewall input rule -> if source address list is Fail2ban - Action DROP.

Here my action ban on few debian/almalinux machines:
A nice approach. I didn't need it myself so far, but I was always thinking of populating the address list by means of sending a a DNS query for something like totallyunlikelyname.nonsensetld to the address to be banned rather than using SSH to issue the /ip firewall address-list add command, and intercepting that DNS query using layer7-protocol rules at the router. The purpose of the whole exercise is to lower the load of the server running fail2ban, and calculating session keys for SSH is definitely a heavier operation than sending a DNS query.
 
tahmidul
just joined
Topic Author
Posts: 17
Joined: Thu Aug 04, 2022 9:12 pm

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 10:44 am

Dstnat is fine, but I meant srcnat, what rules you have there? Isn't it "popular" but wrong:
/ip firewall nat
add chain=srcnat action=masquerade
that applies to all connections, regardless of direction?
This is exactly what I'm using. Chain = srcnat and action is masquerade. Do I need to change anything here?
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 10:49 am

the expected out interface (one WAN) and the expected src Private IPs pool
 
tahmidul
just joined
Topic Author
Posts: 17
Joined: Thu Aug 04, 2022 9:12 pm

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 10:54 am

Whitelist your known ip addresses in fial2ban in ignoreip section.

You also can make a custom Address List in mikrotik - for example called Fail2ban and modify actionban to add that IP addresses in that access list.
Make a firewall input rule -> if source address list is Fail2ban - Action DROP.

Sir, I really appreciate your valuable time. The scenario of my case is, that I've lots of mobile app users with mobile data. So it's impossible for me to define/whitelist known IP addresses. Yes, I can whitelist the office IPs but there's nothing I can do for mobile users. Also, my router thinks all incoming requests coming from "10.10.10.1" (my gateway IP) instead of their actual IP. So, I need to fix that first. Otherwise, fail2ban will not able to differentiate the attacker's IP address.
 
tahmidul
just joined
Topic Author
Posts: 17
Joined: Thu Aug 04, 2022 9:12 pm

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 10:56 am

the expected out interface (one WAN) and the expected src Private IPs pool
I'm trying this right away.
Out interface = My ISP's PPoE interface
Src = 10.10.10.0/24


is that correct?
 
User avatar
jvanhambelgium
Forum Veteran
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 10:58 am

the expected out interface (one WAN) and the expected src Private IPs pool
I'm trying this right away.
Out interface = My ISP's PPoE interface
Src = 10.10.10.0/24

is that correct?
That should be OK. Give it a try.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 11:04 am

The SIM are private or from your society?

Because the operators have a range of IP for sure, just put the ASxxxx IPs pools on whitelist and you prevent at least 98% of "attacks"....
 
tahmidul
just joined
Topic Author
Posts: 17
Joined: Thu Aug 04, 2022 9:12 pm

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 11:04 am



I don't have SIP ALG enabled. Also, I don't think it is related to SIP ALG.
You are correct, ALG seems to rewrite DESTINATION IP in the actual SIP-packets

https://www.nextiva.com/blog/disable-sip-alg.html

So if all these packets appear to come from the IP of your Mikrotik 10.10.10.1 there seems to be some (SOURCE) NAT somewhere in the chain on the wrong side.
The packets arriving at the PBX server should have an untouched "Mobile IP" as SOURCE and not 10.10.10.1 for some reason.
I got your point.! I know SIP ALG should be disabled in this case. But the funny thing in my scenario is, that when I disable SIP ALG, remote extensions lost their audio. When I turn on SIP ALG, everything starts working fine.


SO CURRENTLY I'VE SIP ALG TURNED ON!
 
tahmidul
just joined
Topic Author
Posts: 17
Joined: Thu Aug 04, 2022 9:12 pm

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 11:16 am



I'm trying this right away.
Out interface = My ISP's PPoE interface
Src = 10.10.10.0/24

is that correct?
That should be OK. Give it a try.

Thank You so much!!! <3 Now it's showing their untouched IP. Now my PBX firewall should work. I'll let you know the results.
[2022-08-06 08:12:16] NOTICE[30690]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:128@10.10.10.111>' failed for '180.149.231.4:58094' (callid: e5f4a810950434e4f7a) - Failed to authenticate
[2022-08-06 08:12:19] NOTICE[30690]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:172@10.10.10.111>' failed for '185.152.64.171:62055' (callid: e5f4a75286924e4f7a) - Failed to authenticate
[2022-08-06 08:12:19] NOTICE[30690]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:172@10.10.10.111>' failed for '185.152.64.171:62055' (callid: e5f4a75286924e4f7a) - Failed to authenticate
[2022-08-06 08:12:22] NOTICE[30690]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:305@10.10.10.111>' failed for '185.242.6.54:59914' (callid: e5f4a586381369e4f7a) - Failed to authenticate
[2022-08-06 08:12:23] NOTICE[30690]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:305@10.10.10.111>' failed for '185.242.6.54:59914' (callid: e5f4a586381369e4f7a) - Failed to authenticate
[2022-08-06 08:12:27] NOTICE[30690]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:209@10.10.10.111>' failed for '195.158.249.37:52793' (callid: e5f4a74383589e4f7a) - Failed to authenticate
 
tahmidul
just joined
Topic Author
Posts: 17
Joined: Thu Aug 04, 2022 9:12 pm

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 12:29 pm

The SIM are private or from your society?

Because the operators have a range of IP for sure, just put the ASxxxx IPs pools on whitelist and you prevent at least 98% of "attacks"....

The operator's name is GrameenPhone. Their IP pool: https://ipinfo.io/AS24389
There are four mobile operators here. Also, whitelisting all mobile data IPs doesn't look safe to me at all..!
Can I set up any filter to the Mikrotik firewall to restrict/limit requests per IP?
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 1:03 pm

Restricting it down to addresses of one operator will surely reduce the flow of fraudulent registration attempts as compared to keeping it open for the whole internet, and I don't think the suggestion was to use such a restriction instead of fail2ban.

You can set up a restriction that depends on rate, look at dst-limit at https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter .
 
User avatar
jvanhambelgium
Forum Veteran
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 1:30 pm

The SIM are private or from your society?

Because the operators have a range of IP for sure, just put the ASxxxx IPs pools on whitelist and you prevent at least 98% of "attacks"....

The operator's name is GrameenPhone. Their IP pool: https://ipinfo.io/AS24389
There are four mobile operators here. Also, whitelisting all mobile data IPs doesn't look safe to me at all..!
Can I set up any filter to the Mikrotik firewall to restrict/limit requests per IP?
The whitelisting on Mikrotik would be only your "first layer" of defence. You still have the SIP-authentication!
That ASN 24389 "only" has 20K IP's so you can problably already have some benefit to whitelist these blocks at Mikrotik-level. You 15 employees with their mobile phones should all be coming from within these ranges I guess.
You can then observe howmuch % is "catched" and decide if you want to keep it.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 2:31 pm

I don't think the suggestion was to use such a restriction instead of fail2ban.
Exactly, block already everything, except the mobile operator pools,
and after that, use fail2ban

The ban can't be permanent, because one banned IP can be assigned later to one wanted phone.


But I prefer consider do a VPN, and after use VoIP.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 3:27 pm

Hi Rextended,
Do you mean user VPN into the Home/Office router and then access the VOIP and if so how is this done.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 3:43 pm

really ask me??? :shock: :shock: :shock:


"Just" make a VPN between the mobile phone and the router and then launch the SIP / VoIP program to connect to the internal server.

Or did I miss something that I have not considered ???? :-? :-? :-?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 3:57 pm

Well I have limited experience,
For example I have a VOIP modem which I connect via the internet and then a cord to the patch panel.
All the wired phones (landline) that have a connection on the patch panel to the phone block get live phone.
I dont have any sip phones...........

So tell me how do I vpn into the router and then use my VOIP connection ????
Which phone allows me to vpn to the router and place a call ????
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 4:24 pm

I have at office a Yeastar device, and I use linkus app/service than use a intermediate server from Yeastar,

but at home I do not have any, too much already the mobile phone ;) :lol:
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: How to prevent random SIP attacks on default port 5060

Sat Aug 06, 2022 4:47 pm

@tahmidul
I provide a VoIP Blacklist service that has successfully prevented SIP Attacks in 99% of cases ... there is a 10 day free trial period available ... see my sig.

My current voipTIK blacklist list contains 39K+ IP addresses ...

in your case you will need to whitelist all your core servers for all ports, hosted PBX and Interconnection partners to specific required ports before implementing the drop rule for the voipTIK blacklist.

Who is online

Users browsing this forum: andrep, Bing [Bot], kolopeter, kub1x, menyarito, smirgo and 90 guests