Protect your Asterisk PBX server from Black listed IP address

Protect your Asterisk PBX server from Black listed IP address

VoIPBL is a distributed VoIP blacklist that is aimed to protects against VoIP Fraud and minimizing abuse for network that have publicly accessible PBX’s.

For more details http://www.voipbl.org/

For Asterisk PBX  you  need to install Fail2ban. This is the only required dependency needed to run VoIP Blacklist on your server.

Step 1 You must install Fail2ban on your server. You can refer to the Fail2ban website for detailed instructions and advanced configurations.

Step 2 Create the /etc/cron.d/voipbl file to update rules each 4 hours

# update blacklist each 4 hours
0 */4 * * * * root /usr/local/bin/voipbl.sh

 

Step 3 If you are using iptables then save the content in /usr/local/bin/voipbl.sh to automatically block offending IP Addresses, Subnet or Netblock. You must also do a chmod 700 on this file.

#!/bin/bash

# Check if chain exists and create one if required
if [ `iptables -L | grep -c "Chain BLACKLIST-INPUT"` -lt 1 ]; then
  /sbin/iptables -N BLACKLIST-INPUT
  /sbin/iptables -I INPUT 1 -j BLACKLIST-INPUT
fi
	
# Empty the chain
/sbin/iptables -F BLACKLIST-INPUT
wget -qO - http://www.voipbl.org/update/ |\
  awk '{print "if [ ! -z \""$1"\" -a \""$1"\" !=  \"#\" ]; then /sbin/iptables -A BLACKLIST-INPUT -s \""$1"\" -j DROP;fi;"}' | sh

Alternatively, if your system support ipset, you can use the following script: (thanks to Graham Barnett for his contribution)

#!/bin/bash

URL="http://www.voipbl.org/update/"

set -e
echo "Downloading rules from VoIP Blacklist"
wget -qO - $URL -O /tmp/voipbl.txt

echo "Loading rules..."

# Check if rule set exists and create one if required
if ! $(/usr/sbin/ipset list voipbl > /dev/null 2>&1); then
  ipset -N voipbl iphash
fi
  
#Check if rule in iptables
if ! $(/sbin/iptables -w --check INPUT -m set --match-set voipbl src -j DROP > /dev/null 2>&1); then
 /sbin/iptables -I INPUT 1 -m set --match-set voipbl src -j DROP
fi
 
# Create temporary chain
ipset destroy voipbl_temp > /dev/null 2>&1 || true
ipset -N voipbl_temp iphash
 
cat /tmp/voipbl.txt |\
  awk '{ print "if [ ! -z \""$1"\" -a \""$1"\"  != \"#\" ]; then /usr/sbin/ipset  -A voipbl_temp \""$1"\" ;fi;"}' | sh
 
ipset swap voipbl_temp voipbl
ipset destroy voipbl_temp || true
 
echo "Done! Rules loaded"

 

Step 4 Add a new Fail2ban Jail on /etc/fail2ban/jail.conf

[asterisk-iptables]
action   = iptables-allports[name=ASTERISK, protocol=all]
           voipbl[serial=XXXXXXXXXX]

 

Step 5 Now define the VoIP Blacklist actions for Fail2ban on /etc/fail2ban/action.d/voipbl.conf.

# Description: Configuration for Fail2Ban

[Definition]

actionban   = <getcmd> "<url>/ban/?serial=<serial>&ip=<ip>&count=<failures>"
actionunban = <getcmd> "<url>/unban/?serial=<serial>&ip=<ip>&count=<failures>"

[Init]

getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 \
              --read-timeout=60 --retry-connrefused --output-document=- \
	      --user-agent=Fail2Ban

url = http://www.voipbl.org


 

Step 6 Now you can restart the Fail2ban daemon to get protected agains VoIP Fraud!

 

Your email address will not be published. Required fields are marked *