Protect your Asterisk PBX server from blacklisted IP addresses


VoIPBL is a distributed VoIP blacklist that aims to protect against VoIP fraud and minimize abuse for networks that have publicly accessible PBXs.

For more details

For Asterisk PBX you need to install Fail2ban. It is the only dependency required to run VoIP Blacklist on your server.

Step 1 You must install Fail2ban on your server. You can refer to the Fail2ban website for detailed instructions and advanced configurations.

Step 2 Create the /etc/cron.d/voipbl file to update the rules every 4 hours

# update blacklist every 4 hours
# (files in /etc/cron.d take five time fields, then the user, then the command)
0 */4 * * * root /usr/local/bin/


Step 3 If you are using iptables, save the following script in /usr/local/bin/ to automatically block offending IP addresses, subnets or netblocks. You must also run chmod 700 on this file.


#!/bin/bash
# Placeholder: the blacklist download URL is missing from this page
URL="VOIPBL_UPDATE_URL"

# Check if chain exists and create one if required
if [ "$(iptables -L | grep -c "Chain BLACKLIST-INPUT")" -lt 1 ]; then
  /sbin/iptables -N BLACKLIST-INPUT
  /sbin/iptables -I INPUT 1 -j BLACKLIST-INPUT
fi

# Empty the chain
/sbin/iptables -F BLACKLIST-INPUT
wget -qO - "$URL" |\
  awk '{print "if [ ! -z \""$1"\" -a \""$1"\" !=  \"#\" ]; then /sbin/iptables -A BLACKLIST-INPUT -s \""$1"\" -j DROP;fi;"}' | sh

Alternatively, if your system supports ipset, you can use the following script (thanks to Graham Barnett for his contribution):



#!/bin/bash
# Placeholder: the blacklist download URL is missing from this page
URL="VOIPBL_UPDATE_URL"

set -e
echo "Downloading rules from VoIP Blacklist"
wget -q "$URL" -O /tmp/voipbl.txt

echo "Loading rules..."

# Check if rule set exists and create one if required
if ! /usr/sbin/ipset list voipbl > /dev/null 2>&1; then
  ipset -N voipbl iphash
fi

# Check if the DROP rule is already in iptables and insert it if not
if ! /sbin/iptables -w --check INPUT -m set --match-set voipbl src -j DROP > /dev/null 2>&1; then
  /sbin/iptables -I INPUT 1 -m set --match-set voipbl src -j DROP
fi

# Create temporary set, fill it, then swap it in atomically
ipset destroy voipbl_temp > /dev/null 2>&1 || true
ipset -N voipbl_temp iphash
cat /tmp/voipbl.txt |\
  awk '{ print "if [ ! -z \""$1"\" -a \""$1"\"  != \"#\" ]; then /usr/sbin/ipset  -A voipbl_temp \""$1"\" ;fi;"}' | sh
ipset swap voipbl_temp voipbl
ipset destroy voipbl_temp || true
echo "Done! Rules loaded"
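
Both Step 3 scripts build shell commands from each downloaded line with awk and pipe them to sh as root, so the content of the list is trusted as code. As an added example (not part of the VoIPBL scripts), the function below accepts only well-formed IPv4 addresses or CIDR blocks and emits input for ipset restore instead; the names voipbl_to_restore and sample_list and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the VoIPBL scripts.
# voipbl_to_restore SETNAME < list
# Prints one "add SETNAME ENTRY" line per well-formed IPv4 address or CIDR
# block; comments, blank lines and malformed entries are dropped, and no
# list content is ever handed to a shell.
voipbl_to_restore() {
  awk -v setname="$1" '
    function valid(e,   n, i, parts, o) {
      n = split(e, parts, "/")
      if (n > 2) return 0
      if (n == 2 && (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 > 32)) return 0
      if (split(parts[1], o, ".") != 4) return 0
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) return 0
      return 1
    }
    { sub(/\r$/, "") }                      # tolerate CRLF line endings
    $1 == "" || $1 ~ /^#/ { next }          # skip blanks and comments
    valid($1) { print "add " setname " " $1; next }
    { skipped++ }
    END { if (skipped) print "skipped " skipped " malformed entries" > "/dev/stderr" }
  '
}

# Constructed sample list (documentation addresses, not real VoIPBL data)
sample_list() {
  cat <<'EOF'
# comment line
192.0.2.10
198.51.100.0/24

300.1.1.1
10.0.0.0/33
192.0.2.1;true
EOF
}

# In the ipset script this would replace the "awk ... | sh" step:
#   voipbl_to_restore voipbl_temp < /tmp/voipbl.txt | ipset -exist restore
sample_list | voipbl_to_restore voipbl_temp
```

The swap into the live voipbl set stays as in the script above, so a list that fails validation entirely leaves the previous set in place only if you also check that the temporary set is non-empty before swapping.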


Step 4 Add a new Fail2ban jail in /etc/fail2ban/jail.conf

action   = iptables-allports[name=ASTERISK, protocol=all]


Step 5 Now define the VoIP Blacklist actions for Fail2ban in /etc/fail2ban/action.d/voipbl.conf.

# Description: Configuration for Fail2Ban


actionban   = <getcmd> "<url>/ban/?serial=<serial>&ip=<ip>&count=<failures>"
actionunban = <getcmd> "<url>/unban/?serial=<serial>&ip=<ip>&count=<failures>"


getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 \
              --read-timeout=60 --retry-connrefused --output-document=- \

url =


Step 6 Now you can restart the Fail2ban daemon to get protected against VoIP fraud!

