Securing your NGCP against SIP attacks

by DANIEL GROTTI on NOVEMBER 9, 2014 in TECHNICAL
Sipwise Sip:Provider mr3.5.1 allows you to protect your VoIP system against SIP attacks, in particular Denial of Service and brute-force attacks.

Let's go through each of those attacks and see how to configure your system to face such situations and react to them. We will also see how to increase your security and how easy it is to integrate fail2ban with your NGCP system in order to ban attackers' IPs.

Denial of Service

As soon as packets arrive on your NGCP server, handling them requires a bit of your CPU time. Denial of Service attacks aim to bring down your system by sending floods of SIP messages in a very short period of time, keeping your system busy handling that huge amount of requests.

NGCP allows you to block this kind of attack quite easily, by configuring the following section in your /etc/ngcp-config/config.yml:

security:
  dos_ban_enable: 'yes'
  dos_ban_time: 3600
  dos_reqs_density_per_unit: 50
  dos_sampling_time_unit: 2

Basically, as soon as NGCP receives more than 50 messages from the same IP in a time window of 2 seconds, that IP will be blocked for 3600 seconds, and you will see in kamailio-lb.log a line saying:

Nov 9 00:11:53 sp1 lb[41958]: WARNING: <script>: IP '1.2.3.4' is blocked and banned - R=<null> ID=304153-3624477113-19168@tedadg.testlab.local

The banned IP will be stored in Kamailio memory; you can check the list via the web interface or via the following command:

# ngcp-kamctl lb fifo sht_dump ipban

Bruteforcing SIP credentials

This is a very common attack that you can easily detect by checking your /var/log/ngcp/kamailio-proxy.log. You will see INVITE/REGISTER messages coming in with strange usernames. Attackers are trying to spoof/guess subscribers' credentials, which would allow them to call out.

The very first protection against these attacks is: use STRONG passwords. Always.

Nevertheless, NGCP allows you to detect and block such attacks quite easily, by configuring the following /etc/ngcp-config/config.yml section:

failed_auth_attempts: 3
failed_auth_ban_enable: 'yes'
failed_auth_ban_time: 3600

You may increase the number of failed attempts if you want (in some cases it is better to be safe: some users can be banned accidentally because they are not typing the right password) and adjust the ban time. If a user tries to authenticate an INVITE (or REGISTER), for example, and fails more than 3 times, the user@domain (not the IP, as for the Denial of Service attack) will be blocked for 3600 seconds.
In this case you will see in your kamailio-lb.log the following line:

Nov 9 13:31:56 sp1 lb[41952]: WARNING: <script>: Consecutive Authentication Failure for 'dgrotti@mydomain.com' UA='Linphone' IP='192.168.0.3' - R=<null> ID=313793-3624525116-589163@testlab.local

Both the banned IPs and banned users are shown in the Admin web interface; you can check them by accessing the Security Bans section in the main menu. You can also check the banned users by retrieving the same info directly from Kamailio memory, using the following command:

# ngcp-kamctl lb fifo sht_dump auth

Additionally, you can check the UA value from the log line and decide to add that User Agent to your User Agent blacklist (see the Blocking User Agent paragraph).
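The two sections above differ in what the ban is keyed on: the DoS ban tracks the source IP, the failed-authentication ban tracks user@domain. The following Python model is an added illustration (not NGCP or Kamailio code; the product implements this inside Kamailio) of both tables using the thresholds from the config.yml snippets; the exact trigger boundaries (51st message in a window, 3rd consecutive failure) are an assumption.

```python
from collections import defaultdict, deque

DOS_REQS_DENSITY_PER_UNIT = 50   # messages allowed per sampling unit
DOS_SAMPLING_TIME_UNIT = 2       # seconds
DOS_BAN_TIME = 3600              # seconds
FAILED_AUTH_ATTEMPTS = 3
FAILED_AUTH_BAN_TIME = 3600      # seconds


class BanTables:
    """Model of the 'ipban' table (keyed by source IP) and the 'auth' table
    (keyed by user@domain); thresholds mirror the config.yml values above."""

    def __init__(self):
        self.ipban = {}                  # ip -> ban expiry (seconds)
        self.auth = {}                   # user@domain -> ban expiry (seconds)
        self._hits = defaultdict(deque)  # ip -> message timestamps in window
        self._fails = defaultdict(int)   # user@domain -> consecutive failures

    def banned_ip(self, ip, now):
        return self.ipban.get(ip, 0) > now

    def banned_user(self, user, now):
        return self.auth.get(user, 0) > now

    def on_request(self, ip, now):
        """Every SIP message from ip at time now; True if it must be dropped."""
        if self.banned_ip(ip, now):
            return True
        hits = self._hits[ip]
        hits.append(now)
        while now - hits[0] >= DOS_SAMPLING_TIME_UNIT:  # drop samples outside window
            hits.popleft()
        if len(hits) > DOS_REQS_DENSITY_PER_UNIT:       # assumed boundary: 51st hit
            self.ipban[ip] = now + DOS_BAN_TIME
            hits.clear()
            return True
        return False

    def on_auth_failure(self, user, now):
        """A failed INVITE/REGISTER challenge; True once user@domain is banned."""
        self._fails[user] += 1
        if self._fails[user] >= FAILED_AUTH_ATTEMPTS:   # assumed boundary: 3rd failure
            self.auth[user] = now + FAILED_AUTH_BAN_TIME
            self._fails[user] = 0
            return True
        return False

    def on_auth_success(self, user):
        self._fails.pop(user, None)      # a correct password ends the run
```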

Increasing your security

Let's now see how to increase your NGCP security by adding an additional security check and how to integrate that with fail2ban. Malicious attackers usually use well-known tools (e.g. sipvicious) and well-known User Agents. An additional level of security is blocking IPs based on the SIP User Agent; let's see the steps to implement that in your NGCP and how to integrate it with fail2ban.

Blocking User Agent

In order to mitigate attacks and malicious users based on the SIP UA you need to patch your Kamailio configuration. If you also want to block their IPs you have to install and configure fail2ban.

Let's start by creating our customtt file:

cp /etc/ngcp-config/templates/etc/kamailio/lb/kamailio.tt2 /etc/ngcp-config/templates/etc/kamailio/lb/kamailio.customtt.tt2

Open your /etc/ngcp-config/templates/etc/kamailio/lb/kamailio.customtt.tt2 file and add the following lines:

route
{
    ...
    if (!sanity_check("1511", "7"))
    {
        xlog("L_WARN", "Malformed SIP message detected [% logreq_init %]\n");
        exit;
    }

    ## filtering by UA : blacklist
    if (is_method("REGISTER|INVITE") && ($ua =~ "friendly-scanner" || $ua =~ "sipvicious" || $ua =~ "^sipcli.+"))
    {
        xlog("L_WARN", "Request rejected, malicious UA='$ua' from IP='$si' [% logreq_init -%]\n");
        exit;
    }
    ...
}

After that, run ngcpcfg apply.

Now NGCP will discard all the requests coming from those malicious UAs. But you want more! You want to block their IPs using the NGCP firewall. To do that, let's see how to install and configure fail2ban to work with your NGCP.

Integrating fail2ban with NGCP

Just install the Debian package; the configuration directory will be /etc/fail2ban:

# apt-get update
# apt-get install fail2ban

We need to modify the file /etc/fail2ban/jail.conf. We can add IPs that the system should ignore, like 127.0.0.1 and other IPs (if you have peerings, for example):

## General section
ignoreip = 127.0.0.1 SOME OTHER NGCP IPS

Also we need to add the [kamailio-iptables] section to the bottom of the file:

[kamailio-iptables]
enabled = true
filter = kamailio
action = iptables-allports[name=KAMAILIO, protocol=all]
logpath = /var/log/ngcp/kamailio-lb.log
maxretry = 1
bantime = 3600

Then we need to create the filter, simply by creating the file /etc/fail2ban/filter.d/kamailio.conf:

[Definition]
# filter for kamailio messages
failregex = Request rejected, malicious UA='.*' from IP='<HOST>'

In this way, as soon as fail2ban finds that line in kamailio-lb.log, it will put the IP in iptables and block it for 1 hour.

You may decide to ban the IP instead of the user in case of failed authentication. This is quite easy: just change your kamailio.conf filter into:

[Definition]
# filter for kamailio messages
failregex = Request rejected, malicious UA='.*' from IP='<HOST>'
            Consecutive Authentication Failure for '.*' UA='.*' IP='<HOST>'

Also you should adjust your config.yml configuration, in order to ban the user for just a few seconds:

failed_auth_attempts: 3
failed_auth_ban_enable: 'yes'
failed_auth_ban_time: 1

then run:

# ngcpcfg apply
# /etc/init.d/fail2ban restart

In this way, after 3 attempts, the IP and not the user will be banned for 3600 seconds by fail2ban.

To apply the changes to fail2ban just restart the daemon:

# /etc/init.d/fail2ban restart
You can check what's going on in /var/log/fail2ban.log (in this example the ban time was 10 sec):

2014-11-06 10:01:45,203 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2014-11-06 10:01:45,206 fail2ban.jail : INFO Creating new jail 'ssh'
2014-11-06 10:01:45,206 fail2ban.jail : INFO Jail 'ssh' uses poller
2014-11-06 10:01:45,238 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2014-11-06 10:01:45,240 fail2ban.filter : INFO Set maxRetry = 6
2014-11-06 10:01:45,242 fail2ban.filter : INFO Set findtime = 600
2014-11-06 10:01:45,244 fail2ban.actions: INFO Set banTime = 600
2014-11-06 10:01:45,333 fail2ban.jail : INFO Creating new jail 'kamailio-iptables'
2014-11-06 10:01:45,333 fail2ban.jail : INFO Jail 'kamailio-iptables' uses poller
2014-11-06 10:01:45,338 fail2ban.filter : INFO Added logfile = /var/log/ngcp/kamailio-lb.log
2014-11-06 10:01:45,340 fail2ban.filter : INFO Set maxRetry = 1
2014-11-06 10:01:45,342 fail2ban.filter : INFO Set findtime = 600
2014-11-06 10:01:45,343 fail2ban.actions: INFO Set banTime = 10
2014-11-06 10:01:45,370 fail2ban.jail : INFO Jail 'ssh' started
2014-11-06 10:01:45,406 fail2ban.jail : INFO Jail 'kamailio-iptables' started
2014-11-06 10:01:46,489 fail2ban.actions: WARNING [kamailio-iptables] Ban 1.1.2.12
2014-11-06 10:01:56,562 fail2ban.actions: WARNING [kamailio-iptables] Unban 1.1.2.12

We are working to include fail2ban in the next upcoming NGCP version.
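Before restarting fail2ban it is worth checking that the filter really catches the lines the load balancer writes. The following Python example is added here (it is not part of the post or of fail2ban): it applies the two failregex patterns from the extended kamailio.conf, with <HOST> expanded the way the fail2ban 0.8 series does (an assumption tied to the v0.8.6 shown in the log above), to constructed log lines shaped like the ones quoted in this post, and counts matches per host the way a jail with maxretry does.

```python
import re

# fail2ban's <HOST> placeholder as the 0.8 series expands it (assumption:
# the v0.8.6 seen in the fail2ban.log above uses this definition).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Each line of the failregex value in filter.d/kamailio.conf is one pattern.
FAILREGEX = [
    r"Request rejected, malicious UA='.*' from IP='<HOST>'",
    r"Consecutive Authentication Failure for '.*' UA='.*' IP='<HOST>'",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]


def matched_host(line):
    """Host the first matching failregex extracts from a log line, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def hosts_to_ban(lines, maxretry=1):
    """Hosts whose match count reached maxretry (assumption: all lines fall
    inside one findtime window, as the short sample below does)."""
    counts = {}
    for line in lines:
        host = matched_host(line)
        if host:
            counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, c in counts.items() if c >= maxretry)


# Constructed sample kamailio-lb.log lines, shaped like the ones quoted in the post.
SAMPLE_LOG = [
    "Nov 9 13:31:56 sp1 lb[41952]: WARNING: <script>: Consecutive Authentication "
    "Failure for 'dgrotti@mydomain.com' UA='Linphone' IP='192.168.0.3' - R=<null> "
    "ID=313793-3624525116-589163@testlab.local",
    "Nov 9 13:32:10 sp1 lb[41952]: WARNING: <script>: Request rejected, malicious "
    "UA='friendly-scanner' from IP='203.0.113.7' - R=<null> ID=1-2-3@testlab.local",
    # The DoS ban line is handled inside Kamailio and matches neither pattern.
    "Nov 9 00:11:53 sp1 lb[41958]: WARNING: <script>: IP '1.2.3.4' is blocked and "
    "banned - R=<null> ID=304153-3624477113-19168@tedadg.testlab.local",
]
```

With maxretry = 1, as in the jail above, a single matching line is enough to ban the host, so `hosts_to_ban(SAMPLE_LOG)` returns both the scanner IP and the IP behind the failed authentication.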
Tagged with: ban ddos dos fail2ban ngcp security
