Messages - bob

Other Yate server issues / Re: Yate Server Security
« on: September 22, 2013, 03:59:03 AM »
I would not advise you to spend a lot of time looking at the log after friendly-scanner. I assume that it is a regular enumeration of areas or usernames and passwords.
And it is not a discovery for people familiar with VoIP.
Solutions, as always, are a great many.
I can briefly describe my solution to the problem.

1. If your server is on the local network (behind NAT), then in addition to port forwarding on the router, you need to include rules limiting the number of connection attempts on the port used for SIP.

2. On the server, activate iptables. Even if you have Windows, I recommend running the SIP server on Linux in a virtual environment. And all the reasons mentioned below apply to Linux.
The list of rules goes like this:
#cat /etc/iptables/rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FORVOIP - [0:0]
# input rules
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
...
-A INPUT -p udp -m udp --dport 5060 -j FORVOIP
-A INPUT -p udp -j ACCEPT
-A INPUT -j LOG --log-prefix "fw-drop="
# FORVOIP rules
-A FORVOIP -m string --string "friendly-scanner" --algo bm --to 65535 -j DROP
-A FORVOIP -m string --string "sipvicious" --algo bm --to 65535 -j DROP
-A FORVOIP -m string --string "sipsscuser" --algo bm --to 65535 -j DROP
-A FORVOIP -m string --string "sipcli" --algo bm --to 65535 -j DROP
-A FORVOIP -j RETURN
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --sport 1720 -j DSCP --set-dscp 0x0a
-A OUTPUT -p tcp -m tcp --dport 1720 -j DSCP --set-dscp 0x0a
-A OUTPUT -p udp -m udp --sport 5060:5070 -j DSCP --set-dscp 0x0a
-A OUTPUT -p udp -m udp --sport 9000:16999 -j DSCP --set-dscp 0x2e
COMMIT

3. Install fail2ban and create appropriate rules.
#cat /etc/fail2ban/jail.conf
[yate-iptables]
enabled  = true
filter   = yate
action   = iptables[name=SIP, port=sip, protocol=udp]
logpath  = /var/log/yate/yate.cdr
findtime  = 60
maxretry = 10
bantime  = 72000000

#cat /etc/fail2ban/filter.d/yate.conf
[Definition]
failregex= .*\t.*\t.*\t<HOST>:.*rejected

It is assumed that the cdrfile module is enabled in Yate:
#cat /etc/yate/cdrfile.conf
[general]
file=/var/log/yate/yate.cdr
tabs=true

4. Enable Yate's self-protection - banbrutes.
#cat /etc/yate/extmodule.conf
[scripts]
banbrutes.php=

It is configured directly in the body of the script:
#cat /usr/share/yate/scripts/banbrutes.php
$ban_failures = 4;
$clear_gray = 5;
$clear_black = 3600;
$cmd_ban = "iptables -I FORVOIP -s \$addr -j DROP";
$cmd_unban = "iptables -D FORVOIP -s \$addr -j DROP";

5. Probably the most reliable way, but I have not tried it: change port 5060 to another one.

And another recommendation here.
I do not know if there are vulnerabilities in the Yate SIP stack, but with 5 months of uptime on my Yate, I am hoping not.
That Yate is not mentioned here, unlike * and its clones, also gives some peace of mind :-)



Sorry for my English,
Best regards



PS:
The forum really has very few answers except from the developers.
And, IMHO, this is because a user community of Yate does not exist as such.
There is a small community of developers who are interested in bug reports.
And all the others who have mastered Yate use it for their own commercial projects, and conducting an educational program is certainly not in their interest.
And it is very sad.
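The following is an added example, not part of bob's post and not Yate's or fail2ban's own code. It re-implements offline the two checks the post relies on: the fail2ban failregex from filter.d/yate.conf applied to tab-separated CDR lines with the jail's findtime/maxretry counting, and the FORVOIP string match for scanner user-agents. The CDR lines are constructed only to satisfy the post's regex (first field assumed to be a UNIX timestamp); the real Yate cdrfile column layout is not asserted here.

```python
"""Added example: offline check of the fail2ban filter and the FORVOIP
string match quoted in the post. Not Yate or fail2ban code."""
import re
from collections import defaultdict

# The post's failregex, with fail2ban's <HOST> tag expanded to a simplified
# version of the named group fail2ban substitutes for it.
HOST = r"(?P<host>[\w\-.^_]*\w)"
FAILREGEX = re.compile(r".*\t.*\t.*\t" + HOST + r":.*rejected")

# Substrings the FORVOIP iptables chain drops. "-m string --algo bm" is
# case-sensitive, so the comparison below is too.
SCANNER_STRINGS = ("friendly-scanner", "sipvicious", "sipsscuser", "sipcli")


def rejected_attempts(lines):
    """Return {host: [epoch, ...]} for every CDR line matching FAILREGEX.

    Assumption (constructed format): the first tab-separated field is a
    UNIX timestamp, as the sample lines below use.
    """
    attempts = defaultdict(list)
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue
        ts = float(line.split("\t", 1)[0])
        attempts[m.group("host")].append(ts)
    return attempts


def hosts_to_ban(lines, findtime=60, maxretry=10):
    """Hosts with >= maxretry rejected attempts inside any findtime-second
    window, mirroring the jail.conf settings quoted in the post."""
    banned = []
    for host, times in rejected_attempts(lines).items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits in findtime.
            while t - times[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.append(host)
                break
    return sorted(banned)


def scanner_user_agent(sip_request):
    """Return the first FORVOIP drop string found in a raw SIP request,
    or None if the message carries none of them."""
    for needle in SCANNER_STRINGS:
        if needle in sip_request:
            return needle
    return None


# Constructed sample CDR lines: 12 rejects from one host within 12 s,
# 2 rejects 40 s apart from another, and one answered call that must not match.
SAMPLE_CDR = (
    [f"{1379818740 + i}\tsip/{i}\tcall\t198.51.100.23:5060\t100\trejected"
     for i in range(12)]
    + ["1379818750\tsip/20\tcall\t203.0.113.9:5062\t101\trejected",
       "1379818790\tsip/21\tcall\t203.0.113.9:5062\t101\trejected",
       "1379818760\tsip/22\tcall\t192.0.2.44:5060\t102\tanswered"]
)

# Constructed SIP OPTIONS probe carrying one of the dropped user-agent strings.
SAMPLE_OPTIONS = (
    "OPTIONS sip:100@192.0.2.1 SIP/2.0\r\n"
    "User-Agent: friendly-scanner\r\n\r\n"
)

if __name__ == "__main__":
    print("hosts to ban:", hosts_to_ban(SAMPLE_CDR))
    print("scanner user-agent:", scanner_user_agent(SAMPLE_OPTIONS))
```

Running the script reports only 198.51.100.23 at the post's findtime=60 / maxretry=10; lowering maxretry to 2 also catches 203.0.113.9, and shrinking findtime to 30 drops it again, which shows how the two jail parameters interact before you commit to a bantime as long as the one in the post.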
