Author Topic: Yate Server Security  (Read 8038 times)

CauselessEffect

  • Newbie
  • *
  • Posts: 13
    • View Profile
Yate Server Security
« on: September 21, 2013, 07:05:25 AM »
I'd like to address something that I haven't seen any posts about yet on here, and that's server security.  Unfortunately, I'm still very much of a newbie when it comes to Yate and SIP servers in general, so I don't have any good answers to my question.  I would like to know if anyone out there has any experience using Yate in a production environment or has learned to secure their server beyond the default configuration.

I recently followed this guide on using Yate to communicate with Google Voice (http://docs.yate.ro/wiki/Connecting_To_Google_Voice), and that remains the only changes I have made beyond the default configuration.  While attempting to debug some communication issues, I had Yate running via command line with "yate-console.exe -Dt -l log.txt".  Within 5 hours of starting the server, my log file had grown to 2GB in size.  I quickly stopped the server and looked in the config file to find countless call entries with a user-agent of a "friendly-scanner".  Searching this on Google turned up a number of pages about SIP bots.  Due to the sheer number of entries from this bot, it would take me a very long time to figure out what exactly they were trying to do, but clearly I now have reason to worry about using my server.

What concerns me is that I am operating the latest version of Yate with the default configuration, changing ONLY what was recommended to me on Yate's documentation for using Google Voice.  Fortunately, I was able to detect this exploit due to another user on the forum's help in suggesting file logging.  I worry there are countless others using Yate that are unaware of what's happening on their machines.

In any case, I am posting here in hopes someone has experience securing Yate server, perhaps for production purposes.  The SIP user I had configured was using a strong, 8-character password with a non-default user name.  I will be changing the password to a much longer, more secure password, but I am still hesitant to leave Yate running for very long.  I do not host any public services from my IP, so I am genuinely surprised I was discovered so quickly.

If anybody has any experience with this or general security tips for SIP, please let me know!

bob

  • Newbie
  • *
  • Posts: 1
    • View Profile
Re: Yate Server Security
« Reply #1 on: September 22, 2013, 03:59:03 AM »
I would not advise you to spend a lot of time looking at the log after freindyscanner. I assume that it is a regular enumeration areas or usernames and passwords.
And it is not discovery for people familiar with voip.
Decisions, as always, a great many.
I can little open my solution to the problem.

1. If your server is on the local network (behind NAT), then in addition to port forwarding on the router, you need to include rules limiting the number of connection attempts on port used for SIP.

2. On the server to activate iptables. Even if you have windows, I recommend SIP server to run on linux in virtual environment. And all the reasons mentioned below applies to Linux.
The list of rules goes like this:
#cat /etc/iptables/rules
Code: [Select]
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FORVOIP - [0:0]
# input rules
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
...
-A INPUT -p udp -m udp --dport 5060 -j FORVOIP
-A INPUT -p udp -j ACCEPT
-A INPUT -j LOG --log-prefix "fw-drop="
# FORVOIP rules
-A FORVOIP -m string --string "friendly-scanner" --algo bm --to 65535 -j DROP
-A FORVOIP -m string --string "sipvicious" --algo bm --to 65535 -j DROP
-A FORVOIP -m string --string "sipsscuser" --algo bm --to 65535 -j DROP
-A FORVOIP -m string --string "sipcli" --algo bm --to 65535 -j DROP
-A FORVOIP -j RETURN
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --sport 1720 -j DSCP --set-dscp 0x0a
-A OUTPUT -p tcp -m tcp --dport 1720 -j DSCP --set-dscp 0x0a
-A OUTPUT -p udp -m udp --sport 5060:5070 -j DSCP --set-dscp 0x0a
-A OUTPUT -p udp -m udp --sport 9000:16999 -j DSCP --set-dscp 0x2e
COMMIT

3. install fail2ban and create appropriate rules.
#cat /etc/fail2ban/jail.conf
Code: [Select]
[yate-iptables]
enabled  = true
filter   = yate
action   = iptables[name=SIP, port=sip, protocol=udp]
logpath  = /var/log/yate/yate.cdr
findtime  = 60
maxretry = 10
bantime  = 72000000

#cat /etc/fail12ban/filter.d/yate.conf
Code: [Select]
[Definition]
failregex= .*\t.*\t.*\t<HOST>:.*rejected

It is assumed that the module is included in Yate cdrfile:
#cat /etc/yate/cdrfile.conf
Code: [Select]
[general]
file=/var/log/yate/yate.cdr
tabs=true

4. Enable self-protection yate - banbrutes.
#cat /etc/yate/extmodule.conf
Code: [Select]
[scripts]
banbrutes.php=

Configured directly in the body of the script
#cat /usr/share/yate/scripts/banbrutes.php
Code: [Select]
$ban_failures = 4;
$clear_gray = 5;
$clear_black = 3600;
$cmd_ban = "iptables -I FORVOIP -s \$addr -j DROP";
$cmd_unban = "iptables -D FORVOIP -s \$addr -j DROP";

5. Probably the most reliable way, but I have not tried it. This change port 5060 to another.

And another recommendation here.
Do not know if there are vulnerabilities Yate SIP stack, but 5 months uptime of my yate,  hoping not.
Without mention of Yate here , unlike * and its clones also gives  some peace of mind :-)



Sorry my english ,
Best regard



PS:
The forum is really very few answers except the developers.
And, IMHO, this is because the user community of Yate does not already exist as such.
There is a small community of developers who are interesting bug reports.
And all the others who have mastered the Yate, use it for their own commercial projects and conduct educational program, certainly not in their interest.
And it is very sad.
« Last Edit: September 23, 2013, 10:34:03 AM by bob »

CauselessEffect

  • Newbie
  • *
  • Posts: 13
    • View Profile
Re: Yate Server Security
« Reply #2 on: September 24, 2013, 01:12:05 PM »
Thank you for reply!  These are all good tips to look into implementing.  So far, the two primary changes I have made was significantly improving my SIP password strength and changing to a non-default port number.  I will be carefully watching my log file to see if anyone is able to break in again.  I would also like to implement the "fail2ban" script to help block repeated attempts at cracking my password(s).  Unfortunately, my use of Yate will require accepting connections from dynamic IPs, so the IP table/white-list option may not work for me, but a good suggestion nonetheless.

I will reply back if I encounter any additional server "attacks".  Hopefully the information you posted will help other Yate users in the future.  If anyone else on these forums has any additional suggestions, I would be happy to hear them!

Thanks for spending the time to post all that helpful information, Bob.  These forums could use more users like you!

CauselessEffect

  • Newbie
  • *
  • Posts: 13
    • View Profile
Re: Yate Server Security
« Reply #3 on: October 02, 2013, 01:32:20 PM »
I just wanted to follow up and say that I have now let Yate run for a full week and the log file is a reasonable size and does not show signs of any additional "break ins".  As I previously mentioned, the two changes I made were moving to a non-default port and strengthening my SIP password.  I am also now using a unique, non-default SIP username.

If I run into any other security issues, I will post them here, otherwise, thank you for your suggestions, Bob!

hecatae

  • Newbie
  • *
  • Posts: 6
    • View Profile
Re: Yate Server Security
« Reply #4 on: December 15, 2014, 03:24:42 PM »
Thank you for the above, I was looking for something like fail2ban for my hand compiled freesentral install

jamie

  • Newbie
  • *
  • Posts: 38
    • View Profile
Re: Yate Server Security
« Reply #5 on: January 21, 2015, 07:08:12 PM »

If you're using a windows platform you wont have access to ip tables, but can i suggest a relatively cheap bit of software from http://www.beethink.com/ that do the same job?  ( There maybe others out there, but this was best i found at the time )

it has a command line interface, so you can modify banbrutes.php to push unwanted ip's to it and bar / white list them instantly.