At some point, after running your PBX for a while, you will get some exposure. If you go to your PBX console and watch your logs, you may notice that sometimes someone tries to register or to send an INVITE request. These attempts are usually made by scripts looking for misconfigured SIP servers.
The IPTables Script
After looking on the Internet, I put together a short list of User-Agent identifiers used by those scripts. So, I wrote the following script in order to help everyone create the rules.
Please note that the User-Agent string is very easy to change. Most seasoned hackers will be able to change it; the newbies will not. This approach only makes it more difficult. By default, the script creates rules for ports 5060 and 5080, both UDP and TCP.
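The post's script is not reproduced here, so the following is an added example of the same idea, not the author's script: it emits one iptables string-match rule per User-Agent, port and protocol, using the 5060/5080 UDP and TCP defaults described above. The agent list is a constructed sample ("friendly-scanner" is the default User-Agent of the SIPVicious scanner; the second entry is a placeholder to replace with your own list).

```shell
#!/bin/sh
# Added example: generate iptables rules that drop SIP packets whose payload
# carries a known scanner User-Agent. Not the post's original script.

SIP_PORTS="5060 5080"      # defaults named in the post
SIP_PROTOS="udp tcp"

# Constructed sample list, one User-Agent per line. "friendly-scanner" is
# SIPVicious' default; "EXAMPLE-SCANNER-UA" is a placeholder for your own entries.
default_agents() {
    printf '%s\n' "friendly-scanner" "EXAMPLE-SCANNER-UA"
}

# gen_rules AGENTS -> prints one iptables command per agent/port/protocol.
# The string match is a plain byte search of the packet payload, so it only
# catches scanners that announce themselves; a changed User-Agent walks past it.
gen_rules() {
    printf '%s\n' "$1" | while IFS= read -r ua; do
        [ -n "$ua" ] || continue
        for port in $SIP_PORTS; do
            for proto in $SIP_PROTOS; do
                printf 'iptables -I INPUT -p %s --dport %s -m string --string "User-Agent: %s" --algo bm --icase -j DROP\n' \
                    "$proto" "$port" "$ua"
            done
        done
    done
}

# rule_count AGENTS -> number of rules the list would produce (sanity check
# before applying; agents x ports x protocols).
rule_count() {
    gen_rules "$1" | wc -l | tr -d ' '
}

# Print the rules for review. To apply them as root:  sh sip-ua-block.sh | sudo sh
gen_rules "$(default_agents)"
```

Review the printed commands before piping them to a root shell. If you want visibility into how often the rules fire, a matching `-j LOG` rule inserted ahead of each `-j DROP` gives you a counter and a log line per hit; the generator above keeps to the drop rules the post describes.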
Taking the Security further
If you are asking what the root fix would be: I believe you need a SIP proxy, maybe Kamailio or a FreeSWITCH with a very basic configuration. The idea is that this element can analyze the SIP payload and, depending on some rules, decide whether to block the call or let it pass through. Some of these criteria could be:
- INVITE, From, To, and Contact must use a fully qualified domain name instead of IP addresses.
- The o= and c= lines in the SDP payload should carry a real IP address instead of pointing to nowhere (0.0.0.0).
I am pretty sure there are more criteria. When the time comes, I will write about that.
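To make the two criteria concrete, here is an added example (not a Kamailio or FreeSWITCH configuration, and not from the post) that applies them to a raw SIP INVITE with plain grep: it flags an INVITE Request-URI, From, To or Contact whose host part is an IPv4 literal, and an SDP o= or c= line pointing at 0.0.0.0. The two messages are constructed samples; the checks assume one header per line and do not handle the compact header forms (f:, t:, m:).

```shell
#!/bin/sh
# Added example: screen a SIP INVITE against the two criteria listed above.
# Illustration only; a real proxy would do this with a proper SIP parser.

IPV4='[0-9]{1,3}(\.[0-9]{1,3}){3}'

# screen_invite FILE -> prints one reason per failed criterion, returns 1 if any failed.
screen_invite() {
    f="$1"; rc=0
    # Criterion 1a: the Request-URI on the INVITE line must not be an IP literal
    if grep -Ei "^INVITE +sip:([^@ ]*@)?$IPV4" "$f" >/dev/null; then
        echo "reject: INVITE Request-URI host is an IP literal, not an FQDN"; rc=1
    fi
    # Criterion 1b: From, To and Contact must not use an IP literal as host
    for hdr in From To Contact; do
        if grep -Ei "^$hdr:.*sip:([^@>]*@)?$IPV4" "$f" >/dev/null; then
            echo "reject: $hdr host is an IP literal, not an FQDN"; rc=1
        fi
    done
    # Criterion 2: SDP origin (o=) and connection (c=) must not point at 0.0.0.0
    if grep -E '^(o|c)=.*[^0-9]0\.0\.0\.0([^0-9]|$)' "$f" >/dev/null; then
        echo "reject: SDP o=/c= line points at 0.0.0.0"; rc=1
    fi
    return $rc
}

# Constructed sample: scanner-style INVITE (IP literals everywhere, media at 0.0.0.0)
sample_bad() {
    printf '%s\r\n' \
        'INVITE sip:100@203.0.113.10 SIP/2.0' \
        'Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-1' \
        'From: "100" <sip:100@198.51.100.7>;tag=1' \
        'To: <sip:100@203.0.113.10>' \
        'Contact: <sip:100@198.51.100.7:5060>' \
        'User-Agent: friendly-scanner' \
        'Content-Type: application/sdp' \
        '' \
        'v=0' \
        'o=- 1 1 IN IP4 0.0.0.0' \
        'c=IN IP4 0.0.0.0' \
        'm=audio 10000 RTP/AVP 0'
}

# Constructed sample: well-formed INVITE using FQDNs and a real media address
sample_good() {
    printf '%s\r\n' \
        'INVITE sip:100@pbx.example.com SIP/2.0' \
        'From: "Alice" <sip:alice@phones.example.com>;tag=2' \
        'To: <sip:100@pbx.example.com>' \
        'Contact: <sip:alice@phone1.example.com:5060>' \
        'Content-Type: application/sdp' \
        '' \
        'v=0' \
        'o=alice 1 1 IN IP4 phone1.example.com' \
        'c=IN IP4 192.0.2.25' \
        'm=audio 10000 RTP/AVP 0'
}

# Demo run on the two constructed samples
for s in sample_bad sample_good; do
    tmp=$(mktemp); $s > "$tmp"
    if screen_invite "$tmp"; then echo "$s: pass"; else echo "$s: blocked"; fi
    rm -f "$tmp"
done
```

Run against the samples, the scanner-style message is rejected on all five checks and the well-formed one passes. Note that a user part that happens to look like an IPv4 address (sip:1.2.3.4@pbx.example.com) would trip the regex; a proxy with a real URI parser would look only at the host part.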
Good luck!