SIPWISE CE - NEWS

back to all Sipwise CE - News

Securing your NGCP against SIP attacks

Sipwise Sip:Provider mr3.5.1 allows you to protect your VoIP system against SIP attacks, in particular Denial of Service and brute-force attacks.
Let’s go through each of those attacks and let´s see how to configure your system in order to face such situations and react against them.
We are going see, as well, how increase your security and how it´s easy to integrate fail2ban with your NGCP system, in order to ban attackers IPs.

Denial of Service

As soon as you have packets arriving on your NGCP server, it will require a bit of time of your CPU. Denial of Service attacks are aimed to break down your system by sending floods of SIP messages in a very short period of time and keep your system busy to handle such huge amout of requests.
NGCP allow you to block such kind of attack quite easily, by configuring the following section in your /etc/ngcp-config/config.yml:

 

security:
   dos_ban_enable: 'yes'
   dos_ban_time: 3600
   dos_reqs_density_per_unit: 50
   dos_sampling_time_unit: 2

 

Basically, as soon as NGCP receives more than 50 messages from the same IP in a time window of 2 seconds, that IP will be block for 3600 sec, and you will see in the the kamailio-lb.log a line saying:

 

Nov 9 00:11:53 sp1 lb[41958]: WARNING: <script>: IP '1.2.3.4' is blocked and banned - R=<null> ID=304153-3624477113-19168@tedadg.testlab.local

 

The banned IP will be stored in kamailio memory, you can check the list via web interface or via the following command:
 
# ngcp-kamctl lb fifo sht_dump ipban

Bruteforcing SIP credentials

This is a very common attack you can easily detect checking your /var/log/ngcp/kamailio-proxy.log. You will see INVITE/REGISTER messages coming in with strange username. Attackers is trying to spoof/guess subscriber´s credentials, which allow them to call out.
The very first protection against these attacks is : use STRONG passwords. Always.
Nevertheless NGCP allow you to detect and block such attacks quite easily, by configuring the following /etc/ngcp-config/config.yml section :
 
  failed_auth_attempts: 3
  failed_auth_ban_enable: 'yes'
  failed_auth_ban_time: 3600

 

You may increase the number of failed attempt if you want (in same cases it´s better to be safed, some users can be banned accidentally because they are not writing the right password) and adjust the ban time. If a user try to authenticate an INVITE (or REGISTER) for example and it fails more then 3 times, the “user@domain” (not the IP as for Denial of Service attack) will be block for 3600 seconds.
In this case you will see in your kamailio-lb.log the following lines:

 

Nov 9 13:31:56 sp1 lb[41952]: WARNING: <script>: Consecutive Authentication Failure for 'dgrotti@mydomain.com' UA='Linphone' IP='192.168.0.3' - R=<null> ID=313793-3624525116-589163@testlab.local
 
Both the banned IPs and banned users are shown in the Admin web interface, you can check them by accessing the “Security Bans” section in the main menu.
You can check the banned user as well by retrieving the same info directly from kamailio memory, using the following commands:
 
# ngcp-kamctl lb fifo sht_dump auth

 
Additionally you can check the UA value from the log line, and decide to add that User Agent to your User Agent blacklist (see “Blocking User Agent” paragraph).

Increasing your security

Let’s see now how to increase your NGCP security by adding an additional security check and how to integrate that with Fail2ban.
Malicious attacker usually use well-know tools (e.g. sipvicious) and well known User Agents. An additional level of security would be blocking IPs based on the SIP User Agent, let’s see the step to implement that into you NGCP and how to integrate this with fail2ban.

 

Blocking User Agent

In order to mitigate attack and malicious users based on SIP UA you need to patch your kamailio configuration. If you want to block his IP you have to install and configure fail2ban.

Let’s start to create our customtt file:

 

cp /etc/ngcp-config/templates/etc/kamailio/lb/kamailio.tt2 /etc/ngcp-config/templates/etc/kamailio/lb/kamailio.customtt.tt2

 

open you /etc/ngcp-config/templates/etc/kamailio/lb/kamailio.customtt.tt2 file and add the following lines:

 

route
{
...

if(!sanity_check(“1511”, “7”))
{
xlog(“L_WARN”, “Malformed SIP message detected – [% logreq_init -%]\n”);
exit;
}

## filtering by UA : blacklist
if( is_method(“REGISTER|INVITE”) && ($ua =~ “friendly-scanner” || $ua =~ “sipvicious” || $ua =~ “^sipcli.+”) )
{
            xlog(“L_WARN”, “Request rejected, malicious UA=’$ua’ from IP=$si – [% logreq_init -%]\n”);
            exit;
}
 
after that run “ngcpcfg apply”.
Now NGCP will discard all the requests coming from those malicious UAs.
But you want more! You want to block their IPs using NGCP firewall. To do that let’s see how to install and configure fail2ban to work with your NGCP.

 

Integrating fail2ban with NGCP

Just install the debian package, configuration directory will be in /etc/fail2ban:
 
# apt-get update
# apt-get install fail2ban

 
We need to modify the following file /etc/fail2ban/jail.conf. We can add IP that the system should ignore, like 127.0.0.1 and other IPs (if you have peerings for example):
 
##General section
ignoreip = 127.0.0.1 SOME OTHER NGCP IPS

 

Also we need to add to the bottom of the file the [kamailio-iptable] section:

 

[kamailio-iptables]
enabled = true
filter = kamailio
action = iptables-allports[name=KAMAILIO, protocol=all]
logpath = /var/log/ngcp/kamailio-lb.log
maxretry = 1
bantime = 3600

 

Then we need to create the filter, just creating the file /etc/fail2ban/filter.d/kamailio.conf :

 

[Definition] 
# filter for kamailio messages
failregex = Request rejected, malicious UA='.*' from IP='<HOST>'

 
In this way as soon as fail2ban will fetch that line in kamailio-lb.log, it will put the IP in iptables and block it for 1 hour.
You may decide to ban IP instead of user in case of failed authentication. This is quite easy, just change your kamailio.conf filter into:
 
[Definition]
# filter for kamailio messages
failregex = Request rejected, malicious UA='.*' from IP='<HOST>
            Consecutive Authentication Failure for '.*' UA='.*' IP='<HOST>'

 
Also you should adjust you config.yml configuration, in order to ban the user just few seconds:
 
failed_auth_attempts: 3
failed_auth_ban_enable: 'yes'
failed_auth_ban_time: 1

 
then run:
 
# ngcpcfp-apply
# /etc/init.d/fail2ban restart

 
In this way, after 3 attempts, the IP and not the user will be banned for 3600 seconds by fail2ban.
To apply the changes to fail2ban just restart the daemon:
 
# /etc/init.d/fail2ban restart
 
You can check what’s going on in /var/log/fail2ban.log (in this example ban time was 10sec):
 
2014-11-06 10:01:45,203 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2014-11-06 10:01:45,206 fail2ban.jail : INFO Creating new jail 'ssh'
2014-11-06 10:01:45,206 fail2ban.jail : INFO Jail 'ssh' uses poller
2014-11-06 10:01:45,238 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2014-11-06 10:01:45,240 fail2ban.filter : INFO Set maxRetry = 6
2014-11-06 10:01:45,242 fail2ban.filter : INFO Set findtime = 600
2014-11-06 10:01:45,244 fail2ban.actions: INFO Set banTime = 600
2014-11-06 10:01:45,333 fail2ban.jail : INFO Creating new jail 'kamailio-iptables'
2014-11-06 10:01:45,333 fail2ban.jail : INFO Jail 'kamailio-iptables' uses poller
2014-11-06 10:01:45,338 fail2ban.filter : INFO Added logfile = /var/log/ngcp/kamailio-lb.log
2014-11-06 10:01:45,340 fail2ban.filter : INFO Set maxRetry = 1
2014-11-06 10:01:45,342 fail2ban.filter : INFO Set findtime = 600
2014-11-06 10:01:45,343 fail2ban.actions: INFO Set banTime = 10
2014-11-06 10:01:45,370 fail2ban.jail : INFO Jail 'ssh' started
2014-11-06 10:01:45,406 fail2ban.jail : INFO Jail 'kamailio-iptables' started
2014-11-06 10:01:46,489 fail2ban.actions: WARNING [kamailio-iptables] Ban 1.1.2.12
2014-11-06 10:01:56,562 fail2ban.actions: WARNING [kamailio-iptables] Unban 1.1.2.12

 
We are working to include fail2ban in the next upcoming NGCP version.

Leave a Reply

Your email address will not be published. Required fields are marked *