Is your Asterisk system under heavy attack

This week one of our customer was attacked by more than 10000 Unique IPs. These hackers try to register on your system using some random username and easy to crack password. Few week back I wrote few tips on securing your asterisk servers.

Even if you took all the steps to secure your asterisk, still you dont want these attackers to flood your system with dummy registration requests. Use iptables and easy to implement shell script to block these attackers. You can easily block flooding traffic to your system. Iptables, can be used to filter IP traffic, provides high level packet filtering. Use the shell script below and setup a cron and have a good night sleep. The script will automatically block the IPs flooding your Asterisk system with failed registration requests.

Monitor Asterisk’s Log for Failed Registrations

In most cases of a sip flood attack, the host tries to register on your Asterisk. All the failed attempts from these hosts are identified in the Asterisk log (/var/log/messages or /var/log/full if you are using Asterisk Based PBX  as “No matching peer found.” The following script scans /var/log/full for these patterns, strips the IP address of attacker, and block it.

Script reads the log file and use IPTABLES to block any further attempts. While reading the log file it always set a check in and check out flag. So that next time it can start from last check out position.

Copy the code and save in /usr/local/bin/check_sip_attack
chomod 755 /usr/local/bin/check_sip_attack
#########Start from Next line  ##########

# Script Donated by
#crontab -l
# make an entry in Crontab
#01-59/2 * * * * /usr/local/bin/check_sip_attack

BINDIR=`dirname $0`; echo $BINDIR | grep ^/ > /dev/null || BINDIR=`pwd`/`dirname $0`
arch=”`uname -m`-`uname -s`”

# echo “BINDIR= ”  ${BINDIR}
cd /var/log/asterisk
if [ ! -r ${log} ]; then
printf “could not read error file (${log})n”
start=”`grep -n -e CRON: start ${log} | tail -n -1 | sed s/:/ /g | awk ‘{print $1}’`”
stop=”`grep -n -e CRON: stop ${log} | tail -n -1 | sed s/:/ /g | awk ‘{print $1}’`”
if [ "$start" = "" ]; then start=0; fi
if [ "$stop" = "" ]; then stop=0; fi
if [ "$start" -le "$stop" ]; then
error=”`tail -n +${stop} ${log} | grep -i Registration | grep -i Failed | tail -n +1`”
if [ ! ( "x$error" = "x" ) ]; then
printf “nnCRON: start — sending info — `date`nn” >> ${log}
ccc=`printf “%s” “$error” | wc -l | awk ‘{print $1}’`
if [ $ccc -gt 0 ]; then
printf “EXCERPT FROM ASTERISK LOG FILE ${log}:nn%snnDONE.nn” “$error”
printf “%s” “$error” > /tmp/sipappatck.tmp
for ip in `cat /tmp/sipappatck.tmp | awk ‘{print $11}’ | sort | uniq | sed s/’//g` ; do
echo “iptables -I INPUT -s $ip -j DROP”
/sbin/iptables -I INPUT -s $ip -j DROP
printf “nnCRON: stop — info sent — `date`nn” >> ${log}

exit 0

# end
#########Stop here ##########

Final step is to schedule the script with cron. Add a line in cron.

01-59/2 * * * * /usr/local/bin/check_sip_attack
This will run the scrip for every two minutes (Of course you can change the timings) and have a good night sleep.

Any questions or comments are very welcome.