Depending on your setup, SIPprot can be installed in two possible locations:
- PBXware - if you are running a standalone PBXware installation on dedicated hardware.
- SERVERware host/controller - if you are running PBXware as a VPS in a SERVERware virtual environment, SIPprot should be installed on all SERVERware hosts and/or the controller.
NOTE: While SIPPROT is running, DO NOT delete any extension on PBXware before the registered phones are RESET to factory settings; otherwise SIPPROT will block that IP address along with all the phones registering from it. A notification that this IP has been blocked is sent to the administrator e-mail, assuming SMTP settings are entered on the SERVERware controller.
Brute-force break-in attempts are quite frequent, and unprotected VOIP PBX systems are very vulnerable to this kind of attack. The most common consequences of this kind of network attack are:
- VOIP service downtime and unreachability
- The possibility of password stealing (SIP registration)
This can lead directly to financial loss. To avoid this kind of situation we developed the SIPProt module for PBXware and SERVERware. SIPProt is protection against brute-force SIP attacks coming from the network.
How does SIPProt work?
After an attack is detected, SIPProt updates the firewall rules and blocks the IP addresses from which the attack was detected for a specific amount of time. Unlike other similar solutions, SIPProt works with live SIP traffic, which allows it to block attacks more efficiently.
The following picture shows how SIPProt works:
- Dynamically blocks / unblocks IP addresses from which the SIP attack comes.
- Black lists
- White lists
Working with SIPProt
To start, stop or check the status of the sipprot daemon, use the commands below. After installation SIPProt needs to be started manually with the following command:
- /etc/init.d/sipprotd start
SIPProt will then start automatically on system restart. After SIPProt is started, the configuration variables are loaded from the configuration file. This is the location of the configuration file:
During the startup SIPProt will also read IP addresses from the WHITE and BLACK lists. IP addresses listed in the black list will be permanently blocked and IP addresses listed in the white list will be permanently allowed.
This is the path to the file which contains the IP addresses on the black list:
- /home/sipprot.blacklist
To add an IP address to the black list, add the IP address to this file. Only one IP address per line is allowed. Lines which start with the character # will be ignored. Here is an example of a black list file:
In the above example, IP addresses 192.168.1.1 and 192.168.1.2 are on the black list and will be permanently blocked.
White list IP addresses are listed in the following file:
To add an IP address to the white list, add the IP address to the file /home/sipprot.whitelist. Only one IP address per line is allowed. Lines which start with the character # will be ignored. Here is an example of a white list file:
In this example IP addresses 192.168.2.1 and 192.168.2.2 will not be blocked by SIPProt.
To stop SIPProt manually, run the following command:
- /etc/init.d/sipprotd stop
This command will stop the SIPProt module and disable the firewall rules created by SIPProt.
To get information about the sipprot status, use the following command:
- sipprot status
This command will give the following information:
- List of IPs dynamically blocked by SIPProt:
- List of IPs in white list:
- List of IPs blocked by black list:
The list of IPs dynamically blocked by SIPProt is the list of IPs which are blocked at the moment you execute the sipprot status command. An IP stays in this list as long as the period between two attacks from that IP is less than the time defined by BLOCKTIME. BLOCKTIME is a variable defined in the configuration file (/home/sipprot.conf). For example, if BLOCKTIME is 600 seconds, a dynamically blocked IP will be blocked for the next 600 seconds. If there is no new attack from that IP within those 600 seconds, SIPProt will unblock it. So for the IP to remain blocked, there must be a new attack during BLOCKTIME.
If an IP address is in the "List of IPs in the white list", that IP will not be blocked by SIPProt.
If an IP address is in the "List of IPs blocked by the black list", that IP will be blocked regardless of whether an attack is coming from that IP or not.
SIP REGISTER Protection
In order to protect against a SIP REGISTER attack, edit the sipprot.conf INI file and modify the following parameters:
- block_time (General section)
- monit_period and hit_count (SIP_REGISTER section)
Predefined default values are:
- block_time = 3600
- monit_period = 60
- hit_count = 10
The default configuration means that if sipPROT detects 10 bad registrations from some IP address within 60 seconds, it will dynamically block the source IP address for the next 3600 seconds.
The block threshold defines how many times an IP will be dynamically blocked before it is permanently blocked by appending it to the blacklist; the valid range is 1-20:
#block_threshold = 3
NOTE: The block threshold is disabled by default. To enable it, edit sipprot.conf, remove the # sign in front of the line, edit the threshold number and save your changes.
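The list-file format (one IP per line, # comments) and the REGISTER blocking policy described above (hit_count bad registrations within monit_period, a dynamic block of block_time seconds that is renewed by a new attack and expires otherwise, and block_threshold dynamic blocks ending in a permanent blacklist entry) can be modelled in a few dozen lines. The following Python is an added example, not SIPProt's own code: the class name RegisterProtection, the return labels, the renewal-on-attack behaviour and the sample addresses and timestamps are assumptions made for the illustration.

```python
"""Added example (not SIPProt's code): parse white/black list files in the format
the page describes and simulate the SIP_REGISTER blocking policy.  File contents,
addresses, timestamps and parameter values are constructed for the example."""
import ipaddress
from collections import defaultdict, deque

BLACKLIST_FILE = "# constructed sample sipprot.blacklist\n192.168.1.1\n192.168.1.2\n"
WHITELIST_FILE = "# constructed sample sipprot.whitelist\n192.168.2.1\n192.168.2.2\n"


def parse_ip_list(text):
    """One IP per line; lines starting with '#' and blank lines are ignored.
    A malformed entry raises so a typo never silently shrinks or widens a list."""
    ips = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ips.add(str(ipaddress.ip_address(line)))
        except ValueError:
            raise ValueError(f"line {lineno}: not an IP address: {line!r}")
    return ips


class RegisterProtection:
    """Sliding-window model (assumed semantics) of the SIP_REGISTER policy:
    hit_count bad REGISTERs within monit_period seconds -> dynamic block for
    block_time seconds; an attack while blocked renews the block; after
    block_threshold dynamic blocks the IP is moved to the permanent blacklist."""

    def __init__(self, whitelist, blacklist, block_time=3600, monit_period=60,
                 hit_count=10, block_threshold=None):
        self.whitelist, self.blacklist = set(whitelist), set(blacklist)
        self.block_time, self.monit_period = block_time, monit_period
        self.hit_count, self.block_threshold = hit_count, block_threshold
        self._hits = defaultdict(deque)       # ip -> timestamps of bad REGISTERs
        self._blocked_until = {}              # ip -> time the dynamic block expires
        self._block_count = defaultdict(int)  # ip -> dynamic blocks so far

    def bad_register(self, ip, now):
        """Record a failed REGISTER from ip at time now (seconds); return the verdict."""
        if ip in self.whitelist:
            return "whitelisted"
        if ip in self.blacklist:
            return "blacklisted"
        if now < self._blocked_until.get(ip, 0):
            self._blocked_until[ip] = now + self.block_time   # attack during BLOCKTIME renews it
            return "blocked"
        hits = self._hits[ip]
        hits.append(now)
        while hits and now - hits[0] > self.monit_period:      # drop hits outside the window
            hits.popleft()
        if len(hits) < self.hit_count:
            return "allowed"
        hits.clear()
        self._block_count[ip] += 1
        if self.block_threshold and self._block_count[ip] >= self.block_threshold:
            self.blacklist.add(ip)            # the daemon would append it to the blacklist file
            self._blocked_until.pop(ip, None)
            return "blacklisted"
        self._blocked_until[ip] = now + self.block_time
        return "blocked"

    def is_blocked(self, ip, now):
        if ip in self.whitelist:
            return False
        return ip in self.blacklist or now < self._blocked_until.get(ip, 0)

    def dynamically_blocked(self, now):
        """The 'List of IPs dynamically blocked' a status command would show."""
        return sorted(ip for ip, t in self._blocked_until.items()
                      if now < t and ip not in self.blacklist)


def demo():
    """Constructed timeline: 10 failures in 10 s, one more attempt while blocked."""
    prot = RegisterProtection(parse_ip_list(WHITELIST_FILE), parse_ip_list(BLACKLIST_FILE),
                              block_time=600, monit_period=60, hit_count=10, block_threshold=3)
    attacker = "203.0.113.5"   # constructed source address (TEST-NET-3)
    verdicts = [prot.bad_register(attacker, t) for t in range(10)]
    renewed = prot.bad_register(attacker, 500)          # block is renewed until 1100
    return {"first_verdicts": verdicts, "blocked_at_100": prot.is_blocked(attacker, 100),
            "renewed": renewed, "still_blocked_at_900": prot.is_blocked(attacker, 900),
            "unblocked_at_1100": prot.is_blocked(attacker, 1100),
            "whitelisted": prot.bad_register("192.168.2.1", 0),
            "blacklisted": prot.bad_register("192.168.1.1", 0),
            "dynamic_list_at_900": prot.dynamically_blocked(900)}


def threshold_demo():
    """Constructed timeline: three dynamic blocks with block_threshold = 3 end in blacklisting."""
    prot = RegisterProtection([], [], block_time=10, monit_period=60, hit_count=2, block_threshold=3)
    ip = "203.0.113.9"   # constructed
    return [prot.bad_register(ip, t) for t in (0, 1, 20, 21, 40, 41)], sorted(prot.blacklist)


if __name__ == "__main__":
    print(demo())
    print(threshold_demo())
```

The whitelist check comes first so a trusted trunk address can never be dynamically blocked, matching the page's statement that whitelisted IPs are not blocked at all; everything else is a policy knob worth tuning against real traffic before enabling block_threshold, since a permanent entry is only undone by editing the file.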
SIP INVITE Protection
In order to protect against a SIP INVITE attack, edit the sipprot.conf INI file and modify the following parameter:
- rate_limit (SIP_INVITE section)
SIP INVITE rate limitation does not fully protect against a SIP INVITE attack; it only mitigates the impact of a DoS attack. When the number of simultaneous SIP INVITEs exceeds the configured limit, a notification is sent to the system administrator. It is up to the system administrator to decide whether to permanently add the source IP address to the black list, or to increase rate_limit if the INVITEs are coming from a known IP address (say, a trunk).
Predefined default value is:
- rate_limit = 50/second
The default configuration means that sipPROT limits the number of simultaneous SIP INVITE requests from a single IP address to 50 per second. Given that a successful (authenticated) call requires 2 INVITEs, an initial INVITE followed by an INVITE with authentication, this allows 25 authenticated calls per second from a single IP.
SIP SCANNERS Protection
In order to protect against a SIP SCANNER attack, edit the sipprot.conf INI file and modify the following parameter:
- scanners (SIP_SCANNERS section)
The scanners parameter contains a comma-separated list of known SIP scanners (user agents) to be blocked immediately:
scanners = friendly-scanner, sipsak, Elite
IMPORTANT: Keep the list of scanners as short as possible, since a long list can affect overall system performance.
The TFTP option protects your server against TFTP brute-force attacks using a rate limit. The default rate limit is 10/minute, allowing a maximum burst of 100 requests:
tftp_port = 69
rate_limit = 10/minute
burst = 100
With the default configuration, once SIPprot sees more than 100 TFTP requests from a single IP within one minute, further requests from that IP are limited to 10/minute.
NOTE: To disable this type of protection, comment out the line tftp_port = 69 so that it looks like this:
#tftp_port = 69
The period over which burst requests are counted depends on the suffix used in rate_limit. If rate_limit is set to 10/minute, burst requests are counted over a period of 1 minute.
Logging and Notification
sipPROT logging and notification frequency is configurable via the following parameter:
- log_freq (General section)
The default value is 1/hour, meaning that during a SIP attack a notification will be sent every hour.
Specify a comma-separated list of notification recipients. If not provided or empty, a notification will be sent to all site-manager administrators:
mail_to = email@example.com
NOTE: SERVERware/PBXware must have working SMTP account set up in order for notifications to be sent.
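The INVITE, TFTP and log_freq settings above all use the same "count/unit" rate syntax, and the TFTP description (a burst of 100, then 10/minute) is the behaviour of a token bucket whose capacity is the burst and whose refill rate is the rate_limit. The Python below is an added example, not sipPROT's code, showing a parser for that syntax and one per-source limiter exercised with the page's three defaults (50/second for INVITE, 10/minute with burst 100 for TFTP, 1/hour for notifications); the RateLimiter class, the integer-second timestamps and the sample addresses are assumptions for the illustration.

```python
"""Added example (not sipPROT's code): parse sipprot.conf 'N/unit' rate values
and model a per-source token bucket with burst.  Tokens are kept scaled by the
period so everything stays in integers; timestamps are constructed seconds."""

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec):
    """'10/minute' -> (10, 60): the count and the period length in seconds."""
    count, sep, unit = spec.strip().partition("/")
    unit = unit.strip().lower()
    if not sep or not count.strip().isdigit() or unit not in UNIT_SECONDS:
        raise ValueError(f"bad rate_limit value: {spec!r}")
    return int(count.strip()), UNIT_SECONDS[unit]


class RateLimiter:
    """Per-source token bucket: 'burst' requests may pass at once (default: the
    rate's own count), then tokens refill at count per period.  A request that
    finds no whole token is reported as limited (the daemon would drop it or notify)."""

    def __init__(self, rate_limit, burst=None):
        self.count, self.period = parse_rate(rate_limit)
        self.burst = burst if burst is not None else self.count
        self._state = {}   # src -> (tokens scaled by period, last seen time)

    def allow(self, src, now):
        cap = self.burst * self.period
        tokens, last = self._state.get(src, (cap, now))
        tokens = min(cap, tokens + (now - last) * self.count)   # refill: count per period
        if tokens >= self.period:                               # one whole token available
            self._state[src] = (tokens - self.period, now)
            return True
        self._state[src] = (tokens, now)
        return False


def tftp_demo():
    """rate_limit = 10/minute, burst = 100: 120 requests at once, then one per second."""
    lim = RateLimiter("10/minute", burst=100)
    src = "198.51.100.7"   # constructed source address (TEST-NET-2)
    burst_allowed = sum(lim.allow(src, 0) for _ in range(120))
    steady_allowed = sum(lim.allow(src, t) for t in range(1, 61))
    return burst_allowed, steady_allowed


def invite_demo():
    """rate_limit = 50/second: 60 INVITEs in one second, twice."""
    lim = RateLimiter("50/second")
    src = "198.51.100.8"   # constructed
    return tuple(sum(lim.allow(src, t) for _ in range(60)) for t in (0, 1))


def log_freq_demo():
    """log_freq = 1/hour as a notification throttle: only the first event per hour notifies."""
    throttle = RateLimiter("1/hour")
    return [throttle.allow("notify", t) for t in (0, 1800, 3600, 3601)]


if __name__ == "__main__":
    print("tftp (burst, next minute):", tftp_demo())
    print("invite (second 0, second 1):", invite_demo())
    print("log_freq notifications:", log_freq_demo())
```

For TFTP the bucket passes the first 100 requests and then exactly 10 in the following minute, which is the behaviour the page describes; for INVITE the default burst equals the rate, so 50 requests pass in each second and the rest are limited.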
dns_protection = yes
The DNS feature was introduced as protection against the DNS vulnerability for older systems that might be affected by the glibc stack-based buffer overflow in getaddrinfo(), CVE-2015-7547. It is enabled by default.
WARNING: If you are not sure what this feature is used for, do not change this option under any circumstances.
The REST API is used for the connection between SIPprot and the SERVERware controller. At the moment it is only used for pushing notifications to the SERVERware controller GUI, but future versions could expand it to allow users to change SIPprot settings from the Controller's graphical interface.
api_url = http://127.0.0.1:8181
WARNING: api_url should not be changed; otherwise the connection between SIPprot and the SERVERware instance it is running on will be broken.
sipPROT GUI in SERVERware
sipPROT is a module for SERVERware and PBXware that serves as protection against brute-force SIP attacks coming from the network. The sipPROT view can be used to make configuration changes to the sipPROT General settings, which are relayed to the SERVERware Hosts, as well as to maintain the White List, Black List and Notification Recipients list.
After making changes to the sipPROT General settings, click Save & Apply to save and apply new configuration.
To update the Lists, select the Whitelist & Blacklist tab, enter a Network or IP Address and click the Add button. To remove a Network or IP Address from the List, click the Remove button in the same line. A confirmation dialog appears; click Yes to remove the Network or IP Address. Changes made to the Lists are applied automatically.
To update the Notification Recipients List, select the Notification Recipients tab, select or search for a user in the list and click the Add button. To remove a Notification Recipient from the List, click the Remove button in the same line. A confirmation dialog appears; click Yes to remove the Notification Recipient.