Security

How to stop registration attempts on Asterisk

  • April 26, 2013

Main question:

My Asterisk log is flooded with messages like these:

[2012-05-29 15:53:49] NOTICE[5578] chan_sip.c: Registration from '<sip:912@xx.xx.xx.xx>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 15:53:50] NOTICE[5578] chan_sip.c: Registration from '<sip:912@xx.xx.xx.xx>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 15:53:55] NOTICE[5578] chan_sip.c: Registration from '<sip:100@xx.xx.xx.xx>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 15:53:55] NOTICE[5578] chan_sip.c: Registration from '<sip:100@xx.xx.xx.xx>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 15:53:57] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device <sip:100@xx.xx.xx.xx>;tag=cb23fe53
[2012-05-29 15:53:57] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device <sip:100@xx.xx.xx.xx>;tag=cb23fe53
[2012-05-29 15:54:02] NOTICE[5578] chan_sip.c: Registration from '<sip:100@xx.xx.xx.xx>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 15:54:03] NOTICE[5578] chan_sip.c: Registration from '<sip:100@xx.xx.xx.xx>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 21:20:36] NOTICE[5578] chan_sip.c: Registration from '"55435217"<sip:55435217@xx.xx.xx.xx>' failed for '65.218.221.180' - No matching peer found
[2012-05-29 21:20:36] NOTICE[5578] chan_sip.c: Registration from '"1731687005"<sip:1731687005@xx.xx.xx.xx>' failed for '65.218.221.180' - No matching peer found
[2012-05-30 01:18:58] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@188.64.49.26>;tag=dEBcOzUysX
[2012-05-30 01:18:58] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@188.64.49.26>;tag=9zUari4Mve
[2012-05-30 01:19:00] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@188.64.49.26>;tag=sOYgI1ItQn
[2012-05-30 01:19:02] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@188.64.49.26>;tag=2EGLTzZSEi
[2012-05-30 01:19:04] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@188.64.49.26>;tag=j0JfZoPcur
[2012-05-30 01:19:06] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@188.64.49.26>;tag=Ra0DFDKggt
[2012-05-30 01:19:08] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@188.64.49.26>;tag=rR7q7aTHEz
[2012-05-30 01:19:10] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@188.64.49.26>;tag=VHUMtOpIvU
[2012-05-30 01:19:12] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@188.64.49.26>;tag=JxZUzBnPMW

I use Asterisk for an automated phone system. The only thing it does is receive incoming calls and run a Perl script. No outgoing calls, no incoming calls to actual phones, no phones registered with Asterisk.

It seems like there should be a simple way to block all of the unauthorized registration attempts, but I have been struggling with this for a long time. It seems like there should be a more efficient way to keep these attempts from ever reaching my Asterisk log. Some setting I could turn on/off that simply doesn't allow registration attempts at all. Is there a way to do that?

Also, am I correct in assuming that the "Registration from..." messages are probably people trying to get into my Asterisk server (likely to make calls on my account)? What is the difference between those messages and the "Sending fake auth rejection..." messages?

More details:

I know the "Registration from..." lines are intruders trying to access my Asterisk server. After setting up Fail2Ban, those IPs get banned after 5 attempts (for some reason one of them got 6 attempts in, but w/e).

But I don't know what the "Sending fake auth rejection..." messages mean, nor how to block those potential intrusion attempts. As far as I can tell they have never succeeded (I don't see any strange charges on my bill or anything).

Here is what I have done:

  1. Set up hardware firewall rules as shown below. Here, xx.xx.xx.xx is the IP address of the server, yy.yy.yy.yy is the IP address of our facility, and aa.aa.aa.aa, bb.bb.bb.bb and cc.cc.cc.cc are the IP addresses used by our VoIP provider. In theory, ports 10000-20000 should only be reachable from those three IPs.
+-------+-----------------------------+----------+-----------+--------+-----------------------------+------------------+
| Order |         Source Ip           | Protocol | Direction | Action |        Destination Ip       | Destination Port |
+-------+-----------------------------+----------+-----------+--------+-----------------------------+------------------+
|   1   | cc.cc.cc.cc/255.255.255.255 |    udp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |    10000-20000   |
|   2   |            any              |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |        80        |
|   3   |            any              |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |       2749       |
|   4   |            any              |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |        443       |
|   5   |            any              |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |        53        |
|   6   |            any              |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |       1981       |
|   7   |            any              |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |       1991       |
|   8   |            any              |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |       2001       |
|   9   | yy.yy.yy.yy/255.255.255.255 |    udp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |      137-138     |
|   10  | yy.yy.yy.yy/255.255.255.255 |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |        139       |
|   11  | yy.yy.yy.yy/255.255.255.255 |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |        445       |
|   14  | aa.aa.aa.aa/255.255.255.255 |    udp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |    10000-20000   |
|   17  | bb.bb.bb.bb/255.255.255.255 |    udp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |    10000-20000   |
|   18  |            any              |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |       1971       |
|   19  |            any              |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |       2739       |
|   20  |            any              |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |     1023-1050    |
|   21  |            any              |    all   |  inbound  |  deny  |        any on server        |      1-65535     |
+-------+-----------------------------+----------+-----------+--------+-----------------------------+------------------+
  2. Set up Fail2Ban. This sort of works, but it is reactive rather than proactive, and it doesn't seem to stop everything (like the "Sending fake auth rejection..." messages).
  3. Set up rules in sip.conf to deny everything except my VoIP provider. Here is my sip.conf with almost all comment lines removed (to save space). The lines at the bottom are my attempt to deny everything except my VoIP provider:
[general]
context=default
allowguest=no
allowoverlap=no
bindport=5060
bindaddr=0.0.0.0
srvlookup=yes

disallow=all
allow=g726
allow=ulaw
allow=alaw
allow=g726aal2
allow=adpcm
allow=slin
allow=lpc10
allow=speex
allow=g726

insecure=invite

alwaysauthreject=yes

;registertimeout=20
registerattempts=0
register => user:pass:user@mysipprovider.com:5060/700

[mysipprovider]
type=peer
username=user
fromuser=user
secret=pass
host=sip.mysipprovider.com
fromdomain=sip.mysipprovider.com
nat=no
;canreinvite=yes
qualify=yes
context=inbound-mysipprovider
disallow=all
allow=ulaw
allow=alaw
allow=gsm
insecure=port,invite

deny=0.0.0.0/0.0.0.0
permit=aa.aa.aa.aa/255.255.255.255
permit=bb.bb.bb.bb/255.255.255.255
permit=cc.cc.cc.cc/255.255.255.255
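The two kinds of NOTICE line in the question behave differently when you try to ban on them, and the difference explains why Fail2Ban catches one and not the other. The following is an added example, not code from the question, the answer or the Asterisk project: a small Python script that parses both line kinds and applies a fail2ban-style count per source address. "Registration from ... failed for '<ip>'" names the packet's source address, so it can be counted against that address. "Sending fake auth rejection for device ..." (the line alwaysauthreject=yes produces) only echoes the SIP URI from the request's From header, and in the quoted lines it carries no source address at all, so the URI host is attacker-chosen input and must not be fed to a ban action. The sample log is a constructed excerpt copied from the lines in the question (the poster's xx.xx.xx.xx placeholder left as-is); the function names and the 5-attempts-in-10-minutes thresholds are assumptions chosen to match the Fail2Ban behaviour the poster describes.

```python
"""Fail2ban-style analysis of Asterisk chan_sip NOTICE lines (added example)."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: an excerpt of the log lines quoted in the question,
# with the poster's xx.xx.xx.xx placeholder left as-is.
SAMPLE_LOG = """\
[2012-05-29 15:53:49] NOTICE[5578] chan_sip.c: Registration from '<sip:912@xx.xx.xx.xx>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 15:53:50] NOTICE[5578] chan_sip.c: Registration from '<sip:912@xx.xx.xx.xx>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 15:53:55] NOTICE[5578] chan_sip.c: Registration from '<sip:100@xx.xx.xx.xx>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 15:53:55] NOTICE[5578] chan_sip.c: Registration from '<sip:100@xx.xx.xx.xx>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 15:53:57] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device <sip:100@xx.xx.xx.xx>;tag=cb23fe53
[2012-05-29 15:53:57] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device <sip:100@xx.xx.xx.xx>;tag=cb23fe53
[2012-05-29 15:54:02] NOTICE[5578] chan_sip.c: Registration from '<sip:100@xx.xx.xx.xx>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 15:54:03] NOTICE[5578] chan_sip.c: Registration from '<sip:100@xx.xx.xx.xx>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 21:20:36] NOTICE[5578] chan_sip.c: Registration from '"55435217"<sip:55435217@xx.xx.xx.xx>' failed for '65.218.221.180' - No matching peer found
[2012-05-29 21:20:36] NOTICE[5578] chan_sip.c: Registration from '"1731687005"<sip:1731687005@xx.xx.xx.xx>' failed for '65.218.221.180' - No matching peer found
[2012-05-30 01:18:58] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@188.64.49.26>;tag=dEBcOzUysX
[2012-05-30 01:18:58] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@188.64.49.26>;tag=9zUari4Mve
[2012-05-30 01:19:00] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@188.64.49.26>;tag=sOYgI1ItQn
"""

LOG_TS = "%Y-%m-%d %H:%M:%S"

# "Registration from ... failed for '<ip>'" names the packet's source address,
# so it is safe to count it against that address.
REG_FAILED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<from>[^']*)' failed for '(?P<ip>[0-9.]+)' - (?P<reason>.*)$")
# "Sending fake auth rejection for device ..." (alwaysauthreject=yes) only
# echoes the SIP URI from the request's From header; the quoted lines carry
# no source address, so the URI host is untrusted, attacker-chosen input.
FAKE_AUTH = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Sending fake auth rejection for device (?P<device>.*)$")
URI_HOST = re.compile(r"<sip:[^@>]*@(?P<host>[^>;]+)>")


def parse_line(line):
    """Return a dict for the two NOTICE kinds above, or None for anything else."""
    m = REG_FAILED.match(line)
    if m:
        return {"kind": "reg_failed", "ts": datetime.strptime(m["ts"], LOG_TS),
                "ip": m["ip"], "from": m["from"], "reason": m["reason"]}
    m = FAKE_AUTH.match(line)
    if m:
        host = URI_HOST.search(m["device"])
        return {"kind": "fake_auth", "ts": datetime.strptime(m["ts"], LOG_TS),
                "ip": None, "uri_host": host["host"] if host else None}
    return None


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def failures_per_ip(events):
    """Total 'Registration from' failures per real source address."""
    return Counter(ev["ip"] for ev in events if ev["kind"] == "reg_failed")


def ban_candidates(events, maxretry=5, findtime=timedelta(minutes=10)):
    """Source IPs that reach `maxretry` failures inside a sliding `findtime`
    window (fail2ban's maxretry/findtime semantics; the thresholds are assumed).
    Returns {ip: time of the failure that triggered the ban}. Events without a
    source address (the fake-auth lines) never count."""
    window = defaultdict(deque)
    banned = {}
    for ev in sorted((e for e in events if e["ip"]), key=lambda e: e["ts"]):
        hits = window[ev["ip"]]
        hits.append(ev["ts"])
        while ev["ts"] - hits[0] > findtime:
            hits.popleft()
        if len(hits) >= maxretry and ev["ip"] not in banned:
            banned[ev["ip"]] = ev["ts"]
    return banned


def fake_auth_hosts(events):
    """Host part of the From URI on fake-auth lines, per host. This is header
    content chosen by the sender, not a source address: report it, never ban on it."""
    return Counter(ev["uri_host"] for ev in events if ev["kind"] == "fake_auth")


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("failures per source IP:", dict(failures_per_ip(events)))
    print("ban candidates:", {ip: ts.isoformat() for ip, ts in ban_candidates(events).items()})
    print("From-URI hosts on fake-auth lines:", dict(fake_auth_hosts(events)))
```

On this excerpt 37.75.210.177 is banned at its fifth failure (the sixth line is the one the poster noticed getting through), 65.218.221.180 with only two failures is not, and the fake-auth lines yield 188.64.49.26 only as a From-URI host, with no source address to act on. Any log-based ban like this is reactive by construction; to keep the packets out of the log altogether, as the question asks, UDP 5060 has to be reachable only from the provider's addresses in front of Asterisk.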

How long have those firewall rules been in place? If you only configured them a short while ago, and depending on how you configured them, the rules may apply only to new connection attempts while still allowing any already-established connections. Registration attempts over already-established connections would therefore still be let through.

You haven't given enough information about the type of firewall you're using, but see whether you can pull up a list of established connections on port 5060 and drop them manually. Subsequent new connection attempts should then be blocked according to your firewall rules.

I also see that you have bindaddr=0.0.0.0 set in your Asterisk config file, which makes Asterisk listen on all available interfaces. How many IP addresses does that server have? If it has more than one, you need to specify them in your firewall rules, because at the moment you only list xx.xx.xx.xx as the destination IP for blocking incoming traffic on port 5060.

Quoted from: https://serverfault.com/questions/394399