Using IPTables to enhance SIP Security

For the non-techie audience, I’ve been tightening our security. There is a small chance I’ve tightened it a bit too far and stopped your VoIP phone at home from working.

If that’s the case, do let me know!

Technical stuff follows…

Today, I was given a very useful tip for cutting down the number of automated SIP scans that reach your asterisk server.

Most of the botnets out there which are scanning the internet looking for SIP servers they can register to (with the intention of getting some free phonecalls) have a reasonably predictable set of user-agents.

You can use the “-m string” facility in iptables to match a given string against any packet and then take action accordingly, in this case to drop the packet.

For example, around 95% [1] of the account brute force attacks we receive are from a scanner that identifies itself as “VaxSIPUserAgent”

We can stop those in their tracks with a simple rule:

iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: VaxSIPUserAgent" --algo bm --icase --to 65535 -j REJECT

This tells iptables to identify any packets which contains the string “User-Agent: VaxSIPUserAgent” anywhere in the packet, to match case insensitively, and when they find it – reject it.

This happens before the packet ever reaches the asterisk server itself, which keeps the asterisk server free to handle genuine requests.

We’re now blocking his combined with around 23 other User-Agents I’ve culled from various security research papers found during a cursory search, along with some that I’ve pulled out of packet captures of live attacks.

Obviously this won’t stop a determined attacker (they would most likely masquerade as a legitimate client) but it really does cut down the log noise, making the more carefully crafted attacks easier to spot.

[1] In a relatively small sample size of an hour, we saw 4834 attempted registrations of invalid usernames, 4574 of which were using this User-Agent string.

The other 260 were caught by other rules.