In this guide, I’ll show you how to secure your Asterisk and FreePBX setup by setting up an effective VoIP Blacklist using Geo-location filtering. Nowadays there are lots of brute force attack and VoIP Fraud attempts targeting Asterisk, FreePBX and any other PBX system on the internet.
It is a task of any systems Administrator to ensure success rate for such attempts is minimized – close to zero. One way to secure Asterisk and FreePBX from such attempts is by using Fail2ban and VoIP Blacklist.
This will save you bandwidth and protect your business. To make our work easier, we will use VoIPBL which is distributed VoIP blacklist that is aimed to protects against VoIP Fraud and minimizing abuse of a network that has publicly accessible PBX’s.
This guide is a part of building an enterprise open source VOIP System on Linux. If you don’t have Asterisk or FreePBX installed, check:
For Ubuntu and Debian: How to Install Asterisk 16 with FreePBX 14 on Ubuntu / Debian
How VoIPBL secure?
VoIPBL Geolocation feature allows you to block all network traffic from countries that a network does not need to communicate with, or that are known originators of malicious activity. From their site, you can check if your IP address is on the blacklist.
How To install VoIPBL
VoIP Blacklist depends on Fail2ban to effect blacklisting on your PBX server. Ensure you have a
fail2ban package installed and service running:
sudo yum install epel-release sudo yum install fail2ban fail2ban-systemd
For Ubuntu and other Debian families, run:
sudo apt-get -y install fail2ban ufw
If you’re running CentOS 6 or any other RHEL 6 family, install
iptables-services and fail2ban without
sudo yum install iptables-services fail2ban
Default settings for Fail2ban are configured on.
A basic fail2ban configuration will have ssh monitoring. Let’s add this to
$ sudo vim /etc/fail2ban/jail.local
Add the following content:
[postfix] enabled = true port = smtp filter = postfix logpath = /var/log/mail.log maxretry = 3 [ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 3 [vsftpd] enabled = false port = ftp filter = vsftpd logpath = /var/log/auth.log maxretry = 5 [pure-ftpd] enabled = true port = ftp filter = pure-ftpd logpath = /var/log/syslog maxretry = 3
Then start and enable fail2ban service:
sudo systemctl enable fail2ban.service sudo systemctl start fail2ban.service
voipbl.sh script and place it under
wget http://www.voipbl.org/voipbl.sh -O /usr/local/bin/voipbl.sh
Make the script executable:
chmod +x /usr/local/bin/voipbl.sh
The above uses iptables. If your system support ipset, you can use the following script instead:
#!/bin/bash URL="http://www.voipbl.org/update/" set -e echo "Downloading rules from VoIP Blacklist" wget -qO - $URL -O /tmp/voipbl.txt echo "Loading rules..." # Check if rule set exists and create one if required if ! $(/usr/sbin/ipset list voipbl > /dev/null 2>&1); then ipset -N voipbl iphash fi #Check if rule in iptables if ! $(/sbin/iptables -w --check INPUT -m set --match-set voipbl src -j DROP > /dev/null 2>&1); then /sbin/iptables -I INPUT 1 -m set --match-set voipbl src -j DROP fi # Create temporary chain ipset destroy voipbl_temp > /dev/null 2>&1 || true ipset -N voipbl_temp iphash cat /tmp/voipbl.txt |\ awk ' print "if [ ! -z \""$1"\" -a \""$1"\" != \"#\" ]; then /usr/sbin/ipset -A voipbl_temp \""$1"\" ;fi;"' | sh ipset swap voipbl_temp voipbl ipset destroy voipbl_temp || true echo "Done! Rules loaded"
Then add a new Fail2ban Jail on
[asterisk-iptables] action = iptables-allports[name=ASTERISK, protocol=all] voipbl[serial=XXXXXXXXXX]
Now define the VoIP Blacklist actions for Fail2ban on /etc/fail2ban/action.d/voipbl.conf.
sudo vim /etc/fail2ban/action.d/voipbl.conf
# Description: Configuration for Fail2Ban [Definition] actionban =
" /ban/?serial= &ip= &count= " actionunban = " /unban/?serial= &ip= &count= " [Init] getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 \ --read-timeout=60 --retry-connrefused --output-document=- \ --user-agent=Fail2Ban url = http://www.voipbl.org
We can now create cron job file to update rules every 3 hours:
$ sudo vim /etc/cron.d/voipbl # update blacklist each 4 hours 0 */4 * * * * root /usr/local/bin/voipbl.sh
When done, restart fail2ban daemon to get protected against VoIP Fraud:
sudo systemct restart fail2ban
You can also do advanced configurations like:
- Filter by Country
- Filter by Network
For further reading, check the Asterisk Security document by VOIP-info.