This is a second blog post discussing the security features of sipXcom. In the first post sipXcom Firewall Settings we covered Call Rate Limits and also blocking bad actors with blocks for bad User Agents. In this post we’ll dive into sipXcom’s Fail2Ban settings for SIP traffic.

Fail2ban

Fail2ban (https://www.fail2ban.org/) is an Open Source application that scans log files for occurrences of certain patterns, counts them per source IP address over a given window of time, and, if the count for an address exceeds a set value within that window, can write a rule into iptables (the firewall) to block the offending IP address.

In sipXcom fail2ban is used to count the number of SIP Methods (SUBSCRIBE, INVITE, REGISTER, ACK, OPTIONS) in /var/log/sipxpbx/firewall/firewall-sip.log. Fail2ban also counts the number of occurrences of some well known SIP Denial of Service Attack log entries in the file /var/log/sipxpbx/firewall/firewall-sipdos.log.

Fail2ban Settings

You’ll find sipXcom’s fail2ban settings in System -> Security. Fail2ban will scan the log files mentioned above. In System -> Security -> Settings you can set the defaults that will be used for all of the rules under System -> Security -> SIP Security.

Ensure your internal SBC and Gateway IP addresses are in Ignore IPs. You’ll want to make sure your internal phones, however, are not ignored, so that fail2ban can still protect the system from a misconfigured device!

Ban Time is the amount of time that an IP address will remain blocked in iptables. A Ban Time of -1 can be used for SIP DoS to keep the IP blocked in iptables permanently.

The Max Retry entry is the number of occurrences in the log file from any one IP address, within the amount of time specified in Find Time, that triggers a ban.

Set Ban Time to something bigger than the default of 600 seconds (10 minutes). This is the time in seconds that offending IPs will be blocked.

Set Find Time to 60 seconds so that the thresholds can be thought of as a number of messages per minute.

SIP Security

In System -> Security -> SIP Security -> Advanced Settings you can control which SIP Method messages logged in /var/log/sipxpbx/firewall/firewall-sip.log are parsed by Fail2ban, and how many of each SIP Method are allowed before a rule is added to iptables to block the source.

You should see the defaults that you entered on the settings page populated for each SIP Method.

Enable all of the rules and configure the following as a good starting point for individual phones:

SIP Register: Ban Time 6000, Max Retry 10, Find Time 60

SIP Invite: Ban Time 6000, Max Retry 6, Find Time 60

SIP Subscribe: Ban Time 6000, Max Retry 10, Find Time 60

SIP Options: Ban Time 6000, Max Retry 10, Find Time 60

SIP Ack: Ban Time 6000, Max Retry 10, Find Time 60
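To make the three settings concrete, here is an added example (not sipXcom’s or fail2ban’s own code) that models how a fail2ban jail applies Ban Time, Max Retry and Find Time per SIP Method, using the starting-point values above, an Ignore IPs list, and a -1 Ban Time for permanent blocks. The log line format and all IP addresses are constructed for the example; the real firewall-sip.log format is not shown in this post.

```python
"""Model of fail2ban's per-jail counting applied to SIP Methods.
Added example, not sipXcom's or fail2ban's own code."""
import re
from collections import defaultdict, deque

# Assumed line format (constructed for this example): "<epoch> <METHOD> from <ip>"
LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<method>[A-Z]+)\s+from\s+(?P<ip>[\d.]+)$")

# Starting-point values from the post: bantime and findtime in seconds, maxretry a count.
RULES = {
    "REGISTER":  {"bantime": 6000, "maxretry": 10, "findtime": 60},
    "INVITE":    {"bantime": 6000, "maxretry": 6,  "findtime": 60},
    "SUBSCRIBE": {"bantime": 6000, "maxretry": 10, "findtime": 60},
    "OPTIONS":   {"bantime": 6000, "maxretry": 10, "findtime": 60},
    "ACK":       {"bantime": 6000, "maxretry": 10, "findtime": 60},
}


class Jail:
    """One fail2ban-style jail: counts hits per source IP inside a sliding
    findtime window and bans the IP once the count reaches maxretry."""

    def __init__(self, method, bantime, maxretry, findtime, ignoreip=()):
        self.method = method
        self.bantime = bantime          # -1 means permanent (the post's SIP DoS setting)
        self.maxretry = maxretry
        self.findtime = findtime
        self.ignoreip = set(ignoreip)   # the post's Ignore IPs: never counted, never banned
        self.hits = defaultdict(deque)  # ip -> timestamps still inside findtime
        self.bans = {}                  # ip -> expiry timestamp (inf = permanent)

    def _expire(self, now):
        for ip, until in list(self.bans.items()):
            if now >= until:
                del self.bans[ip]       # the iptables block rule would be removed here

    def is_banned(self, ip, now):
        self._expire(now)
        return ip in self.bans

    def observe(self, ip, ts):
        """Count one matching log line; return True if this line triggers a ban."""
        if ip in self.ignoreip or self.is_banned(ip, ts):
            return False
        window = self.hits[ip]
        window.append(ts)
        # Drop hits older than findtime so only the last findtime seconds count.
        while ts - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = float("inf") if self.bantime == -1 else ts + self.bantime
            window.clear()
            return True
        return False


def run(log_lines, ignoreip=()):
    """Feed log lines to the per-method jails; return [(ts, method, ip)] per ban."""
    jails = {m: Jail(m, ignoreip=ignoreip, **cfg) for m, cfg in RULES.items()}
    bans = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or m["method"] not in jails:
            continue                    # lines the filter does not match are ignored
        ts, ip = int(m["ts"]), m["ip"]
        if jails[m["method"]].observe(ip, ts):
            bans.append((ts, m["method"], ip))
    return bans, jails


# Constructed sample log (not real sipXcom output), sorted by timestamp.
SAMPLE_LOG = sorted(
    [f"{1000 + i} INVITE from 10.0.0.5" for i in range(12)]               # busy SBC, ignored
    + [f"{1000 + 3 * i} REGISTER from 192.168.1.50" for i in range(10)]   # phone re-registering every 3 s
    + [f"{1000 + 30 * i} REGISTER from 192.168.1.60" for i in range(10)]  # phone registering every 30 s
    + [f"{2000 + i} INVITE from 203.0.113.9" for i in range(6)],          # INVITE burst from outside
    key=lambda line: int(line.split()[0]),
)

if __name__ == "__main__":
    bans, jails = run(SAMPLE_LOG, ignoreip={"10.0.0.5"})
    for ts, method, ip in bans:
        print(f"t={ts}: {method} jail banned {ip} for {jails[method].bantime}s")
    # The 6000 s Ban Time has elapsed by t=7027, so the phone is unblocked again.
    print("192.168.1.50 banned at t=7027:", jails["REGISTER"].is_banned("192.168.1.50", 7027))
```

Running it shows the misconfigured phone banned on its 10th REGISTER inside a minute, the INVITE burst banned on its 6th message, the SBC never counted because it is in the ignore list, and the phone registering every 30 seconds never reaching 10 hits in any 60 second window. Raising Max Retry or lowering Find Time moves exactly these boundaries, which is what "adjust for your environment" means in practice.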

Adjust for Your Environment

As with the Call Rate Limits in the last blog post, your mileage might vary. You should adjust the Max Retry to levels that suit your environment. You can set the system to ignore special devices like SBCs and Gateways that are busy.

If you need to clear IPs from iptables quickly, just issue ‘service iptables restart’ on the server; note that this drops all of the current ban rules at once, not just one address.

You’ll find IPs that are banned added to /var/log/sipxpbx/sipxsecurity.log.

More About the sipXcom Project:

From 2010 to 2015, sipXecs’ primary development contributions were provided by the development team at eZuce, Inc. The sipXcom open source communications project was established in January of 2015 as a fork of the sipXecs project by the development team at eZuce, Inc. With the creation of sipXcom, this team shifted its focus to contributing to the new project and no longer maintains sipXecs code nor participates in the SIPfoundry forums.

The experts who have helped to build sipXecs into the incredible product that it is can be found in the Google Groups sipxcom-users@googlegroups.com (https://groups.google.com/d/forum/sipxcom-users) and sipxcom-dev@googlegroups.com (https://groups.google.com/d/forum/sipxcom-dev).