Protect your Asterisk PBX server from blacklisted IP addresses
VoIPBL is a distributed VoIP blacklist that aims to protect against VoIP fraud and to minimize abuse of networks that have publicly accessible PBXs.
For more details see http://www.voipbl.org/
For Asterisk PBX you need to install Fail2ban. This is the only dependency required to run VoIP Blacklist on your server.
Step 1 You must install Fail2ban on your server. You can refer to the Fail2ban website for detailed instructions and advanced configurations.
Step 2 Create the /etc/cron.d/voipbl file to update the rules every 4 hours. A file in /etc/cron.d takes five time fields followed by the user and the command:
# update blacklist every 4 hours
0 */4 * * * root /usr/local/bin/voipbl.sh
Step 3 If you are using iptables, save the following content as /usr/local/bin/voipbl.sh to automatically block offending IP addresses, subnets or netblocks. You must also chmod 700 this file.
#!/bin/bash
# Check if the chain exists and create one if required
if ! /sbin/iptables -n -L BLACKLIST-INPUT > /dev/null 2>&1; then
  /sbin/iptables -N BLACKLIST-INPUT
  /sbin/iptables -I INPUT 1 -j BLACKLIST-INPUT
fi
# Empty the chain
/sbin/iptables -F BLACKLIST-INPUT
# Add one DROP rule per entry (IP address or netblock); the entry is passed
# as a quoted argument, never through sh, and blank or comment lines are skipped
wget -qO - http://www.voipbl.org/update/ | while read -r entry _; do
  case "$entry" in ''|'#'*) continue ;; esac
  /sbin/iptables -A BLACKLIST-INPUT -s "$entry" -j DROP
done
Alternatively, if your system supports ipset, you can use the following script (thanks to Graham Barnett for his contribution):
#!/bin/bash
URL="http://www.voipbl.org/update/"
set -e
# Use an unpredictable temporary file instead of a fixed /tmp/voipbl.txt
TMP=$(mktemp /tmp/voipbl.XXXXXX)
trap 'rm -f "$TMP"' EXIT
echo "Downloading rules from VoIP Blacklist"
wget -q -O "$TMP" "$URL"
echo "Loading rules..."
# Check if the set exists and create one if required.
# hash:net stores the feed's netblocks as single entries; an existing set of
# another type must be destroyed first, because swap requires matching types.
if ! /usr/sbin/ipset list voipbl > /dev/null 2>&1; then
  /usr/sbin/ipset create voipbl hash:net
fi
# Check if the rule is already in iptables
if ! /sbin/iptables -w --check INPUT -m set --match-set voipbl src -j DROP > /dev/null 2>&1; then
  /sbin/iptables -I INPUT 1 -m set --match-set voipbl src -j DROP
fi
# Build the new list in a temporary set, then swap it in atomically
/usr/sbin/ipset destroy voipbl_temp > /dev/null 2>&1 || true
/usr/sbin/ipset create voipbl_temp hash:net
while read -r entry _; do
  case "$entry" in ''|'#'*) continue ;; esac   # skip blank and comment lines
  /usr/sbin/ipset add -exist voipbl_temp "$entry" || echo "Skipping invalid entry: $entry" >&2
done < "$TMP"
/usr/sbin/ipset swap voipbl_temp voipbl
/usr/sbin/ipset destroy voipbl_temp || true
echo "Done! Rules loaded"
Step 4 Add a new Fail2ban jail in /etc/fail2ban/jail.conf (filter and logpath are the usual Asterisk jail settings; replace XXXXXXXXXX with your VoIPBL serial)
[asterisk-iptables]
enabled  = true
filter   = asterisk
logpath  = /var/log/asterisk/messages
action   = iptables-allports[name=ASTERISK, protocol=all]
           voipbl[serial=XXXXXXXXXX]
Step 5 Now define the VoIP Blacklist actions for Fail2ban in /etc/fail2ban/action.d/voipbl.conf.
# Description: Configuration for Fail2Ban
[Definition]
actionban = <getcmd> "<url>/ban/?serial=<serial>&ip=<ip>&count=<failures>"
actionunban = <getcmd> "<url>/unban/?serial=<serial>&ip=<ip>&count=<failures>"
[Init]
getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 \
         --read-timeout=60 --retry-connrefused --output-document=- \
         --user-agent=Fail2Ban
url = http://www.voipbl.org
Step 6 Now you can restart the Fail2ban daemon to get protected against VoIP fraud!
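The Step 3 loaders hand every line of the downloaded list to the firewall tools; the helper below, added here as an example and not part of the original post or of voipbl.org's own scripts, validates each entry as an IPv4 address or netblock before building the iptables rule and runs over a constructed sample feed instead of the live download. The VOIPBL_APPLY variable and the chain-name argument are my own conventions.

```shell
#!/bin/sh
# Added example, not part of the original post or of voipbl.org's scripts.
# Step 3 feeds each line of the downloaded list straight into iptables/ipset;
# these helpers accept only lines that are a plain IPv4 address or netblock,
# so a malformed or tampered feed line is dropped instead of applied.

# IPv4 address with optional /0-32 prefix, anchored (POSIX ERE for grep -E).
OCTET='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
IPV4_CIDR="^$OCTET([.]$OCTET){3}(/(3[0-2]|[12]?[0-9]))?"'$'

# Read a feed on stdin, print only the first field of lines that are valid
# IPv4 addresses or CIDR blocks; comments, blanks and junk are discarded.
voipbl_valid_entries() {
    awk 'NF && $1 !~ /^#/ { print $1 }' | grep -E "$IPV4_CIDR" || true
}

# Read a feed on stdin and print one iptables DROP rule per valid entry for
# the given chain (default BLACKLIST-INPUT). With VOIPBL_APPLY=1 the rules
# are executed instead of printed.
voipbl_rules() {
    chain="${1:-BLACKLIST-INPUT}"
    voipbl_valid_entries | while IFS= read -r entry; do
        if [ "${VOIPBL_APPLY:-0}" = 1 ]; then
            /sbin/iptables -A "$chain" -s "$entry" -j DROP
        else
            printf '/sbin/iptables -A %s -s %s -j DROP\n' "$chain" "$entry"
        fi
    done
}

# Constructed sample feed (documentation addresses, not real blacklist data):
# three acceptable lines, then three lines that must be rejected.
SAMPLE_FEED='# VoIPBL sample
192.0.2.10
198.51.100.0/24
203.0.113.7 some trailing text
999.1.1.1
203.0.113.0/33
";id;"'

# Dry run over the sample; in the cron script the live feed would be used:
#   wget -qO - http://www.voipbl.org/update/ | VOIPBL_APPLY=1 voipbl_rules BLACKLIST-INPUT
printf '%s\n' "$SAMPLE_FEED" | voipbl_rules
```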