Let me start off by saying that I'm a noob, and what I've figured out so far has only been by stumbling my way through it. I have Googled around and the solution may be out there already, but it was probably all just way over my head, so PLEASE include as much detail as possible in your solution.
I have a Ubuntu 10.04 server running Asterisk for an automated phone system. Its sole purpose is incoming calls, and it never connects to a person. It is a phone-licensing system, so they input the information about their product and we output an unlock code for them to type into the program. When a call is received, it executes a Perl script with AGI; the script is a series of prompts followed by the output of the unlock code.
All of this is working great. However, it seemed to stop working on occasion. I looked at the Asterisk logs and found a TON of entries like this:
```
[May 22 10:51:27] NOTICE[10663] chan_sip.c: Registration from '"guest12345"<sip:guest12345@xx.xx.xx.xx>' failed for 'yy.yy.yy.yy' - No matching peer found
```
These are obviously intrusion attempts. xx.xx.xx.xx is my server's IP address and yy.yy.yy.yy is presumably the intruder's IP address.
I researched a bit on Google and found a solution by setting up Fail2Ban, which seems to be working. This morning, it has banned two IP addresses so far after 5 unsuccessful intrusion attempts.
I'm fairly confident that nobody will be able to get in within only 5 attempts, but this still seems less secure than I would like.
My understanding is that the Asterisk service running on my server goes out and registers with my VoIP provider every so often to tell it that it's still connected and ready to receive calls. As far as I know, that's the only "registration" necessary, so is there a way for me to block all outside registration attempts?
Perhaps I'm wrong about this, but it looks to me as though they are trying to register with my server as though my server was the VoIP provider. Perhaps that's the way you get an actual phone to connect with the Asterisk server? Since no actual phones are involved on my end (incoming calls only, never transferred to a person), is there a way for me to disable this part altogether?
EDIT:
From sip.conf:
```ini
registerattempts=0 ; Number of registration attempts before we give up
                   ; 0 = continue forever, hammering the other server
                   ; until it accepts the registration
                   ; Default is 0 tries, continue forever
register => 1111111:password:[email protected]:5060/700

[inphonex]
type=peer
username=1111111
fromuser=1111111
secret=password ; password used to login their website (same as in register =>)
host=sip.inphonex.com
fromdomain=sip.inphonex.com
nat=yes ; my asterisk is behind nat
canreinvite=yes
qualify=yes
context=inbound-inphonex ; context to be used in extensions.conf for inbound calls from inphonex
disallow=all
allow=ulaw
allow=alaw
allow=gsm
insecure=port,invite
```
You can use the iptables firewall to block ALL inbound connections except SIP from the IP that your trunk provider uses.
iptables is shipped with e.g. AsteriskNow but can also be downloaded and installed separately.
I'm not an iptables expert, so I won't try to give you the full details about how to configure it in case I get it wrong, but there is a wealth of information only a Google click away and, as your rules will be quite simple, it should not be too complicated to set up.
Are you allowing anonymous sip calls or are you registering to a server that transfers the user looking for their unlock code?
If your Asterisk server is registering to a SIP service then you can isolate your SIP ports to only allow inbound connections from your SIP register as long as they stay in the middle. In response to your concern about keeping the system a usable web server, you can still keep port 80 open for all inbound connections.
If you're allowing inbound anonymous SIP connections you're in a more difficult position. You obviously can't restrict SIP connections by IP. Make sure any registrations you do have use complex passwords and create a blackhole path that dumps any call that doesn't match your application's URI. Fail2Ban, like you already have set up, is also the best answer I've come across for limiting the attacks.
If you NEED to allow SIP connections from arbitrary outside addresses setting up Fail2Ban is probably your best solution, in conjunction with LONG SIP Secrets (10-11 character minimum). Assuming you set up all the devices that connect to your server legitimate users will never need to type their SIP secret.
Otherwise as others have suggested you really want to lock down access to the VOIP server as much as possible -- Restrict incoming SIP connections to the minimum set of addresses that need to connect, and possibly force remote users to come through a VPN in order to access the SIP server (if it doesn't kill your audio quality).
A note on general security, Asterisk is pretty well known for having security holes & lurking bugs - This Guy has made a bit of an avocation out of finding new and interesting breakage in Asterisk.
In addition to the steps above to protect Asterisk from being exploited I would suggest isolating the VOIP box as much as possible (on its own subnet, in its own VLAN) to protect the rest of your infrastructure in the event someone does find a way in and tries to do something nasty.
You are correct that "that's the way you get an actual phone to connect with the Asterisk server". Phones register to the server on the same port that's used to register with the provider.
If you are only using SIP to talk to the provider, then simply set up a firewall to only allow SIP from the provider.
Fail2Ban is one solution but gives adversaries 5 chances when they should be getting none.
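The firewall approach recommended in the answers above (accept SIP only from the trunk provider, optionally keep port 80 open) can be expressed as a small rule generator. This is an added example, not code from the thread or from Asterisk; the provider address 203.0.113.10, SSH on port 22, the RTP range 10000:20000 and the ESTABLISHED rule are assumptions to replace with the real deployment's values.

```shell
#!/bin/sh
# Added example, not from the thread: generate (and optionally apply) an iptables
# ruleset that accepts SIP signalling only from the trunk provider's address and
# drops all other inbound SIP. Provider IP, SSH port 22, RTP range and the
# ESTABLISHED rule are assumptions; adjust them to the real deployment.

valid_ipv4() {
    # Crude IPv4 syntax check: digits and dots only, exactly three dots,
    # no leading/trailing/doubled dots (octet range is not checked).
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    dots=$(printf '%s' "$1" | tr -dc '.')
    [ "${#dots}" -eq 3 ]
}

# gen_sip_rules PROVIDER_IP [SIP_PORT] [RTP_RANGE]
# Prints the iptables commands. Rule order matters: the provider ACCEPT must
# precede the catch-all DROP for the SIP port, and the DROP policy is set last
# so an SSH session is not cut off while the rules are being added.
gen_sip_rules() {
    provider="$1"
    sip_port="${2:-5060}"
    rtp_range="${3:-10000:20000}"   # must match rtpstart/rtpend in rtp.conf
    valid_ipv4 "$provider" || { echo "gen_sip_rules: bad provider IP '$provider'" >&2; return 1; }
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp -s $provider --dport $sip_port -j ACCEPT
iptables -A INPUT -p udp --dport $sip_port -j DROP
iptables -A INPUT -p udp -s $provider --dport $rtp_range -j ACCEPT
iptables -P INPUT DROP
EOF
}
# Add a line like 'iptables -A INPUT -p tcp --dport 80 -j ACCEPT' if the box
# also serves a web site. Rules are appended, not flushed, so Fail2Ban's own
# chain survives; if you re-run this, clear the old rules by hand first.
# Caveat: some providers send RTP from a media host other than the SIP
# signalling address; check the SDP in 'sip set debug' output and add that
# host to the RTP rule, or calls will connect with no audio.

# Usage: sh sip-firewall.sh 203.0.113.10          (print the rules)
#        sh sip-firewall.sh 203.0.113.10 apply    (run them as root)
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "apply" ]; then
        gen_sip_rules "$1" | sh
    else
        gen_sip_rules "$1"
    fi
fi
```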