Avoid attacks


To avoid malicious activities such as SPIT (SPam over Internet Telephony), TDoS (Telephony Denial-Of-Service), fuzzing and War dialing, please do the following to keep your server and service secured.

 

  • From Brekeke SIP Server version 3.2, the Block List feature can be used to define filtering and blocking policies for malicious activity. If a request matches a rule defined in the [Block List] > [Filtering Policy] page and/or the [Block List] > [Setting] page, the request will be blocked and its remote IP address and/or user name will be added automatically to the [Block IP Address] and/or [Blocked User Name] pages. You can also manually define IP addresses and user names to be blocked.
  • Refer to the “Security” section on the Brekeke SIP Server documents page.
  • Change the default administrator “sa” password, and set strong passwords for system administrators.
  • Secure SIP authentication information. Using the auto-provisioning function is recommended to minimize breach of the information.
  • If possible, use a firewall in front of the SIP Server to block unknown remote IP addresses.
  • Access the Brekeke product Admintool with SSL
  • Use the latest version of Brekeke Products
  • Change the SIP port of clients’ SIP devices to a port other than 5060
  • Use the following DialPlan rules to block “friendly-scanner”
For Brekeke ver3.2 and later products: 

Add the following rules to the Brekeke admintool > [SIP SERVER] > [Dial Plan] > [Preliminary] page:
By using $action = block in [Deploy Patterns], Brekeke SIP Server will block matched requests and put the remote IP address in the [Block List] > [Blocked IP Address] page. For Brekeke PBX 3.8 or later, the default preliminary rule ($pbx.precheck = ^true in the Matching Patterns and $pbx.preprocess in the Deploy Patterns) is mostly equivalent to the rules below.

[Matching Patterns]
$str.lowercase(User-Agent) = friendly-scanner|sundayddr|vaxsipuseragent|sipcli|custom|pplsip|vaxsipuseragent|sipscan|sipvicious|sipptk
$request = ^(\S+)

[Deploy Patterns]
$action = block
$param = Method=%1 UA=%{User-Agent}

 

[Matching Patterns]
From = sipsscuser|sipvicious
$request = ^(\S+)

[Deploy Patterns]
$action = block
$param = Method=%1 UA=%{User-Agent}

With the above rule in the [Dial Plan] > [Preliminary] page, the remote IP address of each blocked request from sipsscuser or sipvicious is put in the [IP Address] column of the [Block List] > [Blocked IP Address] page. The [reason] column shows the DialPlan rule name followed by the blocked request’s Method and User-Agent information, which is recorded by $param in the rule, and the [Time Added] column shows the time the blocked record was added.

Also, there are several sample DialPlan rules for blocking malicious packets under the Honeypot topic.

Note: These DialPlan rules should be listed under the [Dial Plan] > [Preliminary] page, not under [Dial Plan] > [Rules].
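
The two ver3.2 rules above can be checked offline against your own SIP traffic before they are deployed. The following Python sketch is an added example, not Brekeke code: it approximates the matching under the assumption that the patterns are applied as unanchored regular-expression searches, and the helper names and sample requests are constructed for illustration.

```python
import re

# Patterns copied from the ver3.2+ rules on this page.
UA_RULE = re.compile(r"friendly-scanner|sundayddr|vaxsipuseragent|sipcli|custom"
                     r"|pplsip|vaxsipuseragent|sipscan|sipvicious|sipptk")
FROM_RULE = re.compile(r"sipsscuser|sipvicious")
REQUEST_RULE = re.compile(r"^(\S+)")  # %1 = the SIP method

def parse_sip(raw):
    """Return (request_line, headers) with header names lowercased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return head[0], headers

def block_reason(raw):
    """Return the $param text if either rule matches, else None.
    Assumption: patterns are unanchored regex searches."""
    request_line, headers = parse_sip(raw)
    ua = headers.get("user-agent", "")
    sender = headers.get("from") or headers.get("f", "")  # "f" = compact form
    method = REQUEST_RULE.search(request_line)
    if method and (UA_RULE.search(ua.lower()) or FROM_RULE.search(sender)):
        return f"Method={method.group(1)} UA={ua}"
    return None

def sip(method, from_hdr, ua):
    """Build a constructed sample request (not captured traffic)."""
    return (f"{method} sip:100@192.0.2.10 SIP/2.0\r\n"
            f"From: {from_hdr}\r\nUser-Agent: {ua}\r\n\r\n")

SAMPLES = {
    "scanner_ua": sip("OPTIONS", "<sip:100@192.0.2.55>", "friendly-scanner"),
    "scanner_from": sip("REGISTER", '"sipvicious" <sip:100@192.0.2.55>', "Foo"),
    "normal_phone": sip("INVITE", "<sip:alice@example.com>", "ExamplePhone/2.1"),
    # A legitimate device whose UA merely contains "custom" also matches.
    "custom_substring": sip("INVITE", "<sip:bob@example.com>", "MyCustomPBX 1.0"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:17} -> {block_reason(raw)}")
```

Under that assumption, the short token "custom" matches any User-Agent that contains it, so compare the pattern with the User-Agent strings of your own devices before enabling $action = block.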

 

For Brekeke ver3.0 and ver3.1 products: 

Add the following rules to the Brekeke SIP Server admintool > [Dial Plan] > [Preliminary] page:
By using $accept = false in [Deploy Patterns], Brekeke SIP Server will not accept matched requests, and no response will be sent from Brekeke products either.

[Matching Patterns]
$str.lowercase(User-Agent) = friendly-scanner|sundayddr|vaxsipuseragent|sipcli|custom|pplsip|vaxsipuseragent|sipscan|sipvicious|sipptk

[Deploy Patterns]
$accept = false

 

[Matching Patterns]
From = sipsscuser|sipvicious

[Deploy Patterns]
$accept = false

 
