
RouterOS and asterisk

As a result of constant attacks on my IP01, I am planning to set up a firewall in the middle.
Bought an RB750G last summer and haven't used it (planned it as a VPN client but never succeeded). It seems to be much more advanced than a home router.

Does anyone have experience with a RouterOS and Asterisk setup for the following (basic) objectives?
1. Protect IP01 from attacks.
2. IP01 works as before (outside normal users should still be able to access my IP01).

TIA.

Reply to #19 角色


It works with hostnames too. However, it needs a frequently running script (typ. every 10 min.) to resolve the hostnames.
The white-list names start with the "host_" string and the hostnames are "hidden" in the comments.
See https://wiki.mikrotik.com/wiki/Use_host_names_in_firewall_rules

Be aware of the Caveat too.
RB750G, RB2011UAS-2HnD
IP01, A580IP, AT-610


Does your white-list allow hostnames instead of IP addresses?

PS Please see your PM since the port number of my Asterisk box has been changed to a new one.


Reply to #17 角色


    No more monkey jumping in the bed, I mean the white-list method DOES give a better protection to my asterisk server. However, it has its main drawback, i.e., all users must be in the white-list.


Is anyone still hacking the OP's Asterisk box?


This thread is a very important step when we deploy a routerboard as the front-end router with an Asterisk server as the back-end.


The marking of outgoing RTP works, but not the incoming RTP, as the RTP stream comes from another IP...

This QoS is not perfect...


This post was last edited by Qnewbie on 2012-6-8 22:28

Hope the white-list protection works.

Another field is QoS. On ADSL, bandwidth is always a problem (OK, for those who have dual-WAN, 100M etc., please ignore this issue). Following the wiki from Mikrotik, here is my QoS setup:
1. Mark packets.
2. Define queue tree.
3. Define priority in queue tree.

1. For RTP traffic, it is hard to mark with a layer-7 protocol. I simply mark the packets to/from the Asterisk IP (here 192.168.88.100) as voip_in and voip_out.
/ip firewall mangle
add chain=prerouting action=mark-packet new-packet-mark=voip_in passthrough=no  dst-address=192.168.88.100 in-interface=WAN
add chain=postrouting action=mark-packet new-packet-mark=voip_out passthrough=no  src-address=192.168.88.100 out-interface=WAN

Other traffic is marked by
/ip firewall mangle
add chain=prerouting action=mark-packet new-packet-mark=others_in passthrough=no in-interface=WAN
add chain=postrouting action=mark-packet new-packet-mark=others_out passthrough=no out-interface=WAN


2. Define your queue tree:
Note: change the max download and upload speed under DSL_IN (11M in) and DSL_OUT (600k out), attached to global-in and global-out, to match your xDSL line:
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=\
   10000000 max-limit=11000000 name=DSL_IN packet-mark="" parent=global-in \
   priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=500000 \
   max-limit=600000 name=DSL_OUT packet-mark="" parent=global-out priority=1 \
   queue=default


3. Define your priorities:
/queue tree
add name=voip_in packet-mark=voip_in parent=DSL_IN priority=3
add name=voip_out packet-mark=voip_out parent=DSL_OUT priority=3
add name=remaining_in packet-mark=others_in parent=DSL_IN priority=6
add name=remaining_out packet-mark=others_out parent=DSL_OUT priority=6


The drawback of this QoS is that free memory shrinks by 2M (12M left)!

Reference:
http://wiki.mikrotik.com/wiki/Ba ... n_layer-7_protocols
http://wiki.mikrotik.com/wiki/Voip


This post was last edited by Qnewbie on 2012-5-31 06:14

As the black-list of hackers' IP addresses grows, it becomes hard to handle.

Let's think the opposite: a white list! I have 10 SIP providers and a few extensions. Hence this white list would be much easier to handle.

Divide the white-list into two groups:
#1. DNS resolvable, like SIP providers, your clients' dyndns address(es) etc.
#2. Static IP addresses, like your local IP address pool (which cannot be found through DNS).

For the DNS resolvable group:
Copy the script from the RouterOS wiki (http://wiki.mikrotik.com/wiki/Use_host_names_in_firewall_rules; be aware of the Ooops too):
/system script add \
   name=resolvehostnames policy=write,read \
   source="# define variables\r\
   \n:local list\r\
   \n:local comment\r\
   \n:local newip\r\
   \n\r\
   \n# Loop through each entry in the address list.\r\
   \n:foreach i in=[/ip firewall address-list find] do={\r\
   \n\r\
   \n# Get the first five characters of the list name\r\
   \n  :set list [:pick [/ip firewall address-list get \$i list] 0 5]\r\
   \n\r\
   \n# If they're 'host_', then we've got a match - process it\r\
   \n  :if (\$list = \"host_\") do={\r\
   \n\r\
   \n# Get the comment for this address list item (this is the host name to use)\r\
   \n    :set comment [/ip firewall address-list get \$i comment]\r\
   \n\r\
   \n# Resolve it and set the address list entry accordingly.\r\
   \n    :set newip [:resolve \$comment]\r\
   \n    /ip firewall address-list set \$i address=\$newip\r\
   \n    }\r\
   \n  }"


And the scheduler (runs each hour; you can change the interval if you like):
/system scheduler add \
   comment="" disabled=no interval=1h name=updatehostnames on-event=resolvehostnames \
   start-date=jan/01/1970 start-time=00:00:00


Add your host name to your list (the list name must start with host_). For instance, if you would like to add mouselike.org to your list host_allowedlist:
/ip firewall address-list add address=0.0.0.0 comment=mouselike.org list=host_allowedlist


After you add all your host names to the list, run the script resolvehostnames.

For the static IP addresses, just use the address-list add command. For instance, to add your IP01 (192.168.88.100) to allowed_staticiplist:
/ip firewall address-list add address=192.168.88.100 comment=IP01 list=allowed_staticiplist


Done adding the allowed IP address lists!

The next step is to allow the white list to use port 5060 (the first statement sends all UDP 5060 traffic to an extra control chain named allowedsip):
/ip firewall filter add chain=forward action=jump jump-target=allowedsip protocol=udp dst-port=5060
/ip firewall filter add chain=allowedsip action=accept protocol=udp src-address-list=host_allowedlist dst-port=5060
/ip firewall filter add chain=allowedsip action=accept protocol=udp src-address-list=allowed_staticiplist dst-port=5060


And drop all others!
/ip firewall filter add chain=allowedsip action=drop


Now those not in the allowed lists will not be able to launch attacks through UDP port 5060!

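As an added illustration (not from the thread or the MikroTik wiki), a Python model of the two pieces in the post above: the host_ resolver loop and the allowedsip chain, run over constructed sample address-list entries and a fake DNS table standing in for :resolve. It shows that an entry still sitting at 0.0.0.0 matches nothing until the script has run, and that one dead hostname should not stop the other entries from being updated (that continue-on-failure behaviour is an assumption added here, not what a bare :resolve does).

```python
import ipaddress

# Constructed sample data, not from the thread: address-list entries as RouterOS
# stores them (hostname kept in the comment, address pre-set to 0.0.0.0), plus a
# fake DNS table standing in for :resolve so this runs offline.
ADDRESS_LIST = [
    {"list": "host_allowedlist", "address": "0.0.0.0", "comment": "sip1.example.net"},
    {"list": "host_allowedlist", "address": "0.0.0.0", "comment": "client.dyndns.example"},
    {"list": "host_allowedlist", "address": "0.0.0.0", "comment": "dead.example.org"},
    {"list": "allowed_staticiplist", "address": "192.168.88.0/24", "comment": "LAN"},
]
FAKE_DNS = {"sip1.example.net": "203.0.113.10", "client.dyndns.example": "198.51.100.7"}

def resolve_hostnames(entries, dns):
    """Mirror of the wiki script: for every entry whose list name starts with
    'host_', resolve the comment and rewrite the address. One deliberate
    difference (an assumption, not the wiki's behaviour): a failed lookup keeps
    the old address and the loop continues instead of the run stopping there."""
    failed = []
    for e in entries:
        if e["list"][:5] != "host_":
            continue
        ip = dns.get(e["comment"])
        if ip is None:
            failed.append(e["comment"])
            continue
        e["address"] = ip
    return failed

def in_list(entries, list_name, src_ip):
    """src-address-list match; the 0.0.0.0 placeholder matches nothing."""
    ip = ipaddress.ip_address(src_ip)
    for e in entries:
        if e["list"] != list_name or e["address"] == "0.0.0.0":
            continue
        if ip in ipaddress.ip_network(e["address"], strict=False):
            return True
    return False

def allowedsip(entries, src_ip, proto, dst_port):
    """The forward-chain jump plus the allowedsip chain: only udp/5060 is
    jumped; accept if the source is in either white-list, drop the rest."""
    if not (proto == "udp" and dst_port == 5060):
        return "not-jumped"
    if in_list(entries, "host_allowedlist", src_ip):
        return "accept"
    if in_list(entries, "allowed_staticiplist", src_ip):
        return "accept"
    return "drop"
```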

Reply to #10 Qnewbie

You are now on the right track.


I switched to another machine and the upload still has a problem, please could the forum admin handle it!


Masquerade your outgoing packets as coming from the WAN:
/ip firewall nat add chain=srcnat action=masquerade out-interface=WAN


Port forwarding for 5060 & 10000-20000 (the IP01 IP is 192.168.88.100):
/ip firewall nat add chain=dstnat protocol=udp dst-port=5060 action=dst-nat to-addresses=192.168.88.100 to-ports=5060
/ip firewall nat add chain=dstnat protocol=udp dst-port=10000-20000 action=dst-nat to-addresses=192.168.88.100 to-ports=10000-20000


Drop intruders (range 188.161.208.1-188.161.211.254; add more as you find more):
/ip firewall address-list add list=blacklist address=188.161.208.1-188.161.211.254
/ip firewall filter add chain=input src-address-list=blacklist action=drop comment="blacklist: traffic to the router itself"
/ip firewall filter add chain=forward src-address-list=blacklist action=drop comment="blacklist: dst-nat'ed traffic forwarded to IP01 passes through forward, not input"


This post was last edited by Qnewbie on 2012-1-9 22:13

Reply to #8 雯雯

The file is corrupted. The VPN does not work yet.

I set up the RB750G in the front line. Put port forwarding rules in place for 5060 & 10000-20000. All traffic from the intruders' IPs is dropped.
Both incoming and outgoing calls work!

I add to the block-list by hand. Missing a dynamic black-list add-on feature like fail2ban.


This post was last edited by 雯雯 on 2012-1-9 23:13

Reply to #1 Qnewbie

I have both RouterOS and IP01, but I use RouterOS as an AP, and I connect to IP01 via VPN (basically all my Asterisk boxes are connected via VPN at the moment).

Which kind of VPN client do you want to set up on RouterOS? The attached file is one I followed before to set up a PPTP VPN Server, and it worked; for your reference!

5200891623432.rar (996.38 KB)


Reply to #6 Qnewbie

Too bad. What is your router model?

You should try to set up a better firewall at the router level and use ports of your choice for incoming calls and registration.

Please also check whether your internal network PCs have problems such as viruses or other things.

My experience in the past was that hackers tried to come for a while, and if your security has been strengthened, the chance of them coming back is lower and less frequent. I also immediately put their IPs at the router level so that they had no way to get a response from my Asterisk. This is very important. Dropping their IPs immediately means they learn nothing about my side. They cannot try other methods.

In IP01, there is no way to set it up like this. Also, as a "server" or a Linux-based device, the hacker already knows of its existence.

