Securing Asterisk VoIP Server with APF and BFD

Introduction

Even though Asterisk is a reliable and secure VoIP server, it is a frequent target of malicious attacks and brute force attempts. Strong passwords are a great security advantage; however, on their own they are not enough to keep your Asterisk server from being compromised.

In this tutorial, we'll discuss how to install a powerful firewall and a brute force detection software to secure your Asterisk or FreePBX server.

Things You Need To Know

What is APF?

APF is an abbreviation for Advanced Policy Firewall. It is a powerful iptables-based firewall system developed by R-fx Networks. It is used to easily manage the open ports on your server and to allow or block access from specific IP addresses.
https://www.rfxn.com/projects/advanced-policy-firewall/

What is BFD?

BFD is an abbreviation for Brute Force Detection. It is a small shell script, also developed by R-fx Networks. It checks the Asterisk logs from a cron job, detects brute force login attempts, and blocks the attacker's IP address with APF.
https://www.rfxn.com/projects/brute-force-detection/

Am I a target for attacks?

If your VoIP server is on a public IP address, then you most certainly are a prime target for attacks. Even if you haven't shared your IP address with anyone, attackers use tools that scan whole ranges of IP addresses, and it is very likely that your server will be found. When working with remote extensions or VoIP trunks, it is essential to use tools that detect failed login attempts and block the offending IP addresses from accessing your system.

Step One — Install APF and BFD

By default, the FreePBX 2.11 distro comes with a brute force detection tool called fail2ban. Many users prefer fail2ban, but in this tutorial we will look at APF and BFD as a more robust solution.

You will need to start by removing fail2ban from your system. If you are not using FreePBX 2.11 or don't have fail2ban already installed, you can skip this command.

yum remove fail2ban

We will now install APF and BFD using a simple script that fetches both from the R-fx Networks website and installs them. We will download this script to the /usr/src/ directory and run it.

cd /usr/src/
wget http://voiplet.com/downloads/install_apf_bfd.sh
chmod 755 install_apf_bfd.sh
./install_apf_bfd.sh
chkconfig apf on

After the script completes, APF should be installed in /etc/apf/ and BFD in /usr/local/bfd/.

Step Two — Configuring APF

To configure APF we need to edit the file /etc/apf/conf.apf. We can do that by opening the file with a text editor:

vim /etc/apf/conf.apf

We will start by setting SET_TRIM to 0. This value caps the total number of deny rules APF keeps; the cap exists to save memory and shorten start-up time. In our case it is crucial that attacking IP addresses stay blocked permanently, so we remove the limit.

SET_TRIM="0"

APF can apply QoS to certain ports, giving them maximum network priority, which is recommended. To enable it, we add our most-used ports to the TOS_8 parameter.

TOS_8="22,80,5060,10000_20000"

APF uses ingress filtering to specify which ports are open to the public. There are two options: IG_TCP_CPORTS for TCP and IG_UDP_CPORTS for UDP. We need to list the ports we will be using here.

IG_TCP_CPORTS="22,80,5060,10000_20000"
IG_UDP_CPORTS="5060,10000_20000"

APF has a development mode that stops the firewall every 5 minutes. Finally, we need to disable this by setting the DEVEL_MODE parameter to 0.

DEVEL_MODE="0"

Save and close this file when you are finished. You can now apply the new configuration to APF by using the command below:

apf -r

Using APF

Now that APF is running, you can control your firewall with simple commands. Below are some APF usage examples:

Allow 192.168.1.5: apf -a 192.168.1.5
Deny 192.168.1.5: apf -d 192.168.1.5
Allow Range 192.168.1.1 --> 192.168.1.254: apf -a 192.168.1.0/24
Deny Range 192.168.1.1 --> 192.168.1.254: apf -d 192.168.1.0/24
Remove 192.168.1.5 from rules: apf -u 192.168.1.5

Using Whitelist Mode With APF ~ Skip this step if you give public access to your PBX

If your PBX is for private use and only specific IP addresses will ever connect to it, it is highly recommended to turn on whitelist mode with APF. This allows only the IPs you specify to reach your server; all other IP addresses are denied. It greatly improves your overall security and makes it very hard for anyone else to get into your server. To deny access from all other IP addresses with APF, you close all the public ports on your system.

First of all, make sure you whitelist your current IP address so that you do not get locked out of your server.

apf -a {your.current.ip.address}

Then edit /etc/apf/conf.apf and set the values below. If you are using Asterisk, it is recommended to keep the UDP port range 10000 to 20000 open to avoid RTP (audio) problems.

IG_TCP_CPORTS=""
IG_UDP_CPORTS="10000_20000"

Lastly, we need to reload APF. After this step, you will only be able to reach your server from the IP you whitelisted earlier; access from any other IP will be denied. So make sure you have added your current static IP address so you don't lock yourself out.

apf -r

Now that your server is in whitelist mode, nobody can access it unless you specifically grant them access. To give someone access, you need their public IP address (they can find it by visiting http://ipchicken.com) and then add it to the APF allow list with the allow command.

apf -a {client's.ip.address}
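The most common way to break whitelist mode is to reload APF before your own address is in the allow list. The script below, added here as an example and not part of the original tutorial or of APF, checks the address your SSH session comes from (the SSH_CONNECTION variable sshd sets) against /etc/apf/allow_hosts.rules and only runs apf -r if it is covered. It understands plain "IP" and "IP/prefix" entries; APF's extended "proto:flow:..." rule syntax is deliberately skipped, so an address allowed only through such a rule will be reported as missing. The script name and the "reload" keyword are assumptions.

```shell
#!/bin/sh
# Added example (not part of the tutorial or of APF): refuse to reload APF in
# whitelist mode unless the current SSH client address is in allow_hosts.rules.

# ip_to_int A.B.C.D: dotted quad to a 32-bit integer (IPv4 only).
ip_to_int() {
    oifs="$IFS"
    IFS=.
    set -- $1
    IFS="$oifs"
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_match IP ENTRY: 0 if IP lies inside ENTRY, given as "IP" or "IP/prefix".
cidr_match() {
    ip="$1"; entry="$2"
    case "$entry" in
        */*) net="${entry%/*}"; bits="${entry#*/}" ;;
        *)   net="$entry"; bits=32 ;;
    esac
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# ip_allowed FILE IP: 0 if any plain entry in FILE covers IP.
ip_allowed() {
    file="$1"; ip="$2"
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"                       # strip trailing comments
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        case "$entry" in
            ''|*:*) continue ;;                   # blank line or extended syntax
        esac
        cidr_match "$ip" "$entry" && return 0
    done < "$file"
    return 1
}

# safe_reload: run "apf -r" only when the SSH client address is whitelisted.
safe_reload() {
    client="${SSH_CONNECTION%% *}"
    if [ -z "$client" ]; then
        echo "not an SSH session; cannot determine client address" >&2
        return 2
    fi
    if ip_allowed /etc/apf/allow_hosts.rules "$client"; then
        apf -r
    else
        echo "refusing to reload: $client is not in allow_hosts.rules" >&2
        echo "add it first with: apf -a $client" >&2
        return 1
    fi
}

# Command-line use (assumed script name): ./apf_safe_reload.sh reload
if [ "${1:-}" = "reload" ]; then
    safe_reload
fi
```

Run it as root from the same SSH session you will keep using; if it refuses, add the address it prints with apf -a and run it again. Because the check is done before the reload rather than after, a typo in the allow list costs you a retry instead of a trip to the console.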

Step Three — Configuring BFD

To configure BFD we need to edit the file /usr/local/bfd/conf.bfd. We start by opening the configuration file with a text editor such as nano or vim.

vim /usr/local/bfd/conf.bfd

Let us first look at the option TRIG. This is the number of failed attempts allowed before an IP address is blocked. The recommended value is 15, so that a legitimate user who enters a wrong password accidentally has some margin and is not blocked right away.

TRIG="15"
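To see what the TRIG threshold means in practice, the script below, added here as an example and not part of the original tutorial or of BFD, counts failed SIP registrations per source address in an Asterisk log and lists the addresses that have reached the threshold. It mirrors the idea behind BFD's Asterisk rule, not its implementation. The sample log lines are constructed in the shape of Asterisk's "failed for 'IP:port'" notices; the script name and the "block" keyword are assumptions.

```shell
#!/bin/sh
# Added example (not part of the tutorial or of BFD): per-address count of
# failed registrations in an Asterisk log, compared against a TRIG threshold.

# failed_per_ip LOGFILE: print "IP COUNT" lines, most active address first.
failed_per_ip() {
    awk '
        # Match "failed for <quote>IP:port" without naming the quote character.
        match($0, /failed for .[0-9.]+:/) {
            ip = substr($0, RSTART + 12, RLENGTH - 13)
            n[ip]++
        }
        END { for (ip in n) print ip, n[ip] }
    ' "$1" | sort -k2,2nr
}

# offenders LOGFILE TRIG: print only the addresses with COUNT >= TRIG.
offenders() {
    failed_per_ip "$1" | awk -v trig="$2" '$2 >= trig { print $1 }'
}

# Constructed sample log in the shape of Asterisk chan_sip notices.
# On a real box, point the functions at /var/log/asterisk/messages instead.
sample_log() {
cat <<'EOF'
[Mar  3 10:15:01] NOTICE[2214] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '203.0.113.5:5060' - Wrong password
[Mar  3 10:15:02] NOTICE[2214] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '203.0.113.5:5060' - No matching peer found
[Mar  3 10:15:02] NOTICE[2214] chan_sip.c: Registration from '"102" <sip:102@203.0.113.5>' failed for '203.0.113.5:5061' - Wrong password
[Mar  3 10:16:40] NOTICE[2214] chan_sip.c: Registration from '"200" <sip:200@pbx>' failed for '198.51.100.9:5060' - Wrong password
[Mar  3 10:17:00] VERBOSE[2214] chan_sip.c:     -- Registered SIP '200' at 198.51.100.9:5060
EOF
}

# Command-line use (assumed script name): ./asterisk_failures.sh block LOGFILE TRIG
# Blocks each offender with APF, the same action BFD takes.
if [ "${1:-}" = "block" ]; then
    offenders "$2" "$3" | while read -r ip; do
        apf -d "$ip"
    done
fi
```

With the sample log and TRIG set to 3, only 203.0.113.5 is reported: it has three failures, while 198.51.100.9 has a single wrong password followed by a successful registration, which is exactly the case the margin in TRIG is meant to protect.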

You should also enable email alerts so that you receive reports of extensive brute force attempts on your server. To enable BFD email alerts, set EMAIL_ALERTS to 1 and put your email address in the EMAIL_ADDRESS field.

EMAIL_ALERTS="1"

EMAIL_ADDRESS="youremail@example.com"

Now that BFD is set up correctly, you can exit the configuration file and start BFD.

bfd -s

To show recent BFD statistics, you can use this command.

bfd -a
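If you set up more than one PBX, editing conf.apf and conf.bfd by hand each time invites mistakes. The script below, added here as an example and not part of the original tutorial or of the R-fx tools, applies the Step Two APF settings and the Step Three BFD settings with sed, then refuses to reload APF if the result would turn development mode back on or drop SSH (port 22) from the open TCP ports. The script name, the "apply" keyword and the admin address are assumptions; the file paths are the ones the tutorial names, and each function accepts another path so you can try it on a copy first.

```shell
#!/bin/sh
# Added example (not part of the tutorial or of APF/BFD): scripted application
# of the conf.apf and conf.bfd settings from Steps Two and Three, with a
# lock-out check before the APF reload.

# set_conf FILE KEY VALUE: replace KEY="..." in place, or append it if absent.
set_conf() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^${key}=" "$file"; then
        sed -i "s|^${key}=.*|${key}=\"${value}\"|" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_conf FILE KEY: print the quoted value of KEY (empty if it is missing).
get_conf() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1"
}

# apply_apf_conf [FILE]: the Step Two settings.
apply_apf_conf() {
    f="${1:-/etc/apf/conf.apf}"
    set_conf "$f" SET_TRIM 0                             # keep every deny rule
    set_conf "$f" TOS_8 "22,80,5060,10000_20000"         # QoS: SSH, web, SIP, RTP
    set_conf "$f" IG_TCP_CPORTS "22,80,5060,10000_20000" # public TCP ports
    set_conf "$f" IG_UDP_CPORTS "5060,10000_20000"       # public UDP ports
    set_conf "$f" DEVEL_MODE 0                           # no 5-minute auto-stop
}

# apply_bfd_conf [FILE] EMAIL: the Step Three settings.
apply_bfd_conf() {
    f="${1:-/usr/local/bfd/conf.bfd}"; email="$2"
    set_conf "$f" TRIG 15
    set_conf "$f" EMAIL_ALERTS 1
    set_conf "$f" EMAIL_ADDRESS "$email"
}

# apf_conf_ok FILE: 0 only if DEVEL_MODE is off and port 22 is still in the
# TCP ingress list, so that "apf -r" cannot lock you out over SSH.
apf_conf_ok() {
    [ "$(get_conf "$1" DEVEL_MODE)" = "0" ] || return 1
    case ",$(get_conf "$1" IG_TCP_CPORTS)," in
        *,22,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Command-line use (assumed script name): ./apf_bfd_conf.sh apply admin@example.com
if [ "${1:-}" = "apply" ]; then
    apply_apf_conf
    if apf_conf_ok /etc/apf/conf.apf; then
        apf -r
    else
        echo "conf.apf would lock you out (DEVEL_MODE or port 22); not reloading" >&2
        exit 1
    fi
    apply_bfd_conf "" "$2"
    bfd -s
fi
```

The sed substitution rewrites an existing line rather than appending a second copy, so running the script twice leaves one SET_TRIM line, not two; the lock-out check runs against the file on disk, so it also catches a value you changed by hand after the script.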

Conclusion

BFD has built-in detection rules for Asterisk, so there is nothing else to set up; you can find these rules in /usr/local/bfd/rules. By now, you should have a pretty secure Asterisk or FreePBX box that is invulnerable to brute force attempts and has all the necessary tools to promptly block any other hack attempts.
