SIP 网络安全
| README.md | ||
fw
SIP 网络安全
sudo apt-get install ipset fail2ban
voipbl.sh
#!/bin/bash
URL="http://www.voipbl.org/update/"
set -e
echo "Downloading rules from VoIP Blacklist"
wget -qO - $URL -O /tmp/voipbl.txt
echo "Loading rules..."
# Check if rule set exists and create one if required
if ! $(/usr/sbin/ipset list voipbl > /dev/null 2>&1); then
ipset -N voipbl iphash
fi
#Check if rule in iptables
if ! $(/sbin/iptables -w --check INPUT -m set --match-set voipbl src -j DROP > /dev/null 2>&1); then
/sbin/iptables -I INPUT 1 -m set --match-set voipbl src -j DROP
fi
# Create temporary chain
ipset destroy voipbl_temp > /dev/null 2>&1 || true
ipset -N voipbl_temp iphash hashsize 131072 maxelem 260000
cat /tmp/voipbl.txt |\
awk '{print "if ! [[ \""$1"\" =~ ^#$|^0.0.0.0 ]]; then /usr/sbin/ipset -A voipbl_temp \""$1"\" ; fi;"}' | sh
ipset swap voipbl_temp voipbl
ipset destroy voipbl_temp || true
echo "Done! Rules loaded"
/etc/cron.d/voipbl
# update blacklist each 4 hours
0 */4 * * * * root /usr/local/bin/voipbl.sh
4小时
/etc/fail2ban/jail.conf
[asterisk-iptables]
action = iptables-allports[name=ASTERISK, protocol=all]
voipbl[serial=XXXXXXXXXX]
/etc/fail2ban/action.d/voipbl.conf.
# Description: Configuration for Fail2Ban
[Definition]
actionban = <getcmd> "<url>/ban/?serial=<serial>&ip=<ip>&count=<failures>"
actionunban = <getcmd> "<url>/unban/?serial=<serial>&ip=<ip>&count=<failures>"
[Init]
getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 \
--read-timeout=60 --retry-connrefused --output-document=- \
--user-agent=Fail2Ban
url = http://www.voipbl.org