The safest way to run Asterisk is to keep it behind a firewall and expose no service at all, that is, the firewall opens no port whatsoever for Asterisk. But when Asterisk has to serve the outside world, or the VoIP carrier you use needs a direct connection for some unexplained reason before it will work properly, opening ports on the firewall is the only way.
Opening firewall ports for Asterisk amounts to throwing its doors wide open, which always makes one uneasy about Asterisk's security; this has long been a problem I faced and urgently needed to solve.
I recently got the idea for the solution I needed from the PBX in a Flash forum, then implemented and tested it; the result is very effective and practical. I drew a flowchart in Paint so it can be understood at a glance, and the explanation follows.
(Figure) Asterisk security protection flowchart
http://www.pbxinaflash.com/forum/sho...ead.php?t=8735
http://www.sunshinenetworks.com.au/h...rks-knock.html
[OSSLab]OSSEC & FreePBX
[OSSLab]fail2ban for Asterisk
http://www.voip-info.org/wiki/view/F...9+And+Asterisk
Code:
apt-get install iptables
Right after installation iptables should have no rules, so every packet is accepted, like this:
Code:
iptables -nL
which produces the following output:
Code:
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
First create a script named iptables_script:
Code:
cd /root
nano -w iptables_script
Paste the entire contents of the box below into it and save:
Code:
#!/bin/bash
# This script must be run in one go. Never execute it line by line, or you will lock yourself out; I have done that once already.
# Set the internal network ranges and the TCP/UDP port variables
LANA="127.0.0.0/8"
LANB="10.0.0.0/8"
LANC="172.16.0.0/12"
LAND="192.168.0.0/16"
TCPPORTS="22,80,139,443,445,4445,5038,9001,9022,9080,10000"
UDPPORTS="53,69,123,137:138,1514,4520,4569,5060,10000:20000"
# Flush all rules of the local firewall (filter table). Be especially careful when the INPUT chain policy is DROP, so you do not lock yourself out.
iptables -F
iptables -X
iptables -Z
# Define the default policy: when a packet matches none of your rules, the policy decides whether it passes
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Define the firewall: rules that only allow the internal network to connect to the Asterisk host
iptables -A INPUT ! -i eth0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports $TCPPORTS -s $LANA -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports $TCPPORTS -s $LANB -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports $TCPPORTS -s $LANC -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports $TCPPORTS -s $LAND -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports $UDPPORTS -s $LANA -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports $UDPPORTS -s $LANB -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports $UDPPORTS -s $LANC -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports $UDPPORTS -s $LAND -j ACCEPT
# Save the rules just created
iptables-save > /etc/iptables.up.rules
Then run iptables_script with the following commands:
Code:
chmod +x iptables_script
./iptables_script
Code:
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
iptables -N whitelist
iptables -A INPUT -p udp -m multiport --dports 4569,5060 -j whitelist
iptables -A whitelist -s 66.54.140.46 -j ACCEPT
iptables -A whitelist -s 66.54.140.47 -j ACCEPT
iptables -A whitelist -s 210.202.244.130 -j ACCEPT
iptables -A whitelist -s 210.244.221.240 -j ACCEPT
iptables-save > /etc/iptables.up.rules
Afterwards the content of /etc/iptables.up.rules is as follows:
Code:
# Generated by iptables-save v1.4.8 on Wed Dec 15 18:12:29 2010
*nat
:PREROUTING ACCEPT [101:50660]
:POSTROUTING ACCEPT [104:17692]
:OUTPUT ACCEPT [104:17692]
COMMIT
# Completed on Wed Dec 15 18:12:29 2010
# Generated by iptables-save v1.4.8 on Wed Dec 15 18:12:29 2010
*mangle
:PREROUTING ACCEPT [1294:303173]
:INPUT ACCEPT [1294:303173]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1194:333833]
:POSTROUTING ACCEPT [1236:339950]
COMMIT
# Completed on Wed Dec 15 18:12:29 2010
# Generated by iptables-save v1.4.8 on Wed Dec 15 18:12:29 2010
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [185:88716]
:whitelist - [0:0]
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -p tcp -m multiport --dports 22,80,139,443,445,4445,5038,9001,9022,9080,10000 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m multiport --dports 22,80,139,443,445,4445,5038,9001,9022,9080,10000 -j ACCEPT
-A INPUT -s 172.16.0.0/12 -p tcp -m multiport --dports 22,80,139,443,445,4445,5038,9001,9022,9080,10000 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m multiport --dports 22,80,139,443,445,4445,5038,9001,9022,9080,10000 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -p udp -m multiport --dports 53,69,123,137:138,1514,4520,4569,5060,10000:20000 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p udp -m multiport --dports 53,69,123,137:138,1514,4520,4569,5060,10000:20000 -j ACCEPT
-A INPUT -s 172.16.0.0/12 -p udp -m multiport --dports 53,69,123,137:138,1514,4520,4569,5060,10000:20000 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p udp -m multiport --dports 53,69,123,137:138,1514,4520,4569,5060,10000:20000 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m multiport --dports 4569,5060 -j whitelist
-A whitelist -s 66.54.140.46/32 -j ACCEPT
-A whitelist -s 66.54.140.47/32 -j ACCEPT
-A whitelist -s 210.202.244.130/32 -j ACCEPT
-A whitelist -s 210.244.221.240/32 -j ACCEPT
COMMIT
# Completed on Wed Dec 15 18:12:29 2010
Code:
iptables -A INPUT -p udp -m udp -s 66.54.140.46/32 --dport 4569 -j ACCEPT
iptables -A INPUT -p udp -m udp -s 66.54.140.47/32 --dport 4569 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
iptables -N door
iptables -I door 1 -p udp --dport 5060 -m string --string "mysecretpass" --algo bm -m recent --set --name portisnowopen
iptables -A INPUT -p udp --dport 5060 --source 210.202.244.130/32 -j ACCEPT
iptables -A INPUT -p udp --dport 5060 --source 210.244.221.240/32 -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -m recent --rcheck --seconds 4000 --name portisnowopen -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j door
iptables -A INPUT -p udp --dport 5060 -j DROP
iptables-save > /etc/iptables.up.rules
Afterwards the content of /etc/iptables.up.rules is as follows:
Code:
# Generated by iptables-save v1.4.8 on Fri Dec 17 14:15:15 2010
*nat
:PREROUTING ACCEPT [67:8613]
:POSTROUTING ACCEPT [3076:226290]
:OUTPUT ACCEPT [3076:226290]
COMMIT
# Completed on Fri Dec 17 14:15:15 2010
# Generated by iptables-save v1.4.8 on Fri Dec 17 14:15:15 2010
*mangle
:PREROUTING ACCEPT [41440:9679999]
:INPUT ACCEPT [41440:9679999]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [38953:11437844]
:POSTROUTING ACCEPT [39131:11476397]
COMMIT
# Completed on Fri Dec 17 14:15:15 2010
# Generated by iptables-save v1.4.8 on Fri Dec 17 14:15:15 2010
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [58:52600]
:door - [0:0]
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -p tcp -m multiport --dports 22,80,139,443,445,4445,5038,9001,9022,9080,10000 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m multiport --dports 22,80,139,443,445,4445,5038,9001,9022,9080,10000 -j ACCEPT
-A INPUT -s 172.16.0.0/12 -p tcp -m multiport --dports 22,80,139,443,445,4445,5038,9001,9022,9080,10000 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m multiport --dports 22,80,139,443,445,4445,5038,9001,9022,9080,10000 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -p udp -m multiport --dports 53,69,123,137:138,1514,4520,4569,5060,10000:20000 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p udp -m multiport --dports 53,69,123,137:138,1514,4520,4569,5060,10000:20000 -j ACCEPT
-A INPUT -s 172.16.0.0/12 -p udp -m multiport --dports 53,69,123,137:138,1514,4520,4569,5060,10000:20000 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p udp -m multiport --dports 53,69,123,137:138,1514,4520,4569,5060,10000:20000 -j ACCEPT
-A INPUT -s 66.54.140.46/32 -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -s 66.54.140.47/32 -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -s 210.202.244.130/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s 210.244.221.240/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -m recent --rcheck --seconds 4000 --name portisnowopen --rsource -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j door
-A INPUT -p udp -m udp --dport 5060 -j DROP
-A door -p udp -m udp --dport 5060 -m string --string "mysecretpass" --algo bm --to 65535 -m recent --set --name portisnowopen --rsource
COMMIT
# Completed on Fri Dec 17 14:15:15 2010
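To make the behaviour of the door rules above concrete, here is an added example (not code from the post) that models how the INPUT chain treats one inbound UDP/5060 datagram: LAN and provider sources are accepted outright, an unknown source is dropped until a packet carrying the knock string is recorded in the recent list, and the 4000-second window then expires. The external phone address 203.0.113.5 and the SIP payloads are constructed for the walkthrough; the secret, window and provider addresses are the post's own values.

```python
import ipaddress
from dataclasses import dataclass, field

# Values taken from the post's rules
KNOCK_SECRET = b"mysecretpass"       # -m string --string "mysecretpass"
WINDOW = 4000                        # -m recent --rcheck --seconds 4000
PROVIDER_SIP = {"210.202.244.130", "210.244.221.240"}   # explicit ACCEPT on udp/5060
LAN = [ipaddress.ip_network(n)
       for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Input5060:
    """Evaluates one inbound UDP/5060 datagram the way the post's INPUT chain does."""
    recent: dict = field(default_factory=dict)  # 'portisnowopen' list: src -> time of last --set

    def door(self, src, payload, now):
        # Chain 'door': the string-match + 'recent --set' rule has no -j target,
        # so it only records the source; the packet then returns to INPUT.
        if KNOCK_SECRET in payload:
            self.recent[src] = now

    def evaluate(self, src, payload, now):
        if any(ipaddress.ip_address(src) in net for net in LAN):
            return "ACCEPT"                   # LAN multiport rule
        if src in PROVIDER_SIP:
            return "ACCEPT"                   # provider source whitelist
        # -m recent --rcheck --seconds 4000 matches only if the source was --set
        # within the window; --rcheck never refreshes the timestamp.
        if src in self.recent and now - self.recent[src] <= WINDOW:
            return "ACCEPT"
        self.door(src, payload, now)
        return "DROP"                         # the post's final explicit DROP on udp/5060


def walkthrough():
    """Constructed sequence from one external phone (203.0.113.5, a documentation address)."""
    fw = Input5060()
    reg = b"REGISTER sip:pbx.example SIP/2.0\r\n"   # constructed SIP request
    return [
        fw.evaluate("203.0.113.5", reg, 0),                        # unknown source: DROP
        fw.evaluate("203.0.113.5", b"knock " + KNOCK_SECRET, 1),   # recorded, but the knock itself is dropped
        fw.evaluate("203.0.113.5", reg, 2),                        # inside the 4000 s window: ACCEPT
        fw.evaluate("203.0.113.5", reg, 4002),                     # window expired: DROP
        fw.evaluate("210.202.244.130", reg, 0),                    # provider address: ACCEPT without a knock
    ]
```

Because the rule uses --rcheck rather than --update, accepted traffic does not refresh the timestamp, so a remote phone has to resend the knock string at least every 4000 seconds. The knock travels in cleartext UDP, so treat it as a convenience gate for your own remote phones on top of the source whitelist, not as an authentication mechanism.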
See also:
[OSSLab]OSSEC & FreePBX
[OSSLab]fail2ban for Asterisk
http://www.voip-info.org/wiki/view/F...9+And+Asterisk
Reference sources:
http://linux.vbird.org/linux_server/...e_firewall.php
http://www.pbxinaflash.com/forum/sho...?t=7560&page=2
http://www.pbxinaflash.com/forum/sho...ead.php?t=8735
http://www.sunshinenetworks.com.au/h...rks-knock.html
http://nerdvittles.com/?p=709
http://www.voip-info.org/wiki/view/F...9+And+Asterisk