RouterOS and asterisk

Qnewbie

As a result of constantly attacks to my IP01, I am planning to set up a firewall in the middle.
Bought RB750G last summer and haven't used it (planned as VPN client but never succeeded). It seems to be much advanced than home router.

Anyone has experience with RouterOS and asterisk setup for the following (basic) objectives?
1. Protect IP01 from attacks.
2. IP01 works as before(outside normal users should be able to access my IP01).

TIA.

bubblestar

IP01 本身的防禦能力不太高吧!

Atom PC Asterisk 我自己有用Fail2ban，但個人認為最前第一防線應在Router作設定。你用RouterOS 是正確的路向。

RouterOS 好像雯雯都有，不知她是否可提供作法。

一些參考資料:

MikroTik 官方 wiki (http://wiki.mikrotik.com/wiki/Main_Page)
很多技術文章，值得花時間

大陸網站：
RouterOS 教程 u.115.com (http://www.google.com/search?hl= ... i=&aql=&oq=)
感謝 RouterOS 兄提供


論壇討論文章：

讓 MikroTik RouterOS 支援 NAT loopback - PCZONE (http://www.pczone.com.tw/vbb3/thread/16/153188/)
讓 MikroTik RouterOS 支援 NAT loopback - Mobile01 (http://www.mobile01.com/topicdet ... p;t=2079471&p=1)

MikroTik 官方 wiki 文章：

Forwarding a port to an internal IP (http://wiki.mikrotik.com/wiki/Forwarding_a_port_to_an_internal_IP)
最基本的開 port

Home Firewall (http://wiki.mikrotik.com/wiki/Home_Firewall)
家用 Firewall 的 scripts，不過記得把 scripts 裡面的範例 ip 改成自己家裡的

Hairpin NAT (http://wiki.mikrotik.com/wiki/Hairpin_NAT)
NAT loopback 的解法

Bridge Filter - Blocking DHCP Traffic (http://wiki.mikrotik.com/wiki/Br ... ocking_DHCP_Traffic)
防止區網內其他 DHCP server 干擾

How to secure a network using ARP (http://wiki.mikrotik.com/wiki/How_to_secure_a_network_using_ARP)
防止未授權電腦連上網路

How to Block a Customer and Tell him to Pay the Bill (http://wiki.mikrotik.com/wiki/How_to_Block_Customer)
好玩的功能，房東適用，先斷你網路，繳了錢再說 XD

角色

1. You have to disable port 22
2. Reduce or even remove the message written on the flash
3. Set a particular option which does not let the intruder know the response message is no valid extensoion or invalid password. Only simple error is given to the intruder.


YH

bubblestar

In IP01, allowguests=no should aslo be set and PIN can be applied in certain important (pay) trunks.

ttmuskie

I use non-standard port.

Qnewbie

Currently, I set
1. allowguests=no
2. simple error "No matching peer found" is given

However, the attacks come always back a few days after changing ip address with 30 register trials per minutes. IP01 cannot work properly as CPU load is too high

ckleea

回復 6# Qnewbie

Too bad. What is your router model?

Should try to set up a better firewall at the router level and use ports of your choice for incoming calls and registration.

Please also check your internal network PCs has problems such as viruses or other things.

My experience in the past was that hackers tried to come for a while and if your security has been strengthened, the chance of coming back is lower and less frequent. I also immediately put their IPs at the router level so that they were in no way to get a response from my asterisk. This is very important. Their IPs drop immediately means they know nothing of my side. They cannot try other methods.

In IP01, there is no way to set up like this. Also as a "server" or a linux based device, hacker already knows its existence.

雯雯

回復 1# Qnewbie

RouterOS和IP01我都有, 不過RouterOS我是用來做AP, 而IP01我是用VPN去connect (基本上我現時所有的Asterisk都是用VPN去connect).

你想在RouterOS set哪種VPN client? 附件這個file我之前試過跟着來set PPTP VPN Server是work的, 供你參考!

5200891623432.rar (996.38 KB)

下載次數: 1580

2012-1-9 23:12

Qnewbie

回復 8# 雯雯

The file is corrupted The VPN does not work, yet.

I set up the RB750G in the frontline. Put port forwarding rules for 5060 & 10000-20000. All traffic from intruders' ip are dropped.
Both incoming call and outgoing call work!

Add the block-list by hand. Missing the dynamic black-list add-on feature as fail2ban.

Qnewbie

Mask your outgoing packets as from the WAN:

/ip firewall src-nat add action=masquerade out-interface=WAN

Port forwarding for 5060 & 10000-20000(IP01 ip is 192.168.88.100):

/ip firewall nat add chain=dstnat protocol=udp dst-port=5060 action=dst-nat to-addresses=192.168.88.100 to-ports=5060
/ip firewall nat add chain=dstnat protocol=udp dst-port=10000-20000 action=dst-nat to-addresses=192.168.88.100 to-ports=10000-20000

Drop intruders(range 188.161.208.1-188.161.211.254, add more as you find more):

/ip firewall address-list add list=blacklist address=188.161.208.1-188.161.211.254
/ip firewall filter add chain=input src-address-list=blacklist action=drop

雯雯

我換了1部機upload也是有問題, 請壇主處理!

ckleea

回復 10# Qnewbie

You are now in the right track.

Qnewbie

As the black_list of hacker's ip addresses increases, it is hard to handle it.

Let's think the opposite: white list! I have 10 sip providers and a few extensions. Hence this white list would be much easier to handle.  

Divide the white-list into two groups:
#1. DNS resolvable, like, sip providers, your client's dyndns address(es) etc.
#2. Static ip addresses, like your local ip address pool. (which cannot be find out through DNS)

For the DNS resolvable group:
Copy the script from RouterOS's wiki(http://wiki.mikrotik.com/wiki/Use_host_names_in_firewall_rules, be aware of the Ooops too):

/system script add \
   name=resolvehostnames policy=write,read \
   source="# define variables\r\
   \n:local list\r\
   \n:local comment\r\
   \n:local newip\r\
   \n\r\
   \n# Loop through each entry in the address list.\r\
   \n:foreach i in=[/ip firewall address-list find] do={\r\
   \n\r\
   \n# Get the first five characters of the list name\r\
   \n  :set list [:pick [/ip firewall address-list get \$i list] 0 5]\r\
   \n\r\
   \n# If they're 'host_', then we've got a match - process it\r\
   \n  :if (\$list = \"host_\") do={\r\
   \n\r\
   \n# Get the comment for this address list item (this is the host name to u\
   se)\r\
   \n    :set comment [/ip firewall address-list get \$i comment]\r\
   \n\r\
   \n# Resolve it and set the address list entry accordingly.\r\
   \n    :set newip [:resolve \$comment]\r\
   \n    /ip firewall address-list set \$i address=\$newip\r\
   \n    }\r\
   \n  }"

And scheduler(run each hour, you can change the frequency if you like):

/system scheduler add \
   comment="" disabled=no interval=1h name=updatehostnames on-event=resolvehostnames \
   start-date=jan/01/1970 start-time=00:00:00

Add your host name to your list(listname must started with host_), for instance, you like to add mouselike.org to your list host_allowedlist:

/ip firewall address-list add address=0.0.0.0 comment=mouselike.org list=host_allowedlist

After you add all your host names to the list, run the script resolvehostnames.

For the static ip addresses, just use address-list add command. For instance, you add your IP01(192.168.88.100) to allowed_staticiplist:

/ip firewall address-list add address=192.168.88.100 comment=IP01 list=allowed_staticiplist

Done for adding allowed ip address list!

Next step is to allow white list to use port 5060(The first statement is to put all udp 5060 to extra control chain named allowedsip):

/ip firewall filter add chain=forward action=jump jump-target=allowedsip protocol=udp dst-port=5060
/ip firewall filter add chain=allowedsip action=accept protocol=udp src-address-list=host_allowedlist dst-port=5060
/ip firewall filter add chain=allowedsip action=accept protocol=udp src-address-list=allowed_staticiplist dst-port=5060

And drop all others!

/ip firewall filter add chain=allowedsip action=drop

Now those are not in the allowed list would not be able to launch attack through udp port 5060!

Qnewbie

Hope the white-list protection works.

Another field is the QoS. As ADSL, the bandwidth is always a problem(OK, for those who has dual-wan, 100M etc., plz ignore this issue). Following the wiki from Mikrotik. Here is my QoS setup:
1. Mark packets.
2. Define queue tree.
3. Define priority in queue tree.

1. For RTP traffic, it is hard to mark with layer 7 protocol. I simply mark the packets to/from the asterisk ip(here is 192.168.88.100) as voip_in and voip_out.

/ip firewall mangle
add chain=prerouting action=mark-packet new-packet-mark=voip_in passthrough=no  dst-address=192.168.88.100 in-interface=WAN
add chain=postrouting action=mark-packet new-packet-mark=voip_out passthrough=no  src-address=192.168.88.100 out-interface=WAN

Other traffic is marked by

/ip firewall mangle
add chain=prerouting action=mark-packet new-packet-mark=others_in passthrough=no in-interface=WAN
add chain=postrouting action=mark-packet new-packet-mark=others_out passthrough=no out-interface=WAN

2. Define your queue tree:
Note: change Max upload and download speed under DSL_IN(11M in) and DSL_OUT(600k out) (global-in gloabal-out) after your xDSL:

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=\
   10000000 max-limit=11000000 name=DSL_IN packet-mark="" parent=global-in \
   priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=500000 \
   max-limit=600000 name=DSL_OUT packet-mark="" parent=global-out priority=1 \
   queue=default

3. Define your priorities:

/queue tree
add name=voip_in packet-mark=voip_in parent=DSL_IN priority=3
add name=voip_out packet-mark=voip_out parent=DSL_OUT priority=3
add name=remaining_in packet-mark=others_in parent=DSL_IN priority=6
add name=remaining_out packet-mark=others_out parent=DSL_OUT priority=6

The drawback with this QoS is the memory is shrinking with 2M(12M left)!

Reference:
http://wiki.mikrotik.com/wiki/Ba ... n_layer-7_protocols
http://wiki.mikrotik.com/wiki/Voip

Qnewbie

The marking of outgoing rtp works, but not the incoming rtp as the rtp stream is from another ip...

This QoS is not perfect...