I’ve been using VoIP Blacklist to block unwelcome traffic to my Asterisk server.

The site comes with instructions for using with iptables.

I’m running it on FreeBSD with ipfw.

This assumes some familiarity with cron and ipfw.

Here’s the crontab entry I’m using:

# voipbl crontab, Charles Mercadal <mercadal+web@gmail.com>
# revision: 1.2
1 */4 * * *     sleep `jot -r 1 0 3540`; curl -s "http://voipbl.org/update/" | awk  '{if (NR!=1) {print}}' > /tmp/voipblip.txt && ipfw table 5060 list | awk '{print $1}' > /tmp/table5060-current.txt && awk '{if (f==1) { r[$0] } else if (! ($0 in r)) { print $0 } } ' f=1 /tmp/table5060-current.txt f=2 /tmp/voipblip.txt > /tmp/records_to_add.txt; xargs -n1 ipfw table 5060 add < /tmp/records_to_add.txt > /dev/null 2>&1; bzip2 -f /tmp/records_to_add.txt; bzip2 -f /tmp/table5060-current.txt; bzip2 -f /tmp/voipblip.txt

What it does

  1. The sleep portion of the statement makes it delay for a while, so the request doesn’t hit at the top of the hour every time it runs.
  2. curl downloads the blacklist.
  3. the awk statement it’s piped to strips the first line of the output.
  4. Then, the current ipfw table list is exported to /tmp/table5060-current.txt.
  5. awk strips the first line of that output.
  6. The next awk statement removes any records already in the table from the most recently downloaded list.
  7. xargs does the heavy lifting of adding new records that weren’t already in ipfw’s table 5060.
  8. A few bzip2 statements to keep the data on /tmp, in case it needs later review before the next run.

Making it drop traffic

All the stuff above does, in short, is to grab new blacklist entries and put them in an ipfw table. You still need to tell ipfw to block the items in the table with something like:

ipfw add 03050 deny udp from table(5060) to any 5060 in

… assuming your Asterisk server is running on port 5060.

A couple random notes

  • If your cron is running with jitter enabled for root’s jobs (Vixie cron has this option) then you can remove all the the initial sleep stuff from the crontab entry.
  • I set up my entry that drops traffic to only drop UDP. I have yet to see a tcp sip bruteforce. But you could change to deny all ip traffic on 5060 if you’re paranoid.
  • Using the jot command assumes you’re running BSD. Which is likely, since ipfw seems to be standard only on FreeBSD these days.

Revisions

  • 1.1: Added a revision number, in case you want to stop back and look for updates in the future.
  • 1.2: Fixed a (small) bug where the previous script would always try to re-add the first record in the ipfw table back into ipfw. No functional issues, but not strictly necessary/confusing to someone trying to read the code.