Protect VoIP servers

Started by _seb_, May 06, 2025, 08:14:10 AM

Hello,

I'm planning to implement an OPNsense front-end for a VoIP server. I'm already using GeoIP country restrictions (GeoLite2-Country-CSV - MaxMind).

I'd now like to try to effectively block VoIP scans and targeted attacks. Is this possible?

Do you have any feedback on this approach?

Thank you for your replies.

I do that via a network group of ASN firewall aliases, because I know in which ASNs my clients live, even if they use dynamic IPs.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Hi meyergru,

That's one approach, but it's going to pose a problem for me.

For example, if you have someone with a mobile phone and a SIP application, they can make calls from different ASNs...

I guess this is best implemented at the server in question. Starface for example does automatic blacklisting of brute force connection attempts.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Yes, that's already the case; the server integrates this protection.

The idea of moving this protection to the firewall will make it easier to load the VoIP server.
Given that the firewall is at the front of the internet, I'm wondering if it's not possible to add this task to it in addition to GeoIP.

May 06, 2025, 09:24:53 AM #5 Last Edit: May 06, 2025, 11:05:00 AM by meyergru
In that case, you do not know the incoming IP beforehand, so you cannot be more fine-grained based on that. Even the country restrictions could be a problem in case somebody travels to a blocked country (well, you might get away with blocking North Korea ;-) ).

Port-knocking is not a viable solution in this context, so IMHO, you can do but two things:

1. Obfuscating by using a non-standard SIP port (and potentially, UDP only).
2. If possible, by using IPv6 only. That way, you will avoid port scanning, but only if you can hide the DNS name of your service as well - for example in a business context, not with a service that has to be publicly documented. The drawback could be (mobile) providers that only support IPv4. There are also very old SIP phones that only handle IPv4.
3. Blocking on the application level in case of failed connection attempts (fail2ban or the like).

Completely agree regarding the use of SIP when traveling to countries blocked via the GeoIP rule...

1. This is simple to achieve, but it will be more complicated in some networks to use VoIP because the port will certainly be filtered/closed as it is non-standard.
2. IPv6 is not deployed everywhere, so it will not work 100%.
3. Yes, the VoIP server integrates this.

In conclusion, OPNsense will not be useful to me for this part.
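
An added example, not part of the thread and not taken from any PBX or from fail2ban: the application-level blocking of failed connection attempts mentioned in the replies, written as a sliding-window counter over SIP registration failures. The log format, sample lines and function names are constructed assumptions, and grouping IPv6 sources per /64 goes slightly beyond what the thread discusses.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format (an assumption, not any real PBX's output).
LINE_RE = re.compile(r"^(\S+) REGISTER_FAILED src=(\S+) user=\S+$")

SAMPLE_LOG = """\
2025-05-06T09:00:01 REGISTER_FAILED src=203.0.113.7 user=100
2025-05-06T09:00:02 REGISTER_OK src=198.51.100.20 user=201
2025-05-06T09:00:03 REGISTER_FAILED src=203.0.113.7 user=101
2025-05-06T09:00:05 REGISTER_FAILED src=2001:db8:1:2::a user=100
2025-05-06T09:00:06 REGISTER_FAILED src=203.0.113.7 user=102
2025-05-06T09:00:09 REGISTER_FAILED src=2001:db8:1:2::b user=100
2025-05-06T09:00:11 REGISTER_FAILED src=2001:db8:1:2::c user=100
2025-05-06T09:01:00 REGISTER_FAILED src=198.51.100.20 user=201
2025-05-06T09:20:00 REGISTER_FAILED src=198.51.100.20 user=201
"""

def source_key(addr):
    """Count IPv4 per host and IPv6 per /64, since a client can rotate within its prefix."""
    ip = ipaddress.ip_address(addr)
    prefix = 32 if ip.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def find_offenders(log_text, max_failures=3, window_seconds=60):
    """Return networks with max_failures failed registrations inside the window."""
    recent = defaultdict(deque)   # network -> timestamps of recent failures
    banned = []                   # kept in the order the threshold was crossed
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # successful registrations and unrelated lines
        try:
            ts = datetime.fromisoformat(m.group(1))
            key = source_key(m.group(2))
        except ValueError:
            continue              # malformed timestamp or address: skip, do not crash
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= max_failures and key not in banned:
            banned.append(key)
    return [str(net) for net in banned]

if __name__ == "__main__":
    print("\n".join(find_offenders(SAMPLE_LOG)))
```

With the defaults, the occasional failures from 198.51.100.20 (a user who also registers successfully) stay below the threshold, which is the trade-off to tune for roaming clients.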