{"id":1028,"date":"2022-08-22T14:11:15","date_gmt":"2022-08-22T13:11:15","guid":{"rendered":"http:\/\/cyber-cottage.co.uk\/en\/?p=1028"},"modified":"2026-03-16T15:18:57","modified_gmt":"2026-03-16T15:18:57","slug":"keeping-the-bots-at-bay","status":"publish","type":"post","link":"https:\/\/www.cyber-cottage.co.uk\/?p=1028","title":{"rendered":"Keeping the Bots out and allowing your friends in"},"content":{"rendered":"\n<p>Since this post was originally written things have advanced: FreePBX now has an integrated firewall with intrusion detection using Fail2Ban, and this should always be enabled even if the system is on premise.<\/p>\n\n\n\n<p>Another major step forward in protection is <a href=\"https:\/\/www.apiban.org\/\" target=\"_blank\" rel=\"noopener\">APIBAN<\/a>. This is a client program that helps prevent unwanted SIP traffic by identifying the addresses of known bad actors before they attack your system; the bad bots are collected through globally deployed honeypots. To use APIBAN you will need a key, which can be obtained from <a href=\"https:\/\/apiban.org\/getkey.html\" target=\"_blank\" rel=\"noopener\">here<\/a>. More details on APIBAN are <a href=\"https:\/\/www.apiban.org\/doc.html\" target=\"_blank\" rel=\"noopener\">here<\/a> if you are interested in using it in different situations.<\/p>\n\n\n\n<p>To simplify installation on FreePBX-based systems I have a simple script that downloads and installs it. It can be downloaded <a href=\"https:\/\/freeaccesspublic.s3.eu-west-2.amazonaws.com\/apiban.sh\" target=\"_blank\" rel=\"noopener\">here<\/a> or from the command line of the server as follows:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">wget https:\/\/freeaccesspublic.s3.eu-west-2.amazonaws.com\/apiban.sh\nchmod +x apiban.sh            # make it executable\n.\/apiban.sh your_api_key      # run the script with your API key<\/pre>\n\n\n\n<p>If you don't add your API key on the command line, vi will open and you can add it manually. 
The script will then run the client once, which takes a few seconds to download the initial set of bots, then it will add a line to the crontab file and restart the cron daemon. The timing of the cron job is randomised to be between every 4 and 22 minutes.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"580\" height=\"316\" data-attachment-id=\"3184\" data-permalink=\"https:\/\/www.cyber-cottage.co.uk\/?attachment_id=3184\" data-orig-file=\"https:\/\/i0.wp.com\/www.cyber-cottage.co.uk\/wp-content\/uploads\/2022\/08\/apiban-infographic.jpg?fit=1408%2C768&amp;ssl=1\" data-orig-size=\"1408,768\" data-comments-opened=\"0\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;1&quot;}\" data-image-title=\"apiban infographic\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.cyber-cottage.co.uk\/wp-content\/uploads\/2022\/08\/apiban-infographic.jpg?fit=580%2C317&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/www.cyber-cottage.co.uk\/wp-content\/uploads\/2022\/08\/apiban-infographic.jpg?resize=580%2C316&#038;ssl=1\" alt=\"\" class=\"wp-image-3184\" srcset=\"https:\/\/i0.wp.com\/www.cyber-cottage.co.uk\/wp-content\/uploads\/2022\/08\/apiban-infographic.jpg?w=1408&amp;ssl=1 1408w, https:\/\/i0.wp.com\/www.cyber-cottage.co.uk\/wp-content\/uploads\/2022\/08\/apiban-infographic.jpg?resize=300%2C164&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.cyber-cottage.co.uk\/wp-content\/uploads\/2022\/08\/apiban-infographic.jpg?resize=1024%2C559&amp;ssl=1 1024w, 
https:\/\/i0.wp.com\/www.cyber-cottage.co.uk\/wp-content\/uploads\/2022\/08\/apiban-infographic.jpg?resize=1200%2C655&amp;ssl=1 1200w\" sizes=\"auto, (max-width: 580px) 100vw, 580px\" \/><\/figure>\n\n\n\n<p>We have seen many bots attacking Asterisk servers. Interestingly, it is not always good old sipvicious any more but a Windows program called <a rel=\"noopener noreferrer\" href=\"http:\/\/www.kaplansoft.com\/sipcli\/\" target=\"_blank\">sipcli<\/a>, originating mainly from the US and Germany.<\/p>\n\n\n\n<p>Normally our iptables firewalls are kept updated, but for some reason these keep getting through, so we have now added iptables rules based on the SIP User-Agent header as well.<\/p>\n\n\n\n<p>Here are a few examples to get rid of many of the favourites:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">-A INPUT -p udp -m udp --dport 5060 -m string --string \"User-Agent: friendly-scanner\" --algo bm --to 65535 -j DROP<br>-A INPUT -p udp -m udp --dport 5060 -m string --string \"User-Agent: sipcli\" --algo bm --to 65535 -j DROP<br>-A INPUT -p udp -m udp --dport 5060 -m string --string \"User-Agent: sipvicious\" --algo bm --to 65535 -j DROP<br>-A INPUT -p udp -m udp --dport 5060 -m string --string \"User-Agent: VaxSIPUserAgent\" --algo bm --to 65535 -j DROP<\/pre>\n\n\n\n<p>For FreePBX, add the following to the Firewall's custom rules instead (they go into the fpbxreject chain):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"sip:a'or'3=3--@\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: PolycomSoundPointIP SPIP_550 UA 3.3.2.0413\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: Avaya IP Phone 1120E\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: 
Cisco-SIPGateway\/IOS-15.2.4.M5\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: PolycomVVX-VVX_401-UA5.4.1.18405\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: eyeBeam release 3006o stamp 17551\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: owenee\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: owenee\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: Custom\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: Custom\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: SIP\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: SIP\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: gazllove\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: gazllove\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: pplsip\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: pplsip\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: sipcli\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: sipcli\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: sipvicious\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: 
sipvicious\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: sip-scan\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: sip-scan\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: sipsak\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: sipsak\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: sundayddr\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: sundayddr\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: friendly-scanner\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: friendly-scanner\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: iWar\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: iWar\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: CSipSimple\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: CSipSimple\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: SIVuS\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: SIVuS\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: Gulp\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: Gulp\" --algo bm --to 65535 -j DROP<br>-A 
fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: sipv\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: sipv\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: smap\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: smap\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: friendly-request\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: friendly-request\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: VaxIPUserAgent\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: VaxIPUserAgent\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: VaxSIPUserAgent\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: VaxSIPUserAgent\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: siparmyknife\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: siparmyknife\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp -m udp --dport 5060:5261 -m string --string \"User-Agent: Test\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p tcp -m tcp --dport 5060:5261 -m string --string \"User-Agent: Test\" --algo bm --to 65535 -j DROP<br>-A fpbxreject -p udp --dport 5060:5261 -m string --string \"REGISTER sip:server.domain.co.uk\" --algo bm -j ACCEPT<br>-A fpbxreject -p udp --dport 5060:5261 -m string --string \"REGISTER sip:\" --algo bm -j DROP<br>-A fpbxreject -p tcp --dport 5060:5261 -m string 
--string \"REGISTER sip:server.domain.co.uk\" --algo bm -j ACCEPT<br>-A fpbxreject -p tcp --dport 5060:5261 -m string --string \"REGISTER sip:\" --algo bm -j DROP<br><\/pre>\n\n\n\n<p>The REGISTER rules use server.domain.co.uk as a placeholder: put your own SIP domain there, since the DROP rule that follows each ACCEPT discards any REGISTER sent to a different domain.<\/p>\n\n\n\n<p>It is also worth adding these ranges, as little good will ever come from them:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># Ponytelecom ranges\n-A INPUT -s 62.210.0.0\/16 -j DROP\n-A INPUT -s 195.154.0.0\/16 -j DROP\n-A INPUT -s 212.129.0.0\/18 -j DROP\n-A INPUT -s 62.4.0.0\/19 -j DROP\n-A INPUT -s 212.83.128.0\/19 -j DROP\n-A INPUT -s 212.83.160.0\/19 -j DROP\n-A INPUT -s 212.47.224.0\/19 -j DROP\n-A INPUT -s 163.172.0.0\/16 -j DROP\n-A INPUT -s 51.15.0.0\/16 -j DROP\n-A INPUT -s 151.115.0.0\/16 -j DROP<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"># VITOX TELECOM\n-A INPUT -s 77.247.109.0\/255.255.255.0 -p udp -j DROP\n-A INPUT -s 185.53.88.0\/24 -p udp -j DROP\n-A INPUT -s 185.53.89.0\/24 -p udp -j DROP\n-A INPUT -s 37.49.224.0\/24 -p udp -j DROP\n-A INPUT -s 37.49.230.0\/24 -p udp -j DROP\n-A INPUT -s 37.49.231.0\/24 -p udp -j DROP\n-A INPUT -s 77.247.110.0\/255.255.255.0 -p udp -j DROP<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Since this post was originally written things have advanced, FreePBX has an integrated firewall with intrusion detection using Fail2Ban, and this should always be enabled even if system is on premise. 
Another major step forward in protection is APIBAN this is a client program that helps prevent unwanted SIP traffic by identifying addresses of known [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":true,"template":"","format":"standard","meta":{"content-type":"","advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[88,2,89,104,11,82],"tags":[23,35,39,40,43,48,51,68,69,73,100,76],"class_list":["post-1028","post","type-post","status-publish","format-standard","hentry","category-astsupport","category-blog","category-elxsupport","category-freepbx","category-knowledge","category-security-knowledge","tag-asterisk","tag-elastix","tag-firewalls","tag-freepbx","tag-gradwell","tag-iptables","tag-linux","tag-security","tag-sip","tag-support","tag-technical","tag-voip"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p5daZy-gA","jetpack_sharing_enabled":true,"jetpack_likes_enabled":false,"jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/www.cyber-cottage.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/1028","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cyber-cottage.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cyber-cottage.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/w
ww.cyber-cottage.co.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cyber-cottage.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1028"}],"version-history":[{"count":19,"href":"https:\/\/www.cyber-cottage.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/1028\/revisions"}],"predecessor-version":[{"id":3186,"href":"https:\/\/www.cyber-cottage.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/1028\/revisions\/3186"}],"wp:attachment":[{"href":"https:\/\/www.cyber-cottage.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1028"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cyber-cottage.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1028"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cyber-cottage.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1028"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}