In this experiment, we will be testing the effectiveness of the APIBAN and see if it can single-handedly protect our server from the bad SIP traffic. It will be integrated with Asterisk PBX running on CentOS 7.
We installed Asterisk-18-rc1 on CentOS 7 to collect the stats for APIBAN. LibreNMS was used to monitor all the metrics of the server running Asterisk. Asterisk PBX was configured with a very basic configuration, as follows:
1. It accepts all SIP INVITEs, picks up the call and plays an audio file (tt-monkeys).
2. Several SIP peers were configured with no password on them.
The server in this state, without APIBAN or any firewall, was left open for 2 days, i.e. from September 18, 2020 to September 20, 2020. The following graphs show the metrics captured by LibreNMS during that time frame.
The Asterisk console reported that 244535 calls were processed in the 2 days without APIBAN running.
APIBAN – Community Sharing of Bad Actors
Next comes APIBAN. APIBAN does not work directly with Asterisk; instead, it is integrated with the iptables firewall. If you are using a SIP router such as Kamailio or OpenSIPS, there is a much smoother way to implement it: check out the APIBAN integration section on the official website.
Now it's time to set up APIBAN on our server, but before we begin we have to make sure that the iptables package is installed and working properly. To use APIBAN we first need an API key. Getting one is as easy as entering your email address: visit the official website, click "Get Key", follow the steps, and the key will arrive in your inbox.
After getting the key, we download the Go client or the Bash script for our system. Both work the same way, but the Go client is preferred over the Bash script. Both are available on the APIBAN GitHub repository.
- First, create the apiban directory under /usr/local/bin/.
- Download the Go client (apiban-iptables-client) along with config.json into the apiban directory created in the previous step.
- Edit config.json and add your API key.
- Make the client executable:
chmod +x /usr/local/bin/apiban/apiban-iptables-client
- Then execute the client.
A cron job was also added to execute the client every 4 minutes and fetch the IP addresses newly marked as bad/spam by APIBAN. All of the above steps, including the crontab entry, are documented on the GitHub repository.
The changes made by the client are visible immediately. A new chain called Apiban was created in iptables, blocking access to our server from hundreds of malicious IP addresses.
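The setup steps above (directory, config.json, executable bit, 4-minute cron entry) and the resulting iptables chain, pulled together into one script as an added example; it is not the APIBAN project's own code. It assumes a config.json with an "APIKEY" field, a chain named APIBAN, and per-address rules of the form "-A APIBAN -s <ip>/32 -j DROP"; the iptables-save dump and the key value are constructed placeholders, and the demo runs against a temporary directory so nothing on the live system is touched.

```shell
#!/bin/sh
# Added example, not the APIBAN client's own code. Prepares the client directory,
# writes config.json, emits the cron line, and verifies an iptables-save dump.
# Assumed (not from the article): the "APIKEY" field name, the APIBAN chain name,
# and the "-A APIBAN -s <ip>/32 -j DROP" rule format the client writes.
set -u

APIBAN_DIR="${APIBAN_DIR:-/usr/local/bin/apiban}"
APIBAN_CLIENT="apiban-iptables-client"

# Steps 1-3: create the directory and write config.json with the key given as $2.
# Downloading the client binary from the GitHub repository is left to the operator;
# this function refuses to write a config with an empty key.
apiban_write_config() {
  dir="$1"; key="$2"
  [ -n "$key" ] || { echo "APIBAN key must not be empty" >&2; return 1; }
  mkdir -p "$dir"
  printf '{\n  "APIKEY": "%s"\n}\n' "$key" > "$dir/config.json"
  chmod 600 "$dir/config.json"   # the key is a credential: keep it owner-readable only
}

# Step 4: make the client executable (+x, not -x) and confirm the bit is set.
apiban_make_executable() {
  dir="$1"
  [ -f "$dir/$APIBAN_CLIENT" ] || { echo "client binary missing in $dir" >&2; return 1; }
  chmod +x "$dir/$APIBAN_CLIENT"
  [ -x "$dir/$APIBAN_CLIENT" ]
}

# Cron entry that runs the client every 4 minutes, as in the article.
apiban_cron_line() {
  echo "*/4 * * * * $1/$APIBAN_CLIENT >/dev/null 2>&1"
}

# Verification: read iptables-save output on stdin and print how many addresses the
# chain drops. Fails (non-zero) if INPUT never jumps to the chain, which would mean
# the rules exist but nothing reaches them.
apiban_blocked_count() {
  chain="${1:-APIBAN}"
  dump="$(cat)"
  printf '%s\n' "$dump" | grep -q -- "^-A INPUT .*-j ${chain}\$" || return 1
  printf '%s\n' "$dump" | grep -c -- "^-A ${chain} -s [0-9./]* -j DROP\$" || true
}

# Constructed sample of what iptables-save shows after the client has run.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:APIBAN - [0:0]
-A INPUT -j APIBAN
-A APIBAN -s 192.0.2.10/32 -j DROP
-A APIBAN -s 198.51.100.22/32 -j DROP
-A APIBAN -s 203.0.113.5/32 -j DROP
COMMIT'

# Stand-alone demo in a temporary directory; the key below is a placeholder.
if [ "${APIBAN_DEMO:-1}" = "1" ]; then
  tmp="$(mktemp -d)"
  apiban_write_config "$tmp" "REPLACE_WITH_YOUR_APIBAN_KEY"
  : > "$tmp/$APIBAN_CLIENT"      # stand-in for the downloaded binary
  apiban_make_executable "$tmp"
  apiban_cron_line "$APIBAN_DIR"
  printf 'blocked addresses in sample dump: %s\n' \
    "$(printf '%s\n' "$SAMPLE_DUMP" | apiban_blocked_count)"
  rm -rf "$tmp"
fi
```

On a real host, replace the sample dump with `iptables-save | apiban_blocked_count` after the client has run; a count of zero or a failed INPUT check is the quickest sign that the client ran without the permissions it needs.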
48 Hours with APIBAN – Metrics
The next set of metrics was collected from LibreNMS over a span of 2 days, i.e. from September 20, 2020 to September 22, 2020, with the client executing every 4 minutes.
The Asterisk console reported a total of 244541 calls processed, which means only 6 calls were processed in these 2 days.
From the above experiment, we can confidently conclude that APIBAN has proved to be effective and has reduced the bad SIP traffic drastically. Without it, thousands of calls were made which could have cost users a lot and could have wasted system resources through a flood of requests. In the APIBAN logs, it was seen that new IP addresses were being added to the list of banned addresses quite frequently.
The metrics captured by LibreNMS showed that the overall traffic to and from our server fell by a huge margin, and the same trend appeared in the other metrics as well. Only 6 calls were processed by Asterisk over 2 days with APIBAN in place, compared to 244535 calls over the same duration without it.
APIBAN does what it claims and does it perfectly. Finally, we'd like to express our gratitude to Fred Posner for developing and maintaining an awesome and effective tool that benefits the whole community.