48 Hours with APIBAN

Summary


In this experiment, we test the effectiveness of APIBAN and see whether it can single-handedly protect our server from bad SIP traffic. It is integrated with an Asterisk PBX running on CentOS 7.

We installed Asterisk 18-rc1 on CentOS 7 to collect the stats for APIBAN. LibreNMS was used to monitor all the metrics of the server running Asterisk. Asterisk was given a very basic configuration, as follows:
1. It accepts all SIP INVITEs, answers the call and plays an audio file (tt-monkeys).
2. Several SIP peers were configured with no password.

The server in this state, without APIBAN or any firewall, was left open for 2 days, i.e. from September 18, 2020 to September 20, 2020. The following graphs show the metrics captured by LibreNMS during that time frame.

Overall Network Traffic from September 18, 2020, to September 20, 2020
Asterisk Calls from September 18, 2020, to September 20, 2020
SIP Peers from September 18, 2020, to September 20, 2020
Processor Usage from September 18, 2020, to September 20, 2020

The Asterisk console reported that 244535 calls were processed in the 2 days without APIBAN running.

APIBAN – Community Sharing of Bad Actors


Next comes APIBAN. APIBAN does not work with Asterisk directly; instead, it is integrated with the iptables firewall. If you are using a SIP router such as Kamailio or OpenSIPS, there is a much smoother way to implement it: check out the APIBAN integration section on their official website.

Now it is time to set up APIBAN on our server, but before we begin we first have to make sure that the iptables package is installed and working properly. To use APIBAN we first need an API key. Getting one is as easy as entering your email address and pressing enter: visit the official website, click on "get key", follow the steps and the key will arrive in your inbox.

After getting the key, we fetch the Go client or the Bash script for our system. Both work in the same way, but the Go client is preferred over the Bash script. Both are available on their GitHub repository.

  • First, create a directory under /usr/local/bin/
mkdir /usr/local/bin/apiban
  • Download the Go client (apiban-iptables-client) along with config.json into the apiban directory created in the previous step.
  • Then edit config.json and add your API key.
  • Make the client executable (note +x; chmod -x would remove the execute bit instead)
chmod +x /usr/local/bin/apiban/apiban-iptables-client
  • And then execute the client (with its absolute path, so the same command works from any directory and from cron)
/usr/local/bin/apiban/apiban-iptables-client

A cron job was also added which executes the client every 4 minutes to fetch new IP addresses that APIBAN has marked as bad. All the above steps, including the crontab entry, can be found on the GitHub repository.
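The steps above, scripted end to end as an added example; this is not the APIBAN project's installer and not code from the post. Labelled assumptions: the two download URLs are placeholders for the release links on the GitHub repository, and the key is assumed to live in a JSON field named "APIKEY" in the shipped config.json (check the file you downloaded). The key and the iptables chain are treated as the sensitive pieces: the config is made readable by root only, and the first run is followed by a check that the chain actually exists.

```shell
#!/bin/sh
# Added example (not the APIBAN project's own installer). Assumptions are
# marked: APIBAN_CLIENT_URL and APIBAN_CONFIG_URL are placeholders for the
# release download links, the config is assumed to carry the key in a JSON
# field named "APIKEY", and the chain name defaults to APIBAN (chain names
# are case-sensitive; the post calls it Apiban, so verify with iptables -S).
set -eu

APIBAN_DIR="${APIBAN_DIR:-/usr/local/bin/apiban}"
APIBAN_CLIENT="$APIBAN_DIR/apiban-iptables-client"
APIBAN_CONFIG="$APIBAN_DIR/config.json"
APIBAN_CHAIN="${APIBAN_CHAIN:-APIBAN}"
# Placeholders: replace with the real release URLs from the GitHub repository.
APIBAN_CLIENT_URL="${APIBAN_CLIENT_URL:-https://example.invalid/apiban-iptables-client}"
APIBAN_CONFIG_URL="${APIBAN_CONFIG_URL:-https://example.invalid/config.json}"

# Shape check only: reject keys that would break the JSON or the sed below.
apiban_key_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Write the API key into the "APIKEY" field of an existing config.json,
# leaving every other field untouched.  Usage: apiban_set_key CONFIG KEY
apiban_set_key() {
    config="$1"; key="$2"
    apiban_key_ok "$key" || { echo "refusing key with unexpected characters" >&2; return 1; }
    grep -q '"APIKEY"' "$config" || { echo "no APIKEY field in $config" >&2; return 1; }
    sed -i "s/\"APIKEY\"[[:space:]]*:[[:space:]]*\"[^\"]*\"/\"APIKEY\":\"$key\"/" "$config"
}

# The crontab line the post describes: run the client every 4 minutes.
apiban_cron_line() {
    printf '*/4 * * * * %s >/dev/null 2>&1\n' "$1"
}

# Add the cron line once; running the installer twice must not duplicate it.
apiban_install_cron() {
    line="$(apiban_cron_line "$1")"
    current="$(crontab -l 2>/dev/null || true)"
    if printf '%s\n' "$current" | grep -qF "$1"; then
        return 0
    fi
    printf '%s\n%s\n' "$current" "$line" | sed '/^$/d' | crontab -
}

# Full procedure (needs root); only runs when invoked with --install.
apiban_install() {
    key="$1"
    mkdir -p "$APIBAN_DIR"
    curl -fsSL -o "$APIBAN_CLIENT" "$APIBAN_CLIENT_URL"
    [ -e "$APIBAN_CONFIG" ] || curl -fsSL -o "$APIBAN_CONFIG" "$APIBAN_CONFIG_URL"
    apiban_set_key "$APIBAN_CONFIG" "$key"
    chmod 700 "$APIBAN_CLIENT"   # executable (+x) for root only; it edits iptables
    chmod 600 "$APIBAN_CONFIG"   # the API key is a credential, keep it private
    "$APIBAN_CLIENT"             # first run creates the chain and loads the bans
    apiban_install_cron "$APIBAN_CLIENT"
    iptables -S "$APIBAN_CHAIN" | head -n 5   # sanity check: chain exists, rules loaded
}

case "${1:-}" in
    --install) apiban_install "${2:?usage: $0 --install API_KEY}" ;;
esac
```

Run it as root with `sh install-apiban.sh --install <your key>` after filling in the URLs. The `apiban_set_key` function is deliberately strict about the key's characters, because it splices the value into a sed expression and into JSON; a real key from the site is plain alphanumerics, so anything else is a paste error rather than a key.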

The changes made by the client are visible within the first second: a new chain called APIBAN was created in iptables, blocking access to our server from hundreds of malicious IP addresses.
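A quick way to confirm that the chain is not just present but actually matching traffic is to read its per-rule packet counters. The helpers below are an added example (not part of the post or of the APIBAN client); they parse the output of `iptables -L APIBAN -v -n -x` (the `-x` flag prints exact counters instead of "12K"-style abbreviations) and report which banned sources have hit the server. The sample output embedded in the block is constructed for the demo, with addresses from the documentation ranges; the chain name APIBAN is an assumption, as noted in the installation steps.

```shell
#!/bin/sh
# Added example, not part of the post or the APIBAN client. Summarises the
# per-source packet counters of the chain the client creates, so you can see
# whether the ban list is matching real traffic. Assumes the chain is named
# APIBAN (the post writes Apiban; iptables chain names are case-sensitive).
set -eu
APIBAN_CHAIN="${APIBAN_CHAIN:-APIBAN}"

# Columns of `iptables -L <chain> -v -n -x`:
#  1 pkts  2 bytes  3 target  4 prot  5 opt  6 in  7 out  8 source  9 destination
# The first two lines are the chain header and the column header.

# Print "<packets> <source>" for every rule that has matched, busiest first.
apiban_hits_report() {
    awk 'NR > 2 && $1 ~ /^[0-9]+$/ && $1 > 0 { print $1, $8 }' | sort -k1,1nr
}

# Total packets dropped by the chain (reads the same output on stdin).
apiban_hits_total() {
    awk 'NR > 2 && $1 ~ /^[0-9]+$/ { total += $1 } END { print total + 0 }'
}

# Number of rules, i.e. addresses currently banned.
apiban_rule_count() {
    awk 'NR > 2 && $1 ~ /^[0-9]+$/ { n++ } END { print n + 0 }'
}

# Constructed sample output, as `iptables -L APIBAN -v -n -x` would print it;
# the addresses are from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.
APIBAN_SAMPLE="$(cat <<'EOF'
Chain APIBAN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      42     25200 DROP       all  --  *      *       203.0.113.5          0.0.0.0/0
       0         0 DROP       all  --  *      *       198.51.100.7         0.0.0.0/0
      15      9000 DROP       all  --  *      *       203.0.113.77         0.0.0.0/0
EOF
)"

# Demo on the constructed sample; for the live chain (as root) use:
#   iptables -L "$APIBAN_CHAIN" -v -n -x | apiban_hits_report
apiban_demo() {
    echo "banned addresses: $(printf '%s\n' "$APIBAN_SAMPLE" | apiban_rule_count)"
    echo "packets dropped:  $(printf '%s\n' "$APIBAN_SAMPLE" | apiban_hits_total)"
    echo "top sources:"
    printf '%s\n' "$APIBAN_SAMPLE" | apiban_hits_report
}

case "${1:-}" in
    --demo) apiban_demo ;;
esac
```

Two caveats when reading the live counters: they reset whenever the rules are flushed and re-created, so a zero does not mean an address never knocked, and a chain with many rules but no hits at all after a day is a sign that the `INPUT` jump to the chain is missing or sits below an earlier `ACCEPT` for SIP.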

48 Hours with APIBAN – Metrics


The next set of metrics was collected from LibreNMS over a span of 2 days, i.e. from September 20, 2020 to September 22, 2020, with the client executing every 4 minutes.

Overall Network Traffic from September 20, 2020, to September 22, 2020, after installing APIBAN
Asterisk Calls from September 20, 2020, to September 22, 2020, after installing APIBAN
SIP Peers from September 20, 2020, to September 22, 2020, after installing APIBAN
Processor usage from September 20, 2020, to September 22, 2020, after installing APIBAN

The Asterisk console reported 244541 calls processed in total, which means only 6 calls were processed in these 2 days.

Conclusion


From the above experiment, we can confidently conclude that APIBAN has proved effective and has reduced the bad SIP traffic drastically. Without it, thousands of calls were made which could have cost users a lot and could potentially have wasted system resources through the flood of requests. In the APIBAN logs, it was seen that new IP addresses were being added to the list of banned addresses quite frequently.
The metrics captured by LibreNMS showed that the overall traffic to and from our server was reduced by a huge margin, and the other metrics followed the same trend. Only 6 calls were processed by Asterisk in 2 days with APIBAN in place, compared to 244535 calls processed in the same duration without it.
APIBAN does what it claims and does it perfectly. Finally, we would like to express our gratitude to Fred Posner for developing and maintaining an awesome and effective tool which benefits the whole community.
