Protecting our SIP gateway, part 2
Published 2016-01-12 at https://diablo.craem.net/?p=1193
Categories: asterisk, linux, mikrotik. Tags: iptables, mikrotik, voip.

As I have mentioned on other occasions, most attacks on SIP PBXs exposed to the Internet are carried out by tools such as sipVicious and similar software.
If we have the option of using a firewall with layer 7 inspection, we can filter on the User-Agent header, as I explained in the previous post.
Now, suppose we have a Mikrotik running RouterOS 6.x...

```
/ip firewall layer7-protocol
add name=sip regexp="^.+(sundayddr).*\$"
add name=sip1 regexp="^.+(sipsak).*\$"
add name=sip2 regexp="^.+(sipvicious).*\$"
add name=sip3 regexp="^.+(friendly-scanner).*\$"
add name=sip4 regexp="^.+(iWar).*\$"
add name=sip5 regexp="^.+(sip-scan).*\$"
add name=sip6 regexp="^.+(Ozeki).*\$"
add name=sip8 regexp="^.+(sip-cli).*\$"
add name=sip7 regexp="^.+(VaxSIPUserAgent).*\$"
add name=sip9 regexp="^.+(sipcli).*\$"
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=voip_sundayddr_deny dst-address-list=AUTH layer7-protocol=sip
add action=drop chain=forward comment=voip_sipsak_deny dst-address-list=AUTH layer7-protocol=sip1
add action=drop chain=forward comment=voip_sipvicious_deny dst-address-list=AUTH layer7-protocol=sip2
add action=drop chain=forward comment=voip_friendly-scanner_deny dst-address-list=AUTH layer7-protocol=sip3
add action=drop chain=forward comment=voip_iWar_deny dst-address-list=AUTH layer7-protocol=sip4
add action=drop chain=forward comment=voip_sip-scan_deny dst-address-list=AUTH layer7-protocol=sip5
add action=drop chain=forward comment=voip_Ozeki_deny dst-address-list=AUTH layer7-protocol=sip6
add action=drop chain=forward comment=voip_VaxSIPUserAgent_deny dst-address-list=AUTH layer7-protocol=sip7
add action=drop chain=forward comment=voip_sip-cli_deny dst-address-list=AUTH layer7-protocol=sip8
add action=drop chain=forward comment=voip_sipcli_deny dst-address-list=AUTH layer7-protocol=sip9
```

Connection tracking must be enabled for these rules to work.
enjoy 😉