
Fail2Ban on Steroids -- VoIP Blacklist

Posted by eeman on Fri, 03/02/2018

Attached is a document I wrote on how to implement the VoIP Blacklist into Thirdlane. This works in a similar manner to the email RBLs, where a community updates a central database of known VoIP fraud. Instantly gain blocking of 49k known IPs performing malicious fraud.


Submitted by mcampbell@1poi… on Fri, 03/02/2018

Erik - thanks for the excellent how-to. I was able to quickly implement this on my server & look forward to less SIPVicious, etc... activity.
--Matt

Submitted by matthewmalk248 on Thu, 03/15/2018

Just noticed I'm getting an "iptables: Resource temporarily unavailable." error on this now. I double checked the script on the voipbl website, and I see some people reporting this error due to low RAM, but I have 18GB free. Anyone else get this?

Submitted by NickJ on Mon, 03/19/2018

Just be wary of the quality of the data in the blocklist; anyone can add, which is great, but comes with its downsides.
We ran it on our core firewall and found someone had added 8.8.8.8 (Google's Public DNS) to the blocklist, which broke a stack of things.

Submitted by matthewmalk248 on Tue, 03/20/2018

When running the script manually it showed on the CLI; I can't find it in logs. Something weird has started happening with Asterisk CPU being in the 200%'s and call audio getting choppy, but I have to assume that's coincidental and I'll try to get some help with that separately.

Submitted by matthewmalk248 on Sun, 04/01/2018

One quickie thing I found: if you include the -n option in the "if [ `iptables -L | grep -c "Chain BLACKLIST-INPUT"` -lt 1 ]; then" line, the script won't waste a bunch of time & effort trying to resolve IPs.
I'm still trying to figure out the "iptables: Resource temporarily unavailable." issue.

Submitted by matthewmalk248 on Sun, 04/01/2018

Has anyone confirmed that the full list is being inserted into their iptables on their Thirdlane install? I just noticed on both my VM & physical Thirdlane install, the ack/insert part of the script is running extremely slow and it seems to time out after around 20 minutes and get to around '193.x.x.x' and '199.x.x.x' in the blacklist. When running this on a mix of 9 other systems (non-Thirdlane) it completed the whole list in about 5-6 minutes. Both Thirdlane systems have way more CPU, iNet speeds, & RAM than the other ones, so I'm pretty confused.

I can run iptables -L -n during the script and see that the Thirdlane boxes seem to take 3x the time per entry than the other Linux boxes. Should I try updating something?
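One way to address the two problems raised in this thread, the slow one-rule-at-a-time insertion and the bad entries such as 8.8.8.8 landing in the list, as an added example that is neither the attached how-to's script nor code from the VoIPBL project: it builds one iptables-restore batch for the BLACKLIST-INPUT chain named above and drops anything on an operator-maintained allowlist before it ever reaches iptables. It assumes the blocklist is one IPv4 address or CIDR prefix per line; file names and sample addresses are constructed.

```shell
#!/bin/sh
# Added example; not from the original how-to or the VoIPBL project.
# Assumes the blocklist file holds one IPv4 address or CIDR prefix per line.
# File names and sample addresses below are constructed placeholders.

# Emit iptables-restore input for chain BLACKLIST-INPUT.
# $1 = blocklist file, $2 = allowlist file (exact-match entries never to block).
# One batch commit replaces tens of thousands of individual "iptables -I" calls.
build_blacklist_rules() {
    echo '*filter'
    echo ':BLACKLIST-INPUT - [0:0]'
    # Keep well-formed IPv4/CIDR lines only; drop allowlisted and duplicate entries.
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$1" \
        | grep -v -x -F -f "$2" \
        | sort -u \
        | while IFS= read -r net; do
              echo "-A BLACKLIST-INPUT -s $net -j DROP"
          done
    echo 'COMMIT'
}

# Count DROP rules in restore input read from stdin (sanity check before applying).
count_drop_rules() {
    grep -c -- '-j DROP'
}

# Chain existence check with -n so iptables never reverse-resolves addresses.
# Needs root and iptables; not exercised by the demo below.
chain_exists() {
    iptables -n -L BLACKLIST-INPUT >/dev/null 2>&1
}

# Constructed sample input: one malformed line, one duplicate, one allowlisted address.
SAMPLE_BLOCKLIST='1.2.3.4
8.8.8.8
not-an-ip
5.6.7.0/24
1.2.3.4'
SAMPLE_ALLOWLIST='8.8.8.8'

# Run the generator over the constructed sample and print the batch.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_BLOCKLIST" > "$tmp/block.txt"
    printf '%s\n' "$SAMPLE_ALLOWLIST" > "$tmp/allow.txt"
    build_blacklist_rules "$tmp/block.txt" "$tmp/allow.txt"
    rm -rf "$tmp"
}
```

Apply the output with `iptables-restore --noflush` so the other chains are left untouched; the jump from INPUT into BLACKLIST-INPUT that the how-to sets up is left to the existing script.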