Block SIP Authentication Attacks with IPtables
If you’re running a SIP-based PBX system (Asterisk, FreeSWITCH, FreePBX, MikoPBX, etc.) exposed to the internet, you’re likely seeing constant authentication attacks from bots scanning for vulnerable systems. Here’s a simple, elegant firewall solution that stops these attacks before they ever reach your PBX.
The Problem
Traditional firewall approaches try to rate-limit authentication attempts or use tools like Fail2ban to block IPs after failed logins. While these work, they still allow attackers to hit your PBX authentication system, consuming resources and filling your logs.
The Solution
Instead of defending against authentication attempts, prevent them entirely. The key insight: legitimate SIP traffic to your PBX will include your proper SIP hostname, while automated scanners just probe random IP addresses.
By filtering at the firewall level to only allow SIP packets containing your legitimate hostname, attackers never even reach your authentication system.
Implementation
This works on any Linux-based system (Ubuntu, Debian, CentOS, etc.) and with any SIP PBX software.
Step 1: Create the Firewall Rules
Create or edit /etc/iptables/rules.v4:
sudo nano /etc/iptables/rules.v4
Add these rules (adjust hostnames and ports for your setup):
*filter
-F
-X
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BADSIP - [0:0]
# Allow loopback
-A INPUT -i lo -j ACCEPT
# Allow established and related connections
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SIP Port Protection (adjust ports as needed: 5060, 5061, etc.)
# ONLY allow connections that contain your legitimate SIP hostname(s)
-A INPUT -p udp -m udp --dport 5060:5064 -m string --string "sip.yourdomain.com" --algo bm -j ACCEPT
# Add additional hostnames if you have multiple SIP domains
# -A INPUT -p udp -m udp --dport 5060:5064 -m string --string "pbx.anotherdomain.com" --algo bm -j ACCEPT
# Block all other SIP traffic (direct IP connections)
-A INPUT -p udp -m udp --dport 5060:5064 -j BADSIP
# RTP media ports - only for established connections
# Adjust the port range to match your PBX configuration (commonly 10000-20000)
-A INPUT -p udp -m udp --dport 10000:20000 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow ICMP (ping) with rate limiting
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# BADSIP chain - drop unwanted traffic
-A BADSIP -j DROP
COMMIT
Step 2: Install iptables-persistent
This ensures your rules persist across reboots:
sudo apt update
sudo apt install iptables-persistent
During installation, choose Yes to save current rules.
Step 3: Apply the Rules
sudo iptables-restore < /etc/iptables/rules.v4
Step 4: Verify the Firewall
Check that your rules are active:
sudo iptables -L -v -n
Step 5: Monitor Blocked Attacks
Watch the packet counter for the BADSIP chain:
watch -n 2 'sudo iptables -L BADSIP -v -n -x'
As the pkts counter increases, you're blocking attack attempts in real time.
Configuration Notes
Important settings to customize:
- Hostname: Replace sip.yourdomain.com with your actual SIP hostname(s)
- SIP Ports: Default is 5060-5064, adjust if you use different ports
- RTP Ports: Default is 10000-20000, match this to your PBX configuration
- Multiple Hostnames: Add an additional -A INPUT ... -m string rule for each legitimate hostname
- Case: The -m string match is case-sensitive by default, so the hostname must appear in packets exactly as your endpoints send it; add --icase to the rule if any device is provisioned with the hostname in a different case
- Transport: These rules inspect UDP payloads only; SIP over TLS cannot be filtered this way, because the hostname is encrypted in transit
- Admin access: The ruleset sets the INPUT policy to DROP and contains no rule for SSH or your PBX's web interface; add those before applying it on a remote server, or you will lock yourself out
To find your RTP port range:
- FreePBX: Settings → Asterisk SIP Settings → RTP Settings
- Asterisk: Check rtp.conf
- FreeSWITCH: Check switch.conf.xml
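As an added example (not code from this post or from any PBX project), the Python model below applies the same substring decision the -m string rule makes to three constructed SIP datagrams: a phone registering by hostname, a scanner probing the bare IP address, and the same phone provisioned with the hostname in mixed case. The sample messages, addresses and the demo() helper are constructed for illustration; the hostname is the same placeholder as in the rules file.

```python
# Added example, not from the post: a Python model of what the iptables
# "-m string --algo bm" rule checks, run over constructed SIP datagrams.
# It models only the substring decision; it is not the kernel xt_string code.
ALLOWED_HOSTS = ["sip.yourdomain.com"]  # same placeholder as the rules file

def sip_verdict(payload: bytes, hostnames=ALLOWED_HOSTS, icase=False) -> str:
    """Return "ACCEPT" if any allowed hostname occurs anywhere in the datagram
    (xt_string scans the whole packet, not one header), else "BADSIP", the
    chain that drops it. icase=True models adding --icase to the rule; without
    it the match is case-sensitive."""
    haystack = payload.lower() if icase else payload
    for host in hostnames:
        needle = host.encode("ascii")
        if (needle.lower() if icase else needle) in haystack:
            return "ACCEPT"
    return "BADSIP"

# Constructed samples. A phone registering to the PBX by name carries the
# hostname in the Request-URI and in the From/To URIs.
LEGIT_REGISTER = (
    b"REGISTER sip:sip.yourdomain.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"From: <sip:1001@sip.yourdomain.com>;tag=1928301774\r\n"
    b"To: <sip:1001@sip.yourdomain.com>\r\n"
    b"Call-ID: a84b4c76e66710\r\nCSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n"
)
# A scanner sweeping address space knows only the IP, so its URIs hold only that.
SCANNER_OPTIONS = (
    b"OPTIONS sip:100@203.0.113.5 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 198.51.100.7:5070;branch=z9hG4bK-2313\r\n"
    b"From: <sip:100@203.0.113.5>;tag=6b\r\n"
    b"To: <sip:100@203.0.113.5>\r\n"
    b"Call-ID: 7b2c\r\nCSeq: 1 OPTIONS\r\nContent-Length: 0\r\n\r\n"
)
# The same legitimate phone, provisioned with the hostname in mixed case.
MIXEDCASE_REGISTER = LEGIT_REGISTER.replace(b"sip.yourdomain.com", b"SIP.YourDomain.com")

def demo():
    """Verdicts for the three datagrams, with and without --icase."""
    return {
        "legit": sip_verdict(LEGIT_REGISTER),
        "scanner": sip_verdict(SCANNER_OPTIONS),
        "mixedcase": sip_verdict(MIXEDCASE_REGISTER),
        "mixedcase_icase": sip_verdict(MIXEDCASE_REGISTER, icase=True),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} -> {verdict}")
```

The mixed-case result is the one to watch when checking the "no false positives" claim on your own fleet: a device that sends the hostname in a different case is dropped by the default rule and only accepted once --icase is added.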
Benefits
- Stops attacks before they reach your PBX – No authentication attempts logged
- Zero performance impact – Filtering happens at the firewall level
- No false positives – Legitimate traffic always includes the hostname
- Simple to maintain – No complex rate limiting or IP blacklists
- Works with any SIP PBX – Asterisk, FreeSWITCH, FreePBX, MikoPBX, etc.
Testing
After implementation, you should see:
- Legitimate calls working normally
- Attack attempts in your PBX security logs dropping to near-zero
- The BADSIP packet counter steadily increasing (blocked attacks)
Additional Security
While this firewall provides excellent protection, also ensure:
- Strong SIP passwords (16+ random characters)
- Disable guest/anonymous SIP if not needed
- Keep your PBX software updated
- Consider VPN access for administrative interfaces
Conclusion
By filtering SIP traffic based on hostname presence, you create a simple but highly effective barrier against automated attacks. Scanners probing random IP addresses are blocked instantly, while legitimate traffic flows through unimpeded.
This approach is far simpler than complex rate limiting or Fail2ban configurations, yet equally or more effective for stopping authentication attacks on SIP-based PBX systems.
Update: Running Debian 12/13 or newer Ubuntu? Check out my follow-up post on implementing this same protection with nftables instead of iptables!