
Block SIP Authentication Attacks with nftables

If you’re running a SIP-based PBX system (Asterisk, FreeSWITCH, FreePBX, MikoPBX, etc.) exposed to the internet, you’re likely seeing constant authentication attacks from bots scanning for vulnerable systems.

In my previous article on blocking SIP attacks with iptables, I showed you how to use hostname-based filtering to stop these attacks before they reach your PBX. This guide covers the same protection strategy using nftables – the modern replacement for iptables that’s now the default on Debian 12/13, Ubuntu 22.04+, and other recent Linux distributions.

If you’re still running older systems with iptables, check out the iptables version of this guide instead.

The Problem

Traditional firewall approaches try to rate-limit authentication attempts or use tools like Fail2ban to block IPs after failed logins. While these work, they still allow attackers to hit your PBX authentication system, consuming resources and filling your logs.

The Solution

Instead of defending against authentication attempts, prevent them entirely. The key insight: legitimate SIP traffic to your PBX will include your proper SIP hostname, while automated scanners just probe random IP addresses.

By filtering at the firewall level to only allow SIP packets containing your legitimate hostname, attackers never even reach your authentication system.

Implementation

This guide is for modern Linux systems using nftables (Debian 12/13, Ubuntu 22.04+, and other recent distributions).

Step 1: Create the nftables Configuration File

Create a new file for your SIP protection rules:

```bash
sudo mkdir -p /etc/nftables.d
sudo nano /etc/nftables.d/sip-protection.nft
```

Add these rules (adjust hostnames and ports for your setup):

```
#!/usr/sbin/nft -f

# SIP Protection with Hostname Filtering
# Blocks direct IP attacks, only allows traffic with legitimate hostnames

table inet sip_filter {
    # Declared but not referenced by any rule below; kept as a placeholder.
    # Note that inet_service is a port type, not a hostname type.
    set allowed_sip_hosts {
        type inet_service
        flags interval
    }

    chain input {
        # policy drop applies to everything this chain does not accept.
        # Base chains from all tables share the input hook and a drop here
        # is final, so accept SSH/admin traffic here too if no rule below does.
        type filter hook input priority filter; policy drop;

        # Allow loopback
        iif lo accept

        # Allow established and related connections
        ct state established,related accept

        # SIP Port Protection (5060-5064)
        # Only allow packets containing your legitimate SIP hostname(s)
        # @th,offset,length is a raw match at a fixed position: offset 160 bits
        # = byte 20 from the start of the UDP header = byte 12 of the SIP
        # payload; length 144 bits = the 18 bytes of "sip.yourdomain.com".
        # The hostname must sit exactly there, and length must be 8 x its
        # byte count, so both numbers change with the hostname.
        udp dport 5060-5064 @th,160,144 "sip.yourdomain.com" accept

        # Add additional hostnames if you have multiple SIP domains
        # (recompute the length: pbx.anotherdomain.com is 21 bytes = 168 bits)
        # udp dport 5060-5064 @th,160,168 "pbx.anotherdomain.com" accept

        # Block all other SIP traffic (direct IP connections)
        udp dport 5060-5064 jump badsip

        # RTP media ports - only for established connections
        # Adjust the port range to match your PBX configuration (commonly 10000-20000)
        udp dport 10000-20000 ct state established,related accept

        # Allow ICMP (ping) with rate limiting
        ip protocol icmp limit rate 1/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } limit rate 1/second accept
    }

    chain badsip {
        # Log dropped packets (this prefix is what the monitoring commands grep for)
        log prefix "nftables-BADSIP: " level warn
        drop
    }
}
```
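Added example, not part of the original post: a small Python check that simulates what the `@th,160,144` rule above compares, assuming `@th` offsets count in bits from the start of the 8-byte UDP header. It shows which constructed SIP requests the rule admits and what offset a given request would need, which is worth verifying before you rely on the rule for REGISTER traffic.

```python
# Added example (not from the original post): simulate the nftables raw-payload
# match "udp dport 5060-5064 @th,OFFSET,LENGTH <hostname>". Assumption: @th
# offsets are counted in bits from the first byte of the UDP header.
UDP_HEADER_BYTES = 8


def th_match(payload: bytes, offset_bits: int, length_bits: int, hostname: str) -> bool:
    """True if the bytes the rule reads from the transport header equal hostname."""
    if offset_bits % 8 or length_bits % 8:
        raise ValueError("offset and length must be whole bytes")
    start = offset_bits // 8 - UDP_HEADER_BYTES   # position inside the SIP payload
    end = start + length_bits // 8
    if start < 0 or end > len(payload):           # packet too short: no match
        return False
    return payload[start:end] == hostname.encode()


def rule_for(payload: bytes, hostname: str):
    """Return (offset_bits, length_bits) that would match the first occurrence of
    hostname in this payload, or None if the hostname is absent."""
    idx = payload.find(hostname.encode())
    if idx < 0:
        return None
    return ((UDP_HEADER_BYTES + idx) * 8, len(hostname) * 8)


HOST = "sip.yourdomain.com"   # placeholder hostname used in the post
# Constructed sample requests; only the request line matters for the offset.
OPTIONS_REQ = b"OPTIONS sip:sip.yourdomain.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10\r\n\r\n"
REGISTER_REQ = b"REGISTER sip:sip.yourdomain.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10\r\n\r\n"
SCANNER_REQ = b"OPTIONS sip:100@203.0.113.7 SIP/2.0\r\nVia: SIP/2.0/UDP 203.0.113.7\r\n\r\n"

if __name__ == "__main__":
    for name, pkt in (("OPTIONS", OPTIONS_REQ), ("REGISTER", REGISTER_REQ), ("scanner", SCANNER_REQ)):
        print(f"{name:9} matches @th,160,144: {th_match(pkt, 160, 144, HOST)!s:5} "
              f"would need: {rule_for(pkt, HOST)}")
```

The OPTIONS request matches because "OPTIONS sip:" is exactly 12 bytes; the REGISTER request needs offset 168, so check your clients' request lines before settling on one offset.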

Step 2: Include in Main nftables Configuration

Edit your main nftables configuration:

```bash
sudo nano /etc/nftables.conf
```

Add this line at the top level of the file (outside any table block, usually near the end) to include all custom rule files from the directory:

```bash
include "/etc/nftables.d/*.nft"
```

This way, any future .nft files you add to /etc/nftables.d/ will be automatically loaded without needing to modify the main configuration again.

Step 3: Apply the Rules

Test the syntax first:

```bash
sudo nft -c -f /etc/nftables.d/sip-protection.nft
```

If no errors, apply the rules:

```bash
sudo systemctl restart nftables
```

Enable nftables to start on boot:

```bash
sudo systemctl enable nftables
```

Step 4: Verify the Firewall

Check that your rules are active:

```bash
sudo nft list ruleset | grep -A 20 sip_filter
```

Step 5: Monitor Blocked Attacks

Watch blocked attacks in real-time:

```bash
# Using dmesg
sudo dmesg -w | grep "nftables-BADSIP"

# Or using journalctl
sudo journalctl -kf | grep "nftables-BADSIP"
```

See statistics:

```bash
# View rule counters
sudo nft list chain inet sip_filter input

# Count blocked packets
sudo dmesg | grep -c "nftables-BADSIP"

# Show blocked IPs (IPv4 only: the [0-9.]+ pattern does not match IPv6 sources)
sudo dmesg | grep "nftables-BADSIP" | grep -oP 'SRC=\K[0-9.]+' | sort | uniq -c | sort -rn
```
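Added example, not part of the original post: a Python summariser for the kernel log lines that the badsip chain's `log prefix "nftables-BADSIP: "` rule produces, run here over constructed sample lines. It goes a little beyond the grep one-liner by also capturing IPv6 sources and recording which SIP ports each source probed.

```python
import re
from collections import defaultdict

# Added example (not from the original post). Field layout follows the usual
# netfilter log format (SRC= ... PROTO= ... DPT=); sample lines are constructed.
LOG_RE = re.compile(
    r"nftables-BADSIP: .*?\bSRC=(?P<src>[0-9a-fA-F.:]+) .*?\bPROTO=(?P<proto>\w+) .*?\bDPT=(?P<dpt>\d+)"
)


def summarize(lines):
    """Return {src_ip: {"count": hits, "dports": sorted target ports}} for BADSIP lines."""
    stats = defaultdict(lambda: {"count": 0, "dports": set()})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:                      # not a BADSIP drop, ignore
            continue
        entry = stats[m["src"]]
        entry["count"] += 1
        entry["dports"].add(int(m["dpt"]))
    return {src: {"count": e["count"], "dports": sorted(e["dports"])} for src, e in stats.items()}


def top_sources(lines, n=5):
    """Most active blocked sources, busiest first."""
    return sorted(summarize(lines).items(), key=lambda kv: kv[1]["count"], reverse=True)[:n]


# Constructed sample of what `dmesg` shows; addresses are documentation ranges.
SAMPLE_LOG = """\
[  812.130] nftables-BADSIP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=442 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=5071 DPT=5060 LEN=422
[  812.131] nftables-BADSIP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=442 PROTO=UDP SPT=5071 DPT=5061 LEN=422
[  815.004] nftables-BADSIP: IN=eth0 OUT= SRC=2001:db8::1 DST=2001:db8:1::2 LEN=462 PROTO=UDP SPT=5060 DPT=5060 LEN=422
[  816.220] kernel: unrelated message SRC=192.0.2.1
""".splitlines()

if __name__ == "__main__":
    for src, info in top_sources(SAMPLE_LOG):
        print(f"{info['count']:5d}  {src:24}  ports {info['dports']}")
```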

Configuration Notes

Important settings to customize:

  1. Hostname: Replace sip.yourdomain.com with your actual SIP hostname(s), and set the rule's length field to 8 × the hostname's byte count (144 bits for the 18-byte example). Your phones and trunks must register to that hostname; requests addressed to the bare IP are dropped.
  2. SIP Ports: Default is 5060-5064, adjust if you use different ports
  3. RTP Ports: Default is 10000-20000, match this to your PBX configuration
  4. Multiple Hostnames: Add additional lines for each legitimate hostname

To find your RTP port range:

  • FreePBX: Settings → Asterisk SIP Settings → RTP Settings
  • Asterisk: Check rtp.conf
  • FreeSWITCH: Check switch.conf.xml

Benefits

  • Stops attacks before they reach your PBX – No authentication attempts logged
  • Zero performance impact – Filtering happens at the firewall level
  • No false positives – Legitimate traffic always includes the hostname
  • Simple to maintain – No complex rate limiting or IP blacklists
  • Works with any SIP PBX – Asterisk, FreeSWITCH, FreePBX, MikoPBX, etc.
  • Modern and efficient – nftables is faster and more flexible than iptables

Testing

After implementation, you should see:

  1. Legitimate calls working normally
  2. Attack attempts in your PBX security logs dropping to near-zero
  3. Blocked packets showing up in kernel logs with attacker IP addresses

Additional Security

While this firewall provides excellent protection, also ensure:

  • Use strong SIP passwords (16+ random characters)
  • Disable guest/anonymous SIP if not needed
  • Keep your PBX software updated
  • Consider VPN access for administrative interfaces

Advantages of nftables over iptables

  • Better performance – Single framework for IPv4, IPv6, and ARP
  • Cleaner syntax – More readable and maintainable
  • Atomic rule updates – All rules update at once, no temporary inconsistencies
  • Better debugging – Enhanced tracing and monitoring capabilities
  • Native sets and maps – More efficient IP/port matching
  • Future-proof – Default on modern Linux distributions

Conclusion

By filtering SIP traffic based on hostname presence using nftables, you create a simple but highly effective barrier against automated attacks. Scanners probing random IP addresses are blocked instantly, while legitimate traffic flows through unimpeded.

This approach is far simpler than complex rate limiting or Fail2ban configurations, yet equally or more effective for stopping authentication attacks on SIP-based PBX systems.

Related: Running an older system? Check out my guide on blocking SIP authentication attacks with iptables for legacy firewall configurations.
