VOIP Blacklist

How to install VoIPBL ?

ScopTEL PBX

If you are using ScopServ Telephony Server then simply go into the Web GUI on Telephony - Configuration - Security and enable the VoIP Blacklist support.

Asterisk and others PBX

For other Asterisk-based IP PBX installations, we recommend you follow these instructions to enable VoIP Blacklist support on your system and reduce attack.

Here's the instruction on how to configure VoIP Blacklist on a Linux based system. Simply skip this section if you are using ScopTEL PBX from ScopServ International Inc.
If you want to configure VoIP Blacklist on your own Asterisk PBX, then you will need to install Fail2ban . This is the only required dependency needed to run VoIP Blacklist on your server.

Steps

One Two Three Four Five Six

You must install Fail2ban on your server. You can refer to the Fail2ban website for detailed instructions and advanced configurations.

Create the /etc/cron.d/voipbl file to update rules each 4 hours

    # update blacklist each 4 hours
    0 */4 * * * * root /usr/local/bin/voipbl.sh

If you are using iptables then save the content in /usr/local/bin/voipbl.sh to automatically block offending IP Addresses, Subnet or Netblock. You must also do a chmod 700 on this file.

#!/bin/bash

# Check if chain exists and create one if required
if [ `iptables -L | grep -c "Chain BLACKLIST-INPUT"` -lt 1 ]; then
  /sbin/iptables -N BLACKLIST-INPUT
  /sbin/iptables -I INPUT 1 -j BLACKLIST-INPUT
fi

# Empty the chain
/sbin/iptables -F BLACKLIST-INPUT
wget -qO - http://www.voipbl.org/update/ |\
  awk '{print "if [ ! -z \""$1"\" -a \""$1"\" !=  \"#\" ]; then /sbin/iptables -A BLACKLIST-INPUT -s \""$1"\" -j DROP;fi;"}' | sh

Alternatively, if your system support ipset, you can use the following script: (thanks to Graham Barnett for his contribution)

#!/bin/bash

URL="http://www.voipbl.org/update/"

set -e
echo "Downloading rules from VoIP Blacklist"
wget -qO - $URL -O /tmp/voipbl.txt

echo "Loading rules..."

# Check if rule set exists and create one if required
if ! $(/usr/sbin/ipset list voipbl > /dev/null 2>&1); then
  ipset -N voipbl iphash
fi

#Check if rule in iptables
if ! $(/sbin/iptables -w --check INPUT -m set --match-set voipbl src -j DROP > /dev/null 2>&1); then
 /sbin/iptables -I INPUT 1 -m set --match-set voipbl src -j DROP
fi

# Create temporary chain
ipset destroy voipbl_temp > /dev/null 2>&1 || true
ipset -N voipbl_temp iphash

cat /tmp/voipbl.txt |\
  awk '{ print "if [ ! -z \""$1"\" -a \""$1"\"  != \"#\" ]; then /usr/sbin/ipset  -A voipbl_temp \""$1"\" ;fi;"}' | sh

ipset swap voipbl_temp voipbl
ipset destroy voipbl_temp || true

echo "Done! Rules loaded"

Add a new Fail2ban Jail on /etc/fail2ban/jail.conf

[asterisk-iptables]
action   = iptables-allports[name=ASTERISK, protocol=all]
           voipbl[serial=XXXXXXXXXX]

Now define the VoIP Blacklist actions for Fail2ban on /etc/fail2ban/action.d/voipbl.conf.

# Description: Configuration for Fail2Ban

[Definition]

actionban   = <getcmd> "<url>/ban/?serial=<serial>&ip=<ip>&count=<failures>"
actionunban = <getcmd> "<url>/unban/?serial=<serial>&ip=<ip>&count=<failures>"

[Init]

getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 \
              --read-timeout=60 --retry-connrefused --output-document=- \
	      --user-agent=Fail2Ban

url = http://www.voipbl.org

Now you can restart the Fail2ban daemon to get protected agains VoIP Fraud!