How to secure your ASTPP server

I installed new instance of ASTPP 4.0.1 in the cloud and so far it is working great and I am happy that it is working correctly. Now, problem is, since it is hosted on a public ip (i don’t have a FQDN), I have started getting unwanted REGISTER and INVITE attacks, plus a lot of unwanted traffic from the web. I have tried using fail2ban, voipbl.org, every conceivable way, but the offending ips are still there (maybe wrong fail2ban and voipbl settings??) . I read somewhere about using the ACL, but I haven’t figured it out yet how to do it. Anyone experienced with that? I have reached a point where I am considering adding a opensips or kamailio sip proxy infront of the ASTPP, but I do not know how to integrate them with ASTPP. Any help?

Kind regards.

Hello @Karim ,
By default ASTPP also install fail2ban if you allow during installation and help automatically to avoid such cases. Even you can check there is one function in installation script.

Apart from that i found one useful link which give more details related to same manually: Fail2ban Configuration for Secure Servers: One Step at a Time

Beside ACL you can refer this: Access Control List (ACL) - FreeSWITCH - Confluence

Thanks @hemdip.badani , I realized fail2ban is automatically installed and has the sshd jail present by default in ASTPP. It is confusing how the sshd jail is active without having the line “enabled = true” in its description in jail.conf file. How does one activate the other jails? I tried copying jail.conf into a new file jail.local and add a line “enabled = true” within the particular jail eg [freeswitch], but that broke fail2ban.

I will check out the link about ACL to have a better understanding, thanks.

Have you ever tried using opensips or kamailio as a sip edge proxy?

@Karim ,

Not much aware with fail2ban logic but may be you can reinstall complete ASTPP from scratch and check.

I not tried to use opensips or kamailio as aa sip edge proxy, but you can try as many members doing or may be it would be great if someone else also give insights if they have idea and share here :slight_smile:

I dove deeply into the fail2ban documentation and realized that later versions of fail2ban has a different way to customize and activate custom jails. So far I’m getting the jist of it because the attacks have reduced significantly, though still not completely comfortable that I have decently secured the system. I will keep everyone updated.

Anyone else with insights on how to use kamailio, opensips as an edge proxy for ASTPP?

Hello @Karim ,

Found one link from previous post of our forum, if it useful to you OpenSIPS configuration for 2 or more FreeSWITCH installs - FreeSWITCH - Confluence