How to prevent toll-fraud on Cisco routers
Consider a Cisco IOS router configured as a SIP gateway. Below are four different ways to secure the system so that only certain IP addresses (endpoints) can send and receive calls. The key to this task is trusting the VoIP call sources; doing so lets us prevent toll-fraud attacks.
!
! The CLI command "ip address trusted list" (from 15.1(2)T). In this example only
! the IP address 192.168.30.252 is trusted to contact the SIP process.
!
voice service voip
 ip address trusted list
  ipv4 192.168.30.252
 allow-connections sip to sip
 fax protocol pass-through g711alaw
 sip
!
! The command "carrier-id source" can be used to bind a dial-peer to specific IP
! addresses: the source-group references access-list 75 (below) and a carrier-id,
! and the dial-peer below references the same carrier-id.
voice source-group Trust
 access-list 75
 carrier-id source carrier1
!
! With a translation-rule it is possible to create a prefix that acts like
! a password for calls. This is a weak protection and you should use it in
! addition to one of the methods above.
!
translation-rule 1
 Rule 0 ^7970 0
 Rule 1 ^7971 1
 Rule 2 ^7972 2
 Rule 3 ^7973 3
 Rule 4 ^7974 4
 Rule 5 ^7975 5
 Rule 6 ^7976 6
 Rule 7 ^7977 7
 Rule 8 ^7978 8
 Rule 9 ^7979 9
!
dial-peer voice 20 pots
 destination-pattern 797T
 translate-outgoing called 1
 carrier-id source carrier1
 direct-inward-dial
 port 0/2/0:15
 forward-digits all
!
sip-ua
 sip-server ipv4:192.168.10.252
!
access-list 75 permit 192.168.10.252
access-list 75 deny any
!
! You can use an extended access-list to block UDP port 5060 on interfaces
! and protect the router. Apply this ACL inbound on the untrusted interfaces.
! Every ACL ends with an implicit "deny any": without a final permit, all
! other traffic on that interface is dropped, so the trusted SIP server
! (the sip-server above) is permitted first and a "permit ip any any" closes the list.
!
access-list 121 remark --- Restrict SIP access from untrusted sources ---
access-list 121 permit udp host 192.168.10.252 any eq 5060
access-list 121 deny udp any eq 5060 any
access-list 121 deny udp any any eq 5060
access-list 121 permit ip any any
!
!
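As an added example (not part of the original post), here is a Python check that parses a running-config text and reports which of the four controls above are present: the trusted list, a source-group whose ACL and carrier-id are actually bound to a dial-peer, a translation-rule prefix, and the UDP/5060 ACL. The sample config and the function name are constructed for this example.

```python
import re

# Constructed sample running-config (not from a real device) carrying the trusted
# list, source-group, dial-peer and ACL controls described above.
SAMPLE_CONFIG = """\
voice service voip
 ip address trusted list
  ipv4 192.168.30.252
!
voice source-group Trust
 access-list 75
 carrier-id source carrier1
!
dial-peer voice 20 pots
 destination-pattern 797T
 carrier-id source carrier1
!
access-list 75 permit 192.168.10.252
access-list 75 deny any
access-list 121 deny udp any any eq 5060
"""

def audit_toll_fraud_controls(config: str) -> dict:
    """Report which of the four toll-fraud controls an IOS config contains."""
    # 1. Trusted list: stanza present and at least one ipv4 entry under it.
    trusted_ips = re.findall(r"^\s*ipv4\s+(\d+(?:\.\d+){3})", config, re.M)
    trusted_list = "ip address trusted list" in config and bool(trusted_ips)
    # 2. Source-group: its ACL must permit something and end in an explicit deny,
    #    and its carrier-id must be bound to at least one dial-peer.
    sg = re.search(r"^voice source-group \S+\n((?:[ \t].*\n)*)", config, re.M)
    body = sg.group(1) if sg else ""
    acl = re.search(r"access-list\s+(\d+)", body)
    carrier = re.search(r"carrier-id source\s+(\S+)", body)
    acl_ok = bool(acl) and bool(re.search(rf"^access-list {acl.group(1)} permit ", config, re.M)) \
        and bool(re.search(rf"^access-list {acl.group(1)} deny any\s*$", config, re.M))
    bound = bool(carrier) and bool(re.search(
        r"^dial-peer voice .*\n(?:[ \t].*\n)*?[ \t]+carrier-id source "
        + re.escape(carrier.group(1)) + r"\s*$", config, re.M))
    # 3. Translation-rule prefix: a defined rule that some dial-peer applies.
    rules = re.findall(r"^translation-rule (\d+)", config, re.M)
    translation = any(re.search(rf"^[ \t]+translate-outgoing called {n}\s*$", config, re.M)
                      for n in rules)
    # 4. Interface ACL dropping SIP signalling on UDP/5060.
    sip_acl = bool(re.search(r"^access-list \d+ deny udp any any eq 5060", config, re.M))
    return {"trusted_list": trusted_list, "trusted_ips": trusted_ips,
            "source_group_bound": acl_ok and bound,
            "translation_rule": translation, "sip_port_acl": sip_acl}
```

Feed it the output of "show running-config" and any False entry marks a control that is missing or only half configured (for instance a source-group whose carrier-id no dial-peer references).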
-----------------
This post is by Gianrico Fichera, March 2020, email gianrico at gianrico.com
Please help me to do a better job! If you find something wrong in this page, please advise!