Enhancing security through blocking of IP addresses on a geographic basis
There are many approaches to implementing security in Asterisk, but for some system administrators it becomes a headache when certain users roam with a softphone or VoIP adapter and expect to be able to connect to the "home" Asterisk system from wherever they happen to be. Unless the user is connecting through a VPN, it may be impossible to know in advance what IP address they will be connecting from. This means you cannot pre-emptively set permit and deny settings to allow connections only from an "approved" IP address. Enforcing strong passwords is very helpful (and pretty much essential) in this situation, and Fail2Ban (with iptables) and Asterisk can also help improve security, but additional protection can be imposed through geographic blocking. For example, if your users never travel outside their home country, then any connection from an IP address located outside that country would be considered extremely suspicious, even if the correct password is presented. System administrators may therefore want to consider automatically blocking connections from outside an "approved" area.
The purpose of this page is to list any scripts, software, or other mechanisms that attempt to enhance Asterisk security through the use of selective geographic blocking.
Available Software and Scripts
- SecAst www.generationd.com is a product which can restrict access to Asterisk based on geographic IP location. It is compatible with IPv4 and IPv6, and allows you to restrict access by continent / country / region / city. SecAst is a commercial product, but there is a free edition which is like fail2ban on steroids.
- Geolock is a simple experimental Perl script that can be set up as a cron job to run once per minute. It does the equivalent of a "sip show peers" or "iax2 show peers" command from the Asterisk CLI, examines the IP address of each non-local connected extension, and uses a Perl module and geographic database to determine where that IP address is located. If the connection is coming from outside the home country (the US by default, but that is easily changed), then an iptables rule is created that drops connections from that IP address. The extension itself is not banned, so the valid user should still be able to connect from within the "approved" geographic area.
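The Geolock approach described above, written out as an added example (not the Geolock script itself, which is Perl): parse "sip show peers" output, skip unregistered and LAN peers, geolocate the rest, and emit a DROP rule for each peer outside the home country. The sample CLI output, the country lookup table and the country codes are all constructed; a real script would query a GeoIP database in place of `country_of`.

```python
import ipaddress

# Constructed sample of "asterisk -rx 'sip show peers'" output (RFC 5737 addresses).
SIP_SHOW_PEERS = """\
Name/username     Host             Dyn Forcerport ACL Port  Status
1001/1001         192.168.1.20      D  N              5060  OK (12 ms)
1002/1002         203.0.113.7       D  N              5060  OK (45 ms)
1003/1003         (Unspecified)     D  N                 0  UNKNOWN
1004/1004         198.51.100.9      D  N              5060  OK (80 ms)
4 sip peers [Monitored: 3 online, 1 offline Unmonitored: 0 online, 0 offline]
"""

# Constructed stand-in for a GeoIP database lookup; country codes are invented.
GEO_DB = {"203.0.113.7": "DE", "198.51.100.9": "US"}

# Addresses in these ranges belong to the LAN and are never banned.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def country_of(ip):
    """Return an ISO country code, or None when the address cannot be located."""
    return GEO_DB.get(ip)

def parse_sip_peers(text):
    """Yield (peer_name, ip) for each registered peer with a non-local address."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] == "Name/username":
            continue                     # blank lines and the column header
        try:
            addr = ipaddress.ip_address(fields[1])
        except ValueError:
            continue                     # "(Unspecified)" peers and the summary line
        if any(addr in net for net in LOCAL_NETS):
            continue                     # LAN extensions stay out of scope
        yield fields[0], str(addr)

def block_rules(text, home_countries=("US",)):
    """Return (iptables DROP commands, peers the database could not place)."""
    rules, unknown = [], []
    for name, ip in parse_sip_peers(text):
        cc = country_of(ip)
        if cc is None:
            unknown.append((name, ip))   # report for review, never ban blindly
        elif cc not in home_countries:
            # Ban the source address only; the extension itself stays usable.
            rules.append(f"iptables -I INPUT -s {ip} -j DROP")
    return rules, unknown
```

Running `block_rules(SIP_SHOW_PEERS)` yields one DROP rule for 203.0.113.7 and leaves the LAN peer and the US peer alone.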
- Travelin’ Man is "a web- based, one-click Asterisk application that automatically reconfigures your Asterisk PBX to enable remote SIP phone access from your cellphone, iPad, remote PC, NetBook, or desktop telephone." It is said to only work with the "Incredible PBX" distribution. ...