October 14, 2021

666 words 4 mins read

Hide From Shodan

Hide From Shodan

If you are planning on exposing your private VoIP server to the public internet but are concerned about hacks and attacks, I might have one trick to help keep you hidden.

When looking for a website to answer your questions, most people turn to Google. On the other hand, when looking for applications, IPs or network ports exposed on the internet, Shodan.io is usually the first stop.

Shodan offers a service, dare I say, like Google, that scans the internet. But, unlike Google that scans primarily web pages, Shodan scans IP addresses and open ports, trying to detect services running behind these open ports either by grabbing service banners or by interpreting responses sent back from these services. Their database can also be queried using APIs, so for example if you are looking for servers on the internet running Asterisk 13, query away on Shodan, and get your list!

This service simplifies the work of hackers looking for a specific application version that has known vulnerabilities. Yes, scary, so please make sure your security patches are up to date!

So, if you are offering a SIP/VoIP service for your employees over the public internet or have your private IP PBX at your home exposed to the internet, then you pretty much are already in Shodan’s database …. But should you be?

Shodan uses SIP OPTIONS pings over both UDP and TCP to detect SIP devices so the obvious solution is not to respond (hide) from these requests. But how?

Let’s first start with the basics and by basics I mean using APIBAN. I mentioned it in my previous post Understanding VoIP Hackers and Fred Posner walks through the process of installing APIBAN in 5 minutes here. It is a free service that provides you with IP addresses of fraudsters gathered from honeypots globally. With Shodan constantly scanning IPs from different IP addresses globally, their IP addresses are already in the APIBAN database. Work has been done to make it so easy to integrate APIBAN with any application running on linux (by making use of the linux firewall) and SIP servers like Kamailio, Drachtio that at this stage there is absolutely no excuse not to be using it.

If for some reason you do not want to use APIBAN, an option is to drop all SIP OPTIONS pings on your SIP border device (I hope you are using Kamailio) but if that is also not an option (pun intended) because you have for example SIP trunks and are using OPTIONS as a way to signal that your device is up, then there one intersting solution.

To figure this solution out let’s take a look at the OPTIONS ping packet Shodan sends over UDP.

OPTIONS sip:nm SIP/2.0
Via: SIP/2.0/UDP nm;branch=foo
From: <sip:nm@nm>;tag=root
To: <sip:nm2@nm2>
Call-ID: 50000
Max-Forwards: 70
Content-Length: 0
Contact: <sip:nm@nm>
Accept: application/sdp

The headers that are consistent across board are Via, From, To, Call-ID, Contact and even CSeq! I am sure you now see where I am going with this … If your SIP border device can filter on header content (as it should. If not then please use Kamailio), filter and drop such a packet.

In Kamailio for example, if you would like to filter out an OPTIONS packet based on the user part of the From header, in this case ’nm’, it would be as simple as:

if($rm='OPTIONS' && $fU='nm') {

With Kamailio you can filter based on any content of any header so you can decide on any logic that makes most sense for you.

This solution however will be valid till the folks at Shodan decide to change their script so having this as a backup plan to using APIBAN is not a bad idea.

Running any service on the public internet has its risks. I still believe that any option you have to stay undetected should be used but of course that SHOULD NOT BE YOUR ONLY security policy.

Stay safe and keep flying Kamailio 😎