asterisk users - Jan 2009 - lock SIP Account after too many failed logins

Hi!

I want to detect brute-force password hacking attacks - thus if there 
are too many failed login attempts for a SIP account I want to "lock" 
this account.

Does somebody have any ideas how this could be implemented?

thanks
klaus

On 9 Jan 2009, at 16:36, Klaus Darilion wrote:
> Hi!
>
> I want to detect brute-force password hacking attacks - thus if there
> are too many failed login attempts for a SIP account I want to
"lock"
> this account.
>
> Does somebody have any ideas how this could be implemented?
Bad plan? Could quite easily turn into a DoS.

On Fri, 2009-01-09 at 16:49 +0000, Steve Howes wrote:
> On 9 Jan 2009, at 16:36, Klaus Darilion wrote:
> > Hi!
> >
> > I want to detect brute-force password hacking attacks - thus if there
> > are too many failed login attempts for a SIP account I want to
"lock"
> > this account.
> >
> > Does somebody have any ideas how this could be implemented?
> 
> Bad plan? Could quite easily turn into a DoS.
Could this be done at the IP tables level?  Or maybe you could write a
script that monitors the asterisk logs and detects failed login attempts
then adds problematic IP address to hosts.deny.  I know of several ssh
blocking scripts that work this way.

-- 
Matthew Nicholson
Digium, Inc. | Software Developer

On 11:04, Fri 09 Jan 09, Matthew Nicholson wrote:
> On Fri, 2009-01-09 at 16:49 +0000, Steve Howes wrote:
> > On 9 Jan 2009, at 16:36, Klaus Darilion wrote:
> > > Hi!
> > >
> > > I want to detect brute-force password hacking attacks - thus if
there
> > > are too many failed login attempts for a SIP account I want to
"lock"
> > > this account.
> > >
> > > Does somebody have any ideas how this could be implemented?
> > 
> > Bad plan? Could quite easily turn into a DoS.
> 
> Could this be done at the IP tables level?  Or maybe you could write a
> script that monitors the asterisk logs and detects failed login attempts
> then adds problematic IP address to hosts.deny.  I know of several ssh
> blocking scripts that work this way.
I think fail2ban can do this.
It has a configuration file where you can list your logs and regexp
matches in this logfile.

I use fail2ban on linux to detect those types of attacks on my ftp,
imap, pop3, smtp+sasl, ssh etc etc

It can take action by blocking the ip for a specified period.
The block can be configured. iptables, hosts.deny, pf, ipfw,
custom-script-to-send-block-rule-to-cisco-pix,whatever.

http://www.fail2ban.org/wiki/index.php/Main_Page
> 
> -- 
> Matthew Nicholson
> Digium, Inc. | Software Developer
> 
> 
> _______________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> 
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
-- 

Michiel van Baak
michiel at vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called
users?"

Check out this howto: http://engineertim.com/?p=16

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

----- "Michiel van Baak" <michiel at vanbaak.info> wrote:
> On 11:04, Fri 09 Jan 09, Matthew Nicholson wrote:
> > On Fri, 2009-01-09 at 16:49 +0000, Steve Howes wrote:
> > > On 9 Jan 2009, at 16:36, Klaus Darilion wrote:
> > > > Hi!
> > > >
> > > > I want to detect brute-force password hacking attacks - thus
if
> there
> > > > are too many failed login attempts for a SIP account I want
to
> "lock"
> > > > this account.
> > > >
> > > > Does somebody have any ideas how this could be implemented?
> > > 
> > > Bad plan? Could quite easily turn into a DoS.
> > 
> > Could this be done at the IP tables level?  Or maybe you could write
> a
> > script that monitors the asterisk logs and detects failed login
> attempts
> > then adds problematic IP address to hosts.deny.  I know of several
> ssh
> > blocking scripts that work this way.
> 
> I think fail2ban can do this.
> It has a configuration file where you can list your logs and regexp
> matches in this logfile.
> 
> I use fail2ban on linux to detect those types of attacks on my ftp,
> imap, pop3, smtp+sasl, ssh etc etc
> 
> It can take action by blocking the ip for a specified period.
> The block can be configured. iptables, hosts.deny, pf, ipfw,
> custom-script-to-send-block-rule-to-cisco-pix,whatever.
> 
> http://www.fail2ban.org/wiki/index.php/Main_Page
> 
> > 
> > -- 
> > Matthew Nicholson
> > Digium, Inc. | Software Developer
> > 
> > 
> > _______________________________________________
> > -- Bandwidth and Colocation Provided by http://www.api-digital.com
> --
> > 
> > asterisk-users mailing list
> > To UNSUBSCRIBE or update options visit:
> >    http://lists.digium.com/mailman/listinfo/asterisk-users
> 
> -- 
> 
> Michiel van Baak
> michiel at vanbaak.eu
> http://michiel.vanbaak.eu
> GnuPG key:
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD
> 
> "Why is it drug addicts and computer aficionados are both called
> users?"
> 
> 
> _______________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> 
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users

>> I want to detect brute-force password hacking attacks - thus if there
>> are too many failed login attempts for a SIP account I want to
"lock"
>> this account.
> 
>> Does somebody have any ideas how this could be implemented?
The usual method (I think) is to monitor the log files, and
detect repeated patterns of suspicious actions occurring
within a given period of time.

A program such as logwatch (www.logwatch.org) might work, or
you could write something in Perl.  If you're logging via
syslog, you can have syslog write new messages into a pipe
as well as into a log file, and thus parse and evaluate
new messages immediately with no buffering delay.
> Bad plan? Could quite easily turn into a DoS.
If the reaction is to lock the account, I agree, it might
leave you prone to a denial-of-service attack.

A better way would be to use iptables to start dropping
packets from the IP address(es) involved in the attack... this
will still allow the legitimate user of the account to access
it.

The block-IP-address-only method won't defend effectively
against a "slow scan" botnet-based crack attempt, where each
password-guessing attempt comes from a different IP address
in the botnet.  A lot of current SSH password-guess probes are
of this sort.  I don't think there's any terribly good defense
against this except to select *good* passwords - e.g. 20 or more
alphanumeric characters selected by a good random-number generator.

To be pro-active, I'd suggest that you acquire a password
quality-evaluation program (the Perl Data::Password class
from CPAN might be a useful starting point) and check the
password quality of all of your SIP accounts.  Require a
password change for any password of unacceptably low quality.