Klaus Darilion
2009-Jan-09 16:36 UTC
[asterisk-users] lock SIP Account after too many failed logins
Hi!

I want to detect brute-force password hacking attacks - thus if there are too many failed login attempts for a SIP account I want to "lock" this account.

Does somebody have any ideas how this could be implemented?

thanks
klaus
Steve Howes
2009-Jan-09 16:49 UTC
[asterisk-users] lock SIP Account after too many failed logins
On 9 Jan 2009, at 16:36, Klaus Darilion wrote:

> Hi!
>
> I want to detect brute-force password hacking attacks - thus if there
> are too many failed login attempts for a SIP account I want to "lock"
> this account.
>
> Does somebody have any ideas how this could be implemented?

Bad plan? Could quite easily turn into a DoS.
Matthew Nicholson
2009-Jan-09 17:04 UTC
[asterisk-users] lock SIP Account after too many failed logins
On Fri, 2009-01-09 at 16:49 +0000, Steve Howes wrote:

> On 9 Jan 2009, at 16:36, Klaus Darilion wrote:
> > Hi!
> >
> > I want to detect brute-force password hacking attacks - thus if there
> > are too many failed login attempts for a SIP account I want to "lock"
> > this account.
> >
> > Does somebody have any ideas how this could be implemented?
>
> Bad plan? Could quite easily turn into a DoS.

Could this be done at the IP tables level? Or maybe you could write a script that monitors the asterisk logs and detects failed login attempts then adds problematic IP address to hosts.deny. I know of several ssh blocking scripts that work this way.

--
Matthew Nicholson
Digium, Inc. | Software Developer
Michiel van Baak
2009-Jan-09 18:24 UTC
[asterisk-users] lock SIP Account after too many failed logins
On 11:04, Fri 09 Jan 09, Matthew Nicholson wrote:

> On Fri, 2009-01-09 at 16:49 +0000, Steve Howes wrote:
> > On 9 Jan 2009, at 16:36, Klaus Darilion wrote:
> > > Hi!
> > >
> > > I want to detect brute-force password hacking attacks - thus if there
> > > are too many failed login attempts for a SIP account I want to "lock"
> > > this account.
> > >
> > > Does somebody have any ideas how this could be implemented?
> >
> > Bad plan? Could quite easily turn into a DoS.
>
> Could this be done at the IP tables level? Or maybe you could write a
> script that monitors the asterisk logs and detects failed login attempts
> then adds problematic IP address to hosts.deny. I know of several ssh
> blocking scripts that work this way.

I think fail2ban can do this.
It has a configuration file where you can list your logs and regexp matches in this logfile.

I use fail2ban on linux to detect those types of attacks on my ftp, imap, pop3, smtp+sasl, ssh etc etc

It can take action by blocking the ip for a specified period.
The block can be configured. iptables, hosts.deny, pf, ipfw, custom-script-to-send-block-rule-to-cisco-pix, whatever.

http://www.fail2ban.org/wiki/index.php/Main_Page

> --
> Matthew Nicholson
> Digium, Inc. | Software Developer
>
> _______________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users

--
Michiel van Baak
michiel at vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"
Tim Nelson
2009-Jan-09 18:34 UTC
[asterisk-users] lock SIP Account after too many failed logins
Check out this howto: http://engineertim.com/?p=16

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

----- "Michiel van Baak" <michiel at vanbaak.info> wrote:

> On 11:04, Fri 09 Jan 09, Matthew Nicholson wrote:
> > On Fri, 2009-01-09 at 16:49 +0000, Steve Howes wrote:
> > > On 9 Jan 2009, at 16:36, Klaus Darilion wrote:
> > > > Hi!
> > > >
> > > > I want to detect brute-force password hacking attacks - thus if there
> > > > are too many failed login attempts for a SIP account I want to "lock"
> > > > this account.
> > > >
> > > > Does somebody have any ideas how this could be implemented?
> > >
> > > Bad plan? Could quite easily turn into a DoS.
> >
> > Could this be done at the IP tables level? Or maybe you could write a
> > script that monitors the asterisk logs and detects failed login attempts
> > then adds problematic IP address to hosts.deny. I know of several ssh
> > blocking scripts that work this way.
>
> I think fail2ban can do this.
> It has a configuration file where you can list your logs and regexp
> matches in this logfile.
>
> I use fail2ban on linux to detect those types of attacks on my ftp,
> imap, pop3, smtp+sasl, ssh etc etc
>
> It can take action by blocking the ip for a specified period.
> The block can be configured. iptables, hosts.deny, pf, ipfw,
> custom-script-to-send-block-rule-to-cisco-pix, whatever.
>
> http://www.fail2ban.org/wiki/index.php/Main_Page
>
> > --
> > Matthew Nicholson
> > Digium, Inc. | Software Developer
>
> --
> Michiel van Baak
> michiel at vanbaak.eu
> http://michiel.vanbaak.eu
> GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD
>
> "Why is it drug addicts and computer aficionados are both called users?"
Dave Platt
2009-Jan-09 18:52 UTC
[asterisk-users] lock SIP Account after too many failed logins
>> I want to detect brute-force password hacking attacks - thus if there
>> are too many failed login attempts for a SIP account I want to "lock"
>> this account.
>
>> Does somebody have any ideas how this could be implemented?

The usual method (I think) is to monitor the log files, and detect repeated patterns of suspicious actions occurring within a given period of time. A program such as logwatch (www.logwatch.org) might work, or you could write something in Perl. If you're logging via syslog, you can have syslog write new messages into a pipe as well as into a log file, and thus parse and evaluate new messages immediately with no buffering delay.

> Bad plan? Could quite easily turn into a DoS.

If the reaction is to lock the account, I agree, it might leave you prone to a denial-of-service attack. A better way would be to use iptables to start dropping packets from the IP address(es) involved in the attack... this will still allow the legitimate user of the account to access it.

The block-IP-address-only method won't defend effectively against a "slow scan" botnet-based crack attempt, where each password-guessing attempt comes from a different IP address in the botnet. A lot of current SSH password-guess probes are of this sort. I don't think there's any terribly good defense against this except to select *good* passwords - e.g. 20 or more alphanumeric characters selected by a good random-number generator.

To be pro-active, I'd suggest that you acquire a password quality-evaluation program (the Perl Data::Password class from CPAN might be a useful starting point) and check the password quality of all of your SIP accounts. Require a password change for any password of unacceptably low quality.
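A small detector over constructed Asterisk-style chan_sip log lines, added here as an example and not code from any poster or from fail2ban: it counts failed registrations per source IP in a sliding window (the log-watching, block-the-IP approach Matthew and Michiel describe) and separately counts distinct source IPs per account to surface the slow-scan case Dave raises, reporting that account for review rather than locking it. The log line format, addresses and thresholds are assumptions for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# chan_sip logs a NOTICE per failed registration; this pattern mirrors what a
# fail2ban filter would match. The log lines below are constructed samples.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?<sip:(?P<user>[^@>]+)@[^>]*>' failed for "
    r"'(?P<ip>[\d.]+)(?::\d+)?' - .+$"
)

SAMPLE_LOG = """\
[Jan  9 16:36:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Jan  9 16:36:02] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Jan  9 16:36:03] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Jan  9 16:40:00] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Jan  9 16:41:00] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.8' - Wrong password
[Jan  9 16:42:00] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.9' - Wrong password
"""

def analyse(log_text, max_fails=3, window=timedelta(minutes=10),
            distinct_ips=3, year=2009):
    """Return (ips_to_block, accounts_probed_from_many_ips).

    Failures are counted per source IP in a sliding window, as a fail2ban jail
    does; an IP reaching max_fails is a block candidate. Per account we only
    track how many distinct IPs failed against it: that is the slow-scan case
    per-IP blocking misses, and it is reported for review, not used to lock the
    account (an attacker could otherwise lock out the real user).
    """
    per_ip = defaultdict(deque)
    per_account = defaultdict(set)
    blocked, probed = set(), set()
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = per_ip[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= max_fails:
            blocked.add(m["ip"])
        per_account[m["user"]].add(m["ip"])
        if len(per_account[m["user"]]) >= distinct_ips:
            probed.add(m["user"])
    return blocked, probed
```

Feeding the sample log to `analyse` flags 203.0.113.5 for blocking and reports account 200 as probed from several addresses; a real deployment would tail the log and hand the blocked set to iptables or hosts.deny rather than return it.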