Rodrigo Lang
2010-Jun-29 14:39 UTC
[asterisk-users] Find a way to block brute force attacks.
Hello list.

I'm trying to find a way to block any IP that tries to log in more than three times with the wrong password and tries to log in to three different extensions, since I have suffered some brute force attacks on my Asterisk in the morning period.

The idea would be: any IP with three unsuccessful attempts to log in to an extension is blocked.

Is there any way to accomplish this directly in Asterisk? Or does Asterisk spit this information out via the AMI in some way?

I was thinking of making a Java program to listen to the AMI and create an iptables rule for that specific IP.

Does anyone have any suggestions?

Thanks,
Rodrigo Lang.
There are some good suggestions here as a starting point:
http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood/

Rgds,
mcr

On 29 June 2010 15:39, Rodrigo Lang <rodrigoferreiralang at gmail.com> wrote:
> Hello list.
>
> I'm trying to find a way to block any IP that tries to log in more than
> three times with the wrong password and tries to log in to three different
> extensions, since I have suffered some brute force attacks on my Asterisk in
> the morning period.
>
> The idea would be: any IP with three unsuccessful attempts to log in to
> an extension is blocked.
>
> Is there any way to accomplish this directly in Asterisk? Or does Asterisk
> spit this information out via the AMI in some way?
>
> I was thinking of making a Java program to listen to the AMI and create an
> iptables rule for that specific IP.
>
> Does anyone have any suggestions?
>
> Thanks,
> Rodrigo Lang.
Gareth Blades
2010-Jun-29 15:12 UTC
[asterisk-users] Find a way to block brute force attacks.
Rodrigo Lang wrote:
> Hello list.
>
> I'm trying to find a way to block any IP that tries to log in more than
> three times with the wrong password and tries to log in to three different
> extensions, since I have suffered some brute force attacks on my Asterisk
> in the morning period.
>
> The idea would be: any IP with three unsuccessful attempts to log
> in to an extension is blocked.
>
> Is there any way to accomplish this directly in Asterisk? Or does
> Asterisk spit this information out via the AMI in some way?
>
> I was thinking of making a Java program to listen to the AMI and create an
> iptables rule for that specific IP.
>
> Does anyone have any suggestions?
>
> Thanks,
> Rodrigo Lang.

Does Asterisk log the failed attempts to a file? If so, then you could use sshblack to monitor the file for incorrect logins. It will add firewall rules to a custom iptables chain based on various criteria. You can then point incoming SIP connections through this chain so offenders will be firewalled for a specific amount of time.

http://www.pettingers.org/code/sshblack.html
Zeeshan Zakaria
2010-Jun-29 17:38 UTC
[asterisk-users] Find a way to block brute force attacks.
If I didn't have fail2ban, I would have way over 20k of these entries in my Asterisk log.

Zeeshan A Zakaria
--
www.ilovetovoip.com

On 2010-06-29 1:36 PM, "Rodrigo Lang" <rodrigoferreiralang at gmail.com> wrote:
> Good afternoon.
>
> Thanks to everyone for the answers. What I find strange is that Asterisk
> does not have any native tool for SIP server security.
>
> Here's an example of the syslog messages from Asterisk:
>
> [Jun 15 03:05:46] NOTICE [25284] chan_sip.c: Registration from '"213" <sip:213 at my_extern_ip>' failed for '116 .124.128.82 '- Wrong password
> [Jun 15 03:05:46] NOTICE [25284] chan_sip.c: Registration from '"213" <sip:213 at my_extern_ip>' failed for '116 .124.128.82 '- Wrong password
> [Jun 15 03:05:46] NOTICE [25284] chan_sip.c: Registration from '"213" <sip:213 at my_extern_ip>' failed for '116 .124.128.82 '- Wrong password
> [Jun 15 03:05:46] NOTICE [25284] chan_sip.c: Registration from '"213" <sip:213 at my_extern_ip>' failed for '116 .124.128.82 '- Wrong password
> [Jun 15 03:05:46] NOTICE [25284] chan_sip.c: Registration from '"213" <sip:213 at my_extern_ip>' failed for '116 .124.128.82 '- Wrong password
> [Jun 15 03:05:46] NOTICE [25284] chan_sip.c: Registration from '"213" <sip:213 at my_extern_ip>' failed for '116 .124.128.82 '- Wrong password
> [Jun 15 03:05:46] NOTICE [25284] chan_sip.c: Registration from '"213" <sip:213 at my_extern_ip>' failed for '116 .124.128.82 '- Wrong password
> [Jun 15 03:05:46] NOTICE [25284] chan_sip.c: Registration from '"213" <sip:213 at my_extern_ip>' failed for '116 .124.128.82 '- Wrong password
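As an added example (not code from anyone in this thread), this is the log-driven approach Gareth and Zeeshan describe, applied to Rodrigo's rule: parse chan_sip failed-registration NOTICE lines like the ones quoted above, count failures and distinct extensions per source IP, and print (rather than execute) the iptables rules for a dedicated chain, the way sshblack and fail2ban would. The sample log lines, the IPs (RFC 5737 ranges), and the chain name SIPBLOCK are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the chan_sip NOTICE lines quoted in the thread;
# the IPs (RFC 5737 ranges) and extensions are made up for this example.
SAMPLE_LOG = """\
[Jun 15 03:05:46] NOTICE[25284] chan_sip.c: Registration from '"213" <sip:213@pbx.example>' failed for '192.0.2.10' - Wrong password
[Jun 15 03:05:46] NOTICE[25284] chan_sip.c: Registration from '"214" <sip:214@pbx.example>' failed for '192.0.2.10' - Wrong password
[Jun 15 03:05:47] NOTICE[25284] chan_sip.c: Registration from '"215" <sip:215@pbx.example>' failed for '192.0.2.10' - Wrong password
[Jun 15 03:06:01] NOTICE[25284] chan_sip.c: Registration from '"100" <sip:100@pbx.example>' failed for '198.51.100.7:5060' - Wrong password
[Jun 15 03:06:02] NOTICE[25284] chan_sip.c: Registration from '"100" <sip:100@pbx.example>' failed for '198.51.100.7:5060' - No matching peer found
[Jun 15 03:06:03] NOTICE[25284] chan_sip.c: Registration from '"100" <sip:100@pbx.example>' failed for '198.51.100.7:5060' - Wrong password
[Jun 15 03:07:00] NOTICE[25284] chan_sip.c: Registration from '"201" <sip:201@pbx.example>' failed for '203.0.113.5' - Wrong password
[Jun 15 03:07:05] NOTICE[25284] chan_sip.c: Peer '201' is now Reachable. (12ms / 2000ms)
"""

FAILED_REG = re.compile(
    r"chan_sip\.c: Registration from '\"(?P<ext>[^\"]*)\"[^']*' failed for "
    r"'(?P<ip>[^']+)'\s*-\s*(?P<reason>.+)$"
)

def parse_failures(log_text):
    """Yield (ip, extension, reason) for every failed-registration NOTICE."""
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if not m:
            continue                      # not a failed-registration line
        ip = m.group("ip").strip()
        if ip.count(":") == 1:            # Asterisk 1.8+ logs 'ip:port'
            ip = ip.split(":", 1)[0]
        yield ip, m.group("ext"), m.group("reason")

def offenders(log_text, max_failures=3, max_extensions=3):
    """IPs to block: too many failures, or too many distinct extensions tried."""
    failures = defaultdict(int)
    extensions = defaultdict(set)
    for ip, ext, _reason in parse_failures(log_text):
        failures[ip] += 1
        extensions[ip].add(ext)
    return sorted(ip for ip in failures if failures[ip] >= max_failures
                  or len(extensions[ip]) >= max_extensions)

def block_rules(ips, chain="SIPBLOCK"):
    """Render iptables commands for a dedicated chain; they are printed, not run."""
    return [f"iptables -A {chain} -s {ip} -p udp --dport 5060 -j DROP" for ip in ips]
if __name__ == "__main__":
    for rule in block_rules(offenders(SAMPLE_LOG)):
        print(rule)
```

A real deployment would run this against the live log (or subscribe to the same events over the AMI) and add an expiry, so a blocked address is released after a fixed time as sshblack does.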