Bryant Zimmerman
2010-Sep-13 15:22 UTC
[asterisk-users] Force ip disconnect after register?
Is there a way to drop an IP connection to Asterisk after a number of register attempts?

I have been having issues with hackers doing registration scanning against our server. We block their address at the firewall, but since Asterisk does not force a drop of the connection after so many bad reg attempts, I can't enforce the block until they drop and try again. This allows them to run the box with reg attempts as long as they maintain their initial connection or I reset the state tables on the firewall. This is very bad. Is there a way to force the connection to drop and reconnect after, let's say, 50 attempts?

Thanks for any input.

Bryant
On Mon, Sep 13, 2010 at 11:22 AM, Bryant Zimmerman <BryantZ at zktech.com> wrote:
> Is there a way to drop an IP connection to Asterisk after a number of
> register attempts.

Not within Asterisk. Google fail2ban.

--
Paul Belanger | dCAP
Polybeacon | Consultant
Jabber: paul.belanger at polybeacon.com | IRC: pabelanger (Freenode)
blog.polybeacon.com
Roger Burton West
2010-Sep-13 15:36 UTC
[asterisk-users] Force ip disconnect after register?
On Mon, Sep 13, 2010 at 11:22:33AM -0400, Bryant Zimmerman wrote:
> Is there a way to drop an IP connection to Asterisk after a number of
> register attempts.

Consider writing a filter for fail2ban [http://www.fail2ban.org/] that works on the Asterisk logs?
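As an added illustration of the log-filter approach suggested above (example code written for this page, not from the thread and not fail2ban's own filter): a small Python script that applies a regex in the style of a fail2ban filter for Asterisk's chan_sip to constructed sample log lines, counts failed REGISTER attempts per source address, and reports which hosts reached a ban threshold. It assumes the log lines follow the classic chan_sip "Registration from '...' failed for 'HOST' - Reason" form, with an optional ':port' after the host.

```python
import re
from collections import Counter

# Regex in the style of a fail2ban filter for Asterisk's chan_sip.
# Assumption: failed registrations are logged as NOTICE lines of the form
#   Registration from '<caller-id>' failed for 'HOST[:PORT]' - <reason>
FAILED_REG = re.compile(
    r"NOTICE\[\d+\] chan_sip\.c: Registration from '[^']*' failed for "
    r"'(?P<host>[0-9.]+)(?::\d+)?' - "
    r"(?:Wrong password|No matching peer found|Username/auth name mismatch"
    r"|Device does not match ACL|Peer is not supposed to register)"
)

# Constructed sample log lines (not real traffic): one legitimate typo from
# 198.51.100.7, three sequential-extension probes from 203.0.113.5, one
# unrelated successful registration that must not be counted.
SAMPLE_LOG = """\
[Sep 13 11:20:01] NOTICE[2201] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Sep 13 11:20:02] NOTICE[2201] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[Sep 13 11:20:02] NOTICE[2201] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[Sep 13 11:20:03] NOTICE[2201] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[Sep 13 11:20:04] VERBOSE[2201] Registered SIP '1002' at 192.0.2.44:5060
"""


def failed_registrations(log_text):
    """Map each source host to its number of failed REGISTER attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_REG.search(line)
        if match:
            counts[match.group("host")] += 1
    return counts


def hosts_over_threshold(log_text, maxretry):
    """Hosts that reached `maxretry` failures, i.e. what a fail2ban jail would ban."""
    return sorted(h for h, n in failed_registrations(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    for host, n in failed_registrations(SAMPLE_LOG).items():
        print(f"{host}: {n} failed registration(s)")
    print("would ban:", hosts_over_threshold(SAMPLE_LOG, 3))
```

Whatever produces the ban list, the resulting drop rule has to be evaluated before any firewall shortcut that accepts packets from already-tracked connections, or the scanner's existing flow keeps passing, which is exactly the problem the question describes.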
On Mon, Sep 13, 2010 at 11:22:33AM -0400, Bryant Zimmerman wrote:
> Is there a way to drop an IP connection to Asterisk after a number of
> register attempts.
>
> I have been having issues with hackers doing registration scanning against
> our server. We block their address at the firewall but since Asterisk does
> not force a drop of the connection after so many bad reg attempts I can't
> enforce the block until they drop and try again. This allows them to run
> the box with reg attempts as long as they maintain their initial connection
> or I reset the state tables on the firewall. This is very bad. Is there a
> way to force the connection to drop and reconnect after let's say 50
> attempts.

Not an exact answer to your question, but if the attacker is using svwar (part of SIPVicious), setting alwaysauthreject=yes in sip.conf will make the probing stop after only TWO tries. svwar first tries registering a few longish, random extensions before it begins a sequential or dictionary scan, to see how you handle unknown extensions. With alwaysauthreject set, svwar just gives up, complaining:

"ERROR:TakeASip:SIP server replied with an authentication request for an unknown extension. Set --force to force a scan."

I still see 3-4 attempts per week from various sites, but now they stop after just two failed registration attempts. Saves lots of wear and tear on my DSL.

I still run fail2ban, but after setting alwaysauthreject a few months ago nothing has passed its threshold. And nothing seems to have broken, either.

--
Barry
Kevin P. Fleming
2010-Sep-13 21:24 UTC
[asterisk-users] Force ip disconnect after register?
On 09/13/2010 10:22 AM, Bryant Zimmerman wrote:
> Is there a way to drop an IP connection to Asterisk after a number of
> register attempts.
>
> I have been having issues with hackers doing registration scanning
> against our server. We block their address at the firewall but since
> Asterisk does not force a drop of the connection after so many bad reg
> attempts I can't enforce the block until they drop and try again. This
> allows them to run the box with reg attempts as long as they maintain
> their initial connection or I reset the state tables on the firewall.
> This is very bad. Is there a way to force the connection to drop and
> reconnect after let's say 50 attempts.

Reconfigure your firewall to inspect every packet against the rules, instead of shortcutting 'open connections'; this takes more CPU on your firewall, but allows you to change the rules and drop existing connections.

Alternatively, depending on how you've built your firewall, you can insert the 'drop all packets from X.X.X.X' rule *before* any rules that allow packets from existing connections.

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
skype: kpfleming | jabber: kfleming at digium.com
Check us out at www.digium.com & www.asterisk.org
"Bryant Zimmerman" <BryantZ at zktech.com> writes:
> Is there a way to force the connection to drop and reconnect after let's
> say 50 attempts.

Most firewalls have tools for removing specific connections from the connection table.

Alternatively, a switch to SIP/TCP might help, but I've never tried SIP/TCP with Asterisk, so I don't really know what state it is in.

/Benny