Bill Michaelson
2011-Apr-05 18:31 UTC
[asterisk-users] Iptables configuration to handle brute force registrations?
fail2ban might be good for this.

On 04/05/2011 01:00 PM, asterisk-users-request at lists.digium.com wrote:
>
> Date: Tue, 5 Apr 2011 08:44:41 -0700 (PDT)
> From: Steve Edwards <asterisk.org at sedwards.com>
> Subject: Re: [asterisk-users] Iptables configuration to handle brute force registrations?
>
> On Tue, 5 Apr 2011, Gilles wrote:
>
>> I'm no expert of iptables, and it seems like it can handle banning
>> IP's that are trying to register and fail too many times.
>> Is there a good iptables configuration that I could use as reference?
>
> Gordon Henderson posted a link to his script that handled failures above a
> threshold and some other cool stuff a few months back.
Sherwood McGowan
2011-Apr-05 18:36 UTC
[asterisk-users] Iptables configuration to handle brute force registrations?
On Tue, Apr 5, 2011 at 1:31 PM, Bill Michaelson <bill at cosi.com> wrote:
> fail2ban might be good for this.
>

I think you missed the point, which is reducing the need for an external application that searches logs in order to determine whether or not to block an IP. Why run fail2ban and add overhead when you can just do the same thing with iptables itself?
Paul Dugas
2011-Apr-05 21:38 UTC
[asterisk-users] Iptables configuration to handle brute force registrations?
First, this appears to be working for me though I'm not 100% sure of that and cannot guarantee it will for you in any way, shape or form. With the lawyering out of the way...

I've seen fail2ban allow more than 500 failed SIP login attempts in under 30 seconds before adding an iptables rule to block the attacker. Likely I have it configured wrong but lately, I've been tinkering with iptables rules using the "recent" module as another layer of defense. Relevant lines from /etc/sysconfig/iptables on my CENTOS/Asterisk machine below...

-A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --set --name SIP
-A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds 600 --hitcount 20 --rttl -j DROP
-A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds 300 --hitcount 10 --rttl -j DROP
-A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds 180 --hitcount 5 --rttl -j DROP
-A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds 60 --hitcount 3 --rttl -j DROP
-A RH-Firewall-1-INPUT -p udp --dport 5060 -j ACCEPT

This blocks the attacker when too many new SIP connections happen in too short a period of time. I think fail2ban will now never see enough failed logins to fire off a response.

$0.02

On Tue, Apr 5, 2011 at 2:31 PM, Bill Michaelson <bill at cosi.com> wrote:
>
> fail2ban might be good for this.
>
> On 04/05/2011 01:00 PM, asterisk-users-request at lists.digium.com wrote:
>
> Date: Tue, 5 Apr 2011 08:44:41 -0700 (PDT)
> From: Steve Edwards <asterisk.org at sedwards.com>
> Subject: Re: [asterisk-users] Iptables configuration to handle brute force registrations?
>
> On Tue, 5 Apr 2011, Gilles wrote:
>
> I'm no expert of iptables, and it seems like it can handle banning
> IP's that are trying to register and fail too many times.
> Is there a good iptables configuration that I could use as reference?
>
> Gordon Henderson posted a link to his script that handled failures above a
> threshold and some other cool stuff a few months back.
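An offline model of how Paul's rule set behaves, added here as an example and not part of his post or of any Asterisk or netfilter code: it reproduces the xt_recent semantics (a per-source list of the newest 20 timestamps filled by --set, and --rcheck matching when at least --hitcount stamps fall within --seconds) and runs constructed traffic through the four DROP rules in the posted order. It assumes every sample packet is conntrack NEW with a matching TTL, so --state NEW and --rttl are treated as always true.

```python
from collections import defaultdict

# (seconds, hitcount) of the four '--rcheck ... -j DROP' rules, in the posted order.
POSTED_RULES = [(600, 20), (300, 10), (180, 5), (60, 3)]

def simulate_recent(packets, rules=POSTED_RULES, list_size=20):
    """Return one verdict ('ACCEPT' or 'DROP') per (time_seconds, source_ip)
    packet; each is assumed to be a conntrack-NEW UDP/5060 packet with a
    matching TTL. list_size models ip_pkt_list_tot, the per-address stamp
    limit of xt_recent (default 20)."""
    stamps = defaultdict(list)          # source_ip -> recorded arrival times
    verdicts = []
    for now, ip in packets:
        entry = stamps[ip]
        entry.append(now)               # '-m recent --set': no target, falls through
        del entry[:-list_size]          # xt_recent overwrites the oldest stamp when full
        verdict = "ACCEPT"              # final rule: '-j ACCEPT'
        for seconds, hitcount in rules: # the --rcheck rules, evaluated in order
            hits = sum(1 for ts in entry if now - ts <= seconds)
            if hits >= hitcount:        # match -> '-j DROP', stop evaluating
                verdict = "DROP"
                break
        verdicts.append(verdict)
    return verdicts

def demo():
    """Constructed traffic (not captured data): a phone re-registering every
    120 s, and a source sending one NEW packet per second for two minutes
    and then retrying single packets at 181 s, 421 s and 721 s."""
    phone = [(t, "192.0.2.10") for t in range(0, 601, 120)]
    flood = [(t, "198.51.100.7") for t in range(120)]
    retry = [(181, "198.51.100.7"), (421, "198.51.100.7"), (721, "198.51.100.7")]
    return {
        "phone": simulate_recent(phone),                # all six ACCEPT
        "flood": simulate_recent(flood),                # 2 ACCEPT, then 118 DROP
        "retry": simulate_recent(flood + retry)[-3:],   # DROP, DROP, ACCEPT
    }

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts.count("ACCEPT"), "accepted,",
              verdicts.count("DROP"), "dropped")
```

The retry case shows what the longer windows add: a source that already recorded 20 stamps stays dropped until its newest stamps age past 600 s, even though the 3-in-60 s rule alone would have cleared it. The rules throttle rather than ban, so once the windows clear the source gets two packets through again before tripping the 60 s rule.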