[asterisk-biz] PBX Hacker IP List
Michael Jerris
mike at jerris.com
Mon Mar 16 22:41:33 CDT 2009
On Mar 16, 2009, at 8:18 PM, John Todd wrote:
>
> [Phil and Cyril - the quick synopsis here is that Asterisk systems are
> being hit with some frequency with brute-force SIP password or
> extension guessing attacks. Asterisk can output logfiles (non-
> customizable) of failures.]
>
> JR and I had been having parts of this conversation off-line, but it's
> probably worth bringing it up here.
>
> I am of the opinion that a "blacklist" is probably useful for some
> people, as an optional method to automatically configure certain
> firewall filters or other ACLs which would deny certain IP addresses
> from reaching the SIP stack. This could be triggered by quantity of
> requests within a certain time period, or number of failures, or
> whatever. In fact, there are people who have configured Fail2Ban
> already to serve locally as a prophylactic for their own machines.
> JR's point is that there would optimally be some distributed mechanism
> which would serve to collect the IP addresses as reported by a wide
> variety of endpoints, such that badly acting IP addresses would be
> denied even the first step in blocking.
My biggest concern is how we handle issues such as an incorrectly
configured client set to attempt to reconnect causing false positives;
this seems like it would be fairly common. Is there any way we can work to
make it depend on failures using different passwords to cause a ban
only, instead of any sort of retry causing a ban (outside of more
obvious DoS attacks)?
Mike
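The distinction Mike asks for, as an added example that is not part of the original thread: a small Python scanner over constructed Asterisk-style chan_sip failure lines (format approximated, not copied from a real system). Since the failure log does not record the password that was tried, the example keys on the extension instead: one IP repeatedly failing against the same extension is reported as a misconfigured client to alert on, while an IP failing across several different extensions, or simply flooding, is banned.

```python
import re
from collections import defaultdict

# Constructed sample in the style of chan_sip NOTICE lines (not real log output).
SAMPLE_LOG = """\
[Mar 16 22:40:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '198.51.100.7' - Wrong password
[Mar 16 22:40:02] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '198.51.100.7' - Wrong password
[Mar 16 22:40:03] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '198.51.100.7' - Wrong password
[Mar 16 22:40:04] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '198.51.100.7' - Wrong password
[Mar 16 22:40:05] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '198.51.100.7' - Wrong password
[Mar 16 22:40:05] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.9>' failed for '203.0.113.9' - No matching peer found
[Mar 16 22:40:05] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@203.0.113.9>' failed for '203.0.113.9' - No matching peer found
[Mar 16 22:40:06] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@203.0.113.9>' failed for '203.0.113.9' - Wrong password
[Mar 16 22:40:09] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@192.0.2.20>' failed for '192.0.2.20' - Wrong password
"""

# Extracts the extension (user part) and the source IP from a failure line.
LINE_RE = re.compile(
    r"""Registration from '"(?P<user>[^"]+)"[^']*' failed for '(?P<ip>[^']+)' - (?P<reason>.*)$"""
)


def classify(log_text, max_failures=5, min_distinct_users=3, flood_threshold=50):
    """Return {ip: verdict}; verdict is 'ban', 'misconfigured' or 'ok'.

    Thresholds are illustrative assumptions, not values from the thread.
    """
    failures = defaultdict(list)  # ip -> list of extensions that failed
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            failures[m["ip"]].append(m["user"])

    verdicts = {}
    for ip, users in failures.items():
        distinct = len(set(users))
        if distinct >= min_distinct_users:
            verdicts[ip] = "ban"  # guessing across extensions: credential attack
        elif len(users) >= flood_threshold:
            verdicts[ip] = "ban"  # the "more obvious DoS" case: volume alone
        elif len(users) >= max_failures:
            verdicts[ip] = "misconfigured"  # same extension retried: alert, don't ban
        else:
            verdicts[ip] = "ok"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE_LOG).items():
        print(ip, verdict)
```

A real deployment would feed the 'ban' verdicts to the firewall or ACL and route 'misconfigured' to an operator alert so a stuck phone is not locked out.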