[asterisk-biz] PBX Hacker IP List
John Todd
jtodd at digium.com
Tue Mar 17 11:45:02 CDT 2009
On Mar 16, 2009, at 8:41 PM, Michael Jerris wrote:
>
> On Mar 16, 2009, at 8:18 PM, John Todd wrote:
>>
>> [Phil and Cyril - the quick synopsis here is that Asterisk systems
>> are
>> being hit with some frequency with brute-force SIP password or
>> extension guessing attacks. Asterisk can output logfiles (non-
>> customizable) of failures.]
>>
>> JR and I had been having parts of this conversation off-line, but
>> it's
>> probably worth bringing it up here.
>>
>> I am of the opinion that a "blacklist" is probably useful for some
>> people, as an optional method to automatically configure certain
>> firewall filters or other ACLs which would deny certain IP addresses
>> from reaching the SIP stack. This could be triggered by quantity of
>> requests within a certain time period, or number of failures, or
>> whatever. In fact, there are people who have configured Fail2Ban
>> already to serve locally as a prophylactic for their own machines.
>> JR's point is that there would optimally be some distributed
>> mechanism
>> which would serve to collect the IP addresses as reported by a wide
>> variety of endpoints, such that badly acting IP addresses would be
>> denied even the first step in blocking.
>
> My biggest concern is how do we handle issues such as an incorrectly
> configured client set to attempt to reconnect causing false positives,
> this seems it would be fairly common. Is there any way we can work to
> make it depend on failures using different passwords to cause a ban
> only, instead of any sort of retry causing a ban (outside of more
> obvious dos attacks)
>
> Mike
I'd suggest that there is a numeric severity indicating suggested
length of time to enact a ban. That number is then used as a
calculation factor in determining how long the ban is in place. This
would allow for site-specific determination of "badness" (yes,
everything is subjective in that model, but blacklisting is actually a
subjective model in general) and weights would also allow for local
determination of what to do, and when.
If each system has their own ability to enact a ban based on the
numeric calculation, and time of data received, then this would work
quite well to both allow simply incorrectly-configured
It seems that incorrectly configured clients would only typically ever
hit a single host. Or is this a false assumption? Additional weight
(a multiplication factor?) could be applied to IP addresses which are
seen at multiple locations. Thus, if an IP address is seen banging
away on 5 different servers, each server would assign a "badness"
value to the report (probably each logfile event regexp would have a
static "weight" assigned) and then report it back to the central
database. Then the database would aggregate or multiply and create a
final weight. Each client of the database would then download the
values (not a hardcoded timestamp!) and calculate for themselves how
long to ban the remote IP address.
By using this method, you can eliminate a few things: putting a
timestamp in the central server is bad, because that allows known
interval window attacks. Allowing each server to more-or-less
randomly determine how long they're going to honor a "negative" entry
is good, because then it means that servers will come uncloaked
without predictability, and any scanning machines will trip a few
triggers before the entire group is exposed all at once.
Additionally, using weights instead of static time durations allows
the local administrator to choose how heavy-handed they wish to be on
their local system. They can perhaps take the weights and translate
them into very long durations, or perhaps only a short duration. The
effect of being listed in the database becomes a function of local
choice, not central administration.
The central database would gradually move a weight down to "0" if no
additional bad behavior was reported, via some sort of well known
reduction method (weight value -1 every 1 hour of no reports of bad
behavior, as an example.)
Other ideas:
- the central database should support the ability of setting
(manually) the weight to -1 or some special value, which then would be
imported by the clients and which would automatically remove any
existing time blocks. This would allow a central administrator to "un-
block" someone and and have it take effect on clients in some short
period of time without waiting for local timers to independently wind
down. Of course this implies trust of the central administrators to
do the right thing from a policy perspective... but that trust already
implicitly exists by taking a blacklist feed in the first place.
These sound like complex ideas, and they are. Blacklisting is not
trivial, and doing it correctly and in a manner that scales is not
immediately obvious, but there are well-known models from which to
work. The good news is that I expect there are existing packages out
there for this type of thing and all we need to do is glue Asterisk
logs or other output into their model.
JT
---
John Todd email:jtodd at digium.com
Digium, Inc. | Asterisk Open Source Community Director
445 Jan Davis Drive NW - Huntsville AL 35806 - USA
direct: +1-256-428-6083 http://www.digium.com/
More information about the asterisk-biz
mailing list