[asterisk-dev] auto blacklisting "script kiddies"
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Thu Apr 26 07:26:01 MST 2007
On Thu, Apr 26, 2007 at 03:08:19PM +0100, Steve Kennedy wrote:
> Would it not be a good idea if Asterisk would auto-blacklist single IP
> addresses that attempted multiple SIP or other registrations.
>
> The attacks I've seen seem to be scripted and aren't particularly
> clever, so an auto back-off system or just lock from that IP address
> after a particular number of registration attempts. This could be
> specified as a config variable (as in number of attempts before lock).
>
> Locked IPs could then be manually unlocked, or unlocked after a time
> period (or in combination, locked wait some time, unlock and if more
> attempts continue, lock for a longer time period etc).
>
> This isn't going to defeat any kind of serious attack, but would deter
> the script kiddies out there. It also potentially won't work for ITSPs
> etc, but for smaller installs it could be just the solution?

Blocking is better done by the firewall. There are already a number of
programs that adapt the firewall or do whatever custom operation based on
certain conditions in the log.

Also: how simple is it to spoof a single packet for the purpose of
banning an IP address? e.g.: me spoofing a false packet from your IP
address to Gizmo.

Are Asterisk's logs well-suited for automated parsing by log parsers?

--
Tzafrir Cohen
icq#16849755 jabber:tzafrir at jabber.org
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
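
The scheme discussed in this thread (N failed registrations, then a lock that lengthens on repeat offences, driven from the log rather than from Asterisk itself) can be sketched as below. This is an added example, not part of the original message and not Asterisk code; the log line shape, the thresholds and the allowlist entry are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape (constructed sample; verify against your own Asterisk log).
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'.*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?'")
MAX_ATTEMPTS = 3                   # failures tolerated inside WINDOW
WINDOW = timedelta(seconds=60)
BASE_LOCK = timedelta(minutes=5)   # doubles on every repeat offence
# SIP over UDP can be spoofed, so peers you depend on must never be
# lockable by a forged source address (hypothetical provider address).
ALLOWLIST = {"198.51.100.10"}

def plan_bans(lines, year=2007):
    """Return [(ip, locked_from, locked_until)] for a log excerpt."""
    recent = defaultdict(deque)    # ip -> timestamps of recent failures
    strikes = defaultdict(int)     # ip -> number of earlier locks
    locked_until, bans = {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip = m["ip"]
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if ip in ALLOWLIST or ts < locked_until.get(ip, datetime.min):
            continue               # exempt, or already locked
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:  # drop failures older than the window
            q.popleft()
        if len(q) >= MAX_ATTEMPTS:
            until = ts + BASE_LOCK * (2 ** strikes[ip])
            strikes[ip] += 1
            locked_until[ip] = until
            q.clear()
            bans.append((ip, ts, until))
    return bans

def fail(ts, ip):                  # builds one constructed sample line
    return (f"[Apr 26 {ts}] NOTICE[1234] chan_sip.c: Registration from "
            f"'\"100\" <sip:100@192.0.2.1>' failed for '{ip}' - Wrong password")

SAMPLE = sorted(
    [fail(f"07:26:0{s}", "203.0.113.5") for s in (1, 2, 3, 4)]
    + [fail(f"07:32:0{s}", "203.0.113.5") for s in (0, 1, 2)]
    + [fail(f"07:27:0{s}", "198.51.100.10") for s in range(5)]
    + [fail(f"07:28:0{s}", "192.0.2.7") for s in (1, 2)])

if __name__ == "__main__":
    for ip, start, end in plan_bans(SAMPLE):
        print(f"lock {ip} from {start} until {end}")
```

The function only decides who to lock and for how long; applying and lifting the firewall rule is left to whatever tool consumes its output.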