[asterisk-dev] auto blacklisting "script kiddies"

Walt Reed asterisk at linuxguy.com
Thu Apr 26 08:18:35 MST 2007


On Thu, Apr 26, 2007 at 05:26:01PM +0300, Tzafrir Cohen said:
> On Thu, Apr 26, 2007 at 03:08:19PM +0100, Steve Kennedy wrote:
> > Would it not be a good idea if Asterisk would auto-blacklist single IP
> > addresses that attempted multiple SIP or other registrations.
> > 
> > The attacks I've seen seem to be scripted and aren't particularly
> > clever, so an auto back-off system or just lock from that IP address
> > after a particular number of registration attempts. This could be
> > specified as a config variable (as in number of attempts before lock).
> > 
> > Locked IPs could then be manually unlocked, or unlocked after a time
> > period (or in combination, locked wait some time, unlock and if more
> > attempts continue, lock for a longer time period etc).
> > 
> > This isn't going to defeat any kind of serious attack, but would deter
> > the script kiddies out there. It also potentially won't work for ITSPs
> > etc, but for smaller installs it could be just the solution?
> 
> Blocking is better done by the firewall. There are already a number of
> programs that adapt the firewall or do whatever custom operation based on
> certain conditions in the log.
> 
> Also: how simple is it to spoof a single packet for the purpose of
> banning an IP address? e.g.: me spoofing a false packet from your IP
> address to Gizmo.
> 
> Are Asterisk's logs well-suited for automated parsing by log parsers?

Log parsing for this kind of thing is pretty hackish. It would be nice
to have support in Asterisk to identify offenders. I agree that the
blocking is best done by the firewall, however, as you can block not only
Asterisk access, but ALL access if you wish.

For a starting point, one could look at the "denyhosts" tool.
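The lock-after-N-attempts policy with timed and escalating lockouts that Steve sketches above, written out as an added example (not Asterisk code and not part of this thread). It tracks per-IP failure counts in a sliding window, locks the IP for a base duration that doubles on each repeat lockout up to a cap, and supports the manual unlock the thread mentions. Thresholds and durations are assumed values; to limit the spoofing concern Tzafrir raises, feed it only failures from a completed authentication challenge rather than single unsolicited packets.

```python
from dataclasses import dataclass


@dataclass
class _State:
    failures: int = 0          # failed attempts in the current counting window
    window_start: float = 0.0  # time of the first failure in that window
    locked_until: float = 0.0  # 0 means not locked
    lockouts: int = 0          # prior lockouts for this IP; drives escalation


class RegistrationGuard:
    """Lock a source IP after `max_attempts` failed registrations within
    `window` seconds. Each further lockout doubles the duration, capped at
    `max_lock`. Times are plain seconds so the logic is easy to test offline."""

    def __init__(self, max_attempts=5, window=60.0, base_lock=300.0, max_lock=86400.0):
        self.max_attempts = max_attempts   # assumed defaults, tune per site
        self.window = window
        self.base_lock = base_lock
        self.max_lock = max_lock
        self._ips = {}

    def is_locked(self, ip, now):
        st = self._ips.get(ip)
        return st is not None and now < st.locked_until

    def record_failure(self, ip, now):
        """Count one failed attempt; return True if the IP is locked afterwards."""
        st = self._ips.setdefault(ip, _State())
        if now < st.locked_until:
            return True                              # already locked, keep it so
        if st.failures == 0 or now - st.window_start > self.window:
            st.failures, st.window_start = 0, now    # window expired: start fresh
        st.failures += 1
        if st.failures >= self.max_attempts:
            duration = min(self.base_lock * (2 ** st.lockouts), self.max_lock)
            st.locked_until = now + duration
            st.lockouts += 1                         # next lockout lasts longer
            st.failures = 0
            return True
        return False

    def record_success(self, ip):
        """A successful registration clears the counter but not an active lock."""
        st = self._ips.get(ip)
        if st is not None:
            st.failures = 0

    def unlock(self, ip):
        """Manual unlock by an operator; the escalation history is kept."""
        st = self._ips.get(ip)
        if st is not None:
            st.locked_until = 0.0
```

The guard only decides; pushing the lock to the firewall (as the thread recommends) is a separate step that would consume `is_locked` results.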

