[asterisk-dev] auto blacklisting "script kiddies"
ast2005 at 9ux.com
Thu Apr 26 11:49:05 MST 2007
Steve Kennedy wrote:
>Would it not be a good idea if Asterisk would auto-blacklist single IP
>addresses that attempted multiple SIP or other registrations.
>The attacks I've seen seem to be scripted and aren't particularly
>clever, so an auto back-off system or just lock from that IP address
>after a particular number of registration attempts. This could be
>specified as a config variable (as in number of attempts before lock).
>Locked IP's could then be manually unlocked, or unlocked after a time
>period (or in combination, locked wait some time, unlock and if more
>attempts continue, lock for a longer time period etc).
>This isn't going to defeat any kind of serious attack, but would deter
>the script kiddies out there. It also potentially wont work for ITSPs
>etc, but for smaller installs it could be just the solution?
I use fail2ban on debian systems. The default config blocks ssh script
kiddies, there are some other included modules and you can add modules.
You can easily edit the configs to be more restrictive. You can ban an
IP for many hours after one ssh login failure if you want.
The included modules serve as a good example to create a new one from.
It should be easy enough to create a module for asterisk.
It's python and I'm sure it works on many distros. The upstream source
can be found here.
More information about the asterisk-dev