[asterisk-dev] auto blacklisting "script kiddies"

Steve Kennedy steve-asterisk at gbnet.net
Fri May 4 10:09:10 MST 2007


On Fri, May 04, 2007 at 12:27:01PM -0400, Jason Burton wrote:

> Can you just blacklist an IP based on the connection frequency and if they
> are using different usernames/passwords for every attempt?
> If 1.1.1.1 connects using jar/10032103 and jar/12031203 and jar/120102312
> blacklist
> If 1.1.1.1 connects using jar123/10032103, jar124/10032103, jar125/10032103
> Blacklist
> Blacklist should be a certain period of time. You can have a mess on your
> hands if you make static lists that do not empty after a period of time?
> What happens if someone legit tries to connect with a blacklisted IP?
> Filtering script kiddies can be complicated if they do it from public
> hotspots that your customers might use?

Exactly, blacklists should be "sticky" or tarpitty ... if the user
really is trying to register, they try and can wait a bit of time
(Asterisk can even return an error), script kiddies will just bang out
dictionary attacks - the scripts are generally dumb.


Steve

-- 
NetTek Ltd  UK mob +44-(0)7775 755503
UK +44-(0)20 79932612 / US +1-(310)8577715 / Fax +44-(0)20 7483 2455
Skype/GoogleTalk/AIM/Gizmo/Mac stevekennedyuk / MSN steve at gbnet.net
Euro Tech News Blog http://eurotechnews.blogspot.com
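
Added example, not part of the original thread and not Asterisk code: a sketch of the expiring blacklist discussed above, which blocks a source IP once it has failed with several different username/password pairs inside a short window and lets the block age out. The class name, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 60        # seconds of history kept per source IP (assumed value)
MAX_DISTINCT = 3   # distinct user/secret pairs tolerated in WINDOW (assumed)
BLOCK_FOR = 300    # seconds before a block expires (assumed)

class TempBlacklist:
    """Hypothetical tracker of failed registration attempts per source IP."""
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> (time, user, secret) entries
        self.blocked_until = {}             # ip -> expiry timestamp

    def is_blocked(self, ip, now):
        expiry = self.blocked_until.get(ip)
        if expiry is not None and now >= expiry:
            del self.blocked_until[ip]      # block aged out: start clean
            self.failures.pop(ip, None)
            return False
        return expiry is not None

    def record_failure(self, ip, user, secret, now):
        """Record one failed attempt; return True if ip is blocked."""
        if self.is_blocked(ip, now):
            return True
        attempts = self.failures[ip]
        attempts.append((now, user, secret))
        while attempts and now - attempts[0][0] > WINDOW:
            attempts.popleft()              # drop attempts outside the window
        # A phone retrying one wrong password repeats the same pair; a
        # dictionary script changes the username or the secret each time.
        distinct = {(u, s) for _, u, s in attempts}
        if len(distinct) >= MAX_DISTINCT:
            self.blocked_until[ip] = now + BLOCK_FOR
            return True
        return False

# Constructed sample events: (time, source ip, username, secret).
SAMPLE = [
    (0, "192.0.2.10", "jar", "10032103"), (1, "192.0.2.10", "jar", "12031203"),
    (2, "192.0.2.10", "jar", "120102312"), (3, "192.0.2.10", "jar", "99999"),
    (4, "198.51.100.7", "alice", "typo"), (5, "198.51.100.7", "alice", "typo"),
    (6, "198.51.100.7", "alice", "typo"), (400, "192.0.2.10", "jar", "10032103"),
]

def replay(events):
    """Feed events in order and return the block decision for each one."""
    bl = TempBlacklist()
    return [bl.record_failure(ip, u, s, t) for t, ip, u, s in events]
```

The last sample event arrives after the block has expired, so the same address is accepted for evaluation again instead of staying on a static list.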

