[asterisk-users] sip extension compromised, need help blocking brute force attempts

David Backeberg dbackeberg at gmail.com
Mon Jun 30 15:04:44 CDT 2008


You can use a hashtable to watch incoming traffic, sort it into
buckets based on its IP address, and take action accordingly. But
you'll need some method of sorting out legitimate traffic versus bad
traffic. You'll need to come up with some more characteristics than
just that something is communicating on the port.

SSH hack detection is easy because each new brute-force attempt starts with a
TCP SYN, so you can count them and then drop access, on the premise
that a legitimate user wouldn't need X attempts to get their password
right.

On Mon, Jun 30, 2008 at 2:56 PM, spectro <spectro at gmail.com> wrote:
> On Mon, Jun 30, 2008 at 1:31 PM, David Backeberg <dbackeberg at gmail.com> wrote:
>> Do a reverse lookup on your attacker.
>> Then find their ISP.
>> Then file an abuse complaint.
>
>
> Already done; I also filed a report with the FBI cybercrime unit and set up
> iptables to block incoming traffic from that IP.
>
> My question is whether there is anything in Asterisk to detect these
> brute-force attacks and take measures like we can do with SSH brute-force
> attacks.
>
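The hashtable approach described in the reply above, as an added example that is not part of the original message: failed authentication attempts are bucketed by source IP and counted in a sliding time window, so the auth result (not mere traffic on the port) is the distinguishing characteristic. The event tuple format, the thresholds and the sample addresses are assumptions constructed for illustration, not Asterisk's own log format.

```python
from collections import defaultdict, deque

# Constructed sample events, in time order: (unix_time, source_ip, auth_ok).
# Assumed to be pre-parsed from whatever log the PBX produces.
SAMPLE_EVENTS = [
    (0, "198.51.100.7", False), (0, "203.0.113.9", False),
    (1, "192.0.2.10", False),   (2, "198.51.100.7", False),
    (3, "192.0.2.10", False),   (4, "198.51.100.7", False),
    (5, "192.0.2.10", True),    (6, "198.51.100.7", False),
    (8, "198.51.100.7", False), (10, "198.51.100.7", False),
    (100, "203.0.113.9", False), (200, "203.0.113.9", False),
    (300, "203.0.113.9", False), (400, "203.0.113.9", False),
]


class FailureTracker:
    """Hash table of source IP -> timestamps of recent failed auth attempts."""

    def __init__(self, max_failures=5, window=60):
        self.max_failures = max_failures   # the "X attempts" threshold
        self.window = window               # seconds a failure stays counted
        self.failures = defaultdict(deque)
        self.blocked = set()

    def observe(self, ts, ip, auth_ok):
        """Record one event; return True if the IP is (now) blocked."""
        if ip in self.blocked:
            return True
        if auth_ok:
            return False                   # successes are never counted
        bucket = self.failures[ip]
        bucket.append(ts)
        # Expire failures that fell out of the sliding window.
        while bucket and ts - bucket[0] > self.window:
            bucket.popleft()
        if len(bucket) >= self.max_failures:
            self.blocked.add(ip)           # hand this IP to the firewall
            del self.failures[ip]
            return True
        return False


def find_offenders(events, max_failures=5, window=60):
    """Run all events through a tracker and return the blocked IPs, sorted."""
    tracker = FailureTracker(max_failures, window)
    for ts, ip, ok in events:
        tracker.observe(ts, ip, ok)
    return sorted(tracker.blocked)
```

With the defaults, only the address that fails five times within a minute is flagged; the user who mistypes twice and the slow, spread-out failures stay under the threshold.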


