[asterisk-users] sip extension compromised, need help blocking brute force attempts
Kristian Kielhofner
kkielhofner at star2star.com
Mon Jun 30 16:10:55 CDT 2008
On 6/30/08, randulo <spamsucks2005 at gmail.com> wrote:
> Someone should write an asterisk-centric document on this topic, it's
> likely to become an issue "someday". Sounds like a great subject for
> VoIP Users Conference as well. Any volunteers?
>
iptables string and limit matching could be a start, although I don't
really know how well it does with fragments (or if that would even be
an issue - especially with UDP).

Anyways, it would be cool to develop something with iptables string,
limit, and maybe even the Asterisk DB for SIP registries. For
instance:

- allow "unknown" addresses to REGISTER/INVITE at a "normal" rate (10
  pkts / minute, or something). Figure that would allow 10 INVITEs
  (calls) per minute (2 INVITEs per authenticated call).
- Allow "good" addresses (registered from the Asterisk db or
  previously known good) to pass SIP traffic at a greater rate (maybe
  even wide open). One could use something unique from the request if
  they wished - matching on the user agent from the Asterisk SIP DB, for
  example.

This could get tricky... You'd have to be able to look at 407s and
INVITEs/REGISTERs with and without nonces to do the job right. It
would be neat to do this without having to jump into userland too much
in iptables/netfilter.

Does anyone want to write a kernel module? ;)
--
Kristian Kielhofner
NOT sent from my iPhone or Blackberry
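
A sketch of the scheme proposed in the message above, added as an example and not part of the original post: it prints iptables commands that rate-limit REGISTER/INVITE from unknown sources and let known-good sources through. Assumptions: `hashlimit` is used as the per-source form of `limit`, an ipset named `sip_good` (hypothetical) stands in for a lookup against the Asterisk DB, and SIP runs over UDP port 5060.

```shell
#!/bin/sh
# Added example: emits the commands instead of running them, so the ruleset
# can be reviewed first and then piped to `sh` as root.
SIP_PORT=5060        # assumption: SIP over UDP on the default port
GOOD_SET=sip_good    # hypothetical ipset holding "good" peer addresses
RATE=10/minute       # the "normal" rate suggested in the message
BURST=10             # assumption: allow a burst equal to the per-minute rate

sip_rules() {
    # "Good" addresses live in an ipset; filling it from Asterisk's registry
    # is left to a userland job. Entries expire unless refreshed.
    echo "ipset create $GOOD_SET hash:ip timeout 3600 -exist"
    echo "iptables -N SIP_LIMIT"
    echo "iptables -A INPUT -p udp --dport $SIP_PORT -j SIP_LIMIT"
    # Known-good peers pass SIP traffic wide open.
    echo "iptables -A SIP_LIMIT -m set --match-set $GOOD_SET src -j ACCEPT"
    for method in REGISTER INVITE; do
        # The request line starts at the UDP payload (offset 28 with no IP
        # options), so the string search is bounded to the first 64 bytes.
        match="-m string --algo bm --to 64 --string '$method sip:'"
        # Per-source bucket: within the rate, accept ...
        echo "iptables -A SIP_LIMIT $match -m hashlimit --hashlimit-name sip_$method --hashlimit-mode srcip --hashlimit-upto $RATE --hashlimit-burst $BURST -j ACCEPT"
        # ... over the rate, drop.
        echo "iptables -A SIP_LIMIT $match -j DROP"
    done
    # Everything else on the SIP port falls back to the rest of the ruleset.
    echo "iptables -A SIP_LIMIT -j RETURN"
}

sip_rules
```

These rules count every REGISTER/INVITE equally; telling a challenged request from one carrying a nonce, as the message notes, still needs inspection beyond a fixed string match.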