[asterisk-users] sip extension compromised, need help blocking brute force attempts

Kristian Kielhofner kkielhofner at star2star.com
Mon Jun 30 17:08:19 CDT 2008


On 6/30/08, David Backeberg <dbackeberg at gmail.com> wrote:
> The thing I was mentioning about hashing addresses is already in the
>  kernel, check out:
>  hashlimit on google,
>  or net/netfilter/xt_hashlimit.c in your favorite 2.6 kernel source
>
>  The other cases you mention could be done with multiple rules,
>  especially if you know good subnets / netmasks.
>

Exactly.  I was thinking something like this (totally untested and raw):

# Create the chain and send the right traffic through it
$IPTABLES -N sipdos
$IPTABLES -A INPUT -i $IFACE -p udp -m udp --dport 5060 -j sipdos

# INVITE limit: up to $IRATE INVITEs per minute per source/destination port.
# Anything over the limit is dropped here so it cannot fall through to the
# generic "other methods" bucket below.
$IPTABLES -A sipdos -m string --string INVITE --algo bm \
  -m hashlimit --hashlimit $IRATE/minute --hashlimit-mode srcip,dstport \
  --hashlimit-name sip_i_limit -j ACCEPT
$IPTABLES -A sipdos -m string --string INVITE --algo bm -j DROP

# REGISTER limit, same structure
$IPTABLES -A sipdos -m string --string REGISTER --algo bm \
  -m hashlimit --hashlimit $RRATE/minute --hashlimit-mode srcip,dstport \
  --hashlimit-name sip_r_limit -j ACCEPT
$IPTABLES -A sipdos -m string --string REGISTER --algo bm -j DROP

# All other SIP methods...
$IPTABLES -A sipdos -m hashlimit --hashlimit $ORATE/minute \
  --hashlimit-mode srcip,dstport --hashlimit-name sip_o_limit -j ACCEPT

# DROP everything else
$IPTABLES -A sipdos -j DROP

  It would still be nice to have something a bit smarter (keep track
of INVITEs and 407s, for instance) and I don't like using the string
match.

  The "all other SIP methods" rule is dicey too because of things like
OPTIONS, SUBSCRIBE, etc.

-- 
Kristian Kielhofner
NOT sent from my iPhone or Blackberry
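The "something a bit smarter" the mail wishes for, tracking INVITEs/REGISTERs against the 401/407 challenges sent back per source, is sketched below as an added example. It is not code from the original mail, from Kristian or from the Asterisk project. It classifies each SIP packet by its request or status line rather than by a packet-wide substring search (a 407 answering an INVITE carries "CSeq: 1 INVITE" and would satisfy a string match for INVITE), counts challenges the PBX returns to each remote address inside a sliding window, and clears them when that address gets a 2xx. The PBX address, window, threshold and the sample traffic are all assumed/constructed values.

```python
"""Per-source SIP challenge tracker (added example, not from the mail).

Classifies each UDP payload by its first line and counts the 401/407
challenges the PBX sends back to each remote address; a 2xx clears them.
PBX address, window and threshold below are assumed values.
"""
import re
from collections import defaultdict, deque

PBX_IP = "192.0.2.10"   # assumed address of the Asterisk box
WINDOW_S = 60.0         # assumed sliding window in seconds
THRESHOLD = 5           # assumed: unanswered challenges per window before flagging

REQUEST_LINE = re.compile(r"^([A-Z]+) \S+ SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) ")


def sip_kind(payload):
    """Classify by the request/status line only.

    Returns ("request", METHOD), ("response", code) or ("other", None).
    A 407 challenging an INVITE carries "CSeq: 1 INVITE" further down, so a
    packet-wide substring search for INVITE would count it as a request.
    """
    lines = payload.splitlines()
    first = lines[0] if lines else ""
    m = REQUEST_LINE.match(first)
    if m:
        return ("request", m.group(1))
    m = STATUS_LINE.match(first)
    if m:
        return ("response", int(m.group(1)))
    return ("other", None)


class ChallengeTracker:
    def __init__(self, pbx_ip=PBX_IP, window_s=WINDOW_S, threshold=THRESHOLD):
        self.pbx_ip = pbx_ip
        self.window_s = window_s
        self.threshold = threshold
        self.requests = defaultdict(lambda: defaultdict(int))  # remote -> method -> count
        self.challenges = defaultdict(deque)                   # remote -> challenge times
        self.flagged = set()

    def observe(self, ts, src, dst, payload):
        kind, value = sip_kind(payload)
        if kind == "request" and dst == self.pbx_ip:
            self.requests[src][value] += 1
        elif kind == "response" and src == self.pbx_ip:
            q = self.challenges[dst]
            if value in (401, 407):
                q.append(ts)
                while q and ts - q[0] > self.window_s:
                    q.popleft()          # expire challenges outside the window
                if len(q) >= self.threshold:
                    self.flagged.add(dst)
            elif 200 <= value < 300:
                q.clear()                # the remote authenticated; challenges answered


def build_sample():
    """Constructed traffic, not a real capture: a phone that authenticates
    after one 401, and a scanner whose INVITEs are all answered with 407."""
    def req(method, src):
        return (f"{method} sip:100@{PBX_IP} SIP/2.0\r\n"
                f"Via: SIP/2.0/UDP {src}:5060\r\nCSeq: 1 {method}\r\n\r\n")

    def resp(code, reason, method):
        auth = ""
        if code == 401:
            auth = 'WWW-Authenticate: Digest realm="asterisk", nonce="0123abcd"\r\n'
        elif code == 407:
            auth = 'Proxy-Authenticate: Digest realm="asterisk", nonce="0123abcd"\r\n'
        return f"SIP/2.0 {code} {reason}\r\nCSeq: 1 {method}\r\n{auth}\r\n"

    phone, scanner = "198.51.100.7", "203.0.113.99"
    events = [
        (0.0, phone, PBX_IP, req("REGISTER", phone)),
        (0.1, PBX_IP, phone, resp(401, "Unauthorized", "REGISTER")),
        (0.2, phone, PBX_IP, req("REGISTER", phone)),
        (0.3, PBX_IP, phone, resp(200, "OK", "REGISTER")),
    ]
    for i in range(6):
        t = 1.0 + 0.5 * i
        events.append((t, scanner, PBX_IP, req("INVITE", scanner)))
        events.append((t + 0.05, PBX_IP, scanner,
                       resp(407, "Proxy Authentication Required", "INVITE")))
    return events


def run(events, **kwargs):
    """Feed (ts, src, dst, payload) tuples through a tracker and return it."""
    tracker = ChallengeTracker(**kwargs)
    for event in events:
        tracker.observe(*event)
    return tracker


if __name__ == "__main__":
    trk = run(build_sample())
    print("flagged:", sorted(trk.flagged))
    print("requests:", {ip: dict(m) for ip, m in trk.requests.items()})
```

The flagged set is what you would feed to the firewall (an iptables DROP rule or an ipset entry) instead of rate-limiting blindly: a legitimate phone that answers its one challenge never accumulates entries, whatever its request rate, while a scanner that is challenged on every INVITE or REGISTER trips the threshold.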
