[asterisk-users] sip extension compromised, need help blocking brute force attempts
Kristian Kielhofner
kkielhofner at star2star.com
Mon Jun 30 17:08:19 CDT 2008
On 6/30/08, David Backeberg <dbackeberg at gmail.com> wrote:
> The thing I was mentioning about hashing addresses is already in the
> kernel, check out:
> hashlimit on google,
> or net/netfilter/xt_hashlimit.c in your favorite 2.6 kernel source
>
> The other cases you mention could be done with multiple rules,
> especially if you know good subnets / netmasks.
>
Exactly. I was thinking something like this (totally untested and raw):
# Placeholder values so the snippet runs as-is; adjust to taste
IPTABLES=/sbin/iptables
IFACE=eth0
IRATE=10    # INVITEs per minute per source IP
RRATE=10    # REGISTERs per minute per source IP
ORATE=30    # any other SIP method per minute per source IP

# Create our chain before referencing it
$IPTABLES -N sipdos
# Send the right traffic through our chain
$IPTABLES -A INPUT -i $IFACE -p udp -m udp --dport 5060 -j sipdos
# INVITE limit
$IPTABLES -A sipdos -m string --string INVITE --algo bm \
    -m hashlimit --hashlimit $IRATE/minute --hashlimit-mode srcip,dstport \
    --hashlimit-name sip_i_limit -j ACCEPT
# REGISTER limit
$IPTABLES -A sipdos -m string --string REGISTER --algo bm \
    -m hashlimit --hashlimit $RRATE/minute --hashlimit-mode srcip,dstport \
    --hashlimit-name sip_r_limit -j ACCEPT
# All other SIP methods... (note: an INVITE or REGISTER over its own
# limit falls through to this rule and is still accepted if under ORATE)
$IPTABLES -A sipdos -m hashlimit --hashlimit $ORATE/minute \
    --hashlimit-mode srcip,dstport --hashlimit-name sip_o_limit -j ACCEPT
# DROP everything else
$IPTABLES -A sipdos -j DROP
It would still be nice to have something a bit smarter (keep track
of INVITEs and 407s, for instance) and I don't like using the string
match.
The "all other SIP methods" rule is dicey too because of things like
OPTIONS, SUBSCRIBE, etc.
--
Kristian Kielhofner
NOT sent from my iPhone or Blackberry
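The "something a bit smarter (keep track of INVITEs and 407s)" idea from the message above is not something iptables can express, so here is an added example, written for this thread and not code from the list or from Asterisk, of the tracking logic in Python. It consumes SIP start lines as a capture tool would summarise them, counts 401/407 challenges per peer in a sliding window, clears the count when the peer completes a digest handshake with a 2xx, and flags peers that keep getting challenged without ever succeeding. The event list, the addresses (documentation ranges), the thresholds and the `ChallengeTracker` name are all constructed for the example; the CSeq-free "last request method" heuristic is a simplification for a single-dialog-at-a-time peer.

```python
import re
from collections import defaultdict, deque

REQUEST_RE = re.compile(r"^([A-Z]+) sip:")
RESPONSE_RE = re.compile(r"^SIP/2\.0 (\d{3})")

# Constructed sample, not a real trace: (seconds, peer IP, direction, start line)
# "in"  = request received from the peer, "out" = response we sent back to it.
SAMPLE_EVENTS = [
    # A legitimate phone: one challenge, then a successful registration.
    (0.0, "198.51.100.7", "in",  "REGISTER sip:pbx.example.net SIP/2.0"),
    (0.1, "198.51.100.7", "out", "SIP/2.0 401 Unauthorized"),
    (0.2, "198.51.100.7", "in",  "REGISTER sip:pbx.example.net SIP/2.0"),
    (0.3, "198.51.100.7", "out", "SIP/2.0 200 OK"),
    # OPTIONS keep-alives are normal and must not count against anyone.
    (5.0, "198.51.100.7", "in",  "OPTIONS sip:pbx.example.net SIP/2.0"),
    (5.1, "198.51.100.7", "out", "SIP/2.0 200 OK"),
    # A caller that needs two tries before its INVITE is authorised.
    (30.0, "192.0.2.44", "in",  "INVITE sip:1000@pbx.example.net SIP/2.0"),
    (30.1, "192.0.2.44", "out", "SIP/2.0 407 Proxy Authentication Required"),
    (31.0, "192.0.2.44", "in",  "INVITE sip:1000@pbx.example.net SIP/2.0"),
    (31.1, "192.0.2.44", "out", "SIP/2.0 407 Proxy Authentication Required"),
    (32.0, "192.0.2.44", "in",  "INVITE sip:1000@pbx.example.net SIP/2.0"),
    (32.1, "192.0.2.44", "out", "SIP/2.0 200 OK"),
]
# A peer that is challenged eight times in eight seconds and never succeeds.
for i in range(8):
    SAMPLE_EVENTS.append((10.0 + i, "203.0.113.9", "in",
                          "REGISTER sip:pbx.example.net SIP/2.0"))
    SAMPLE_EVENTS.append((10.1 + i, "203.0.113.9", "out",
                          "SIP/2.0 401 Unauthorized"))


class ChallengeTracker:
    """Flag peers that accumulate unanswered 401/407 challenges in a window."""

    def __init__(self, window=60.0, max_challenges=5):
        self.window = window                  # seconds of history kept per peer
        self.max_challenges = max_challenges  # more than this unanswered -> flag
        self.challenges = defaultdict(deque)  # ip -> timestamps of challenges
        self.requests = defaultdict(lambda: defaultdict(int))  # ip -> method -> n
        self.last_method = {}                 # ip -> method of last request seen
        self.flagged = set()

    def observe(self, ts, ip, direction, start_line):
        if direction == "in":
            m = REQUEST_RE.match(start_line)
            if m:
                self.requests[ip][m.group(1)] += 1
                self.last_method[ip] = m.group(1)
            return
        m = RESPONSE_RE.match(start_line)
        if not m:
            return
        code = int(m.group(1))
        pending = self.challenges[ip]
        if code in (401, 407):
            pending.append(ts)
            # Drop challenges that fell out of the sliding window.
            while pending and ts - pending[0] > self.window:
                pending.popleft()
            if len(pending) > self.max_challenges:
                self.flagged.add(ip)
        elif 200 <= code < 300 and self.last_method.get(ip) in ("REGISTER", "INVITE"):
            # The peer proved it knew the credentials, so the challenges before
            # this were the normal digest handshake. Simplification: we key on
            # the last request method instead of CSeq, so a 2xx to OPTIONS does
            # not clear the count.
            pending.clear()


def analyse(events, window=60.0, max_challenges=5):
    """Replay events in time order and return the populated tracker."""
    tracker = ChallengeTracker(window, max_challenges)
    for event in sorted(events):
        tracker.observe(*event)
    return tracker


if __name__ == "__main__":
    t = analyse(SAMPLE_EVENTS)
    for ip in sorted(t.flagged):
        print("flag", ip, dict(t.requests[ip]), "pending challenges:",
              len(t.challenges[ip]))
```

The flagged set is what you would hand to a blocking mechanism (an ipset, a fail2ban-style jail, or the DROP chain above); the point of keying on challenges rather than raw packet counts is that a phone reregistering every minute and a handful of OPTIONS pings never accumulate anything, while a peer that is challenged over and over without a single 2xx stands out regardless of how slowly it sends.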