[asterisk-users] lock SIP Account after too many failed logins
Michiel van Baak
michiel at vanbaak.info
Fri Jan 9 12:24:22 CST 2009
On 11:04, Fri 09 Jan 09, Matthew Nicholson wrote:
> On Fri, 2009-01-09 at 16:49 +0000, Steve Howes wrote:
> > On 9 Jan 2009, at 16:36, Klaus Darilion wrote:
> > > Hi!
> > >
> > > I want to detect brute-force password hacking attacks - thus if there
> > > are too many failed login attempts for a SIP account I want to "lock"
> > > this account.
> > >
> > > Does somebody have any ideas how this could be implemented?
> >
> > Bad plan? Could quite easily turn into a DoS.
>
> Could this be done at the IP tables level? Or maybe you could write a
> script that monitors the asterisk logs and detects failed login attempts
> then adds problematic IP address to hosts.deny. I know of several ssh
> blocking scripts that work this way.
I think fail2ban can do this.
It has a configuration file where you can list your logs and regexp
matches in this logfile.
I use fail2ban on Linux to detect those types of attacks on my ftp,
imap, pop3, smtp+sasl, ssh etc etc
It can take action by blocking the IP for a specified period.
The block can be configured: iptables, hosts.deny, pf, ipfw,
custom-script-to-send-block-rule-to-cisco-pix, whatever.
http://www.fail2ban.org/wiki/index.php/Main_Page
>
> --
> Matthew Nicholson
> Digium, Inc. | Software Developer
>
--
Michiel van Baak
michiel at vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD
"Why is it drug addicts and computer aficionados are both called users?"
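
The log-watching approach suggested in this thread, as an added example that is not part of the original messages and is not fail2ban's own code: it counts failed SIP registrations per source IP inside a sliding time window, so a noisy address gets flagged while the targeted account is never locked (the DoS concern raised above). The chan_sip log line format, the function name `find_offenders`, its thresholds and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: chan_sip NOTICE format; adjust the pattern to your Asterisk version.
FAILED = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\].*?"
    r"Registration from '[^']*' failed for '(?P<ip>[\d.]+)(?::\d+)?'"
)

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
[Jan  9 11:00:00] NOTICE[2101] chan_sip.c: Registration from '"300" <sip:300@pbx.example.com>' failed for '192.0.2.9' - Wrong password
[Jan  9 11:30:00] NOTICE[2101] chan_sip.c: Registration from '"300" <sip:300@pbx.example.com>' failed for '192.0.2.9' - Wrong password
[Jan  9 12:00:00] NOTICE[2101] chan_sip.c: Registration from '"100" <sip:100@pbx.example.com>' failed for '203.0.113.50' - Wrong password
[Jan  9 12:00:05] NOTICE[2101] chan_sip.c: Registration from '"100" <sip:100@pbx.example.com>' failed for '198.51.100.7' - Wrong password
[Jan  9 12:00:10] NOTICE[2101] chan_sip.c: Registration from '"101" <sip:101@pbx.example.com>' failed for '203.0.113.50' - Wrong password
[Jan  9 12:00:12] VERBOSE[2101] logger.c: -- Registered SIP '100' at 198.51.100.7 port 5060
[Jan  9 12:00:20] NOTICE[2101] chan_sip.c: Registration from '"100" <sip:100@pbx.example.com>' failed for '203.0.113.50' - Wrong password
[Jan  9 12:05:00] NOTICE[2101] chan_sip.c: Registration from '"300" <sip:300@pbx.example.com>' failed for '192.0.2.9' - Wrong password
""".splitlines()

def find_offenders(lines, max_retry=3, find_time=timedelta(minutes=10), year=2009):
    """Return {ip: time of the failure that reached max_retry within find_time}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    offenders = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # not a failed registration
        # The log timestamp carries no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()      # forget failures older than the window
        if len(window) >= max_retry:
            offenders.setdefault(m["ip"], ts)   # keep the first crossing only
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} block candidate: {ip}")
```

On the sample, only the address that failed three times within ten minutes is reported; the single mistyped password and the three failures spread over an hour are not.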