[asterisk-users] lock SIP Account after too many failed logins

Tim Nelson tnelson at rockbochs.com
Fri Jan 9 12:34:31 CST 2009


Check out this howto: http://engineertim.com/?p=16

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

----- "Michiel van Baak" <michiel at vanbaak.info> wrote:

> On 11:04, Fri 09 Jan 09, Matthew Nicholson wrote:
> > On Fri, 2009-01-09 at 16:49 +0000, Steve Howes wrote:
> > > On 9 Jan 2009, at 16:36, Klaus Darilion wrote:
> > > > Hi!
> > > >
> > > > I want to detect brute-force password hacking attacks - thus if there
> > > > are too many failed login attempts for a SIP account I want to "lock"
> > > > this account.
> > > >
> > > > Does somebody have any ideas how this could be implemented?
> > > 
> > > Bad plan? Could quite easily turn into a DoS.
> > 
> > Could this be done at the IP tables level?  Or maybe you could write a
> > script that monitors the asterisk logs and detects failed login attempts
> > then adds problematic IP address to hosts.deny.  I know of several ssh
> > blocking scripts that work this way.
> 
> I think fail2ban can do this.
> It has a configuration file where you can list your logs and regexp
> matches in this logfile.
> 
> I use fail2ban on linux to detect those types of attacks on my ftp,
> imap, pop3, smtp+sasl, ssh etc etc
> 
> It can take action by blocking the ip for a specified period.
> The block can be configured. iptables, hosts.deny, pf, ipfw,
> custom-script-to-send-block-rule-to-cisco-pix,whatever.
> 
> http://www.fail2ban.org/wiki/index.php/Main_Page
> 
> > 
> > -- 
> > Matthew Nicholson
> > Digium, Inc. | Software Developer
> > 
> > 
> > _______________________________________________
> > -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> > 
> > asterisk-users mailing list
> > To UNSUBSCRIBE or update options visit:
> >    http://lists.digium.com/mailman/listinfo/asterisk-users
> 
> -- 
> 
> Michiel van Baak
> michiel at vanbaak.eu
> http://michiel.vanbaak.eu
> GnuPG key:
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD
> 
> "Why is it drug addicts and computer aficionados are both called
> users?"
> 
> 
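
The log-watching approach suggested in the thread, counting failed registrations per source IP inside a time window and blocking the address instead of locking the SIP account, as an added example that is not code from any poster or from fail2ban. The `chan_sip` log line format, the thresholds, the `ips_to_ban` and `_line` names and the sample lines (documentation address ranges) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed chan_sip format for a failed REGISTER; adjust to your Asterisk version.
FAILED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\].*?: Registration from '(?P<peer>[^']*)' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?'"
)

def ips_to_ban(lines, max_failures=5, window=timedelta(minutes=10), year=2009):
    """Return source IPs with >= max_failures failed registrations inside window."""
    recent = defaultdict(deque)          # ip -> timestamps of recent failures
    banned = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue                     # not a failed registration
        # These timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:        # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and m["ip"] not in banned:
            banned.append(m["ip"])       # block the source, not account 100
    return banned

def _line(hms, ip, day=9):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f"[Jan {day:2d} {hms}] NOTICE[2100] chan_sip.c: Registration from "
            f"'\"100\" <sip:100@192.0.2.10>' failed for '{ip}' - Wrong password")

SAMPLE_LOG = (
    [_line(f"12:00:0{i}", "198.51.100.7") for i in range(5)]      # burst in 5 s
    + [_line(f"1{i}:30:00", "203.0.113.99") for i in range(5)]    # one per hour
    + [_line("12:01:00", "203.0.113.20"), _line("12:01:30", "203.0.113.20")]
    + ["[Jan  9 12:02:00] VERBOSE[2100] logger.c: unrelated line"]
)

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG))        # hand the result to iptables or hosts.deny
```

Because the count is kept per source address, the owner of account 100 registering from another IP is unaffected by the burst, which is the DoS concern raised about locking the account itself.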


