[asterisk-users] lock SIP Account after too many failed logins

[Dave Platt]

>> I want to detect brute-force password hacking attacks - thus if there
>> are too many failed login attempts for a SIP account I want to "lock"
>> this account.
> 
>> Does somebody have any ideas how this could be implemented?

The usual method (I think) is to monitor the log files, and
detect repeated patterns of suspicious actions occurring
within a given period of time.

A program such as logwatch (www.logwatch.org) might work, or
you could write something in Perl.  If you're logging via
syslog, you can have syslog write new messages into a pipe
as well as into a log file, and thus parse and evaluate
new messages immediately with no buffering delay.

> Bad plan? Could quite easily turn into a DoS.

If the reaction is to lock the account, I agree, it might
leave you prone to a denial-of-service attack.

A better way would be to use iptables to start dropping
packets from the IP address(es) involved in the attack... this
will still allow the legitimate user of the account to access
it.

The block-IP-address-only method won't defend effectively
against a "slow scan" botnet-based crack attempt, where each
password-guessing attempt comes from a different IP address
in the botnet.  A lot of current SSH password-guess probes are
of this sort.  I don't think there's any terribly good defense
against this except to select *good* passwords - e.g. 20 or more
alphanumeric characters selected by a good random-number generator.

To be pro-active, I'd suggest that you acquire a password
quality-evaluation program (the Perl Data::Password class
from CPAN might be a useful starting point) and check the
password quality of all of your SIP accounts.  Require a
password change for any password of unacceptably low quality.