[asterisk-users] Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny

Gordon Henderson gordon+asterisk at drogon.net
Mon Aug 30 14:23:36 CDT 2010


On Mon, 30 Aug 2010, J. Oquendo wrote:

> How about a little cron script without having to install anything? You
> could run it off the hour:
>
> rightnow=`date "+%Y-%m-%d %k"`
>
> grep "$rightnow" /var/log/asterisk/messages |\
> awk '/No matching peer/' | sed 's:'\''::g' |\
> sort | uniq | awk '{print "iptables -A INPUT -s "$1" -j DROP"}'| sh

Your script is fine, but I think you are missing the point I made which is 
that early versions of sipvicious are badly broken in that they will 
continue to send their attacks for days after you firewall them out.

I also posted a very effective iptables script some weeks ago if you care 
to search the archives. It works and is extremely effective in blocking 
these types of attacks - however, it will not stop a broken sipvicious 
from continuing to send data to your server, and that's the issue I have 
at present.

Any attacking site is trivial to firewall out once you've detected it, but 
firewalling it out is not going to protect you or your customers from the 
incoming data if you have to pay for it, or have a capped Internet 
connection, and the attacking site doesn't give up, even when it's 
firewalled.

A typical setup I might use for a customer in the UK is to set them up 
with an ADSL service with a 15GB/month cap. That's OK for a small office, 
or a bigger one with a line dedicated to VoIP. The attack I posted about 
earlier used up nearly 15GB of data in 3 days. Fortunately most of it was 
off-peak/weekend when it's unmetered. I arranged for their router to drop 
the packets, but the ISP still counted them.

Try it for yourself - get an early copy of SV, point it at one of your 
servers, then firewall the server against your attacking machine. 
svcrack.py will not give up.

What your script needs to do is not only get the IP address, but also the 
calling port, then launch an svcrash against that site...

... and hope that the hackers aren't getting clever and putting svcrack in 
a script that automatically re-starts it... (which I think some of them 
are now)

Gordon
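An added example (not code from either poster) of the detection half of the thread: parse the "No matching peer found" notices from the Asterisk messages log for the current hour, count failures per source address, and emit the DROP rules for addresses over a threshold. The sample lines are constructed; the `ip:port` form and the threshold of 3 are assumptions (Asterisk 1.4 logs only the address).

```python
import re

# Constructed sample lines in the style of /var/log/asterisk/messages.
# The 'ip:port' form is an assumption: Asterisk 1.4 logs only the address,
# later builds append the source port that Gordon says the script also needs.
SAMPLE_LOG = """\
[Aug 30 13:59:59] NOTICE[2345] chan_sip.c: Registration from '"103"<sip:103@192.0.2.10>' failed for '198.51.100.7:5062' - No matching peer found
[Aug 30 14:02:11] NOTICE[2345] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Aug 30 14:02:11] NOTICE[2345] chan_sip.c: Registration from '"101"<sip:101@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Aug 30 14:02:12] NOTICE[2345] chan_sip.c: Registration from '"102"<sip:102@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Aug 30 14:09:40] NOTICE[2345] chan_sip.c: Registration from '"200"<sip:200@192.0.2.10>' failed for '203.0.113.9' - No matching peer found
[Aug 30 14:10:01] VERBOSE[2345] logger.c:     -- Registered SIP '300' at 192.0.2.44 port 5060
[Aug 30 14:10:01] NOTICE[2345] chan_sip.c: Registration from '"104"<sip:104@192.0.2.10>' failed for '198.51.100.7:5062' - No matching peer found
"""

# Timestamp, then the quoted source address (optional :port) after "failed for".
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE.*"
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?'"
    r" - No matching peer found"
)


def parse_line(line):
    """Return (timestamp, ip, port or None) for a registration-failure notice."""
    m = LINE_RE.match(line)
    if not m:
        return None
    port = int(m.group("port")) if m.group("port") else None
    return m.group("ts"), m.group("ip"), port


def find_offenders(log_text, hour_prefix, threshold):
    """Count failures per source IP whose timestamp starts with hour_prefix
    (e.g. "Aug 30 14": the current hour, as the cron script selects it) and
    return {ip: {"count": n, "ports": [...]}} for IPs at or above threshold."""
    counts, ports = {}, {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or not parsed[0].startswith(hour_prefix):
            continue
        _, ip, port = parsed
        counts[ip] = counts.get(ip, 0) + 1
        if port is not None:
            ports.setdefault(ip, set()).add(port)
    return {ip: {"count": n, "ports": sorted(ports.get(ip, ()))}
            for ip, n in counts.items() if n >= threshold}


def block_rules(offenders):
    """Render one DROP rule per offender (the cron script pipes these to sh)."""
    return ["iptables -A INPUT -s %s -j DROP" % ip for ip in sorted(offenders)]
```

The port list is what a follow-up step would need; blocking alone, as the post explains, does not stop a broken svcrack from continuing to send traffic.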