[asterisk-users] Brute force attacks

Matt Desbiens desbiensm at gmail.com
Fri Jul 2 11:24:00 CDT 2010


I've noticed from time to time that fail2ban just craps out, so this might
be of interest to the community, assuming you use 192.168.100.0/24 on your
network:

iptables -A INPUT -s 192.168.100.0/24 -j ACCEPT
iptables -A INPUT -s carrierip.x.x.x -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p udp -m udp -s carrierip.x.x.x --destination-port 5060 -j ACCEPT
iptables -A INPUT -p udp -m udp -s carrierip.x.x.x --destination-port 10000:20000 -j ACCEPT
iptables -A INPUT -p udp -m udp --destination-port 5060 -j DROP
iptables -A INPUT -p udp -m udp --destination-port 10000:20000 -j DROP
iptables -A INPUT -p udp -m udp --destination-port 4000:4999 -j DROP
iptables -A INPUT -p udp -m udp --destination-port 4569 -j DROP
iptables -A INPUT -p tcp -m tcp --destination-port 5038 -j DROP
iptables -A INPUT -p tcp -m tcp --destination-port 22 -j DROP
iptables -A INPUT -p udp -m udp --destination-port 22 -j DROP
iptables -A OUTPUT -o eth0 -p all -j ACCEPT
iptables -A OUTPUT -o eth1 -p all -j ACCEPT
iptables -A INPUT -i eth0 -p all -j ACCEPT
iptables -A INPUT -i eth1 -p all -j ACCEPT
iptables -P INPUT DROP


2010/7/2 Jonathan González <jonathan.gsc at gmail.com>

> Same activity from these IPs:
>
> On Thu, Jul 1, 2010 at 10:56 PM, Jamie A. Stapleton <
> jstapleton at computer-business.com> wrote:
>
>>  The IP 69.175.35.186 has just been banned by Fail2Ban after 293 attempts
>> against our server.
>>
>>
>>
>>
>>
>> *From:* asterisk-users-bounces at lists.digium.com [mailto:
>> asterisk-users-bounces at lists.digium.com] *On Behalf Of *John Timms
>> *Sent:* Thursday, July 01, 2010 11:32 AM
>> *To:* Asterisk Users Mailing List - Non-Commercial Discussion
>> *Subject:* Re: [asterisk-users] Brute force attacks
>>
>>
>>
>> On Thu, Jul 1, 2010 at 9:16 AM, Ishfaq Malik <ish at pack-net.co.uk> wrote:
>>
>>  Hi
>>
>> We've just noticed attempts (close to 200000 attempts, sequential peer
>> numbers) at guessing peers on 2 of our servers and thought I'd share the
>> originating IPs with the list in case anyone wants to firewall them as we
>> have done
>>
>> 109.170.106.59
>> 112.142.55.18
>> 124.157.161.67
>>
>> Ish
>>
>> --
>> Ishfaq Malik
>> Software Developer
>> PackNet Ltd
>>
>> Office:   0161 660 3062
>>
>>
>> --
>> _____________________________________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>> New to Asterisk? Join us for a live introductory webinar every Thurs:
>>               http://www.asterisk.org/hello
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>>   http://lists.digium.com/mailman/listinfo/asterisk-users
>>
>>
>>
>>
>>
>> We have noticed the same sort of activity on our server.
>> The originating IP addresses attempting access were:
>>
>>
>>
>> 204.9.204.145 (hosted at U.S. Colo, I believe)
>>
>> 91.203.132.149 (Nephax)
>>
>> 130.70.157.186 (University of Louisiana)
>>
>> 61.160.121.46 (Chinanet)
>>
>> 109.170.0.10 (ReasonUP Ltd)
>>
>>
>>
>> --
>> John Timms
>> IT Department - Gnoso Inc.
>> john at gnoso.com
>> --



-- 
Matthew Desbiens
//* EOF *//