[asterisk-users] Brute force attacks

Tim Nelson tnelson at rockbochs.com
Fri Jul 2 11:54:27 CDT 2010


----- "A J Stiles" <asterisk_list at earthshod.co.uk> wrote:
> On Friday 02 Jul 2010, Ira wrote:
> > At 11:14 PM 7/1/2010, you wrote:
> > >Same activity from these IPs:
> > >174.129.137.135
> >
> > Given that my Asterisk box is used for nothing but Asterisk and I
> > know the small number of IPs that need to have access is there an
> > easy way to use iptables to block everything but those 6 IPs and
> > provider addresses?
> 
> Yes, dead easy!  Just configure iptables to accept IAX traffic (TCP and UDP
> port 4569) only from trusted IP addresses, and drop it from anywhere else.
> Here I am assuming eth0 is the "outside" connection, and the permitted IP
> addresses are 10.11.12.13 and 10.11.12.14.
> 
> #  accept IAX traffic  (port 4569)  from 10.11.12.13
> iptables -A FORWARD -s 10.11.12.13/32 -i eth0 -p tcp -m tcp --dport 4569 -j ACCEPT
> iptables -A FORWARD -s 10.11.12.13/32 -i eth0 -p udp -m udp --dport 4569 -j ACCEPT
> #  accept IAX traffic  (port 4569)  from 10.11.12.14
> iptables -A FORWARD -s 10.11.12.14/32 -i eth0 -p tcp -m tcp --dport 4569 -j ACCEPT
> iptables -A FORWARD -s 10.11.12.14/32 -i eth0 -p udp -m udp --dport 4569 -j ACCEPT
> #  drop all other IAX traffic
> iptables -A FORWARD -i eth0 -p udp -m udp --dport 4569 -j DROP
> iptables -A FORWARD -i eth0 -p tcp -m tcp --dport 4569 -j DROP
> 
> Obviously if the "permitted" connection addresses fall neatly into a block,
> you can use fewer rules  :)  If there are a few addresses in the block that
> shouldn't be permitted, put one or more DROP rules first for those addresses,
> then an ACCEPT rule for (the rest of) the block, then another DROP rule.
> 

IAX is UDP only, not TCP. Also, what if he's using SIP (UDP/5060) for connectivity to the outside world? He'll need rules for this, in addition to RTP media (typically UDP/10000-20000)...

--Tim
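
Added example, not part of the original thread and not code from either poster: a POSIX shell generator for a source-address allowlist covering the UDP ports named in the reply above (IAX 4569, SIP 5060, RTP 10000-20000). It assumes the rules are installed on the Asterisk host itself, so they go in INPUT rather than FORWARD; the chain name VOIP and the variable names are made up, and the addresses are the sample ones from the quoted post.

```sh
#!/bin/sh
# Added example: print an iptables-restore fragment that allowlists VoIP
# traffic by source address. Assumptions: rules belong in INPUT (traffic
# addressed to this host); VOIP is a hypothetical chain name.

WAN_IF="eth0"                       # "outside" interface, as in the quoted post
TRUSTED="10.11.12.13 10.11.12.14"   # sample addresses from the quoted post
# UDP ports named in the reply: IAX, SIP, typical RTP range
VOIP_PORTS="4569 5060 10000:20000"

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# gen_voip_rules IFACE "ADDR ADDR ..." -> ruleset on stdout, non-zero on bad input
gen_voip_rules() {
    iface=$1
    [ -n "$2" ] || { echo "empty allowlist" >&2; return 1; }
    # Validate every address first so a typo never yields a partial ruleset.
    for src in $2; do
        valid_ipv4 "$src" || { echo "bad address: $src" >&2; return 1; }
    done
    echo "*filter"
    echo ":VOIP - [0:0]"
    # Steer the VoIP UDP ports arriving on the outside interface into VOIP.
    for port in $VOIP_PORTS; do
        echo "-A INPUT -i $iface -p udp -m udp --dport $port -j VOIP"
    done
    # Trusted peers are accepted; anything else that reached VOIP is dropped.
    for src in $2; do
        echo "-A VOIP -s $src/32 -j ACCEPT"
    done
    echo "-A VOIP -j DROP"
    echo "COMMIT"
}

gen_voip_rules "$WAN_IF" "$TRUSTED"
```

The output is in iptables-restore format; loading it with iptables-restore --noflush adds these rules to the existing filter table instead of replacing it.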



