[asterisk-users] "Register Attacks" End of ENUM ?

Nick Brown Nick at ipera.com.au
Tue Jul 27 02:48:54 CDT 2010


Blocking SIP traffic is still going to break ENUM. 

The problem with your suggestion, Norbert, is that Asterisk still would have to process the requests at an application layer, providing no real advantage to users of boxes with no grunt.

You could potentially write something to do inspection on the packets; there are a handful of L7 Linux switch projects around. Of course - still relatively resource intensive.

Fail2Ban is probably the best solution.

What someone needs to offer is an ENUM gateway service :-)

Nick.

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Motiejus Jakštys
Sent: Tuesday, 27 July 2010 4:43 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] "Register Attacks" End of ENUM ?

On Sun, Jul 25, 2010 at 3:11 AM, Norbert Zawodsky <norbert at zawodsky.at> wrote:
> Hello again!
>
> after it being "relatively quiet" here for the last weeks, my Asterisk
> server was the target of 3 of those nasty REGISTER attacks during the
> last days. While I can see not much danger coming from these attacks (I
> use very long, complicated randomly generated passwords), they are still
> very annoying, because they always lead to my server crashing. (I think
> it's some out of memory condition because it's a very tiny server. Slow
> CPU, not much memory...)
>
> Now, as a quick-fix I had the idea to use iptables'  --src-range rule
> to close the whole address-range from 0.0.0.0 to 255.255.255.255 EXCEPT
> that small range of my VOIP provider. This should keep out all attacks.
> (At least, I think so). But I'm not an iptables-guru at all !!
>
> But the side-effect would be that ENUM wouldn't work any more.
>
> I still think that the best, clean solution would be, if some mechanism
> was built into asterisk (maybe sip.conf was the right place ???) where
> you could configure from which source (ip-range, ethernet-port or
> whatever...) asterisk  will accept or ignore REGISTER requests. For
> example, in my small installation, valid REGISTERs can only originate
> from the internal LAN, never from the "outside world". So I could
> restrict the range for valid REGISTERs to 192.168.1.0/24.
>
> AFAIK incoming calls would start the conversation with INVITE and those
> still may come from "the outside" (=any IP address).
>
> Another thought makes me feel nervous: What if some sick brain gets the
> idea of sending INVITEs instead of those REGISTERs...
>
> Norbert

If all you need is to block the SIP traffic from external sources, you
may do the following:
# iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 5060 -j ACCEPT
# iptables -A INPUT -p udp --dport 5060 -j DROP

# iptables-save > /etc/iptables.up.rules
and somewhere in init scripts (depending on your lsb release):
# iptables-restore < /etc/iptables.up.rules

fail2ban is more suitable if you have an external environment (plus it's
more complicated than just these 2 rules).
