[asterisk-users] fraud advice (Also advice on using ipbanning)

--[ UxBoD ]-- uxbod at splatnix.net
Sun Oct 17 06:24:46 CDT 2010


----- Original Message -----


When we designed our systems on Asterisk we designed it to be multi-tenant. So we use customer prefixes on all extensions. This allows us to have multiple customers using the same extension pools. It also reduces the hack footprint, as hackers must know the prefix for a customer to try and brute force things. All passwords use 8+ characters with alphanumeric and special characters.

As I see it, Asterisk does very well at keeping out the hackers if you use a solid design in your peer and dialplans. At the least, put an alpha character pre or post; otherwise you are just asking for it. Use your head; you can be smarter than they are.

We are looking into ipban as well. If anyone has an example of ipban I would love to see how best to implement it. In a 4 year period we have not had a breach, but we do get about 10 to 15 hack attempts a week. We have blocking scripts that block IPs at the primary firewall, but I would like to trigger the ipban at each switch level. Could I also use the ipban method to trigger the auto updates to our primary firewalls? Any advice is appreciated.


Bryant 



You could also use OSSEC http://www.ossec.net and a custom decoder and rule: 

<!-- Decoder: matches chan_sip "Registration from ... failed for 'a.b.c.d'" NOTICE lines
     and extracts the offending address as srcip. The \S+ after the prematch assumes
     the quoted identity contains no whitespace; in OSSEC regex '.' matches any character. -->
<decoder name="local-asterisk-denied"> 
<prematch>NOTICE[\d+] \S+: Registration from </prematch> 
<regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex> 
<order>srcip</order> 
</decoder> 

<!-- Rule: one failed registration, logged at level 5. -->
<rule id="110005" level="5"> 
<decoded_as>local-asterisk-denied</decoded_as> 
<description>Asterisk Potentially Under Attack</description> 
</rule> 

<!-- Rule: repeated failures from the same source IP within the timeframe (seconds)
     escalate to level 10, which is what an active response would key on. -->
<rule id="110006" level="10" frequency="5" timeframe="10"> 
<if_matched_sid>110005</if_matched_sid> 
<same_source_ip /> 
<description>Asterisk Under Brute Force Attack</description> 
</rule> 
-- 
Thanks, Phil 