[asterisk-users] SIP Blacklisting

Andrew Latham lathama at gmail.com
Thu Oct 21 11:01:57 CDT 2010


With CRON or as an init.d you can do many things...

http://www.spamhaus.org/faq/answers.lasso?section=DROP%20FAQ#116


~
Andrew "lathama" Latham
lathama at gmail.com

* Learn more about OSS http://en.wikipedia.org/wiki/Open-source_software
* Learn more about Linux http://en.wikipedia.org/wiki/Linux
* Learn more about Tux http://en.wikipedia.org/wiki/Tux



On Thu, Oct 21, 2010 at 12:54 PM, Jeff LaCoursiere <jeff at sunfone.com> wrote:
>
> On Thu, 21 Oct 2010, Steve Howes wrote:
>
>> Hi,
>>
>> Given the recent increase in SIP brute force attacks, I've had a little
>> idea.
>>
>> The standard scripts that block after X attempts work well to prevent
>> you actually being compromised, but once you've been 'found' then the
>> attempts seem to keep coming for quite some time. Older versions of
>> sipvicious don't appear to stop once you start sending un-reachables (or
>> straight drops). Now this isn't a problem for Asterisk, but it does add
>> up in (noticeable) bandwidth costs - and for people running on lower
>> bandwidth connections. The tool to crash sipvicious can help this, but
>> very few attackers seem to obey it.
>>
>> The only way I can see to alleviate this, is to blacklist hosts *before*
>> they attack. This means you won't ever be targeted past an initial scan.
>>
>> Is there any interest in a 'shared' blacklist (similar to spam
>> blacklists, but obviously implemented in a way that is more usable with
>> Asterisk/iptables)? Clearly it raises issues about false positives etc,
>> but requiring reports from more than X hosts should alleviate this.
>> There's all the usual de-listing / false-listing worries as with any
>> blacklist, but the SMTP world has solutions we could learn from.
>>
>> Leaving a 'honeypot' running on a single IP address has revealed a few
>> hundred addresses in less than a month. I am fairly certain these are
>> all 'bad' as this host isn't used for anything else. There is obviously
>> a wealth of data (and attacks) out there that would be good to share.
>>
>> Anyone have any thoughts?
>>
>> S
>> --
>
> I'll subscribe, that is for sure.  What is the best way to dist the
> blacklist?  iptables include file?  Or something more integrated to
> asterisk... just thinking off the top of my head that a module that vetted
> inbound connections against an external list would be a very cool thing.
>
> j
>
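Andrew's cron suggestion and Jeff's "iptables include file" question, as an added example that is not code from this thread: a POSIX sh script that turns a DROP-format list (one "CIDR ; comment" line each, the format Spamhaus publishes) into an iptables-restore fragment for a dedicated chain, and refuses to load a list that came back empty. The chain name SIPBLOCK, the udp/5060 match, the INPUT jump and the download URL are assumptions; the sample list is constructed.

```shell
#!/bin/sh
# Convert a DROP-format blocklist (one "CIDR ; comment" per line, ';' starts a
# comment) into an iptables-restore fragment for a dedicated chain. Meant to be
# run from cron; rules are applied only when "apply" is passed, so the
# functions can be exercised without root.

CHAIN="SIPBLOCK"   # assumed chain name; INPUT is assumed to have "-j SIPBLOCK"
SIP_PORT="5060"    # assumed SIP signalling port (udp)
MIN_ENTRIES="1"    # refuse to load a list with fewer prefixes than this

# Constructed sample in DROP style; the prefixes are documentation ranges.
SAMPLE_LIST='; DROP list (constructed sample)
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
garbage ; not an address
'

# Read list text on stdin, print only well-formed IPv4 prefixes.
list_to_cidrs() {
    sed -e 's/;.*$//' -e 's/[[:space:]]//g' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || true
}

# Read prefixes on stdin, print a fragment that rebuilds CHAIN from scratch.
# With "iptables-restore --noflush" only the chain listed here is flushed.
cidrs_to_restore() {
    printf '*filter\n:%s - [0:0]\n' "$CHAIN"
    while IFS= read -r cidr; do
        printf '%s\n' "-A $CHAIN -s $cidr -p udp --dport $SIP_PORT -j DROP"
    done
    printf 'COMMIT\n'
}

# Build the fragment from list text on stdin. Returns non-zero when the list
# is too short, so an empty or truncated download never silently clears the chain.
build_rules() {
    cidrs=$(list_to_cidrs)
    n=$(printf '%s\n' "$cidrs" | grep -c . || true)
    [ "$n" -ge "$MIN_ENTRIES" ] || return 1
    printf '%s\n' "$cidrs" | cidrs_to_restore
}

# Cron usage (assumed URL):  curl -fsS "$LIST_URL" | sh sipblock.sh apply
if [ "${1:-}" = "apply" ]; then
    build_rules | iptables-restore --noflush
fi
```

Reports from several hosts, as Steve proposes, would be merged before publication; this script only consumes the published result.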


