[asterisk-users] Iptables configuration to handle brute force registrations?

Paul Dugas paul at dugasenterprises.com
Tue Apr 5 16:38:15 CDT 2011


First, this appears to be working for me though I'm not 100% sure of
that and cannot guarantee it will for you in any way, shape or form.
With the lawyering out of the way...

I've seen fail2ban allow more than 500 failed SIP login attempts in
under 30 seconds before adding an iptables rule to block the attacker.
Likely I have it configured wrong, but lately I've been tinkering
with iptables rules using the "recent" module as another layer of
defense.  Relevant lines from /etc/sysconfig/iptables on my
CentOS/Asterisk machine below...

-A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --set --name SIP
-A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds  600 --hitcount  20 --rttl -j DROP
-A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds  300 --hitcount  10 --rttl -j DROP
-A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds  180 --hitcount   5 --rttl -j DROP
-A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds   60 --hitcount   3 --rttl -j DROP
-A RH-Firewall-1-INPUT -p udp --dport 5060 -j ACCEPT

This blocks the attacker when too many new SIP connections happen in
too short a period of time.  I think fail2ban will now never see
enough failed logins to fire off a response.

$0.02

On Tue, Apr 5, 2011 at 2:31 PM, Bill Michaelson <bill at cosi.com> wrote:
>
> fail2ban might be good for this.
>
> On 04/05/2011 01:00 PM, asterisk-users-request at lists.digium.com wrote:
>
> Date: Tue, 5 Apr 2011 08:44:41 -0700 (PDT)
> From: Steve Edwards <asterisk.org at sedwards.com>
> Subject: Re: [asterisk-users] Iptables configuration to handle brute force registrations?
>
> On Tue, 5 Apr 2011, Gilles wrote:
>
> I'm no expert of iptables, and it seems like it can handle banning
> IP's that are trying to register and fail too many times.
>
> Is there a good iptables configuration that I could use as reference?
>
> Gordon Henderson posted a link to his script that handled failures above a
> threshold and some other cool stuff a few months back.
>
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>               http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users
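To see how the six rules above behave before putting them on a live PBX, here is an added example (not from the post, and not the kernel's xt_recent code) that models the "recent" module's per-source timestamp list in Python and replays the rule order from the post: --set first, then the four --rcheck/DROP tiers, then ACCEPT. Everything in it is an assumption or a simplification: the per-source list holds the xt_recent default of 20 timestamps (ip_pkt_list_tot), --rttl is approximated by keying an entry on the packet TTL and starting a fresh entry when the TTL changes, and the three traffic sources (a scanner, a phone re-registering every two minutes, and a phone retransmitting an unanswered REGISTER on the SIP T1 backoff) are constructed, not captured.

```python
"""Simplified model of the xt_recent rate-limit chain from the post.

Not the kernel implementation; a defender's sandbox for tuning thresholds.
"""
from collections import defaultdict, deque

IP_PKT_LIST_TOT = 20  # xt_recent default: timestamps remembered per source

# (--seconds, --hitcount) pairs, in the order the post lists the DROP rules
TIERS = ((600, 20), (300, 10), (180, 5), (60, 3))


class RecentTable:
    """One named list (the post uses --name SIP) of recent packet timestamps."""

    def __init__(self, max_entries=IP_PKT_LIST_TOT):
        self.max_entries = max_entries
        self.entries = {}  # src -> {"stamps": deque of times, "ttl": int}

    def set(self, src, now, ttl):
        """-m recent --set: record this packet's timestamp for its source."""
        e = self.entries.get(src)
        if e is None or e["ttl"] != ttl:
            # --rttl approximation: an entry is tied to the TTL it was
            # created with; a packet with another TTL starts a fresh entry.
            e = {"stamps": deque(maxlen=self.max_entries), "ttl": ttl}
            self.entries[src] = e
        e["stamps"].append(now)

    def rcheck(self, src, now, seconds, hitcount, ttl, rttl=True):
        """-m recent --rcheck --seconds S --hitcount H [--rttl]."""
        e = self.entries.get(src)
        if e is None or (rttl and e["ttl"] != ttl):
            return False
        hits = sum(1 for t in e["stamps"] if now - t <= seconds)
        return hits >= hitcount


def sip_verdict(table, src, now, ttl, tiers=TIERS):
    """Walk the post's rule order for one NEW udp/5060 packet."""
    table.set(src, now, ttl)                      # rule 1: --set (runs even when later rules DROP)
    for seconds, hitcount in tiers:               # rules 2-5: --rcheck ... -j DROP
        if table.rcheck(src, now, seconds, hitcount, ttl):
            return "DROP"
    return "ACCEPT"                               # rule 6: -j ACCEPT


def simulate(packets, tiers=TIERS):
    """packets: iterable of (time_seconds, src_ip, ttl). Returns src -> list of verdicts."""
    table = RecentTable()
    verdicts = defaultdict(list)
    for now, src, ttl in sorted(packets):
        verdicts[src].append(sip_verdict(table, src, now, ttl, tiers))
    return dict(verdicts)


# --- constructed traffic (sample data, not captures) ---------------------------
def scanner(src="203.0.113.7", count=30, interval=0.1):
    """Registration brute-forcer: a new REGISTER every 100 ms."""
    return [(i * interval, src, 52) for i in range(count)]


def quiet_phone(src="192.0.2.10", period=120, minutes=10):
    """Well-behaved phone: one REGISTER every two minutes."""
    return [(float(t), src, 64) for t in range(0, minutes * 60 + 1, period)]


def retransmitting_phone(src="192.0.2.20", base=300.0):
    """Phone whose REGISTER goes unanswered and is retransmitted on the SIP T1
    backoff (0.5 s, 1 s, 2 s ...); every copy is still NEW to conntrack."""
    return [(base + d, src, 64) for d in (0.0, 0.5, 1.5, 3.5)]


if __name__ == "__main__":
    result = simulate(scanner() + quiet_phone() + retransmitting_phone())
    for src, verdicts in result.items():
        accepted = verdicts.count("ACCEPT")
        print(f"{src:14} {accepted:2d} accepted, {len(verdicts) - accepted:2d} dropped")
```

In the replay the scanner gets two packets through and is dropped from the third onwards, the two-minute phone is never touched, but the retransmitting phone loses its third and fourth copies: UDP packets for a flow that has not yet seen a reply are all state NEW, so a phone retrying against a busy Asterisk can trip the 3-in-60s tier on its own. Two things worth checking on a real box: --hitcount cannot exceed ip_pkt_list_tot (default 20, a module parameter of xt_recent), so the 20-in-600s tier sits exactly at that limit, and the live list can be inspected in /proc/net/xt_recent/SIP, which is where to look when a known phone or trunk stops registering. Exempting trusted addresses with an ACCEPT placed before the --set rule keeps them out of the list entirely.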
