[asterisk-users] Iptables configuration to handle brute force registrations?

Danny Nicholas danny at debsinc.com
Tue Apr 5 17:00:50 CDT 2011


> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-
> bounces at lists.digium.com] On Behalf Of Paul Dugas
> Sent: Tuesday, April 05, 2011 4:38 PM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] Iptables configuration to handle brute force
> registrations?
> 
> First, this appears to be working for me though I'm not 100% sure of
> that and cannot guarantee it will for you in any way, shape or form.
> With the lawyering out of the way...
> 
> I've seen fail2ban allow more than 500 failed SIP login attempts in
> under 30 seconds before adding an iptables rule to block the attacker.
>  Likely I have it configured wrong but lately, I've been tinkering
> with iptables rules using the "recent" module as another layer of
> defense.  Relevant lines from /etc/sysconfig/iptables on my
> CENTOS/Asterisk machine below...
> 
<snip>
[Danny Nicholas] 
I'm no expert, but as I see it, for fail2ban to work properly in a "heavy
attack" environment, you MUST have your logs in realtime databases and
preferably also roll them frequently.  In "normal" Asterisk (as I use it),
logs are written at the end of a call (not good for attack scenario unless
attacks are quick and out) and in a heavy call environment, an attacker
could make quite a bit of headway before the log could be processed.
  
If you are "realtime" and rolling the logs hourly or so, fail2ban should
work pretty well, but no guarantees.
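Danny's point about log latency, illustrated with an added example that is not from the thread: a Python sketch of fail2ban-style maxretry/findtime counting over constructed Asterisk 1.8 chan_sip log lines, showing how many failures reach the log before a ban actually takes effect when the ban lags the threshold by an assumed `ban_delay` (log flush plus fail2ban poll plus iptables insert). The sample lines, the attacker address and the delay are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the chan_sip failed-registration NOTICE that fail2ban's asterisk filter
# keys on (Asterisk 1.8 log format). Sample lines below are constructed, not real.
FAILED_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '[^']*' failed for '(?P<ip>\d+\.\d+\.\d+\.\d+)(?::\d+)?' - ")

def constructed_log(attacker="198.51.100.7", rate=20, seconds=30):
    """Constructed burst: `rate` failed REGISTERs per second for `seconds` seconds."""
    t0 = datetime(2011, 4, 5, 16, 38, 0)
    lines = []
    for s in range(seconds):
        ts = (t0 + timedelta(seconds=s)).strftime("%b %d %H:%M:%S")
        for i in range(rate):
            lines.append(f"[{ts}] NOTICE[2211] chan_sip.c: Registration from "
                         f"'\"{100 + i}\" <sip:{100 + i}@192.0.2.10>' failed for "
                         f"'{attacker}:5060' - Wrong password")
    return "\n".join(lines)

def parse_failures(log_text, year=2011):
    """Return [(timestamp, source_ip)] for every failed-registration line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            out.append((datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]))
    return out

def attempts_until_ban(events, maxretry=5, findtime=600, ban_delay=5):
    """Sliding window like fail2ban's maxretry/findtime. Returns {ip: failures
    logged before the ban lands}; ban_delay (seconds, assumed) is the lag between
    the threshold being crossed in the log and the firewall rule being active."""
    window, crossed = defaultdict(deque), {}
    for ts, ip in events:
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if ip not in crossed and len(q) >= maxretry:
            crossed[ip] = ts  # the moment fail2ban *could* decide to ban
    return {ip: sum(1 for ts, x in events if x == ip and ts < t + timedelta(seconds=ban_delay))
            for ip, t in crossed.items()}

if __name__ == "__main__":
    burst = parse_failures(constructed_log())
    print(len(burst), "failures logged;", attempts_until_ban(burst), "got through before the ban")
```

With the defaults, the threshold is crossed in the first second but about 100 attempts are already in the log by the time a rule five seconds later would land, which is the headway Danny describes.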