[asterisk-users] Iptables configuration to handle brute force registrations?
Sherwood McGowan
sherwood.mcgowan at gmail.com
Wed Apr 6 01:19:46 CDT 2011
On 4/5/2011 4:38 PM, Paul Dugas wrote:
> First, this appears to be working for me though I'm not 100% sure of
> that and cannot guarantee it will for you in any way, shape or form.
> With the lawyering out of the way...
>
> I've seen fail2ban allow more than 500 failed SIP login attempts in
> under 30 seconds before adding an iptables rule to block the attacker.
> Likely I have it configured wrong but lately, I've been tinkering
> with iptables rules using the "recent" module as another layer of
> defense. Relevant lines from /etc/sysconfig/iptables on my
> CENTOS/Asterisk machine below...
>
> -A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --set --name SIP
> -A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds 600 --hitcount 20 --rttl -j DROP
> -A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds 300 --hitcount 10 --rttl -j DROP
> -A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds 180 --hitcount 5 --rttl -j DROP
> -A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds 60 --hitcount 3 --rttl -j DROP
> -A RH-Firewall-1-INPUT -p udp --dport 5060 -j ACCEPT
>
> This blocks the attacker when too many new SIP connections happen in
> too short a period of time. I think fail2ban will now never see
> enough failed logins to fire off a response.
>
> $0.02
>
That was completely worth the $0.02, here's a nickel & keep the change! ;-)
Cheers mate, thanks for sharing with the community :)
--
Sherwood McGowan <sherwood.mcgowan at gmail.com>
Carrier, ITSP, Call Center, and PBX Solutions Consultant
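To see what the quoted rule set actually does to a given source address, here is an added Python model of the netfilter "recent" match (this is not code from the thread or from the iptables project). It assumes the documented xt_recent behaviour: the module keeps at most ip_pkt_list_tot timestamps per address (default 20, and a --hitcount larger than that is refused when the rule is loaded), --rcheck with --seconds/--hitcount matches when at least hitcount recorded stamps are newer than now minus seconds, and --rttl compares the packet's TTL with the TTL seen when the entry was first created. The traffic, addresses and TTLs are constructed for the example.

```python
# Added example: a model of the netfilter "recent" match, used to trace how the
# quoted SIP rule set treats a source address. Not code from the thread.
# Assumptions (from the xt_recent documentation): at most ip_pkt_list_tot (default
# 20) stamps per address, --rcheck counts stamps strictly newer than now - seconds,
# --rttl compares the packet TTL with the TTL recorded when the entry was created.
from collections import deque
from dataclasses import dataclass, field

IP_PKT_LIST_TOT = 20  # xt_recent module default; a --hitcount above this is rejected


@dataclass
class Entry:
    ttl: int  # TTL of the packet that created the entry (what --rttl compares against)
    stamps: deque = field(default_factory=lambda: deque(maxlen=IP_PKT_LIST_TOT))


class RecentList:
    """One named list (the quoted rules call theirs 'SIP'), keyed by source address."""

    def __init__(self):
        self.entries = {}

    def set(self, src, now, ttl):
        # --set: create the entry if needed and record this packet's time;
        # once the per-address ceiling is reached the oldest stamp is overwritten.
        e = self.entries.get(src)
        if e is None:
            e = self.entries[src] = Entry(ttl)
        e.stamps.append(now)

    def rcheck(self, src, now, seconds, hitcount, ttl, rttl=True):
        # --rcheck: match if the source is known, the TTL matches (--rttl), and at
        # least `hitcount` recorded stamps fall inside the last `seconds`.
        e = self.entries.get(src)
        if e is None:
            return False
        if rttl and e.ttl != ttl:
            return False
        hits = sum(1 for s in e.stamps if s > now - seconds)
        return hits >= hitcount


# The four DROP tiers from the quoted rules, in chain order: (--seconds, --hitcount)
TIERS = [(600, 20), (300, 10), (180, 5), (60, 3)]


def filter_packet(recent, src, now, ttl=64):
    """Walk the quoted chain for one NEW UDP/5060 packet from `src` at time `now`."""
    recent.set(src, now, ttl)  # rule 1: --set has no -j, so every new flow is recorded
    for seconds, hitcount in TIERS:  # rules 2-5: --rcheck ... -j DROP
        if recent.rcheck(src, now, seconds, hitcount, ttl):
            return "DROP"
    return "ACCEPT"  # rule 6: anything still here reaches Asterisk


def run(packets):
    """packets: iterable of (time_seconds, src_ip, ttl); returns the verdict per packet."""
    recent = RecentList()
    return [filter_packet(recent, src, t, ttl) for t, src, ttl in packets]


if __name__ == "__main__":
    # Constructed traffic (documentation address ranges): a 6-packet burst from one
    # address with a retry 200 s later, and a phone that re-registers every 100 s.
    burst = [(t, "203.0.113.5", 64) for t in range(6)] + [(200, "203.0.113.5", 64)]
    phone = [(t, "198.51.100.7", 64) for t in range(0, 1000, 100)]
    for label, pkts in (("burst", burst), ("phone", phone)):
        print(label, run(pkts))
```

Running it shows the shape of the policy: the third new flow from one address inside 60 seconds is dropped, a 6-packet burst is forgotten about three minutes later, while a 20-packet burst keeps the address blocked for the full 600-second tier, so heavier bursts earn longer blocks. A phone opening one new flow every 100 seconds never crosses any tier. Because the --set rule comes first and has no target, an attacker who keeps sending keeps refreshing their own entry, which is what makes the block persist for as long as the traffic continues.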