[asterisk-users] file2ban
--[ UxBoD ]--
uxbod at splatnix.net
Tue Jul 26 16:04:32 CDT 2011
If you are using OSSEC, here are some rules:
<rule id="10000" level="5">
  <decoded_as>local-asterisk-denied</decoded_as>
  <description>Asterisk Potentially Under Attack</description>
</rule>

<rule id="10001" level="8" frequency="5" timeframe="10">
  <if_matched_sid>10000</if_matched_sid>
  <same_source_ip />
  <description>Asterisk Under Brute Force Attack</description>
</rule>
and for the local_decoder:
<decoder name="local-asterisk-denied">
  <prematch>NOTICE[\d+] \S+: Registration from </prematch>
  <regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex>
  <order>srcip</order>
</decoder>
OSSEC can then use Active Response to block the IP using iptables.
--
Thanks, Phil
----- Original Message -----
>
>
> > -----Original Message-----
> > From: asterisk-users-bounces at lists.digium.com
> > [mailto:asterisk-users-bounces at lists.digium.com]
> > On Behalf Of Bryant Zimmerman
> > Sent: Tuesday, July 26, 2011 3:22 PM
> > To: Asterisk Users Mailing List - Non-Commercial Discussion
> > Subject: Re: [asterisk-users] file2ban
> >
> > I want to add an entry to a database every time a brute force
> > registration attempt is done. From this database we are updating
> > Cisco routers with our ban list so our entire network is protected.
> > The database side of things is working and has been for some time.
> > I really would like to add the file2ban side of it to protect our
> > Asterisk system better.
>
> Look at /etc/fail2ban/action.d/. Actions in the default config
> run an iptables command to insert the ban into IPTables, but you
> can have it run most any command.
>
>
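
Added example, not part of the original message: one way to wire rule 10001 above to OSSEC Active Response in ossec.conf, using the firewall-drop.sh script that ships with OSSEC. The 600 second timeout, the "local" location and the whitelisted address 192.0.2.10 are assumptions chosen for illustration.

```xml
<!-- Added example for ossec.conf on the OSSEC server; not from the original post. -->
<ossec_config>
  <global>
    <!-- Never block trusted SIP peers or management hosts.
         192.0.2.10 is a constructed placeholder address. -->
    <white_list>127.0.0.1</white_list>
    <white_list>192.0.2.10</white_list>
  </global>

  <!-- firewall-drop.sh is the iptables script shipped with OSSEC;
       it receives the srcip extracted by the decoder. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Fire only on the correlated rule 10001, not on every
       single failed registration (rule 10000). -->
  <active-response>
    <command>firewall-drop</command>
    <!-- "local" runs the block on the agent that reported the event. -->
    <location>local</location>
    <rules_id>10001</rules_id>
    <!-- Assumed value: remove the block after 600 seconds. -->
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Whitelisting upstream SIP trunks and your own monitoring hosts before enabling the response avoids locking out legitimate peers that retry registration quickly.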