[asterisk-users] file2ban

Pezhman Lali lopl at lopl.net
Wed Jul 27 03:41:57 CDT 2011


fail2ban is a very good idea, but check it every 2-3 days yourself.
These days, according to our reports, blind scanning of the SIP port (5060) on machines
is very common.
I think selecting a non-default port for SIP/IAX/H.323, etc. can save you
time and money.

According to our analysis, securing the databases reduces your risk by about 40%, equal
to preventing brute force attacks.
 best

On Wed, Jul 27, 2011 at 1:34 AM, --[ UxBoD ]-- <uxbod at splatnix.net> wrote:

> If you are using OSSEC here are some rules:
>
> <rule id="10000" level="5">
>  <decoded_as>local-asterisk-denied</decoded_as>
>  <description>Asterisk Potentially Under Attack</description>
> </rule>
>
> <rule id="10001" level="8" frequency="5" timeframe="10">
>  <if_matched_sid>10000</if_matched_sid>
>  <same_source_ip />
>  <description>Asterisk Under Brute Force Attack</description>
> </rule>
>
> and for the local_decoder:
>
> <decoder name="local-asterisk-denied">
>  <prematch>NOTICE[\d+] \S+: Registration from </prematch>
>  <regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex>
>  <order>srcip</order>
> </decoder>
>
> OSSEC can then use Active Response to block the IP using IPtables.
> --
> Thanks, Phil
>
> ----- Original Message -----
> >
> >
> > > -----Original Message-----
> > > From: asterisk-users-bounces at lists.digium.com
> > > [mailto:asterisk-users-
> > > bounces at lists.digium.com] On Behalf Of Bryant Zimmerman
> > > Sent: Tuesday, July 26, 2011 3:22 PM
> > > To: Asterisk Users Mailing List - Non-Commercial Discussion
> > > Subject: Re: [asterisk-users] file2ban
> > >
> > > I want to add an entry to a database every time a brute force
> > > registration attempt is done. From this database we are updating
> > > Cisco routers with our ban list so our entire network is protected.
> > > The database side of things is working and has been for some time.
> > > I really would like to add the fail2ban side of it to protect our
> > > asterisk system better.
> >
> > Look at /etc/fail2ban/action.d/. The actions in the default config
> > run an iptables command to insert the ban into iptables, but you
> > can have them run most any command.
> >
> >
> > --
> > _____________________________________________________________________
> > -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> > New to Asterisk? Join us for a live introductory webinar every Thurs:
> >                http://www.asterisk.org/hello
> >
> > asterisk-users mailing list
> > To UNSUBSCRIBE or update options visit:
> >    http://lists.digium.com/mailman/listinfo/asterisk-users
> >
>
>



-- 
Pezhman Lali
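The OSSEC rule pair and decoder Phil quoted above, together with Bryant's goal of writing every brute-force hit to a database, as one added Python example that is not code from the thread or from the OSSEC or fail2ban projects. The log lines are constructed to look like Asterisk 1.8 "full" log entries (the exact wording varies by version, so check against your own log), the thresholds follow rule 10001 (5 failures from one source IP within 10 seconds), and an in-memory SQLite table stands in for the ban database that feeds the router ACLs. One caveat worth checking in the posted decoder: when the registering peer sends a display name the From part contains spaces, and the failing address usually carries a ":port" suffix, so a `\S+` followed by a bare dotted-quad pattern misses those lines; the regex below accepts both shapes.

```python
import re
import sqlite3
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of an Asterisk "full" log (not captured from a real system).
# 192.0.2.10 fails five registrations in five seconds; 198.51.100.7 fails twice,
# 24 seconds apart; one VERBOSE line is noise the decoder must ignore.
SAMPLE_LOG = """\
[Jul 27 03:40:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '192.0.2.10:5060' - Wrong password
[Jul 27 03:40:02] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '192.0.2.10:5060' - No matching peer found
[Jul 27 03:40:03] NOTICE[1234] chan_sip.c: Registration from '<sip:102@192.0.2.10>' failed for '192.0.2.10' - Wrong password
[Jul 27 03:40:04] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '192.0.2.10:5060' - Username/auth name mismatch
[Jul 27 03:40:05] NOTICE[1234] chan_sip.c: Registration from '"104" <sip:104@192.0.2.10>' failed for '192.0.2.10:5060' - Wrong password
[Jul 27 03:40:06] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '198.51.100.7:5060' - Wrong password
[Jul 27 03:40:30] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '198.51.100.7:5060' - Wrong password
[Jul 27 03:40:31] VERBOSE[1234] chan_sip.c: Really destroying SIP dialog '1234@198.51.100.7' Method: REGISTER
"""

# Python counterpart of the "local-asterisk-denied" decoder. The From part is
# matched as "anything but a quote" so display names with spaces are accepted,
# and an optional ":port" after the source address is consumed but not captured.
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\] "
    r"NOTICE\[\d+\] \S+: Registration from '(?P<from>[^']*)' "
    r"failed for '(?P<srcip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.*)$"
)


def decode(line):
    """Return {ts, srcip, reason} for a failed-registration line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Asterisk's timestamp has no year; strptime fills in 1900, which is fine
    # because only differences between timestamps are used below.
    ts = datetime.strptime(m.group("ts").replace("  ", " "), "%b %d %H:%M:%S")
    return {"ts": ts, "srcip": m.group("srcip"), "reason": m.group("reason")}


class BruteForceDetector:
    """Mirrors rule 10001: `frequency` decoded failures from the same source IP
    inside a sliding `timeframe` (seconds) raise one level-8 alert."""

    def __init__(self, frequency=5, timeframe=10):
        self.frequency = frequency
        self.timeframe = timeframe
        self.window = defaultdict(deque)   # srcip -> timestamps of recent failures
        self.alerts = []

    def feed(self, line):
        ev = decode(line)
        if ev is None:
            return None
        q = self.window[ev["srcip"]]
        q.append(ev["ts"])
        # Drop failures that fell out of the timeframe (same_source_ip + timeframe).
        while q and (ev["ts"] - q[0]).total_seconds() > self.timeframe:
            q.popleft()
        if len(q) >= self.frequency:
            q.clear()   # restart the count so one burst yields one alert
            alert = {"srcip": ev["srcip"], "level": 8, "ts": ev["ts"],
                     "description": "Asterisk Under Brute Force Attack"}
            self.alerts.append(alert)
            return alert
        return None


def run(log_text, frequency=5, timeframe=10):
    """Feed every line of a log through the detector and return the alerts."""
    det = BruteForceDetector(frequency, timeframe)
    for line in log_text.splitlines():
        det.feed(line)
    return det.alerts


def record_bans(alerts, db_path=":memory:"):
    """Write each alert into a ban table (the thread's router feed); returns the
    sorted list of banned addresses. SQLite here stands in for the real DB."""
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE IF NOT EXISTS bans "
                "(srcip TEXT PRIMARY KEY, first_seen TEXT, hits INTEGER NOT NULL)")
    for a in alerts:
        con.execute("INSERT OR IGNORE INTO bans (srcip, first_seen, hits) VALUES (?, ?, 0)",
                    (a["srcip"], a["ts"].strftime("%b %d %H:%M:%S")))
        con.execute("UPDATE bans SET hits = hits + 1 WHERE srcip = ?", (a["srcip"],))
    con.commit()
    banned = [row[0] for row in con.execute("SELECT srcip FROM bans ORDER BY srcip")]
    con.close()
    return banned


if __name__ == "__main__":
    found = run(SAMPLE_LOG)
    for a in found:
        print(a["ts"].strftime("%H:%M:%S"), a["srcip"], a["description"])
    print("banned:", record_bans(found))
```

Run against the sample, only 192.0.2.10 is reported: 198.51.100.7 fails twice but 24 seconds apart, so it never reaches five hits inside the window. Point `record_bans` at a file path (or swap the `sqlite3` calls for your own DB driver) to get the table that the router update job reads, and call `run` on the tail of Asterisk's full log, or on whatever fail2ban's action hands you, rather than on the constructed sample.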