[asterisk-users] asterisk-users Digest, Vol 80, Issue 73

[JR Richardson]

>> Back to the original question, for those of you using Fail2Ban,
>> Does it take an unusually high amount of break-in attempts before
> attackers are banned?
>> I have it set to 5 attempts in fail2ban but usually, the attacker is able
> to make over 100 attempts before fail2ban bans them.
>> I've tried this using asterisk's /var/log/asterisk/messages and
> /var/log/messages with same results.
>> Perhaps someone else is experiencing this or has resolved it, thank you.
>>
> I have F2B set to ban after 1 attempt.  The most I have seen in the
> logs is 4-5 attemps before ban is applied.  I am calling scripts that
> apply the ban to a cisco access-list, so there is script/telnet/config
> delay but it is very minimal and works very well.
>
> JR
>
> Speaking blindly as someone who has yet to fool with F2B, I'd rather ban
> somebody after 5-20 attempts than have the overhead needed to ban them
> quicker.  Guess that's a na?ve view??
>
Well really I don't see why you would want to ban after >1 attempts.
Unless you mis-configure user/pass for the SIP peer, an error message
in the log for failure to register or ACL match is a bot or hacker
more often than not.  It's better to be safe and block first, then
pull the ban off the suspect IP once you realize it is legitimate.
I'd rather do that than let a hacker try to brute force password hack
for 20 or more attempts.  Some of these bots are real malicious with
attempts coming in the hundreds/sec so my philosophy is to block soon
and block often.  If you are going to run an automated blocking
mechanism, you should get proficient with un-blocking as well for
accidental blocking.

JR
-- 
JR Richardson
Engineering for the Masses