[asterisk-users] Auto ban IP addresses

Geoff Lane geoff at gjctech.co.uk
Thu Jan 3 06:06:19 CST 2013


On Wednesday, January 2, 2013, Frank wrote:

> Is there a way to automatically ban IP addresses from
> attackers within asterisk ?

As others have mentioned, fail2ban does a good job. However, it may
not be enough as these attacks sometimes come from older versions of
the SipVicious hacking tool that keep trying even after they cease
getting a response -- i.e. the attack continues even after fail2ban
has jailed the host, which eats into your bandwidth and can cause
denial of service in extreme cases.

FWIW, I suffered one such attack last year after my router died and
the temporary replacement couldn't selectively block or forward UDP
5060 based on WAN IP address. The attack continued for over eight days
and consumed over a gigabyte a day of my bandwidth for the first three
of those days -- until I'd replaced the temporary router and taken
proactive measures. An initial LART to the attacking host's owner and
their provider achieved little.

I ended up installing SipVicious on a virtual machine to which I
routed all SIP requests from the attacker. On the VM I set up svcrash
to automatically crash the attacking script each time it received a
SIP request. This cut the attack down to one request every couple of
seconds. In the end, I suggested to the owner of the attacking host
that it might be a good idea for them to remove Python unless it was
actually needed and in any case to remove from that machine all
instances of svwar.py and svcrack.py together with the remainder of
the SipVicious suite. The attack stopped shortly after.

I suspect that any system that responds to all SIP requests is likely
to attract such attacks. My solution is to silently drop SIP traffic
from all but my SIP providers, which means that attackers perceive
that my Asterisk box doesn't exist. This is not ideal as it also
prevents legitimate direct SIP calls and reinvites, but IMO better
that than having bandwidth I pay for by the gigabyte consumed by
brute force attacks.

-- 
Geoff
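The "silently drop SIP from everyone but my providers" policy described above, rendered as an iptables rule set. This is an added example, not Geoff's own configuration: the provider addresses are constructed placeholders, the chain name SIP-ALLOW is an assumption, and the script only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the original post). Provider addresses are
# constructed placeholders: replace them with your own SIP trunk providers.
SIP_PROVIDERS="198.51.100.10 203.0.113.0/24"

# Emit one ACCEPT rule: $1 = provider address or CIDR, $2 = protocol, $3 = port.
emit_provider_rule() {
    printf 'iptables -A SIP-ALLOW -p %s --dport %s -s %s -j ACCEPT\n' "$2" "$3" "$1"
}

# Print the complete rule set to stdout. Nothing is applied here; review the
# output, then pipe it into sh (or adapt it for iptables-restore).
sip_allowlist_rules() {
    # Create the chain, or flush it if it already exists from an earlier run.
    printf 'iptables -N SIP-ALLOW 2>/dev/null || iptables -F SIP-ALLOW\n'
    for addr in $SIP_PROVIDERS; do
        emit_provider_rule "$addr" udp 5060
        emit_provider_rule "$addr" tcp 5060
        emit_provider_rule "$addr" tcp 5061
    done
    # DROP rather than REJECT: no ICMP unreachable or TCP RST is sent back,
    # so a scanner sees no sign that a SIP service exists on this host.
    printf 'iptables -A SIP-ALLOW -p udp --dport 5060 -j DROP\n'
    printf 'iptables -A SIP-ALLOW -p tcp --dport 5060 -j DROP\n'
    printf 'iptables -A SIP-ALLOW -p tcp --dport 5061 -j DROP\n'
    # Hook the chain into INPUT ahead of any existing rules.
    printf 'iptables -I INPUT -j SIP-ALLOW\n'
}

sip_allowlist_rules
```

As the post notes, this also drops legitimate direct SIP calls and re-INVITEs from anyone not on the provider list, so every trunk provider's signalling addresses must appear in SIP_PROVIDERS.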
