[asterisk-users] RES: Auto ban IP addresses

Éder eder at openminds.com.br
Thu Jan 3 06:36:09 CST 2013 

Interesting...

-----Mensagem original-----
De: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] Em nome de Geoff Lane
Enviada em: quinta-feira, 3 de janeiro de 2013 10:06
Para: Asterisk Users Mailing List - Non-Commercial Discussion
Assunto: Re: [asterisk-users] Auto ban IP addresses

On Wednesday, January 2, 2013, Frank wrote:

> Is there a way to automatically ban IP address from attackers within 
> asterisk ?

As others have mentioned, fail2ban does a good job. However, it may not be
enough as these attacks sometimes come from older versions of the SipVicious
hacking tool that keep trying even after they cease getting a response --
i.e. the attack continues even after fail2ban has jailed the host, which
eats into your bandwidth and can cause denial of service in extreme cases.

FWIW, I suffered one such attack last year after my router died and the
temporary replacement couldn't selectively block or forward UDP
5060 based on WAN IP address. The attack continued for over eight days and
consumed over a gigabyte a day of my bandwidth for the first three of those
days -- until I'd replaced the temporary router and taken proactive
measures. An initial LART to the attacking host's owner and their provider
achieved little.

I ended up installing SipVicious to a virtual machine to which I router all
SIP requests from the attacker. On the VM I set up svcrash to automatically
crash the attacking script each time it received a SIP request. This cut the
attack down to one request every couple of seconds. In the end, I suggested
to the owner of the attacking host that it might be a good idea for them to
remove Python unless it was actually needed and in any case to remove from
that machine all instances of svwar.py and svcrack.py together with the
remainder of the SipVicious suite. The attack stopped shortly after.

I suspect that any system that responds to all SIP requests is likely to
attract such attacks. My solution is to silently drop SIP traffic from all
but my SIP providers, which means that attackers perceive that my Asterisk
box doesn't exist. This is not ideal as it also prevents legitimate direct
SIP calls and reinvites, but IMO better that than having bandwidth I pay for
by the gigabyte consumed by brute force attacks.

--
Geoff


--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
               http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

More information about the asterisk-users mailing list