[asterisk-users] Auto ban IP addresses

Frank frank at efirehouse.com
Thu Jan 3 08:27:25 CST 2013


Geoff,

That is a very good point.
I actually switched my firewall to close all ports but SSH.
I'll only allow specific IPs for incoming SIP. Thanks for the great note.

On 1/3/13 7:06 AM, Geoff Lane wrote:
> On Wednesday, January 2, 2013, Frank wrote:
>
>> Is there a way to automatically ban IP address from
>> attackers within asterisk ?
>
> As others have mentioned, fail2ban does a good job. However, it may
> not be enough as these attacks sometimes come from older versions of
> the SipVicious hacking tool that keep trying even after they cease
> getting a response -- i.e. the attack continues even after fail2ban
> has jailed the host, which eats into your bandwidth and can cause
> denial of service in extreme cases.
>
> FWIW, I suffered one such attack last year after my router died and
> the temporary replacement couldn't selectively block or forward UDP
> 5060 based on WAN IP address. The attack continued for over eight days
> and consumed over a gigabyte a day of my bandwidth for the first three
> of those days -- until I'd replaced the temporary router and taken
> proactive measures. An initial LART to the attacking host's owner and
> their provider achieved little.
>
> I ended up installing SipVicious to a virtual machine to which I
> route all SIP requests from the attacker. On the VM I set up svcrash
> to automatically crash the attacking script each time it received a
> SIP request. This cut the attack down to one request every couple of
> seconds. In the end, I suggested to the owner of the attacking host
> that it might be a good idea for them to remove Python unless it was
> actually needed and in any case to remove from that machine all
> instances of svwar.py and svcrack.py together with the remainder of
> the SipVicious suite. The attack stopped shortly after.
>
> I suspect that any system that responds to all SIP requests is likely
> to attract such attacks. My solution is to silently drop SIP traffic
> from all but my SIP providers, which means that attackers perceive
> that my Asterisk box doesn't exist. This is not ideal as it also
> prevents legitimate direct SIP calls and reinvites, but IMO better
> that than having bandwidth I pay for by the gigabyte consumed by
> brute force attacks.
>

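The allowlist approach Geoff describes (accept UDP 5060 only from known SIP providers, silently drop everything else so scanners see no host) can be expressed as a short firewall script. The following is an added example, not Geoff's or Frank's actual configuration: it generates iptables rules for a list of provider addresses, validates the arguments, and uses DROP rather than REJECT so no reply at all goes back. The provider addresses are constructed placeholders from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example: restrict SIP signalling (UDP/5060) to an allowlist of
# provider addresses and silently DROP the rest. Not the list's own config.

# Print the iptables commands for the given provider IPs or CIDR blocks.
# Keeping generation separate from execution lets the rules be reviewed,
# and lets the script run without root.
sip_allowlist_commands() {
    for ip in "$@"; do
        # Accept only dotted-quad or CIDR syntax; anything else is rejected
        # so a stray argument can never turn into an unintended rule.
        case "$ip" in
            *[!0-9./]*|'')
                echo "sip_allowlist_commands: bad address '$ip'" >&2
                return 1
                ;;
        esac
        printf 'iptables -A INPUT -p udp --dport 5060 -s %s -j ACCEPT\n' "$ip"
    done
    # DROP, not REJECT: no ICMP unreachable is sent, so the Asterisk box
    # looks nonexistent to scanners, which is the behaviour Geoff wanted.
    printf 'iptables -A INPUT -p udp --dport 5060 -j DROP\n'
}

# Apply the generated rules (requires root); exits on the first failure.
apply_sip_allowlist() {
    sip_allowlist_commands "$@" | sh -e
}

# Review the rules with constructed placeholder provider addresses.
sip_allowlist_commands 203.0.113.10 198.51.100.0/24
```

The ACCEPT rules must precede the final DROP, which is why the function appends them in order; if a provider uses several signalling hosts, pass each address or the provider's published CIDR block. This only covers signalling, so RTP media ports still need their own policy.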

