[asterisk-users] SIP fraud IP blacklist

Mitul Limbani mitul at enterux.in
Fri Apr 11 13:43:58 CDT 2014


Looks nice, might start using it Stefan :)

Thanks.

Mitul

On Friday, April 11, 2014, Stefan Gofferje <lists at home.gofferje.net> wrote:

> Hi,
>
> in case anyone is interested...
> I have started compiling a blacklist of hosts and networks from which
> SIP fraud attempts occur.
> My criteria currently are:
>
> To block an IP:
> - Minimum 3 attacks within one week from the same IP
> To block a network:
> - Attacks from minimum 3 IPs from that network within 2 weeks
> Common criteria:
> - Provider does not react to complaints OR
> - Provider sends autoreply but attacks don't stop within a week
>
> Definition of attack:
> - Minimum 5 attempts to make an unauthorized phone call to a
> non-PBX-internal number OR
> - Minimum 10 attempts to make an unauthorized phone call to a
> PBX-internal number OR
> - Minimum 10 failed authentication attempts
>
> If this happens, the IP gets auto-banned (iptables) for 24 hours and
> goes to my watch list. The watch list is the base for my further decisions.
>
> Currently, I don't remove IPs or networks from the list. If I have time
> and/or motivation I might create some kind of removal process later -
> also, depending on how big the list gets and how many people use it.
>
> The list is still pretty short but for me, it has reduced the noise on my
> PBX from 20-30 attacks per day to about 2 or 3 per week, especially
> after most of the Palestinian networks ended up on the list.
>
> You're free to use the list - on your own responsibility and risk. It's
> in the ipdeny.com format, so a simple script can be used to CURL the
> list and create iptables rules from it. A sample script for something
> like that is also on my website (check the Linux section).
>
> That's the website for the list:
> http://stefan.gofferje.net/it-stuff/sipfraud/sip-attacker-blacklist
>
> And that's the download URL:
> http://stefan.gofferje.net/sipblocklist.zone
>
> Note that the list is updated every 6h so polling it more often doesn't
> help anything. Please limit polling to once a day or so.
>
> -S
>
> --
>  (o_   Stefan Gofferje            | SCLT, MCP, CCSA
>  //\   Reg'd Linux User #247167   | VCP #2263
>  V_/_  Heckler & Koch - the original point and click interface
>
>
>

-- 
Regards,
Mitul Limbani,
Chief Architech & Founder,
Enterux Solutions Pvt. Ltd.
110 Reena Complex, Opp. Nathani Steel,
Vidyavihar (W), Mumbai - 400 086. India
http://www.enterux.com/
http://www.entvoice.com/
email: mitul at enterux.in
DID: +91-22-71967196
Cell: +91-9820332422
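
The zone-file-to-iptables step described in the quoted post, as an added example that is not part of the thread and is not the sample script from Stefan's website. It validates every line before it becomes a rule, since the list is third-party data fetched over plain HTTP. It assumes one IPv4 address or CIDR per line; the chain name `SIPFRAUD`, the `MIN_PREFIX` limit and the function names are illustrative choices.

```sh
#!/bin/sh
# Added example, not the script from Stefan's website. Assumed: one IPv4
# address or CIDR per line; chain name and MIN_PREFIX are illustrative.
MIN_PREFIX=16   # refuse entries broader than a /16 (assumed safety limit)

# Read zone lines on stdin; print valid entries, report rejects on stderr.
valid_cidrs() {
    tr -d '\r' | awk -v min="$MIN_PREFIX" '
    function bad(why) { print "rejected (" why "): " $0 > "/dev/stderr" }
    /^[ \t]*$/ || /^[ \t]*#/ { next }          # blank lines and comments
    {
        if (NF != 1)                      { bad("extra fields"); next }
        if ($1 !~ /^[0-9.]+(\/[0-9]+)?$/) { bad("not IPv4/CIDR"); next }
        n = split($1, p, "/")
        len = (n == 2) ? p[2] + 0 : 32
        if (len < min || len > 32)        { bad("prefix length"); next }
        if (split(p[1], o, ".") != 4)     { bad("octet count"); next }
        for (i = 1; i <= 4; i++)
            if (o[i] == "" || length(o[i]) > 3 || o[i] + 0 > 255) {
                bad("octet value"); next
            }
        print p[1] "/" len
    }'
}

# Wrap validated entries as iptables-restore input for a dedicated chain.
restore_input() {
    echo '*filter'
    echo ':SIPFRAUD - [0:0]'
    valid_cidrs | sed -e 's|^|-A SIPFRAUD -s |' -e 's|$| -j DROP|'
    echo 'COMMIT'
}

# Constructed sample input (documentation ranges), not the real list.
sample_zone() {
    printf '%s\n' '# constructed sample' '192.0.2.15' '198.51.100.0/24' \
        '0.0.0.0/0' '203.0.113.7 -j ACCEPT' '10.1.2.999' '203.0.113.0/33'
}

sample_zone | restore_input

# Real use, run as root, at most once a day as the post asks:
#   f=$(mktemp) && curl -fsS -o "$f" http://stefan.gofferje.net/sipblocklist.zone &&
#     restore_input < "$f" | iptables-restore --noflush
```

The chain only takes effect once a rule such as `iptables -I INPUT -j SIPFRAUD` sends traffic to it. Downloading to a file first means a failed fetch leaves the existing rules in place instead of loading an empty chain.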