[asterisk-users] stopping unwanted attempts

Steve Murphy murf at parsetree.com
Sun Jan 19 08:40:59 CST 2014 

On Sat, Jan 18, 2014 at 3:59 PM, Steve Edwards <asterisk.org at sedwards.com>wrote:

> On Sat, 18 Jan 2014, Jerry Geis wrote:
>
>  I see MANY of these in my log files:
>>
>> [Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from '"202"
>> <sip:202 at X:5060>' failed for '37.8.12.147:26832' - Wrong password
>>
>> What is the "correct" way to block these idiots so they
>> don't even get this far.
>>
>
> Use iptables to allow packets from your legitimate users, block everybody
> else.
>
> If you are dealing with a mobile user base or an extensive geographic
> area, at least block the countries where you do not expect traffic -- North
> Korea, China, xxxistan, etc.
>
> Drop these at the front door (90% of the problem) and use fail2ban to pick
> off the rest.
>

​I see a problem here; firstly that it is no longer so simple to determine
the IP ranges of countries. Things have been fractured quite a bit; you
might have to hire out a service to determine true geographic origination.
Even then, if your service is a little behind, you might occasionally
feel the displeasure of users unable to talk to your servers. How will you
handle this, with a white-list? How much effort will you end up committing
to keeping your whitelist up to date?

Nextly, the well-financed operations running such probes need not use
machines in their native countries. There are plenty of US-based
machines that can be ( and are ) compromised. ​


​In other words, don't forget the fail2ban part!

Here's another idea! How about changing your port from 5060 to something
different, maybe 7067 or some other number that is not popularly being used?
You'll provision your phones to use this port, and the scanners will not
find you. Seems a much simpler solution... but there are some drawbacks...
can anyone think of them? And will these drawbacks matter to you? And, given
this solution, will the odds that a scanner might find your machine be so
low,
that it is not worth using something like fail2ban to override them? Food
for thought!

murf

-- 

Steve Murphy
ParseTree Corporation
57 Lane 17
Cody, WY 82414
✉  murf at parsetree dot com
☎ 307-899-5535
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20140119/395b5c20/attachment.html>

More information about the asterisk-users mailing list