[asterisk-users] stopping unwanted attempts

Ron Wheeler rwheeler at artifact-software.com
Sun Jan 19 08:57:03 CST 2014 

fail2ban is so easy to set up, there is no reason not to set it up.

The geography problems are not so bad unless you have phones all over 
the world or people travelling with softphones to countries that you 
want to block.

It does not block incoming calls only people who want to mimic your own 
legitimate phones.


Ron

On 19/01/2014 9:40 AM, Steve Murphy wrote:
>
>
>
> On Sat, Jan 18, 2014 at 3:59 PM, Steve Edwards 
> <asterisk.org at sedwards.com <mailto:asterisk.org at sedwards.com>> wrote:
>
>     On Sat, 18 Jan 2014, Jerry Geis wrote:
>
>         I see MANY of these in my log files:
>
>         [Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from
>         '"202" <sip:202 at X:5060>' failed for '37.8.12.147:26832
>         <http://37.8.12.147:26832>' - Wrong password
>
>         What is the "correct" way to block these idiots so they
>         don't even get this far.
>
>
>     Use iptables to allow packets from your legitimate users, block
>     everybody else.
>
>     If you are dealing with a mobile user base or an extensive
>     geographic area, at least block the countries where you do not
>     expect traffic -- North Korea, China, xxxistan, etc.
>
>     Drop these at the front door (90% of the problem) and use fail2ban
>     to pick off the rest.
>
>
> I see a problem here; firstly that it is no longer so simple to determine
> the IP ranges of countries. Things have been fractured quite a bit; you
> might have to hire out a service to determine true geographic origination.
> Even then, if your service is a little behind, you might occasionally
> feel the displeasure of users unable to talk to your servers. How will you
> handle this, with a white-list? How much effort will you end up committing
> to keeping your whitelist up to date?
>
> Nextly, the well-financed operations running such probes need not use
> machines in their native countries. There are plenty of US-based
> machines that can be ( and are ) compromised.
>
>
> In other words, don't forget the fail2ban part!
>
> Here's another idea! How about changing your port from 5060 to something
> different, maybe 7067 or some other number that is not popularly being 
> used?
> You'll provision your phones to use this port, and the scanners will not
> find you. Seems a much simpler solution... but there are some drawbacks...
> can anyone think of them? And will these drawbacks matter to you? And, 
> given
> this solution, will the odds that a scanner might find your machine be 
> so low,
> that it is not worth using something like fail2ban to override them? Food
> for thought!
>
> murf
>
> -- 
>
> Steve Murphy
> ParseTree Corporation
> 57 Lane 17
> Cody, WY 82414
> ?  murf at parsetree dot com
> ? 307-899-5535
>
>
>
>


-- 
Ron Wheeler
President
Artifact Software Inc
email: rwheeler at artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20140119/0a9e1c55/attachment.html>

More information about the asterisk-users mailing list