[asterisk-users] Asterisk secure fine tune - stop attack

motty cruz motty.cruz at gmail.com
Thu Sep 4 11:32:36 CDT 2014


Thank you all for your support, your suggestions are welcome.
Thanks,


On Thu, Sep 4, 2014 at 9:26 AM, Chris Bagnall <asterisk at lists.minotaur.cc>
wrote:

> On 4/9/14 4:58 pm, Eric Wieling wrote:
>
>> If we don't need to allow access from outside the USA we block access
>> from all non-ARIN IP addresses by using iptables.   This takes care of at
>> least 80% of attacks.
>>
>
> Likewise here (though RIPE rather than ARIN, since we're the other side of
> the pond).
>
> You can also take it a bit further: if, for example, you know what ISP(s)
> your dynamic clients are using, you can limit connections to the IP ranges
> those ISP(s) use - look up their ranges on he.net's BGP looking glass if
> you need to find out what ranges they're using.
>
> Another thing I've been playing with of late is using iptables' string
> matching functionality to block user agents of known attack vectors:
> 'sipcli', 'sipvicious', 'friendly-scanner', etc.
>
> This seems to work remarkably well, though what impact it has on net
> performance under load remains to be seen.
>
> Kind regards,
>
> Chris
> --
> This email is made from 100% recycled electrons
>
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>               http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20140904/f81f84dd/attachment.html>


More information about the asterisk-users mailing list