[asterisk-users] Blacklist failed attempts

Benoit Panizzon benoit.panizzon at imp.ch
Thu Mar 1 08:49:40 CST 2018 

Hi

You could do somethink like this in Perl:

#!/usr/bin/perl -w
use strict;
use warnings;
my (@failhost);
my %currblocked;
my %addblocked;
my $action;

open (MYINPUTFILE, "/var/log/asterisk/messages") or die "\n", $!, "Does log file file exist\?\n\n";
 
while (<MYINPUTFILE>) {
    my ($line) = $_;
    chomp($line);
    if ($line =~ m/\' failed for \'(.*?):\d+\' - No matching peer found/) {
        push(@failhost,$1);
    }
    if ($line =~ m/\' failed for \'(.*?):\d+\' - Wrong password/) {
        push(@failhost,$1);
    }
}
 
my $blockedhosts = `/sbin/iptables -n -L asterisk`;
 
while ($blockedhosts =~ /(.*)/g) {
    my ($line2) = $1;
    chomp($line2);
    if ($line2 =~ m/(\d+\.\d+\.\d+\.\d+)(\s+)/) {
        $currblocked{ $1 } = 'blocked';
    }
}

if (@failhost) {
    &count_unique(@failhost);
    while (my ($ip, $count) = each(%addblocked)) {
        if (exists $currblocked{ $ip }) {
        } else {
            $action = `/sbin/iptables -I asterisk -s $ip -j REJECT`;
            print "$ip blocked. $count attempts.\n";
        }
    }
} else {
#    print "no failed registrations.\n";
}
 
sub count_unique {
    my @array = @_;
    my %count;
    map { $count{$_}++ } @array;
    map {($addblocked{ $_ } = ${count{$_}})} sort keys(%count);
}

Mind, this would NOT block attempts via IPv6. So I have stopped using that script, also reading the file over and over again is not very performant.

I have not opted to using my MirkroTik Firewall to block failed attempts, similar rules can also be make with iptables:

In the Mangle Ruleset:

 1    ;;; SIP Check Unauth
      chain=forward action=add-dst-to-address-list protocol=udp src-address-list=SIP-Servers address-list=sip-auth-fail address-list-timeout=10m 
      out-interface=IMP-PPPOE src-port=5060 content=SIP/2.0 401 Unauthorized log=no log-prefix=""

 2    ;;; tcp sip check auth fail
      chain=forward action=add-dst-to-address-list protocol=tcp src-address-list=SIP-Servers address-list=sip-auth-fail address-list-timeout=10m 
      out-interface=IMP-PPPOE src-port=5060 content=SIP/2.0 401 Unauthorized log=no log-prefix=""

And then you just block all source address from sip-auth-fail in your forwarding table. This works for IPv6 and IPv4.

(Als yes, depending on the speed of your link, this also could be ressource intensive on your firewall, as it does full packet inspection.

Mit freundlichen Grüssen

-Benoît Panizzon-
-- 
I m p r o W a r e   A G    -    Leiter Commerce Kunden
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Schweiz                         Web  http://www.imp.ch
______________________________________________________

More information about the asterisk-users mailing list