fail2ban is a very good idea, but check it every 2-3 days yourself.<div>These days, according to our reports, blind scanning of the SIP port (5060) on machines is very public.</div><div>I think selecting an undefined port for SIP/IAX/H.323, etc. can save you time and money.</div>
<div><br></div><div>According to our analysis, securing the databases reduces your risk by about 40%, equal to preventing brute-force attacks.</div>
<div>Best</div><div> </div><div><div class="gmail_quote">On Wed, Jul 27, 2011 at 1:34 AM, --[ UxBoD ]-- <span dir="ltr">&lt;<a href="mailto:uxbod@splatnix.net">uxbod@splatnix.net</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">If you are using OSSEC, here are some rules:<br>
<br>
<rule id="10000" level="5"><br>
<decoded_as>local-asterisk-denied</decoded_as><br>
<description>Asterisk Potentially Under Attack</description><br>
</rule><br>
<br>
<rule id="10001" level="8" frequency="5" timeframe="10"><br>
<if_matched_sid>10000</if_matched_sid><br>
<same_source_ip /><br>
<description>Asterisk Under Brute Force Attack</description><br>
</rule><br>
<br>
and for the local_decoder:<br>
<br>
<decoder name="local-asterisk-denied"><br>
<prematch>NOTICE[\d+] \S+: Registration from </prematch><br>
<regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex><br>
<order>srcip</order><br>
</decoder><br>
<br>
OSSEC can then use Active Response to block the IP using IPtables.<br>
<font color="#888888">--<br>
Thanks, Phil<br>
</font><div><div></div><div class="h5"><br>
----- Original Message -----<br>
><br>
><br>
> > -----Original Message-----<br>
> > From: <a href="mailto:asterisk-users-bounces@lists.digium.com">asterisk-users-bounces@lists.digium.com</a><br>
> > [mailto:<a href="mailto:asterisk-users-bounces@lists.digium.com">asterisk-users-bounces@lists.digium.com</a>] On Behalf Of Bryant Zimmerman<br>
> > Sent: Tuesday, July 26, 2011 3:22 PM<br>
> > To: Asterisk Users Mailing List - Non-Commercial Discussion<br>
> > Subject: Re: [asterisk-users] file2ban<br>
> ><br>
> > I want to add an entry to a database every time a brute force<br>
> > registration attempt is done. From this database we are updating<br>
> > Cisco routers with our ban list so our entire network is protected.<br>
> > The database side of things is working and has been for some time.<br>
> > I really would like to add the fail2ban side of it to protect our<br>
> > Asterisk system better.<br>
><br>
> Look at /etc/fail2ban/action.d/. The actions in the default config<br>
> run an iptables command to insert the ban into iptables, but you<br>
> can have them run most any command.<br>
><br>
><br>
> --<br>
> _____________________________________________________________________<br>
> -- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
> New to Asterisk? Join us for a live introductory webinar every Thurs:<br>
> <a href="http://www.asterisk.org/hello" target="_blank">http://www.asterisk.org/hello</a><br>
><br>
> asterisk-users mailing list<br>
> To UNSUBSCRIBE or update options visit:<br>
> <a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br>
><br>
<br>
</div></div></blockquote></div><br clear="all"><br>-- <br>Pezhman Lali<br>
</div>
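<div>Phil's OSSEC rule fires when repeated failed registrations arrive from one source within a short window, and Bryant wants the resulting address written to a database that feeds his routers. The following is an added, stand-alone Python sketch of that pipeline run over constructed Asterisk log lines; it is not fail2ban's, OSSEC's or any poster's code, and the sample lines, the `bans` table schema and the 5-in-10-seconds threshold are assumptions.</div>

```python
import re
import sqlite3
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Asterisk's full-log layout, not from anyone's real logs.
SAMPLE_LOG = """\
[Jul 26 15:22:01] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '203.0.113.9' - Wrong password
[Jul 26 15:22:02] NOTICE[2345] chan_sip.c: Registration from '"101" <sip:101@198.51.100.7>' failed for '203.0.113.9' - No matching peer found
[Jul 26 15:22:03] NOTICE[2345] chan_sip.c: Registration from '"102" <sip:102@198.51.100.7>' failed for '203.0.113.9' - No matching peer found
[Jul 26 15:22:05] NOTICE[2345] chan_sip.c: Registration from '"103" <sip:103@198.51.100.7>' failed for '203.0.113.9:5060' - Wrong password
[Jul 26 15:22:06] VERBOSE[2345] chan_sip.c: Really destroying SIP dialog '1a2b@198.51.100.7'
[Jul 26 15:22:08] NOTICE[2345] chan_sip.c: Registration from '"104" <sip:104@198.51.100.7>' failed for '203.0.113.9' - Wrong password
[Jul 26 15:25:30] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '192.0.2.44' - Wrong password
"""

# Same shape as the OSSEC decoder in the thread, plus the optional ':port' suffix newer Asterisk appends.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] \S+: Registration from .* failed for "
    r"'(?P<ip>\d+\.\d+\.\d+\.\d+)(?::\d+)?'")

def parse_failures(text):
    # Yield (timestamp, source IP) for every failed-registration line; other lines are skipped.
    for line in text.splitlines():
        if m := LINE_RE.match(line):
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")

def find_brute_forcers(events, frequency=5, timeframe=10):
    # Sliding window per source IP: `frequency` failures within `timeframe` seconds flags the address.
    window, banned = defaultdict(deque), []
    for ts, ip in events:
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > timeframe:
            q.popleft()
        if len(q) >= frequency and ip not in banned:
            banned.append(ip)
    return banned

def record_bans(ips, conn):
    # Store offenders in a ban table (assumed schema), the kind of list routers can be fed from.
    conn.execute("CREATE TABLE IF NOT EXISTS bans (ip TEXT PRIMARY KEY, banned_at TEXT)")
    conn.executemany("INSERT OR IGNORE INTO bans (ip, banned_at) VALUES (?, datetime('now'))",
                     [(ip,) for ip in ips])
    conn.commit()
    return [row[0] for row in conn.execute("SELECT ip FROM bans ORDER BY ip")]

def run(text=SAMPLE_LOG):
    return record_bans(find_brute_forcers(parse_failures(text)), sqlite3.connect(":memory:"))
```

Point `run()` at a real log file and a persistent connection instead of the in-memory database to get the table Bryant describes; a fail2ban `actionban` that calls into `record_bans` would do the same job per ban.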