[asterisk-biz] 87.230.80.186 - Trying to register
Steve Edwards
asterisk.org at sedwards.com
Thu Jun 24 12:52:35 CDT 2010
Un-top-posting...
> On 2010-06-24 1:03 PM, "bruce bruce" <bruceb444 at gmail.com> wrote:
>
> What would be the other workaround other than fail2ban? what commands
> should be run for IPTABLES to ban this IP from trying to register to
> SIP?
On Thu, 24 Jun 2010, Zeeshan Zakaria wrote:
> iptables -A INPUT -p TCP -s 87.230.90.5 --dport 5060 REJECT
(I think you need a "-j" before the target.)
If the connection is tcp. "s/TCP/UDP/" for udp. I'm a 1.2 Luddite, so TCP
is not an issue for me.
There are two problems with this approach. Using REJECT tells the attacker
that he is being rejected. Very often, he will have access to a range of
addresses (maybe a sub-set, maybe an entire class C) so he just tries
again with another address. See http://en.wikipedia.org/wiki/Whack_a_mole
If you change the target to DROP, your host discards the packet and no
information is sent back to the attacker.
        sudo iptables \
                --append INPUT \
                --match udp \
                --protocol udp \
                --dport 5060 \
                --source 87.230.90.5 \
                --jump DROP
Just because you are blocking SIP does not mean he will not try SSH, FTP,
HTTP, Telnet...
Using the very blunt sword of blocking the entire class [A|B|C] for all
ports and protocols solves the problem for most attackers but can block
legitimate users as well.
        sudo iptables \
                --append INPUT \
                --source 87.230.90.0/24 \
                --jump DROP
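Added example, not part of the original message or of Asterisk: a shell sketch of the trade-off described above, choosing between a per-host SIP DROP rule and a whole-/24 DROP rule based on how many offending addresses in one range appear in the log. The chan_sip "Registration from ... failed for" line format, the thresholds, the function names and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: reads Asterisk log text on stdin and prints (never runs)
# iptables DROP commands. Thresholds and log format are assumptions.
MIN_FAILS=2   # failed registrations before a host counts as an offender
MIN_HOSTS=2   # offenders in one /24 before the whole /24 is dropped

sample_log() {   # constructed log lines using documentation addresses
    cat <<'EOF'
[Jun 24 12:00:01] NOTICE[2301] chan_sip.c: Registration from '<sip:100@203.0.113.10>' failed for '192.0.2.5' - Wrong password
[Jun 24 12:00:02] NOTICE[2301] chan_sip.c: Registration from '<sip:101@203.0.113.10>' failed for '192.0.2.5' - Wrong password
[Jun 24 12:00:03] NOTICE[2301] chan_sip.c: Registration from '<sip:100@203.0.113.10>' failed for '192.0.2.77' - Wrong password
[Jun 24 12:00:04] NOTICE[2301] chan_sip.c: Registration from '<sip:102@203.0.113.10>' failed for '192.0.2.77' - Wrong password
[Jun 24 12:00:05] NOTICE[2301] chan_sip.c: Registration from '<sip:100@203.0.113.10>' failed for '198.51.100.9' - Wrong password
[Jun 24 12:00:06] NOTICE[2301] chan_sip.c: Registration from '<sip:103@203.0.113.10>' failed for '198.51.100.9' - Wrong password
[Jun 24 12:00:07] NOTICE[2301] chan_sip.c: Registration from '<sip:100@203.0.113.10>' failed for '198.51.100.20' - Wrong password
EOF
}

build_drop_rules() {   # stdin: log lines; stdout: one command per line
    awk -v min_fails="$MIN_FAILS" -v min_hosts="$MIN_HOSTS" '
    /Registration from .* failed for / {
        # "failed for " plus the opening quote is 12 characters
        if (match($0, /failed for .[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
            fails[substr($0, RSTART + 12, RLENGTH - 12)]++
    }
    END {
        pre = "iptables --append INPUT --protocol udp --match udp --dport 5060"
        for (ip in fails) {
            if (fails[ip] < min_fails) continue
            net = ip; sub(/\.[0-9]+$/, ".0/24", net)
            hosts[net]++
            members[net] = members[net] " " ip
        }
        for (net in hosts) {
            if (hosts[net] >= min_hosts) {   # several offenders in one range
                print "iptables --append INPUT --source " net " --jump DROP"
                continue
            }
            n = split(members[net], m, " ")
            for (i = 1; i <= n; i++)
                print pre " --source " m[i] " --jump DROP"
        }
    }' | LC_ALL=C sort
}

sample_log | build_drop_rules
```

The output is meant to be reviewed before any line is run with sudo, since a /24 rule can also cut off legitimate users in that range.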