[asterisk-biz] 87.230.80.186 - Trying to register
bruce bruce
bruceb444 at gmail.com
Tue Jun 29 12:41:30 CDT 2010
Thanks for that Steve. This works. However, what if I do this (would I block
myself from SSH 22):
--------------------------------------------------------------
sudo iptables\
--append INPUT\
--match tcp\
--protocol tcp\
--dport 22\
--source 0.0.0.0\
--jump ACCEPT
--------------------------------------------------------------
sudo iptables\
--append INPUT\
--source 0.0.0.0/24\ <http://87.230.90.0/24\>
--jump DROP
--------------------------------------------------------------
Will that block all other traffic to the server and only allow SSH 22? I
don't want to block myself out and it's very important because this is a
remote server. If you can confirm above then I can add the legit IPs one by
one after that I guess.
Thanks again
On Thu, Jun 24, 2010 at 1:52 PM, Steve Edwards <asterisk.org at sedwards.com>wrote:
> Un-top-posting...
>
> > On 2010-06-24 1:03 PM, "bruce bruce" <bruceb444 at gmail.com> wrote:
> >
> > What would be the other workaround other than fail2ban? what commands
> > should be run for IPTABLES to ban this IP from trying to register to
> > SIP?
>
> On Thu, 24 Jun 2010, Zeeshan Zakaria wrote:
>
> > iptables -A INPUT -p TCP -s 87.230.90.5 --dport 5060 REJECT
>
> (I think you need a "-j" before the target.)
>
> If the connection is tcp. "s/TCP/UDP/" for udp. I'm a 1.2 Luddite, so TCP
> is not an issue for me.
>
> There are two problems with this approach. Using REJECT tells the attacker
> that he is being rejected. Very often, he will have access to a range of
> addresses (maybe a sub-set, maybe an entire class C) so he just tries
> again with another address. See http://en.wikipedia.org/wiki/Whack_a_mole
>
> If you change the target to DROP, your host discards the packet and no
> information is sent back to the attacker.
>
> sudo iptables\
> --append INPUT\
> --match udp\
> --protocol udp\
> --dport 5060\
> --source 87.230.90.5\
> --jump DROP
>
> Just because you are blocking SIP does not mean he will not try SSH, FTP,
> HTTP, Telnet...
>
> Using the very blunt sword of blocking the entire class [A|B|C] for all
> ports and protocols solves the problem for most attackers but can block
> legitimate users as well.
>
> sudo iptables\
> --append INPUT\
> --source 87.230.90.0/24\
> --jump DROP
>
> From my experience, a lot of attacks originate from countries I have no
> interest in receiving calls from, so I just block a lot (too many?) of
> class A addresses. Unfortunately, my web server and email server are on
> the same host, so I need to refine this approach a bit :)
>
> A better approach would be to specifically allow the IP addresses of the
> callers you expect, and drop everybody else.
>
> If you have multiple IP addresses (for example, a public and a private) on
> your Asterisk box, binding SIP, IAX, and the manager interface to the
> local address will also reduce your attack profile.
>
> --
> Thanks in advance,
> -------------------------------------------------------------------------
> Steve Edwards sedwards at sedwards.com Voice: +1-760-468-3867 PST
> Newline Fax: +1-760-731-3000
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-biz mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-biz
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.digium.com/pipermail/asterisk-biz/attachments/20100629/2a5a5a51/attachment.htm
More information about the asterisk-biz
mailing list