Thanks for that Steve. This works. However, what if I do this (would I block myself from SSH 22):<div><br></div><div>--------------------------------------------------------------</div><div>sudo iptables\<br> --append INPUT\<br>
--match tcp\<br> --protocol tcp\<br> --dport 22\<br> --source 0.0.0.0\<br> --jump ACCEPT</div><div>--------------------------------------------------------------</div>
<div>sudo iptables\<br> --append INPUT\<br> --source 0.0.0.0/24\<br> --jump DROP<br><div>--------------------------------------------------------------</div>
<div><br></div><div>Will that block all other traffic to the server and only allow SSH 22? I don't want to block myself out and it's very important because this is a remote server. If you can confirm above then I can add the legit IPs one by one after that I guess.</div>
<div><br></div><div>Thanks again</div><div><br></div><div><br><br><div class="gmail_quote">On Thu, Jun 24, 2010 at 1:52 PM, Steve Edwards <span dir="ltr">&lt;asterisk.org@sedwards.com&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Un-top-posting...<br>
<div class="im"><br>
> On 2010-06-24 1:03 PM, "bruce bruce" <<a href="mailto:bruceb444@gmail.com">bruceb444@gmail.com</a>> wrote:<br>
><br>
> What would be the other workaround other than fail2ban? what commands<br>
> should be run for IPTABLES to ban this IP from trying to register to<br>
> SIP?<br>
<br>
</div><div class="im">On Thu, 24 Jun 2010, Zeeshan Zakaria wrote:<br>
<br>
> iptables -A INPUT -p TCP -s 87.230.90.5 --dport 5060 REJECT<br>
<br>
</div>(I think you need a "-j" before the target.)<br>
<br>
If the connection is tcp. "s/TCP/UDP/" for udp. I'm a 1.2 Luddite, so TCP<br>
is not an issue for me.<br>
<br>
There are two problems with this approach. Using REJECT tells the attacker<br>
that he is being rejected. Very often, he will have access to a range of<br>
addresses (maybe a sub-set, maybe an entire class C) so he just tries<br>
again with another address. See <a href="http://en.wikipedia.org/wiki/Whack_a_mole" target="_blank">http://en.wikipedia.org/wiki/Whack_a_mole</a><br>
<br>
If you change the target to DROP, your host discards the packet and no<br>
information is sent back to the attacker.<br>
<br>
sudo iptables\<br>
--append INPUT\<br>
--match udp\<br>
--protocol udp\<br>
--dport 5060\<br>
--source 87.230.90.5\<br>
--jump DROP<br>
<br>
Just because you are blocking SIP does not mean he will not try SSH, FTP,<br>
HTTP, Telnet...<br>
<br>
Using the very blunt sword of blocking the entire class [A|B|C] for all<br>
ports and protocols solves the problem for most attackers but can block<br>
legitimate users as well.<br>
<br>
sudo iptables\<br>
--append INPUT\<br>
--source 87.230.90.0/24\<br>
--jump DROP<br>
<br>
From my experience, a lot of attacks originate from countries I have no<br>
interest in receiving calls from, so I just block a lot (too many?) of<br>
class A addresses. Unfortunately, my web server and email server are on<br>
the same host, so I need to refine this approach a bit :)<br>
<br>
A better approach would be to specifically allow the IP addresses of the<br>
callers you expect, and drop everybody else.<br>
<br>
If you have multiple IP addresses (for example, a public and a private) on<br>
your Asterisk box, binding SIP, IAX, and the manager interface to the<br>
local address will also reduce your attack profile.<br>
<div class="im"><br>
--<br>
Thanks in advance,<br>
-------------------------------------------------------------------------<br>
Steve Edwards <a href="mailto:sedwards@sedwards.com">sedwards@sedwards.com</a> Voice: +1-760-468-3867 PST<br>
Newline Fax: +1-760-731-3000<br>
<br>
</div><div><div></div><div class="h5">asterisk-biz mailing list<br>
</div></div></blockquote></div><br></div></div>
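<div>The allowlist approach from the quoted reply (accept the callers you expect, drop everybody else) combined with the concern about keeping SSH reachable, as an added example that is not part of the original thread. <code>build_ruleset</code> is a hypothetical helper name and the source addresses are constructed documentation addresses.</div>

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables-restore ruleset:
# SSH stays open, SIP (UDP 5060) is accepted only from listed sources,
# and everything else falls through to the DROP policy.

build_ruleset() {
    # Validate every source before emitting anything, so a typo cannot
    # produce a half-written ruleset.
    for src in "$@"; do
        case "$src" in
            *[!0-9./]*|'') echo "bad source: $src" >&2; return 1 ;;
        esac
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'      # default: discard silently, like --jump DROP
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened, and packets on existing sessions.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # SSH from anywhere: no --source, so the rule matches every address.
    # Rules are evaluated top to bottom and the first match wins, so this
    # must come before anything that could drop the admin's own traffic.
    echo '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
    # One ACCEPT per expected caller (single address or CIDR range).
    # RTP media ports are not covered here; they need their own rule.
    for src in "$@"; do
        echo "-A INPUT -s $src -p udp -m udp --dport 5060 -j ACCEPT"
    done
    echo 'COMMIT'
}

# Print the ruleset for two constructed caller addresses.
build_ruleset 192.0.2.10 198.51.100.0/24
```

Save the output to a file, check it with `iptables-restore --test`, and load it with `iptables-apply`, which rolls back to the previous rules unless you confirm within its timeout. That way a mistake cannot cut off the SSH session to a remote server.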