[asterisk-users] The S word: Asterisk security
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Wed Jul 9 02:20:14 CDT 2008
On Tue, Jul 08, 2008 at 09:34:44PM -0700, Trevor Peirce wrote:
> Steve Totaro wrote:
> > For security, how about an authentication retry setting in the sip
> > configuration? After X amounts of failed auth or registration
> > attempts, block IP for Y amount of time. It would seem fairly easy to
> > do using realtime with DB entries for IP blocks and expiration. Then
> > a quick query of the same tables would allow an admin to put in
> > permanent rules on a firewall or ACL and also contact that ISP's abuse
> > dept.
>
> I was recently introduced to fail2ban. It's a nice tool that will watch
> log files and when it notices too many failed authentication attempts
> (SSH, FTP, Password protected web sites, asterisk) it will run an
> iptables or shorewall command to block the offending IP address for a
> certain amount of time.
>
> It also has the option to send an email to let me know when someone got
> themselves banned.
>
> I've found this tool to be quite handy.
>
> Really no need to reinvent the wheel by incorporating its functionality
> into asterisk. Plus it's always better to block unwanted traffic before
> it even gets to the application.
One problem you have to remember: if you ban based on a single UDP
packet, you make it easy for anybody to cut off your trunks by sending a
packet with a false source IP address "from" your trunk.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
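
The point raised in the reply above, as an added example that is not part of the original thread: a fail2ban-style ban decision that requires repeated failures inside a time window and never auto-bans trunk addresses, since a UDP source address can be forged. The threshold, window, allowlist network and log lines are assumptions constructed for illustration; the log lines are modeled on chan_sip failed-registration notices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed policy values (not from the thread): X failures within WINDOW.
MAX_RETRY = 3
WINDOW = timedelta(minutes=10)
# Hypothetical trunk/provider range that must never be auto-banned.
TRUNK_ALLOWLIST = [ip_network("198.51.100.0/28")]

# Constructed sample input, not real log data.
SAMPLE_LOG = """\
[2008-07-09 02:00:01] NOTICE[2101] chan_sip.c: Registration from '<sip:100@pbx.example>' failed for '203.0.113.7' - Wrong password
[2008-07-09 02:00:02] NOTICE[2101] chan_sip.c: Registration from '<sip:trunk@pbx.example>' failed for '198.51.100.2' - Wrong password
[2008-07-09 02:00:03] NOTICE[2101] chan_sip.c: Registration from '<sip:101@pbx.example>' failed for '203.0.113.7' - Wrong password
[2008-07-09 02:00:04] NOTICE[2101] chan_sip.c: Registration from '<sip:trunk@pbx.example>' failed for '198.51.100.2' - Wrong password
[2008-07-09 02:00:05] NOTICE[2101] chan_sip.c: Registration from '<sip:102@pbx.example>' failed for '203.0.113.7' - Wrong password
[2008-07-09 02:00:06] NOTICE[2101] chan_sip.c: Registration from '<sip:trunk@pbx.example>' failed for '198.51.100.2' - Wrong password
[2008-07-09 02:00:07] NOTICE[2101] chan_sip.c: Registration from '<sip:200@pbx.example>' failed for '192.0.2.50' - Wrong password
[2008-07-09 02:15:07] NOTICE[2101] chan_sip.c: Registration from '<sip:200@pbx.example>' failed for '192.0.2.50' - Wrong password
[2008-07-09 02:30:07] NOTICE[2101] chan_sip.c: Registration from '<sip:200@pbx.example>' failed for '192.0.2.50' - Wrong password
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from .* failed for '(?P<ip>[0-9.]+)'"
)

def is_trunk(addr):
    """True if addr belongs to an allowlisted trunk network."""
    return any(ip_address(addr) in net for net in TRUNK_ALLOWLIST)

def decide_bans(log_text):
    """Return (banned, skipped): IPs to block, and trunk IPs that hit the
    threshold but are only flagged for an operator to review."""
    recent = defaultdict(deque)      # per-IP failure times inside WINDOW
    banned, skipped = set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > WINDOW:  # drop failures older than the window
            hits.popleft()
        if len(hits) >= MAX_RETRY:
            (skipped if is_trunk(m["ip"]) else banned).add(m["ip"])
    return banned, skipped
```

In fail2ban itself, the `maxretry`, `findtime` and `ignoreip` jail options cover the threshold, the window and the allowlist.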