[asterisk-users] The S word: Asterisk security
Trevor Peirce
tpeirce at digitalcon.ca
Wed Jul 9 09:29:10 CDT 2008
Tzafrir Cohen wrote:
> On Tue, Jul 08, 2008 at 09:34:44PM -0700, Trevor Peirce wrote:
>
>> I was recently introduced to fail2ban. It's a nice tool that will watch
>> log files and when it notices too many failed authentication attempts
>> (SSH, FTP, Password protected web sites, asterisk) it will run an
>> iptables or shorewall command to block the offending IP address for a
>> certain amount of time.
>>
> One problem you have to remember: if you ban based on a single UDP
> packet, you make it easy for anybody to cut off your trunks by sending a
> packet with a false source IP address "from" your trunk.
>
>
There are a few things you can do to solve that. You can whitelist
important addresses so they are not subject to being banned. Second, you
need X number of failed authentication attempts within Y minutes before
their IP is banned for Z minutes. Totally configurable. I don't believe
when it comes to banning an IP that asterisk could do any better if it
were to have its own code versus using an existing tool like this one.
I'm not saying everyone should go out and use fail2ban today. My post was in
response to the idea Steve had posted explaining that this can already
be implemented today without the need for changes in asterisk.
Trevor
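
The whitelist and the "X failures within Y minutes, banned for Z minutes" rule from the message above, as an added example that is not part of the original post and is not fail2ban's own code. The function name `find_bans`, the simplified log format and the addresses are assumptions made for illustration; running it once without and once with the trunk whitelisted shows the difference the whitelist makes for the spoofed-source case raised in the quoted reply.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified log lines (not real Asterisk output). Documentation
# address ranges only; 192.0.2.10 plays the trunk named in spoofed packets.
SAMPLE_LOG = """\
2008-07-09 09:00:01 Registration failed for '203.0.113.5' - Wrong password
2008-07-09 09:00:20 Registration failed for '192.0.2.10' - Wrong password
2008-07-09 09:00:40 Registration failed for '203.0.113.5' - Wrong password
2008-07-09 09:01:00 Registration failed for '192.0.2.10' - Wrong password
2008-07-09 09:01:30 Registration failed for '203.0.113.5' - Wrong password
2008-07-09 09:02:00 Registration failed for '192.0.2.10' - Wrong password
2008-07-09 09:05:00 Registration failed for '198.51.100.7' - Wrong password
2008-07-09 09:25:00 Registration failed for '198.51.100.7' - Wrong password
2008-07-09 09:45:00 Registration failed for '198.51.100.7' - Wrong password
"""
LINE_RE = re.compile(r"^(\S+ \S+) Registration failed for '([0-9.]+)'")

def find_bans(log, ignore, max_retry, find_time, ban_time):
    """Return {ip: (ban_start, ban_end)} for X failures within Y, banned for Z."""
    nets = [ipaddress.ip_network(n) for n in ignore]
    recent = defaultdict(deque)   # per-IP failure times inside the window
    bans = {}
    for line in log.splitlines():  # assumes lines are in time order
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(2)
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue              # whitelisted: never counted, never banned
        if ip in bans and ts < bans[ip][1]:
            continue              # ban still active
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > find_time:
            q.popleft()           # drop failures older than Y
        if len(q) >= max_retry:
            bans[ip] = (ts, ts + ban_time)
            q.clear()
    return bans

if __name__ == "__main__":
    policy = dict(max_retry=3, find_time=timedelta(minutes=10),
                  ban_time=timedelta(minutes=30))
    print(sorted(find_bans(SAMPLE_LOG, [], **policy)))
    print(sorted(find_bans(SAMPLE_LOG, ["192.0.2.10/32"], **policy)))
```

In fail2ban itself the corresponding jail settings are `ignoreip`, `maxretry`, `findtime` and `bantime`.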