[asterisk-users] Is there a public blacklist of hackers' IPaddresses?

Dan Austin Dan_Austin at Phoenix.com
Thu Mar 26 11:04:28 CDT 2009


Gordon wrote:
> There are other more advanced things you can do with iptables which I've
> been looking at - but the essence is to count/time new connections to a
> particular service from each IP address and if more connections per unit
> of time happen, then apply a temporary block for a bigger period of time.

> This works for ssh when you know there are only a small number of people
> who might connect in, but for SIP, you need to check the timings
> carefully, although one thing I've had issues with is Snom phones which
> seem to be overly enthusiastic when the end-user has the wrong password in
> them - they keep trying to register 2 or 3 times a second )-:

A few years ago I noticed and quickly became annoyed by the volume
of dictionary attacks on my home server.  No one broke in, but the logs
were becoming useless.  Since installing it my logs are once again
readable, and I have a nice long list of naughty addresses in my
iptables DROP table.

I found a package called sshdfilter that can add and remove iptables rules
based on a number of conditions-
        1.  Invalid username - block immediately
        2.  Valid username w/invalid password - block after x attempts
It supports white-listing so that a slip of the finger does not lock
you out from a trusted host.

The setup is fairly simple and system load is minimal.  The package
works by parsing syslog messages, and it appears that it could be extended
to cover VoIP attacks, as long as the system is logging failed authentication
attempts.

Dan
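The log-parsing approach Dan describes (invalid username blocks at once, valid username with a wrong password blocks after a threshold, trusted hosts whitelisted) can be sketched in a few dozen lines. The example below is added here and is not sshdfilter's code nor anything from the Asterisk project; it only generates iptables DROP rules as strings rather than executing them, so it can be read and tested offline. The sshd message wording follows OpenSSH; the chan_sip "Registration from ... failed for ..." wording is assumed from 1.4/1.6-era logs and may need adjusting to match a real installation. The log lines are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# (pattern, reason tag, block on first sight?)
# Invalid-username events block immediately; bad-password events for a known
# user are counted and block only once they reach the threshold.
PATTERNS = [
    (re.compile(r"sshd\[\d+\]: Invalid user \S+ from (?P<ip>[\d.]+)"),
     "ssh-invalid-user", True),
    (re.compile(r"sshd\[\d+\]: Failed password for (?!invalid user)\S+ from (?P<ip>[\d.]+)"),
     "ssh-bad-password", False),
    (re.compile(r"chan_sip\.c.*Registration from '[^']*' failed for "
                r"'(?P<ip>[\d.]+)(?::\d+)?' - No matching peer found"),
     "sip-unknown-peer", True),
    (re.compile(r"chan_sip\.c.*Registration from '[^']*' failed for "
                r"'(?P<ip>[\d.]+)(?::\d+)?' - Wrong password"),
     "sip-bad-password", False),
]

# Constructed sample syslog lines (not taken from any real system).
SAMPLE_LOG = """\
Mar 26 10:01:02 pbx sshd[1234]: Invalid user admin from 198.51.100.7
Mar 26 10:01:05 pbx sshd[1235]: Failed password for root from 203.0.113.9 port 50122 ssh2
Mar 26 10:01:06 pbx sshd[1236]: Failed password for root from 203.0.113.9 port 50123 ssh2
Mar 26 10:01:07 pbx sshd[1237]: Failed password for root from 203.0.113.9 port 50124 ssh2
Mar 26 10:01:09 pbx asterisk[222]: NOTICE[222]: chan_sip.c:1234 in register_verify: Registration from '"1001"<sip:1001@pbx>' failed for '192.0.2.55:5060' - Wrong password
Mar 26 10:01:10 pbx asterisk[222]: NOTICE[222]: chan_sip.c:1234 in register_verify: Registration from '"1001"<sip:1001@pbx>' failed for '192.0.2.55:5060' - Wrong password
Mar 26 10:01:12 pbx asterisk[222]: NOTICE[222]: chan_sip.c:1234 in register_verify: Registration from '"9999"<sip:9999@pbx>' failed for '192.0.2.77:5060' - No matching peer found
Mar 26 10:02:00 pbx sshd[1240]: Failed password for dan from 10.0.0.5 port 4444 ssh2
Mar 26 10:02:01 pbx sshd[1241]: Failed password for dan from 10.0.0.5 port 4445 ssh2
Mar 26 10:02:02 pbx sshd[1242]: Failed password for dan from 10.0.0.5 port 4446 ssh2
Mar 26 10:02:03 pbx sshd[1243]: Invalid user guest from 10.0.0.5
"""


def analyze(lines, threshold=3, whitelist=()):
    """Return {ip: reason} for every address that should be blocked.

    whitelist is an iterable of addresses or CIDR networks that are never
    blocked, so a typo from a trusted host cannot lock you out.
    """
    nets = [ip_network(w) for w in whitelist]
    bad_password = Counter()
    blocked = {}
    for line in lines:
        for pat, reason, immediate in PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            ip = m.group("ip")
            if any(ip_address(ip) in n for n in nets):
                break  # trusted host: ignore the failure entirely
            if immediate:
                blocked.setdefault(ip, reason)
            else:
                bad_password[ip] += 1
                if bad_password[ip] >= threshold:
                    blocked.setdefault(ip, reason)
            break  # first matching pattern wins for this line
    return blocked


def iptables_rules(blocked, chain="INPUT"):
    """Render one DROP rule per blocked address (strings only, nothing is run)."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(blocked)]


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG.splitlines(), threshold=3, whitelist=("10.0.0.0/8",))
    for ip, reason in sorted(hits.items()):
        print(f"{ip:16} {reason}")
    for rule in iptables_rules(hits):
        print(rule)
```

On the sample, 198.51.100.7 and 192.0.2.77 are blocked on their first invalid-user and unknown-peer attempts, 203.0.113.9 is blocked after its third wrong password, 192.0.2.55 stays unblocked with only two, and 10.0.0.5 is ignored because it falls inside the whitelisted 10.0.0.0/8. A production tool would additionally expire the rules after a timeout, as Gordon's iptables scheme does, so a mistyped password on a legitimate phone does not stay blocked forever.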
