[asterisk-users] Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny
Gordon Henderson
gordon+asterisk at drogon.net
Mon Aug 30 14:23:36 CDT 2010
On Mon, 30 Aug 2010, J. Oquendo wrote:
> How about a little cron script without having to install anything? You
> could run it off the hour:
>
> # %H, not %k: %k space-pads single-digit hours and then never matches the log's "%T" hour
> rightnow=$(date "+%Y-%m-%d %H")
>
> grep "$rightnow" /var/log/asterisk/messages |\
> awk '/No matching peer/' | sed 's:'\''::g' |\
> awk '{ for (i = 1; i < NF; i++) if ($i == "for") print $(i + 1) }' |\
> sort -u | awk '{print "iptables -A INPUT -s " $1 " -j DROP"}' | sh
Your script is fine, but I think you are missing the point I made, which is
that early versions of sipvicious are badly broken in that they will
continue to send their attacks for days after you firewall them out.
I also posted a very effective iptables script some weeks ago if you care
to search the archives. It works and is extremely effective in blocking
these types of attacks - however, it will not stop a broken sipvicious
from continuing to send data to your server, and that's the issue I have
at present.
Any attacking site is trivial to firewall out once you've detected it, but
firewalling it out is not going to protect you or your customers from the
incoming data if you have to pay for it, or have a capped Internet
connection, and the attacking site doesn't give up, even when it's
firewalled.
A typical setup I might use for a customer in the UK is to set them up
with an ADSL service with a 15GB/month cap. That's OK for a small office,
or a bigger one with a line dedicated to VoIP. The attack I posted about
earlier used up nearly 15GB of data in 3 days. Fortunately most of it was
off-peak/weekend when it's unmetered. I arranged for their router to drop
the packets, but the ISP still counted them.
Try it for yourself - get an early copy of SV, point it at one of your
servers, then firewall the server against your attacking machine.
svcrack.py will not give up.
What your script needs to do is not only get the IP address, but also the
calling port, then launch an svcrash against that site...
... and hope that the hackers aren't getting clever and putting svcrack in
a script that automatically re-starts it... (which I think some of them
are now)
Gordon
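The log-scanning step the two messages above are discussing, as an added example that is not code from either poster. It runs the same detection over a handful of constructed Asterisk 1.4-style "No matching peer" lines (the logger.conf default dateformat "%F %T" is assumed), takes the attacking address from the quoted "failed for '...'" part of the line rather than from a whitespace field, de-duplicates, and prints the iptables rules instead of executing them. The function names (sample_log, current_hour, attackers_in_hour, block_rules) and the addresses in the sample lines are the example's own; the sample lines carry no source port, so the svcrash step Gordon describes is outside what this shows.

```shell
#!/bin/sh
# Added example, not code from the thread.  Assumes the Asterisk 1.4 logger.conf
# default "dateformat=%F %T", so a failed registration is logged as
# [2010-08-30 14:00:01] NOTICE[1234] chan_sip.c: Registration from '...' failed for '1.2.3.4' - No matching peer found

# Constructed sample log lines (not real traffic); addresses are taken from
# the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
sample_log() {
    cat <<'EOF'
[2010-08-30 13:59:58] NOTICE[1234] chan_sip.c: Registration from '<sip:100@203.0.113.9>' failed for '203.0.113.9' - No matching peer found
[2010-08-30 14:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.7>' failed for '203.0.113.7' - No matching peer found
[2010-08-30 14:00:01] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.7>' failed for '203.0.113.7' - No matching peer found
[2010-08-30 14:05:12] NOTICE[1234] chan_sip.c: Registration from '<sip:200@203.0.113.8>' failed for '203.0.113.8' - Wrong password
[2010-08-30 14:07:45] NOTICE[1234] chan_sip.c: Registration from '<sip:300@198.51.100.5>' failed for '198.51.100.5' - No matching peer found
[2010-08-30 15:00:00] NOTICE[1234] chan_sip.c: Registration from '<sip:400@198.51.100.6>' failed for '198.51.100.6' - No matching peer found
EOF
}

# "date +%k" pads single-digit hours with a space ("2010-08-30  9"), which can
# never match the two-digit hour that "%T" writes into the log; use %H.
current_hour() {
    date "+%Y-%m-%d %H"
}

# Read a messages log on stdin and print, sorted and de-duplicated, every
# source IP that hit "No matching peer" during hour $1 ("YYYY-MM-DD HH").
# The first grep is anchored on the bracketed timestamp so the hour cannot
# match inside an IP or a peer name further along the line.  The address is
# taken from the quoted "failed for '...'" part: counting whitespace fields
# ($1, $10, ...) breaks as soon as the From display name contains a space,
# as in the '"100" <sip:...>' lines above.
attackers_in_hour() {
    hour=$1
    grep "^\[$hour:" |
    grep 'No matching peer' |
    sed -n "s/.* failed for '\([0-9.]*\)' - No matching peer found.*/\1/p" |
    sort -u
}

# Emit one DROP rule per attacker.  Printed rather than executed: review the
# list, then pipe it into "sh" as the original one-liner did.
block_rules() {
    attackers_in_hour "$1" | while read -r ip; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# Stand-alone run against the constructed log.  On a live box:
#   block_rules "$(current_hour)" < /var/log/asterisk/messages
sample_log | block_rules "2010-08-30 14"
```

Note what the "Wrong password" line does: it comes from the same kind of scanner but is not a "No matching peer" failure, so it is left alone, and the two hits from 203.0.113.7 in the same second collapse to one rule. Blocking is still only the first half of Gordon's point: the rules stop Asterisk answering, not the attacker sending.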