[asterisk-users] Asterisk SIP attacks and sshguard
Fred Posner
fred at teamforrest.com
Thu Dec 9 14:34:19 UTC 2010
On Dec 9, 2010, at 5:57 AM, Joe Greco wrote:
>
> > Hello,
> >
> > We had been seeing SIP-guessing attacks on our Asterisk server here.
> >
> > While it wasn't that hard to write a once-a-minute cron job to spank
> > the lusers, that runs once a minute and creates little spikes in the
> > usage and I/O graphs, and is slower to respond than I'd really prefer.
> > I felt that it'd be much cooler to get something more comprehensive
> > put together. We don't use fail2ban because I don't like having to
> > install python. [snip]
For a while, I had been using a cron job that used Perl to examine logs
and ban IPs. I shared the solution at http://bit.ly/cDHlLq.
As attacks increased, I find the following very, very good for Asterisk
standalone solutions:
-A INPUT -p udp --dport 5060 -m recent --name SIP --update --seconds 30 --hitcount 20 -j DROP
-A INPUT -p udp --dport 5060 -m recent --name SIP --update --seconds 2 --hitcount 10 -j DROP
-A INPUT -p udp --dport 5060 -m recent --name SIP --set
For heavy traffic solutions, I find Kamailio's built-in attack module to
be fantastic.
--
With best regards,
Fred
http://qxork.com
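
The behaviour of the three `recent` rules in the message above can be checked offline with a small model; this is an added example, not code from the original post. It assumes the documented xt_recent semantics (a matching `--update` refreshes the source's timestamp, and 20 timestamps are kept per source by default); the class and function names, addresses and traffic are constructed for illustration.

```python
from collections import defaultdict, deque

PKT_LIST_TOT = 20  # assumed xt_recent default ip_pkt_list_tot: stamps kept per source

# (seconds, hitcount) of the two "--update ... -j DROP" rules, in rule order
DROP_RULES = [(30, 20), (2, 10)]


class RecentList:
    """Simplified model of one xt_recent list (--name SIP), keyed by source IP."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def packet(self, src, now):
        """Run one UDP/5060 packet through the three rules; return the verdict."""
        seen = self.stamps.get(src)
        for seconds, hitcount in DROP_RULES:
            # --update matches when >= hitcount stamps fall inside the window
            if seen and sum(1 for t in seen if t >= now - seconds) >= hitcount:
                seen.append(now)  # a matching --update refreshes "last seen"
                return "DROP"
        self.stamps[src].append(now)  # third rule: --set records the packet
        return "PASS"  # no target on --set: falls through to later rules


def replay(packets):
    """packets: iterable of (time_s, src). Returns {src: [verdict, ...]}."""
    fw, out = RecentList(), defaultdict(list)
    for now, src in sorted(packets):
        out[src].append(fw.packet(src, now))
    return dict(out)


def constructed_traffic():
    """Constructed sample: a guesser at 50 pkt/s for 10 s, a phone every 60 s."""
    guesser = [(i * 0.02, "203.0.113.7") for i in range(500)]
    phone = [(i * 60.0, "198.51.100.20") for i in range(5)]
    # the guesser returns after ~20 s of silence, still inside the 30 s window
    retry = [(30.0 + i * 0.02, "203.0.113.7") for i in range(5)]
    return guesser + phone + retry


if __name__ == "__main__":
    for src, verdicts in replay(constructed_traffic()).items():
        print(src, "passed", verdicts.count("PASS"), "dropped", verdicts.count("DROP"))
```

In this model the guesser gets its first 10 packets through and then stays blocked, including on its return at 30 s, because every dropped packet renews its entry; the phone sending one packet a minute is never dropped.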