[asterisk-users] Brute force attacks
Tim Nelson
tnelson at rockbochs.com
Fri Jul 2 11:54:27 CDT 2010
----- "A J Stiles" <asterisk_list at earthshod.co.uk> wrote:
> On Friday 02 Jul 2010, Ira wrote:
> > At 11:14 PM 7/1/2010, you wrote:
> > >Same activity from these IPs:
> > >174.129.137.135
> >
> > Given that my Asterisk box is used for nothing but Asterisk and I
> > know the small number of IPs that need to have access is there an
> > easy way to use iptables to block everything but those 6 IPs and
> > provider addresses?
>
> Yes, dead easy! Just configure iptables to accept IAX traffic (TCP and UDP
> port 4569) only from trusted IP addresses, and drop it from anywhere else.
> Here I am assuming eth0 is the "outside" connection, and the permitted IP
> addresses are 10.11.12.13 and 10.11.12.14.
>
> # accept IAX traffic (port 4569) from 10.11.12.13
> iptables -A FORWARD -s 10.11.12.13/32 -i eth0 -p tcp -m tcp --dport 4569 -j ACCEPT
> iptables -A FORWARD -s 10.11.12.13/32 -i eth0 -p udp -m udp --dport 4569 -j ACCEPT
> # accept IAX traffic (port 4569) from 10.11.12.14
> iptables -A FORWARD -s 10.11.12.14/32 -i eth0 -p tcp -m tcp --dport 4569 -j ACCEPT
> iptables -A FORWARD -s 10.11.12.14/32 -i eth0 -p udp -m udp --dport 4569 -j ACCEPT
> # drop all other IAX traffic
> iptables -A FORWARD -i eth0 -p udp -m udp --dport 4569 -j DROP
> iptables -A FORWARD -i eth0 -p tcp -m tcp --dport 4569 -j DROP
>
> Obviously if the "permitted" connection addresses fall neatly into a block,
> you can use fewer rules :) If there are a few addresses in the block that
> shouldn't be permitted, put one or more DROP rules first for those addresses,
> then an ACCEPT rule for (the rest of) the block, then another DROP rule.
>
IAX is UDP only, not TCP. Also, what if he's using SIP (UDP/5060) for connectivity to the outside world? He'll need rules for this, in addition to RTP media (typically UDP/10000-20000)...
--Tim
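
An allowlist covering the ports named in the reply above (IAX2 on UDP/4569, SIP on UDP/5060, RTP on UDP/10000-20000), as an added example that is not part of the original thread. It assumes the rules run on the Asterisk box itself, hence the INPUT chain; the function names are hypothetical, and the script prints the commands rather than applying them.

```shell
#!/bin/sh
# Added example: print (not apply) a UDP allowlist for an Asterisk host.
# Assumptions: INPUT chain (rules run on the Asterisk box itself); the RTP
# range is 10000-20000 and must match rtpstart/rtpend in rtp.conf.
VOIP_PORTS="4569,5060,10000:20000"   # IAX2, SIP, RTP: all UDP

# valid_source ADDR: succeed only for dotted-quad IPv4 with optional /0-32.
valid_source() {
    addr=${1%%/*}
    case $1 in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    case $prefix in ''|???*|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # Reject anything but digits and dots, and a trailing dot, before splitting.
    case $addr in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# allowlist_rules IFACE SOURCE...: print one ACCEPT per source, then a DROP.
# All input is validated first so a bad value never yields a partial ruleset.
allowlist_rules() {
    iface=$1
    case $iface in ''|*[!A-Za-z0-9_.]*) echo "bad interface" >&2; return 1 ;; esac
    shift
    [ $# -gt 0 ] || { echo "no trusted sources given" >&2; return 1; }
    for src in "$@"; do
        valid_source "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    for src in "$@"; do
        echo "iptables -A INPUT -i $iface -s $src -p udp -m multiport --dports $VOIP_PORTS -j ACCEPT"
    done
    echo "iptables -A INPUT -i $iface -p udp -m multiport --dports $VOIP_PORTS -j DROP"
}

# The two sample addresses from the thread:
allowlist_rules eth0 10.11.12.13 10.11.12.14
```

Provider signalling and media addresses go in the same source list, as single hosts or CIDR blocks. SIP over TCP or TLS, if used, needs its own rules.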