[asterisk-users] being bombarded with SIP packets
Per Jessen
per at computer.org
Thu Oct 28 06:06:20 CDT 2010
Norbert Zawodsky wrote:
> Per,
>
> (didn't want to be unfriendly to you !!!!!)
Not at all.
> As you say, "you don't like anything to modify your firewall". My
> words!
>
> Someone (don't remember who & when) on this list showed me a very
> clever trick (=iptables rule) to drop the packets if too many of them
> arrive within a given period of time. Works really great !!!!!
Yeah, I have a rule like that for SSH brute force attempts, and I
did also find one for the same thing for SIP.
> Do not exactly remember how it was done (and I don't have access to
> that machine at the moment to have a look).
> I remember something like
> first using iptables module "string" to inspect the packet if it
> contains the string "REGISTER sip:"
> and then use an iptables "hash bucket" with a limit of x/second
This is what I found:
# dedicated chain; steer SIP traffic (UDP 5060, new TCP connections to 5060-5061) into it
iptables -N sip-flood
iptables -A INPUT -p udp -m udp --dport 5060 -j sip-flood
iptables -A INPUT -p tcp -m tcp --dport 5060:5061 --syn -j sip-flood
# 20 or more hits from one source within 60 s: log (LOG does not terminate), then drop;
# --update also refreshes the entry, so a source that keeps flooding stays blocked until it
# has been quiet for 60 s. Note: 20 is xt_recent's default per-address limit (ip_pkt_list_tot);
# a larger --hitcount needs that module parameter raised.
iptables -A sip-flood -m recent --update --seconds 60 --hitcount 20 -j LOG --log-prefix "SIP bruteforce attempt: "
iptables -A sip-flood -m recent --rcheck --seconds 60 --hitcount 20 -j DROP
# everything else: record the source's hit and accept
iptables -A sip-flood -m recent --set -j ACCEPT
/Per Jessen, Zürich
--
http://www.spamchek.com/ - your spam is our business.
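To make the --update/--rcheck/--set interplay in the chain above concrete, here is an added Python model of what the xt_recent match does per packet (example code, not from the post or from the Asterisk project); it assumes the module's default ip_pkt_list_tot of 20, and the addresses and traffic timeline are constructed.

```python
from collections import defaultdict, deque

WINDOW = 60     # --seconds 60
HITCOUNT = 20   # --hitcount 20
LIST_TOT = 20   # xt_recent keeps at most ip_pkt_list_tot (default 20) stamps per source

class RecentTable:
    """Minimal model of the 'recent' match: a bounded list of packet timestamps per source."""
    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=LIST_TOT))

    def hits(self, src, now):
        # counts stamps already recorded inside the window; the current packet is not yet one
        return sum(1 for t in self.stamps[src] if now - t <= WINDOW)

    def rcheck(self, src, now):          # --rcheck: match only, table unchanged
        return self.hits(src, now) >= HITCOUNT

    def update(self, src, now):          # --update: like --rcheck, but a match records this packet too
        matched = self.rcheck(src, now)
        if matched:
            self.stamps[src].append(now)
        return matched

    def set(self, src, now):             # --set: record this packet
        self.stamps[src].append(now)

def sip_flood_chain(packets):
    """Run (time, source) pairs through the chain; return (time, source, verdict, logged)."""
    table, results = RecentTable(), []
    for now, src in sorted(packets):
        logged = table.update(src, now)       # rule 1: LOG is non-terminating
        if table.rcheck(src, now):            # rule 2: DROP
            results.append((now, src, "DROP", logged))
            continue
        table.set(src, now)                   # rule 3: ACCEPT
        results.append((now, src, "ACCEPT", logged))
    return results

def summarize(results):
    """Per-source counts: {src: {"ACCEPT": n, "DROP": n, "logged": n}}."""
    counts = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0, "logged": 0})
    for _, src, verdict, logged in results:
        counts[src][verdict] += 1
        counts[src]["logged"] += logged
    return dict(counts)

# Constructed traffic: a scanner sending one REGISTER per second for 25 s, then probing
# again at t=60 and t=100; a legitimate phone re-registering every 5 s.
SCANNER, PHONE = "10.0.0.99", "192.0.2.10"
SAMPLE = [(t, SCANNER) for t in range(25)] + [(60, SCANNER), (100, SCANNER)]
SAMPLE += [(t, PHONE) for t in range(0, 101, 5)]

if __name__ == "__main__":
    for src, c in summarize(sip_flood_chain(SAMPLE)).items():
        print(src, c)
```

The scanner's 21st packet is the first one dropped, its probe at t=60 is still dropped because --update kept the window alive, and the probe at t=100 gets through again; the phone is never touched.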