[asterisk-users] being bombarded with SIP packets
Jeremy Kister
asterisk-01 at jeremykister.com
Thu Oct 28 15:30:02 CDT 2010
On 10/28/2010 3:41 AM, Per Jessen wrote:
> 2) if you've got some iptables rules for limiting inbound SIP by rate?
exactly what I was going through; here's how I reacted (throttles both
SSH and SIP REGISTER):
First, I completely blocked all non-North American & Amazon EC2 networks
- I won't be registering my sip phone in Nigeria nor from within EC2*
any time soon. Then in my iptables startup script:
# user chain shared by SIP REGISTER and new SSH connections
iptables -N THROTTLE
# only UDP/5060 packets whose first 65 bytes contain "REGISTER sip:"
# are counted; other SIP methods (INVITE, OPTIONS, ...) fall through
iptables -A INPUT -i eth0 -p udp --dport 5060 \
-m string --string "REGISTER sip:" --algo bm --to 65 -j THROTTLE
iptables -A INPUT -i eth0 -p tcp --dport 22 \
-m state --state NEW -j THROTTLE
# record the source address in the ABUSE list on every hit ...
iptables -A THROTTLE -m recent --set --name ABUSE
# ... then log and drop once it exceeds 15 hits/day, 12 hits/hour or
# 6 hits/minute; $LOGOPTS and $PRE are set elsewhere in the init script
iptables -A THROTTLE -m recent --update --seconds 86400 \
--hitcount 15 --name ABUSE -j LOG $LOGOPTS "$PRE"h15_
iptables -A THROTTLE -m recent --rcheck --seconds 86400 \
--hitcount 15 --name ABUSE -j DROP
iptables -A THROTTLE -m recent --update --seconds 3600 \
--hitcount 12 --name ABUSE -j LOG $LOGOPTS "$PRE"h12_
iptables -A THROTTLE -m recent --rcheck --seconds 3600 \
--hitcount 12 --name ABUSE -j DROP
iptables -A THROTTLE -m recent --update --seconds 60 \
--hitcount 6 --name ABUSE -j LOG $LOGOPTS "$PRE"h6_
iptables -A THROTTLE -m recent --rcheck --seconds 60 \
--hitcount 6 --name ABUSE -j DROP
# anything that survives THROTTLE (or never entered it) is accepted
iptables -A INPUT -i eth0 -p udp --dport 5060 \
--sport 1024:65535 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 \
--sport 1024:65535 -j ACCEPT
Note that some SIP clients send more than one REGISTER per startup --
e.g. Siphon on the iPhone registers without credentials first, Asterisk
sends back "unauthorized", then Siphon tries again with the configured
username and password.
For exactly how I'm using it:
mkdir /usr/local/script
cd /usr/local/script
wget http://jeremy.kister.net/code/iptables/make-non-na.pl
wget http://jeremy.kister.net/code/iptables/iptables.init
mv iptables.init /etc/init.d/iptables
# vi iptables
# change the MYLAN to your lan network
# change the RDPRANGE to the range defined in /etc/asterisk/rdp.conf
ln -s /etc/init.d/iptables /etc/rc2.d/iptables
ln -s /etc/init.d/iptables /etc/rc3.d/iptables
crontab -e
# put in something to run the make-non-na.pl run once per week
/usr/local/script/make-non-na.pl
/etc/init.d/iptables start
* = if you use the Acrobits softphone, you'll need to let EC2 through
for push notifications. Currently, I just put 184.72.221.84 in the
siprtp section of the iptables script.
--
Jeremy Kister
http://jeremy.kister.net./
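To see what the three --hitcount/--seconds thresholds in the THROTTLE chain above actually do to a given stream of REGISTER packets, here is a small Python model of the iptables "recent" match (xt_recent) fed with constructed packet traces. It is an added illustration, not code from the post or from the linked init script; it assumes xt_recent's documented behaviour (--set records a timestamp, --update also records one when it matches, at most 20 timestamps are kept per address by default) and uses documentation-range IPs and a fixed list of thresholds as stand-ins for the real rules. The log entries carry the hitcount level in place of the poster's "$PRE"h15_ style prefixes.

```python
from collections import defaultdict, deque

# xt_recent keeps this many timestamps per address by default (ip_pkt_list_tot)
PKT_LIST_TOT = 20

# (--seconds, --hitcount) pairs in the order the THROTTLE chain checks them
THRESHOLDS = ((86400, 15), (3600, 12), (60, 6))


class RecentList:
    """Model of one '-m recent --name ...' list (assumed xt_recent semantics)."""

    def __init__(self, max_stamps=PKT_LIST_TOT):
        # oldest stamps are discarded once the per-address ring is full
        self.entries = defaultdict(lambda: deque(maxlen=max_stamps))

    def set(self, src, now):
        """--set: record a hit for src."""
        self.entries[src].append(now)

    def _hits(self, src, now, seconds):
        return sum(1 for t in self.entries[src] if now - t < seconds)

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck: match if src is listed with >= hitcount hits in the window."""
        return src in self.entries and self._hits(src, now, seconds) >= hitcount

    def update(self, src, now, seconds, hitcount):
        """--update: like --rcheck, but a match also records a fresh hit."""
        if self.rcheck(src, now, seconds, hitcount):
            self.entries[src].append(now)
            return True
        return False


def throttle(recent, src, now, log):
    """Walk one packet through the THROTTLE chain; return the verdict."""
    recent.set(src, now)
    for seconds, hitcount in THRESHOLDS:
        if recent.update(src, now, seconds, hitcount):
            log.append((src, now, hitcount))      # the '-j LOG' rule
        if recent.rcheck(src, now, seconds, hitcount):
            return "DROP"                         # the '-j DROP' rule
    return "ACCEPT"


def run_trace(arrivals):
    """Feed (timestamp_seconds, source_ip) pairs through a fresh chain.

    Returns the per-packet verdicts and the simulated log lines."""
    recent, log = RecentList(), []
    verdicts = [throttle(recent, src, t, log) for t, src in arrivals]
    return verdicts, log


# Constructed traces (documentation-range addresses, not real hosts):
# a registration scanner sending one REGISTER per second for 30 seconds ...
SCANNER = [(t, "198.51.100.7") for t in range(30)]
# ... a softphone that does the two-step REGISTER the post describes ...
STARTUP = [(0, "203.0.113.20"), (1, "203.0.113.20")]
# ... and a remote phone that refreshes its registration once an hour.
HOURLY = [(h * 3600, "203.0.113.20") for h in range(24)]

if __name__ == "__main__":
    for name, trace in (("scanner", SCANNER), ("startup", STARTUP), ("hourly", HOURLY)):
        verdicts, log = run_trace(trace)
        first_drop = verdicts.index("DROP") if "DROP" in verdicts else None
        print(f"{name:8s} accepted={verdicts.count('ACCEPT'):3d} "
              f"dropped={verdicts.count('DROP'):3d} first_drop_index={first_drop}")
```

The scanner is cut off by the 6-per-minute rule on its sixth packet, and the two REGISTERs a client sends at startup stay well under every threshold. The hourly trace shows the other side of the 15-per-day rule: a legitimate remote phone that re-registers every hour (a common expiry) accumulates 15 hits about 14 hours in and is then dropped for the rest of the day, which is why phones on the exempted LAN range are kept out of the THROTTLE chain entirely and why the hitcount for a slow window has to be matched against the real re-registration interval of the clients you expect.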