[asterisk-users] Force ip disconnect after register?
Barry Miller
asterisk-users at notanet.net
Mon Sep 13 11:38:58 CDT 2010
On Mon, Sep 13, 2010 at 11:22:33AM -0400, Bryant Zimmerman wrote:
> Is there a way to drop an IP connection to Asterisk after a number of
> register attempts?
>
> I have been having issues with hackers doing registration scanning against
> our server. We block their address at the firewall but since Asterisk does
> not force a drop of the connect after so many bad reg attempts I can't
> enforce the block until they drop and try again. This allows them to run
> the box with reg attempts as long as they maintain their initial connection
> or I reset the state tables on the firewall. This is very bad. Is there a
> way to force the connection to drop and reconnect after let's say 50
> attempts?
Not an exact answer to your question, but if the attacker is using svwar
(part of SIPVicious), setting alwaysauthreject=yes in sip.conf will make
the probing stop after only TWO tries. svwar first tries registering a
few longish, random extensions before it begins a sequential or dictionary
scan, to see how you handle unknown extensions. With alwaysauthreject set,
svwar just gives up, complaining:
"ERROR:TakeASip:SIP server replied with an authentication request for an unknown extension. Set --force to force a scan."
I still see 3-4 attempts per week from various sites, but now they stop
after just two failed registration attempts. Saves lots of wear and tear
on my DSL. I still run fail2ban, but after setting alwaysauthreject a
few months ago nothing has passed its threshold. And nothing seems to
have broken, either.
--
Barry
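
One way to confirm that the alwaysauthreject setting described in the reply above is actually in effect, as an added example that is not part of the original post: a Python check that parses sip.conf text and reports whether the option is enabled in [general]. The function name, the constructed sample file and the misspelling check are assumptions made for illustration; `;-- --;` block comments are not handled.

```python
import difflib
import re

KEY = "alwaysauthreject"
TRUE_VALUES = {"yes", "true", "y", "t", "1", "on"}  # spellings Asterisk reads as true
COMMENT = re.compile(r"(?<!\\);.*$")                 # ';' starts a comment unless escaped
SECTION = re.compile(r"^\[([^\]]+)\]")
SETTING = re.compile(r"^([A-Za-z0-9_-]+)\s*=>?\s*(.*)$")

# Constructed sample sip.conf, not taken from any real system.
SAMPLE = """\
[general]
context=default
;alwaysauthreject=yes   ; commented out, so it has no effect
alwayauthreject=yes

[6001]
type=friend
alwaysauthreject=yes
"""


def audit_alwaysauthreject(text):
    """Return (status, findings); status is 'enabled', 'disabled' or 'unset'."""
    section, value, findings = None, None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = COMMENT.sub("", raw).strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        m = SETTING.match(line)
        if not m:
            continue
        name, val = m.group(1).lower(), m.group(2).strip().lower()
        if name != KEY:
            if difflib.get_close_matches(name, [KEY], cutoff=0.85):
                findings.append(f"line {lineno}: '{name}' looks like a misspelling of {KEY}")
            continue
        if section != "general":
            # chan_sip reads this option from [general]; elsewhere it is not the global switch
            findings.append(f"line {lineno}: {KEY} set in [{section}], not [general]")
            continue
        value = val  # a later assignment in [general] replaces an earlier one
    if value is None:
        return "unset", findings
    return ("enabled" if value in TRUE_VALUES else "disabled"), findings


if __name__ == "__main__":
    print(audit_alwaysauthreject(SAMPLE))
```

A status of "unset" means the option was never explicitly enabled in [general], so the server falls back to whatever default its Asterisk version ships with.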