[asterisk-users] A new hack?

Tom Browning ttbrowning at gmail.com
Fri Dec 2 19:03:38 CST 2011


On Fri, Dec 2, 2011 at 12:44 PM, Steve Edwards
<asterisk.org at sedwards.com> wrote:
> Gordon (based on my understanding of his posts) does a lot of Asterisk
> systems on very limited hardware hosts. His approach uses iptables features
> to limit the number of SIP INVITES and REGISTERS per second per IP address.

A very narrow solution to a fairly narrow attack surface, and surely
one that isn't applicable to any medium to large scale solutions.

> Thus, Gordon's approach is more responsive (since it doesn't require
> periodic log file scanning) and requires less hardware resources (since it
> doesn't depend on running relatively 'slothish' resource intensive script
> interpreters like Perl or PHP periodically).

So Fail2Ban is inefficient in how it reads log files?  If so, that
could be an informed criticism of Fail2Ban.

> Personally, I find any approach that tracks log files 'hackish' but if you
> centralize your logging (which I always do) it does allow you to detect
> patterns of abuse across multiple hosts.

Others would say that not using IPS/IDS/adaptive sec appliances is
hackish but I'm not one of those.

There are very efficient ways to read log files even with Perl on
hardware no bigger than my Dockstar when coded properly, so "reading
log files" isn't hackish.

Advanced threats that are encrypted or otherwise located within
legitimately large streams of UDP and TCP traffic are not going to
lend themselves to some simpleton IP/port/rate iptables rule or even
a more complex iptables view into the data.

The application log might be the ONLY place to correlate events.  Good
luck doing that with iptables alone.
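As an added illustration of the log-correlation side of this argument (editor's example, not code from Tom, Steve, Gordon or the Asterisk project), the script below does what a per-IP packet-rate rule cannot: it reads Asterisk-style chan_sip "Registration ... failed" NOTICE lines, keeps a sliding window of failures per source address, and also counts how many distinct usernames each address has tried, which is what separates a user mistyping a password from an extension scan. The sample log lines are constructed for the example and modelled on the chan_sip message format; the year (2011, matching this thread) is assumed because Asterisk's default log timestamp carries none, and the thresholds and the iptables hand-off rule are illustrative choices, not Gordon's or Fail2Ban's.

```python
"""Correlate SIP registration failures per source IP from Asterisk-style log lines.

Editor's example. The log below is CONSTRUCTED for illustration, modelled on
chan_sip NOTICE output; addresses are from the RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: 203.0.113.7 scans six extensions in four seconds;
# 198.51.100.20 fails twice for one extension nine minutes apart (a typo).
SAMPLE_LOG = """\
[Dec  2 19:00:01] NOTICE[2301] chan_sip.c: Registration from '"100" <sip:100@203.0.113.7>' failed for '203.0.113.7:5060' - Wrong password
[Dec  2 19:00:02] NOTICE[2301] chan_sip.c: Registration from '"101" <sip:101@203.0.113.7>' failed for '203.0.113.7:5060' - No matching peer found
[Dec  2 19:00:02] NOTICE[2301] chan_sip.c: Registration from '"102" <sip:102@203.0.113.7>' failed for '203.0.113.7:5060' - No matching peer found
[Dec  2 19:00:03] NOTICE[2301] chan_sip.c: Registration from '"103" <sip:103@203.0.113.7>' failed for '203.0.113.7:5060' - Wrong password
[Dec  2 19:00:03] NOTICE[2301] chan_sip.c: Registration from '"104" <sip:104@203.0.113.7>' failed for '203.0.113.7:5060' - No matching peer found
[Dec  2 19:00:04] NOTICE[2301] chan_sip.c: Registration from '"105" <sip:105@203.0.113.7>' failed for '203.0.113.7:5060' - No matching peer found
[Dec  2 19:00:30] NOTICE[2301] chan_sip.c: Registration from '"200" <sip:200@198.51.100.20>' failed for '198.51.100.20:5060' - Wrong password
[Dec  2 19:09:00] VERBOSE[2301] chan_sip.c: -- Registered SIP '201' at 198.51.100.21:5060
[Dec  2 19:09:45] NOTICE[2301] chan_sip.c: Registration from '"200" <sip:200@198.51.100.20>' failed for '198.51.100.20:5060' - Wrong password
"""

# Matches only the failure NOTICE; other chan_sip lines are ignored.
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '\"?(?P<user>[^\"<']*)\"?[^']*' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.*)$"
)


def parse_line(line, year=2011):
    """Return (timestamp, ip, user, reason) for a failure line, else None.

    Asterisk's default timestamp has no year, so one is supplied (assumed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # strptime treats a space in the format as "one or more whitespace",
    # so the syslog-style double space before single-digit days is fine.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"].strip(), m["reason"]


def parse_log(text, year=2011):
    """Parse every line of a log blob, dropping lines that are not failures."""
    return [ev for ev in (parse_line(l, year) for l in text.splitlines()) if ev]


def find_offenders(events, threshold=5, window=60):
    """Flag any IP with >= threshold failures inside a sliding window of `window` seconds.

    Returns {ip: {"failures": total, "distinct_users": n, "first_flagged": ts}}.
    The distinct-user count is the correlation a packet-rate rule cannot make."""
    recent = defaultdict(deque)          # ip -> timestamps inside the window
    totals = defaultdict(int)
    users = defaultdict(set)
    flagged = {}
    for ts, ip, user, _reason in sorted(events, key=lambda e: e[0]):
        totals[ip] += 1
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {"first_flagged": ts}
    for ip in flagged:
        flagged[ip]["failures"] = totals[ip]
        flagged[ip]["distinct_users"] = len(users[ip])
    return flagged


def iptables_rules(offenders, port=5060):
    """Hand-off to the firewall: one DROP rule per flagged address (illustrative)."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP"
            for ip in sorted(offenders)]


if __name__ == "__main__":
    offenders = find_offenders(parse_log(SAMPLE_LOG))
    for ip, info in offenders.items():
        print(ip, info)
    print("\n".join(iptables_rules(offenders)))
```

Run against the constructed log, only 203.0.113.7 is flagged (six failures across six usernames in four seconds); 198.51.100.20 never reaches the threshold even though both addresses generate the same kind of packets on the wire. Running this over a centrally aggregated log, as Steve describes, would let the same correlation span several hosts, which is the point Tom is making about where the evidence lives.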


