[asterisk-users] A new hack?
Steve Edwards
asterisk.org at sedwards.com
Mon Dec 5 20:51:24 CST 2011
(This horse just won't stay dead...)
My apologies if I mis-attribute who wrote what.
> On Fri, Dec 2, 2011 at 11:35 AM, Jim Lucas <lists at cmsws.com> wrote:
>> How is using Fail2Ban less resource intensive than me writing (by hand)
>> iptable rules?
On Mon, 5 Dec 2011, C F wrote:
> Sorry I wasn't very clear in my first writing, I'll try to clarify. Using
> iptables only detects one type of attack (aggressive connections). While
> his machines might be secure enough to allow any other attacks and still
> not compromise his machine, iptables will still allow them thru and
> therefore the attack will be using his bandwidth/resources, with f2b one
> can add as many rules as/when they arrive.
I think you are over-generalizing.
You can write iptables rules to detect and respond to many types of
attacks.
Since F2B is just an automated front end to iptables you can have as many
rules as you need with or without F2B. Also, since packets are 'stopped'
at the same place (iptables) any bandwidth savings would only be to
services that you are running that either aren't or can't* be nailed down.
>> Also, since both methods involve the use of iptables, where exactly is
>> the bandwidth savings?
> In detection.
How about 'in responding to an attack your iptables rules don't already
mitigate and you do have F2B rules defined for?' 'Detecting' an attack
means close to nothing if you don't respond to it :)
I'm not hating on F2B, it's just not a silver bullet nor is it appropriate
for all environments.
Your security needs depend on your environment. At this point in time,
all of the hosts I manage for my clients exist in very limited
environments and have very small attack surfaces. They are racked in
secure data centers. They only accept SIP from clients with static IP
addresses that we have an existing business relationship with. They only
accept SSH connections from me. They only accept HTTP connections from me
and my boss. That's about it. I don't see where F2B adds much value for
me.
*) Lots of admins think they can't limit access to servers because they
have 'mobile' users. Your users probably don't need to access your servers
from every single place on the Internet. If your users don't come from
China, North Korea, Iran, etc, you can block entire regions with a few
rules and eliminate 80% of probes and attacks from reaching your servers
in the first place. Apologies in advance if you happen to live in some of
these regions -- feel free to `s/China, North Korea, Iran/United States,
Canada, England/g`
--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards sedwards at sedwards.com Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
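The allow-list approach described in the post (SIP only from known client addresses, SSH and HTTP only from the admins, everything else dropped by policy, plus a `recent`-module check for the 'aggressive connections' case), written out as an added example that is not from the thread or from the Asterisk project. All addresses are constructed placeholders; the script only prints the rules unless its output is piped into a root shell.

```shell
#!/bin/sh
# Generate an iptables allow-list for a single-purpose Asterisk host.
# Dry-run by default: prints the commands; `./rules.sh | sh` applies them.
set -eu

SIP_CLIENTS="203.0.113.10 203.0.113.11"   # constructed: customer PBX/SBC addresses
ADMIN_SSH="198.51.100.5"                  # constructed: the admin's static IP
ADMIN_HTTP="198.51.100.5 198.51.100.6"    # constructed: admin and boss
SIP_BURST=20   # new SIP flows per source per minute; xt_recent's default
               # ip_pkt_list_tot caps --hitcount at 20, raise it for busy trunks

build_rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # SIP signalling only from clients we have a business relationship with.
    # Because established flows were accepted above, the recent counter only
    # sees packets that start a new conntrack flow, so a permitted but
    # misbehaving source (e.g. a compromised client PBX) still gets throttled.
    for ip in $SIP_CLIENTS; do
        echo "iptables -A INPUT -p udp --dport 5060 -s $ip -m recent --name sip --update --seconds 60 --hitcount $SIP_BURST -j DROP"
        echo "iptables -A INPUT -p udp --dport 5060 -s $ip -m recent --name sip --set -j ACCEPT"
    done
    # Management only from the admins' own addresses.
    echo "iptables -A INPUT -p tcp --dport 22 -s $ADMIN_SSH -j ACCEPT"
    for ip in $ADMIN_HTTP; do
        echo "iptables -A INPUT -p tcp --dport 80 -s $ip -j ACCEPT"
    done
    # Anything else, including SIP probes from unknown sources, hits the DROP policy
    # and never reaches Asterisk, so there is nothing left for a log scanner to detect.
}

# Number of generated rules that grant a given source address any access;
# useful to confirm an address is (or is not) on the allow-list before applying.
rules_for() {
    build_rules | grep -c -- "-s $1 " || true
}

build_rules
```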