[asterisk-users] stopping unwanted attempts

Chris Bagnall asterisk at lists.minotaur.cc
Sun Jan 19 09:39:51 CST 2014


On 19/1/14 2:57 pm, Ron Wheeler wrote:
> fail2ban is so easy to set up, there is no reason not to set it up.

One of the dangers with fail2ban - at least in its default configuration 
- is that a legitimate SIP phone with an incorrect password can quite 
easily send dozens of registration attempts in a couple of minutes, thus 
blocking that IP.

If your end users configure their own phones, you will have to factor in 
the increased support burden when users complain that their phones 
'can't connect' and you need to manually unblock those IPs. This can be 
at least partially mitigated using fail2ban's 'ignoreip' directive for 
IPs you know only your users will be connecting from.

If you've a large number of users, it might be worth splitting them 
across a pair of servers - one for 'trusted' users, i.e. where each SIP 
endpoint is locked down to a specific IP (or at least a range), and you 
can configure your firewall to block SIP connection attempts from 
anything apart from that list; and one for 'untrusted' users, i.e. 
travelling users, home workers without static IPs, etc. on which you run 
fail2ban with a fairly ruthless set of rules/limits.

Unless you know that none of your users travel internationally, I'd be 
wary of imposing countrywide IP blocks, especially in this era of IP 
shortage where IP space is being traded on the open market and GeoIP 
databases may not always keep up to date.

Kind regards,

Chris
-- 
This email is made from 100% recycled electrons
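An added example, not code from the original post or from fail2ban or Asterisk, of the trap described above: a simplified fail2ban-style counter (maxretry failures within findtime seconds) run over constructed chan_sip "Registration ... failed" log lines, with an ignoreip-style allow list that exempts a trusted office range. The IPs, timestamps and extensions are made up.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (chan_sip NOTICE format, values made up).
# 203.0.113.10 is an office phone with a mistyped password;
# 198.51.100.7 is an unknown host guessing extensions.
SAMPLE_LOG = """\
[2014-01-19 14:00:01] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@pbx.example>' failed for '203.0.113.10:5060' - Wrong password
[2014-01-19 14:00:02] NOTICE[1234] chan_sip.c: Registration from '"admin" <sip:admin@pbx.example>' failed for '198.51.100.7:5060' - No matching peer found
[2014-01-19 14:00:03] NOTICE[1234] chan_sip.c: Registration from '"1000" <sip:1000@pbx.example>' failed for '198.51.100.7:5060' - No matching peer found
[2014-01-19 14:00:04] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@pbx.example>' failed for '198.51.100.7:5060' - No matching peer found
[2014-01-19 14:00:05] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@pbx.example>' failed for '203.0.113.10:5060' - Wrong password
[2014-01-19 14:00:09] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@pbx.example>' failed for '203.0.113.10:5060' - Wrong password
[2014-01-19 14:20:00] NOTICE[1234] chan_sip.c: Registration from '"1002" <sip:1002@pbx.example>' failed for '198.51.100.7:5060' - No matching peer found
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] .*Registration from .* failed for '(?P<ip>[0-9.]+):\d+'"
)


def bans(log, maxretry=3, findtime=600, ignoreip=()):
    """Return the set of source IPs that would be banned: maxretry failed
    registrations within findtime seconds, unless the IP falls inside one
    of the ignoreip networks (the equivalent of fail2ban's ignoreip)."""
    ignored = [ipaddress.ip_network(n) for n in ignoreip]
    failures = defaultdict(list)  # ip -> timestamps still inside the window
    banned = set()
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue  # trusted range: a wrong password here must not lock out the office
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        # keep only failures that are still within findtime of this one
        window = [t for t in failures[ip] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        failures[ip] = window
        if len(window) >= maxretry:
            banned.add(ip)
    return banned
```

With the defaults, the office phone is banned alongside the scanner; with ignoreip=("203.0.113.0/24",) only the scanner is.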


