On 4/5/2011 4:38 PM, Paul Dugas wrote:
> First, this appears to be working for me though I'm not 100% sure of
> that and cannot guarantee it will for you in any way, shape or form.
> With the lawyering out of the way...
>
> I've seen fail2ban allow more than 500 failed SIP login attempts in
> under 30 seconds before adding an iptables rule to block the attacker.
> Likely I have it configured wrong but lately, I've been tinkering
> with iptables rules using the "recent" module as another layer of
> defense. Relevant lines from /etc/sysconfig/iptables on my
> CENTOS/Asterisk machine below...
>
> -A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --set --name SIP
> -A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds 600 --hitcount 20 --rttl -j DROP
> -A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds 300 --hitcount 10 --rttl -j DROP
> -A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds 180 --hitcount 5 --rttl -j DROP
> -A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds 60 --hitcount 3 --rttl -j DROP
> -A RH-Firewall-1-INPUT -p udp --dport 5060 -j ACCEPT
>
> This blocks the attacker when too many new SIP connections happen in
> too short a period of time. I think fail2ban will now never see
> enough failed logins to fire off a response.
>
> $0.02
>
That was completely worth the $0.02, here's a nickel & keep the change! ;-)

Cheers mate, thanks for sharing with the community :)

--
Sherwood McGowan <sherwood.mcgo...@gmail.com>
Carrier, ITSP, Call Center, and PBX Solutions Consultant
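
An added example, not part of either message in this thread: a small Python model of how the tiered "recent" rules quoted above treat a single source address, for checking which packet triggers the block and whether a legitimate endpoint's retry interval would be caught. It assumes every packet from the source is classified NEW, that the TTL always matches (--rttl), and the recent module's default of 20 remembered timestamps per address; the arrival patterns are constructed.

```python
from collections import deque

# (seconds, hitcount) pairs copied from the --rcheck rules in the quoted post.
TIERS = [(600, 20), (300, 10), (180, 5), (60, 3)]
# Assumption: default ip_pkt_list_tot, the number of timestamps kept per address.
STAMPS_KEPT = 20


def simulate(arrivals):
    """Return 'ACCEPT' or 'DROP' for each arrival time (seconds) of one source."""
    stamps = deque(maxlen=STAMPS_KEPT)
    verdicts = []
    for now in arrivals:
        # The --set rule has no target: it records the packet and evaluation
        # continues, so packets dropped below are still counted.
        stamps.append(now)
        dropped = any(
            sum(1 for s in stamps if now - s <= seconds) >= hitcount
            for seconds, hitcount in TIERS
        )
        verdicts.append("DROP" if dropped else "ACCEPT")
    return verdicts


def first_drop(arrivals):
    """1-based position of the first dropped packet, or None if none is dropped."""
    verdicts = simulate(arrivals)
    return verdicts.index("DROP") + 1 if "DROP" in verdicts else None


if __name__ == "__main__":
    # Constructed arrival patterns, in seconds since the first packet.
    patterns = {
        "burst of 10 packets per second": [i / 10 for i in range(50)],
        "endpoint retrying every 31 s": [31 * i for i in range(30)],
        "endpoint re-registering every 61 s": [61 * i for i in range(30)],
    }
    for label, arrivals in patterns.items():
        verdicts = simulate(arrivals)
        print(f"{label}: first drop at packet {first_drop(arrivals)}, "
              f"{verdicts.count('ACCEPT')} of {len(verdicts)} accepted")
```

Because the --set rule also stamps packets that are later dropped, a source that keeps sending at a blocked rate stays blocked until it goes quiet for long enough.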