What about tying this to a program called denyhosts? It works great for banning systems that attempt connections via ssh. I doubt that it'd be terribly hard to integrate so that sip and iax2 could be blocked also. It also has the ability to share block lists among systems.
Darren Wiebe
[email protected]

John Todd wrote:
> On Feb 27, 2009, at 1:04 PM, [email protected] wrote:
>
>>>> I'd suggest to everyone to ban that IP, it's been scanning our networks
>>>> from time to time, in a sequential manner by IP.
>>>>
>>> I've had really good luck with this:
>>>
>>> http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
>>>
>>> Basically, it automatically blackholes via IPtables any host that fails a
>>> certain number of registration attempts in a given period.
>>>
>> Yeah we're actually rolling it out on all of our production servers, it's
>> a great application to run.
>>
>> I'm working on some scripts to propagate the bans to the firewall so that
>> all of the servers get protected as soon as possible.
>>
>>> [default]
>>> ; Send any unauthenticated calls to the local FBI office
>>> context=local-fbi-office
>>>
>>> I've got a honeypot server that pretty much accepts any calls that come
>>> through, and plays a "Thank you for calling the Telecommunications Fraud
>>> hotline. Please stay online for the next available representative." If they
>>> stay online for more than 20 seconds, it connects them to an agent at the
>>> FBI that we have been working with.
>>>
>>> I've been meaning to add some code in that pulls out the originating IP
>>> address of the call and tells it to the agent when we call. :)
>>>
>> That would be great to have!
>>
>
> This sounds very much like the framework I discussed at the last
> astridevcon in September. I've had no time to work on it, but it
> sounds like you're already making progress.
>
> http://astridevcon.pbwiki.com/Network-Security-Framework
>
> Would you be interested in making your work more integral to Asterisk,
> so that it can be a generic security policy model for all channel
> methods, starting with SIP? Or is the scrape-from-logfile method
> sufficient for your needs?
>
> JT
>
> ---
> John Todd                       email:[email protected]
> Digium, Inc. | Asterisk Open Source Community Director
> 445 Jan Davis Drive NW - Huntsville AL 35806 - USA
> direct: +1-256-428-6083         http://www.digium.com/
>
> _______________________________________________
> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>
> asterisk-biz mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-biz
