On Mar 16, 2009, at 8:18 PM, John Todd wrote:

> [Phil and Cyril - the quick synopsis here is that Asterisk systems are being hit with some frequency with brute-force SIP password or extension guessing attacks. Asterisk can output logfiles (non-customizable) of failures.]
>
> JR and I had been having parts of this conversation off-line, but it's probably worth bringing it up here.
>
> I am of the opinion that a "blacklist" is probably useful for some people, as an optional method to automatically configure certain firewall filters or other ACLs which would deny certain IP addresses from reaching the SIP stack. This could be triggered by quantity of requests within a certain time period, or number of failures, or whatever. In fact, there are people who have configured Fail2Ban already to serve locally as a prophylactic for their own machines. JR's point is that there would optimally be some distributed mechanism which would serve to collect the IP addresses as reported by a wide variety of endpoints, such that badly acting IP addresses would be denied even the first step in blocking.
My biggest concern is how we handle issues such as an incorrectly configured client set to attempt to reconnect, causing false positives; this seems like it would be fairly common. Is there any way we can make it depend on failures using different passwords to cause a ban, instead of any sort of retry causing a ban (outside of more obvious DoS attacks)?

Mike

_______________________________________________
asterisk-biz mailing list
http://lists.digium.com/mailman/listinfo/asterisk-biz
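The false-positive problem raised in this reply can be illustrated with a small classifier over registration-failure log lines. This is an added example, not code from the thread, from Asterisk or from Fail2Ban. The log line shape is modelled on chan_sip's "Registration from '...' failed for '...' - reason" notices, but the exact field layout, the timestamps, the IP addresses and the thresholds are constructed assumptions. Note that these logs do not carry the attempted password, so "failures using different passwords" is not directly observable; the example uses the number of distinct extensions and failure reasons seen from one source as the proxy a defender actually has: a misconfigured phone retries one extension with one reason at a steady pace, while a scanner enumerates many extensions in a burst. Only the latter is returned as a ban candidate.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple, Optional, List, Dict


def _line(ts: str, ext: str, ip: str, reason: str) -> str:
    """Build a constructed log line in the assumed chan_sip notice shape."""
    return (f"[{ts}] NOTICE[2345]: chan_sip.c:14000 handle_request_register: "
            f"Registration from '\"{ext}\" <sip:{ext}@pbx.example.com>' "
            f"failed for '{ip}' - {reason}")


# Constructed sample input (not from any real system).
LOG_LINES: List[str] = (
    # 10.0.0.5: one extension, one reason, a retry every 30 seconds -> a phone
    # provisioned with a stale password, not an attacker.
    [_line(f"Mar 16 20:{18 + i // 2:02d}:{(i % 2) * 30:02d}", "201", "10.0.0.5",
           "Wrong password") for i in range(6)]
    # 203.0.113.9: six different extensions within five seconds -> enumeration.
    + [_line(f"Mar 16 20:25:{i:02d}", ext, "203.0.113.9", reason)
       for i, (ext, reason) in enumerate([
           ("100", "Wrong password"), ("101", "No matching peer found"),
           ("102", "No matching peer found"), ("1000", "No matching peer found"),
           ("admin", "No matching peer found"), ("test", "No matching peer found")])]
    # 198.51.100.7: two failures, below any reasonable threshold.
    + [_line("Mar 16 20:30:00", "305", "198.51.100.7", "Wrong password"),
       _line("Mar 16 20:30:10", "305", "198.51.100.7", "Wrong password")]
)

LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE.*?Registration from "
    r"'(?P<from>[^']*)' failed for '(?P<ip>[0-9.]+)' - (?P<reason>.+)$"
)
EXT_RE = re.compile(r"sip:([^@>]+)@")


class Failure(NamedTuple):
    ts: datetime
    ip: str
    extension: str
    reason: str


def parse_line(line: str) -> Optional[Failure]:
    """Return a Failure for a registration-failure notice, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ext_m = EXT_RE.search(m["from"])
    extension = ext_m.group(1) if ext_m else m["from"]
    # Year is absent from the log prefix; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return Failure(ts, m["ip"], extension, m["reason"].strip())


def classify(failures: List[Failure], window: timedelta = timedelta(minutes=10),
             threshold: int = 5, ext_diversity: int = 3) -> Dict[str, str]:
    """Per source IP: 'ok', 'misconfigured_client', 'brute_force' or 'suspicious'.

    Only failures inside `window` before the source's latest failure count.
    Thresholds are assumptions chosen for the sample data.
    """
    by_ip: Dict[str, List[Failure]] = defaultdict(list)
    for f in failures:
        by_ip[f.ip].append(f)
    verdicts: Dict[str, str] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.ts)
        latest = events[-1].ts
        recent = [e for e in events if latest - e.ts <= window]
        if len(recent) < threshold:
            verdicts[ip] = "ok"
            continue
        extensions = {e.extension for e in recent}
        reasons = {e.reason for e in recent}
        if len(extensions) >= ext_diversity:
            verdicts[ip] = "brute_force"          # enumerating extensions
        elif len(extensions) == 1 and len(reasons) == 1:
            verdicts[ip] = "misconfigured_client"  # same account, same error, on repeat
        else:
            verdicts[ip] = "suspicious"            # mixed signals: alert, do not auto-ban
    return verdicts


def analyze(lines: List[str]) -> Dict[str, str]:
    """Parse raw log lines and classify every source IP seen."""
    return classify([f for f in map(parse_line, lines) if f is not None])


def ban_candidates(verdicts: Dict[str, str]) -> List[str]:
    """IPs that would be handed to a firewall ACL; only clear enumeration qualifies."""
    return sorted(ip for ip, v in verdicts.items() if v == "brute_force")


if __name__ == "__main__":
    results = analyze(LOG_LINES)
    for ip, verdict in sorted(results.items()):
        print(f"{ip:15} {verdict}")
    print("ban candidates:", ban_candidates(results))
```

The "suspicious" bucket is deliberate: when a source mixes extensions and reasons without clearly enumerating, raising an alert rather than auto-banning is what keeps a single mis-provisioned phone from landing an office's shared NAT address on a distributed blacklist.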
