Un-top-posting...

> On 2010-06-24 1:03 PM, "bruce bruce" <[email protected]> wrote:
>
> What would be the other workaround other than fail2ban? What commands
> should be run for IPTABLES to ban this IP from trying to register to
> SIP?
On Thu, 24 Jun 2010, Zeeshan Zakaria wrote:

> iptables -A INPUT -p TCP -s 87.230.90.5 --dport 5060 REJECT

(I think you need a "-j" before the target.)

If the connection is tcp. "s/TCP/UDP/" for udp. I'm a 1.2 Luddite, so TCP is not an issue for me.

There are two problems with this approach.

Using REJECT tells the attacker that he is being rejected. Very often, he will have access to a range of addresses (maybe a sub-set, maybe an entire class C) so he just tries again with another address. See http://en.wikipedia.org/wiki/Whack_a_mole

If you change the target to DROP, your host discards the packet and no information is sent back to the attacker.

sudo iptables \
        --append INPUT \
        --match udp \
        --protocol udp \
        --dport 5060 \
        --source 87.230.90.5 \
        --jump DROP

Just because you are blocking SIP does not mean he will not try SSH, FTP, HTTP, Telnet...

Using the very blunt sword of blocking the entire class [A|B|C] for all ports and protocols solves the problem for most attackers but can block legitimate users as well.

sudo iptables \
        --append INPUT \
        --source 87.230.90.0/24 \
        --jump DROP

From my experience, a lot of attacks originate from countries I have no interest in receiving calls from, so I just block a lot (too many?) of class A addresses. Unfortunately, my web server and email server are on the same host, so I need to refine this approach a bit :)

A better approach would be to specifically allow the IP addresses of the callers you expect, and drop everybody else.

If you have multiple IP addresses (for example, a public and a private) on your Asterisk box, binding SIP, IAX, and the manager interface to the local address will also reduce your attack profile.
--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards       [email protected]      Voice: +1-760-468-3867 PST
Newline                                   Fax:   +1-760-731-3000

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-biz mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-biz
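One way to implement the allow-list approach Steve recommends (accept SIP only from the callers you expect, DROP everyone else), as an added example that is not from the original thread: a POSIX shell function that emits the iptables rules for a given list of caller addresses so they can be reviewed before being applied. The chain name SIP-ALLOW and the sample addresses are constructed for this example.

```shell
#!/bin/sh
# Added example: emit iptables rules that allow SIP (UDP/5060) only from an
# explicit list of expected callers and DROP everyone else, following the
# allow-list approach from the post. Rules are printed, not applied, so they
# can be reviewed first; pipe them to sh as root to install them.
# The chain name SIP-ALLOW and all addresses are constructed for this example.

SIP_PORT=5060
CHAIN=SIP-ALLOW

# Return 0 if $1 looks like a dotted-quad IPv4 address or CIDR, else 1.
is_ipv4_or_cidr() {
    printf '%s' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}

# Emit the rule set for a space-separated allow-list, one command per line.
# Fails (status 1) without printing anything if any entry is malformed.
sip_allowlist_rules() {
    allow="$1"
    for src in $allow; do
        is_ipv4_or_cidr "$src" || return 1
    done
    # Dedicated chain: the SIP policy can be flushed without touching INPUT.
    printf 'iptables -N %s\n' "$CHAIN"
    printf 'iptables -A INPUT -p udp --dport %s -j %s\n' "$SIP_PORT" "$CHAIN"
    for src in $allow; do
        printf 'iptables -A %s -s %s -j ACCEPT\n' "$CHAIN" "$src"
    done
    # Final rule uses DROP rather than REJECT so unknown senders get no reply.
    printf 'iptables -A %s -j DROP\n' "$CHAIN"
}

# Count the ACCEPT rules in an emitted rule set (used to sanity-check output).
count_accept_rules() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

# Demo with constructed sample peers: one single host and one /24 of callers.
sip_allowlist_rules "203.0.113.10 198.51.100.0/24"
```

The emitted chain only covers UDP/5060; TCP SIP or other ports would need their own jump rule, and anything already matched by an earlier INPUT rule is unaffected.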
