On Tue, Jul 08, 2008 at 09:34:44PM -0700, Trevor Peirce wrote:
> Steve Totaro wrote:
> > For security, how about an authentication retry setting in the sip
> > configuration? After X amounts of failed auth or registration
> > attempts, block IP for Y amount of time. It would seem fairly easy to
> > do using realtime with DB entries for IP blocks and expiration. Then
> > a quick query of the same tables would allow an admin to put in
> > permanent rules on a firewall or ACL and also contact that ISP's abuse
> > dept.
>
> I was recently introduced to fail2ban. It's a nice tool that will watch
> log files and when it notices too many failed authentication attempts
> (SSH, FTP, Password protected web sites, asterisk) it will run an
> iptables or shorewall command to block the offending IP address for a
> certain amount of time.
>
> It also has the option to send an email to let me know when someone got
> themselves banned.
>
> I've found this tool to be quite handy.
>
> Really no need to reinvent the wheel by incorporating its functionality
> into asterisk. Plus it's always better to block unwanted traffic before
> it even gets to the application.

One problem you have to remember: if you ban based on a single UDP
packet, you make it easy for anybody to cut off your trunks by sending a
packet with a false source IP address "from" your trunk.
--
Tzafrir Cohen
icq#16849755 jabber:[EMAIL PROTECTED]
+972-50-7952406 mailto:[EMAIL PROTECTED]
http://www.xorcom.com iax:[EMAIL PROTECTED]/tzafrir
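
The ban policy discussed in this thread (X failures, block for Y) combined with the spoofing caveat, as an added Python example that is not from any poster or from fail2ban: sources are banned only after repeated failures inside a time window, and trunk addresses are exempt so a forged packet "from" the trunk cannot cut it off. The log format, threshold values, and addresses are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical policy: MAX_RETRY failures within FINDTIME bans for BANTIME.
MAX_RETRY = 3
FINDTIME = timedelta(minutes=10)
BANTIME = timedelta(hours=1)
# Trunk/provider addresses that must never be banned (constructed, RFC 5737).
TRUNK_ALLOWLIST = {"192.0.2.10"}

# Simplified, constructed log format assumed for this example only.
LINE_RE = re.compile(r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE .*failed for '(?P<ip>[\d.]+)'")

SAMPLE_LOG = """\
[2008-07-08 21:00:01] NOTICE Registration failed for '203.0.113.5' - Wrong password
[2008-07-08 21:00:02] NOTICE Registration failed for '192.0.2.10' - Wrong password
[2008-07-08 21:00:03] NOTICE Registration failed for '192.0.2.10' - Wrong password
[2008-07-08 21:00:04] NOTICE Registration failed for '192.0.2.10' - Wrong password
[2008-07-08 21:00:05] NOTICE Registration failed for '198.51.100.7' - Wrong password
[2008-07-08 21:01:00] NOTICE Registration failed for '203.0.113.5' - Wrong password
[2008-07-08 21:02:00] NOTICE Registration failed for '203.0.113.5' - Wrong password
[2008-07-08 21:20:00] NOTICE Registration failed for '198.51.100.7' - Wrong password
[2008-07-08 21:40:00] NOTICE Registration failed for '198.51.100.7' - Wrong password
"""

def decide_bans(log_text):
    """Return {ip: ban_expiry} for sources with MAX_RETRY failures in FINDTIME."""
    failures, bans = defaultdict(deque), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        if ip in TRUNK_ALLOWLIST:
            continue  # failures claiming to come from a trunk never cause a ban
        if ip in bans and ts < bans[ip]:
            continue  # already banned; nothing more to count
        window = failures[ip]
        window.append(ts)
        while window and ts - window[0] > FINDTIME:
            window.popleft()  # drop failures older than the sliding window
        if len(window) >= MAX_RETRY:
            bans[ip] = ts + BANTIME
            window.clear()
    return bans
```

A threshold above one does not by itself stop a sender who forges several packets; the allowlist is what protects the trunk here.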