Hi All,

I must say that there are many ways to detect a password attack because this information actually goes into the logs and it's possible to analyze them. A couple of hours of thinking + a day or 2 of creating gives a really nice result. The bad thing is that by the time someone starts guessing the password with a dictionary attack or brute force (it doesn't matter), he already knows what the account name/ID is.

All this leads me to a question which is (from my point of view) a bit more important. Is there any way to detect SIP/IAX account guessing without actually dumping the UDP flow? I tried some _hacking_ tools and these create only some logs in debug mode. Using debug is not always an option because in some cases it creates a ~5MB log in a minute - such a flow is quite impossible to handle.

Does anyone have any experience catching account guessing attempts automatically? Any kind of ideas would be wonderful :)

thx a lot,
--
razu

On 11/18/2009 10:01 PM, Ioan Indreias wrote:
> Hello Xavier,
>
> Unfortunately we are not aware of any Asterisk configuration which
> will protect against a brute force attack on SIP.
>
> We use BFD - http://www.rfxn.com/projects/brute-force-detection/ .
>
> We have found first details here: http://engineertim.com/?cat=15 and
> we are currently maintaining 4 rules (SIP and IAX). All of them could
> be downloaded from here:
> http://www.modulo.ro/Modulo/downloads/tools/tenora.bfd.tar.gz
>
> We have tried to document the installation of BFD on an Asterisk
> server here:
> http://www.modulo.ro/Modulo/ro/Articole/Securitate_pentru_servere_Asterisk.html
> (in Romanian)
>
> HTH,
> Ioan (Nini) Indreias
> www.modulo.ro
>
> On Mon, Nov 16, 2009 at 7:24 PM, TDF <[email protected]> wrote:
>
> fail2ban
>
> http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk
>
> 2009/11/16 Xavier Mesquida <[email protected]>
>
> Has Asterisk any protection against brute force attack for SIP
> authentication?
> Something like a maximum login attempt limit
> Thanks

_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
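
The distinction this thread draws between password guessing and account guessing can be made from ordinary log lines whenever failed registrations are logged with a reason. The following is an added example, not code from the thread or from the BFD and fail2ban rules it links to; the NOTICE line shape, the thresholds, the helper names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed chan_sip NOTICE line shape; verify against your own Asterisk log.
LINE = re.compile(
    r"NOTICE\[\d+\].*?: Registration from '(?P<sender>[^']*)' failed for "
    r"'(?P<ip>[^':]+)(?::\d+)?' - (?P<reason>.+)$")
USER = re.compile(r"sip:([^@>;]+)@")

def classify(lines, min_accounts=5, min_failures=10):
    """Map source IP -> 'account-guessing' or 'password-guessing'."""
    unknown = defaultdict(set)   # ip -> distinct IDs that matched no peer
    wrong_pw = defaultdict(int)  # ip -> failures against existing accounts
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        u = USER.search(m["sender"])
        user = u.group(1) if u else m["sender"]
        if m["reason"].startswith("No matching peer found"):
            unknown[m["ip"]].add(user)
        elif m["reason"].startswith("Wrong password"):
            wrong_pw[m["ip"]] += 1
    verdict = {ip: "password-guessing"
               for ip, n in wrong_pw.items() if n >= min_failures}
    # Many distinct nonexistent IDs from one source: the account list is being probed.
    for ip, users in unknown.items():
        if len(users) >= min_accounts:
            verdict[ip] = "account-guessing"
    return verdict

def _line(sec, user, src, reason):
    return (f"[Nov 18 22:01:{sec:02d}] NOTICE[2578] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@192.0.2.10>' failed for '{src}' - {reason}")

# Constructed sample input (documentation address ranges, invented extensions).
SAMPLE = (
    [_line(i, 100 + i, "203.0.113.5", "No matching peer found") for i in range(6)]
    + [_line(i + 10, 101, "198.51.100.7", "Wrong password") for i in range(10)]
    + [_line(30, 102, "192.0.2.44", "Wrong password")]  # one mistyped password
)

if __name__ == "__main__":
    for ip, kind in sorted(classify(SAMPLE).items()):
        print(ip, kind)
```

Counting distinct account IDs per source, rather than total failures, is what separates the two cases: a user retrying a password touches one ID, while account guessing touches many.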
