With CRON or as an init.d you can do many things... http://www.spamhaus.org/faq/answers.lasso?section=DROP%20FAQ#116
~
Andrew "lathama" Latham lath...@gmail.com

* Learn more about OSS http://en.wikipedia.org/wiki/Open-source_software
* Learn more about Linux http://en.wikipedia.org/wiki/Linux
* Learn more about Tux http://en.wikipedia.org/wiki/Tux

On Thu, Oct 21, 2010 at 12:54 PM, Jeff LaCoursiere <j...@sunfone.com> wrote:
>
> On Thu, 21 Oct 2010, Steve Howes wrote:
>
>> Hi,
>>
>> Given the recent increase in SIP brute force attacks, I've had a little
>> idea.
>>
>> The standard scripts that block after X attempts work well to prevent
>> you actually being compromised, but once you've been 'found' then the
>> attempts seem to keep coming for quite some time. Older versions of
>> sipvicious don't appear to stop once you start sending un-reachables (or
>> straight drops). Now this isn't a problem for Asterisk, but it does add
>> up in (noticeable) bandwidth costs - and for people running on lower
>> bandwidth connections. The tool to crash sipvicious can help this, but
>> very few attackers seem to obey it..
>>
>> The only way I can see to alleviate this, is to blacklist hosts *before*
>> they attack. This means you won't ever be targeted past an initial scan.
>>
>> Is there any interest in a 'shared' blacklist (similar to spam
>> blacklists, but obviously implemented in a way that is more usable with
>> Asterisk/iptables)? Clearly it raises issues about false positives etc,
>> but requiring reports from more than X hosts should alleviate this.
>> There's all the usual de-listing / false-listing worries as with any
>> blacklist, but the SMTP world has solutions we could learn from.
>>
>> Leaving a 'honeypot' running on a single IP address has revealed a few
>> hundred addresses in less than a month. I am fairly certain these are
>> all 'bad' as this host isn't used for anything else. There is obviously
>> a wealth of data (and attacks) out there that would be good to share.
>>
>> Anyone have any thoughts?
>>
>> S
>> --
>
> I'll subscribe, that is for sure. What is the best way to dist the
> blacklist? iptables include file? Or something more integrated to
> asterisk... just thinking off the top of my head that a module that vetted
> inbound connections against an external list would be a very cool thing.
>
> j
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
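
The threshold idea from the quoted message (list an address only once more than X separate hosts have reported it), together with a list file of the kind a cron job could load, as an added example that is not part of the original thread. The reporter names, the sample addresses, the allowlist, the `sip_blacklist` set name and the choice of ipset's restore format for the file are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample reports: (reporting host, source address it saw).
# Host names are hypothetical; addresses are documentation/private ranges.
SAMPLE_REPORTS = [
    ("honeypot-a", "203.0.113.7"),
    ("honeypot-b", "203.0.113.7"),
    ("honeypot-c", "203.0.113.7"),
    ("honeypot-a", "198.51.100.20"),
    ("honeypot-a", "198.51.100.20"),  # repeat from one host counts once
    ("honeypot-b", "198.51.100.20"),
    ("honeypot-c", "192.0.2.10"),
    ("honeypot-a", "10.1.2.3"),
    ("honeypot-b", "10.1.2.3"),
    ("honeypot-c", "10.1.2.3"),
    ("honeypot-b", "not-an-address"),  # malformed, must be dropped
]


def build_blacklist(reports, more_than, allowlist=()):
    """Addresses reported by more than `more_than` distinct hosts, sorted."""
    protected = [ipaddress.IPv4Network(n) for n in allowlist]
    reporters = defaultdict(set)
    for host, raw in reports:
        try:
            addr = ipaddress.IPv4Address(raw.strip())  # IPv4 only here
        except ValueError:
            continue  # never pass unparsed text on to the firewall
        if any(addr in net for net in protected):
            continue  # own or customer networks are never listed
        reporters[addr].add(host)
    return sorted(a for a, hosts in reporters.items() if len(hosts) > more_than)


def to_ipset_restore(addresses, set_name="sip_blacklist"):
    """Render the list as input for `ipset restore` (assumed format choice)."""
    lines = [f"create {set_name} hash:ip"]
    lines += [f"add {set_name} {addr}" for addr in addresses]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    listed = build_blacklist(SAMPLE_REPORTS, more_than=2, allowlist=["10.0.0.0/8"])
    print(to_ipset_restore(listed), end="")
```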