Norbert Zawodsky wrote:

> Per,
>
> (didn't want to be unfriendly to you !!!!!)

Not at all.

> As you say, "you don't like anything to modify your firewall". My
> words!
>
> Someone (don't remember who & when) on this list showed me a very
> clever trick (=iptables rule) to drop the packets if too many of them
> arrive within a given period of time. Works really great !!!!!

Yeah, I have a rule like that for SSH brute force attempts, and I did
also find one for the same thing for SIP.

> Do not exactly remember how it was done (and I don't have access to
> that machine at the moment to have a look).
> I remember something like
> first using iptables module "string" to inspect the packet if it
> contains the string "REGISTER sip:"
> and then use an iptables "hash bucket" with a limit of x/second

This is what I found:

iptables -N sip-flood
iptables -A INPUT -p udp -m udp --dport 5060 -j sip-flood
iptables -A INPUT -p tcp -m tcp --dport 5060:5061 --syn -j sip-flood
iptables -A sip-flood -m recent --update --seconds 60 --hitcount 20 -j LOG --log-prefix "SIP bruteforce attempt: "
iptables -A sip-flood -m recent --rcheck --seconds 60 --hitcount 20 -j DROP
iptables -A sip-flood -m recent --set -j ACCEPT

/Per Jessen, Zürich

-- 
http://www.spamchek.com/ - your spam is our business.
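Added illustration, not part of the thread: a simplified Python model of how the three-rule sip-flood chain above decides per packet. It assumes the xt_recent semantics of counting stamps within --seconds and of --update refreshing an entry only when its match succeeds; the per-address stamp cap (ip_pkt_list_tot) and TTL matching are ignored, and the traffic is constructed sample input.

```python
from collections import defaultdict

SECONDS = 60      # --seconds 60
HITCOUNT = 20     # --hitcount 20


def hits_in_window(stamps, now):
    """Count stamps no older than SECONDS seconds (kernel: stamp >= now - seconds)."""
    return sum(1 for t in stamps if now - t <= SECONDS)


def sip_flood_chain(packets):
    """Run (time_seconds, src_ip) packets through the modelled chain.

    Returns the per-packet verdicts ("ACCEPT"/"DROP") and the set of
    sources that hit the LOG rule at least once.
    """
    table = defaultdict(list)   # stands in for /proc/net/xt_recent/DEFAULT
    verdicts, logged = [], set()
    for now, src in packets:
        stamps = table[src]
        # Rule 1: -m recent --update --seconds 60 --hitcount 20 -j LOG
        # --update adds a stamp only when the hitcount match succeeds, so
        # a continuing flood keeps extending its own block.
        if stamps and hits_in_window(stamps, now) >= HITCOUNT:
            stamps.append(now)
            logged.add(src)
        # Rule 2: -m recent --rcheck --seconds 60 --hitcount 20 -j DROP
        if stamps and hits_in_window(stamps, now) >= HITCOUNT:
            verdicts.append("DROP")
            continue
        # Rule 3: -m recent --set -j ACCEPT (creates or refreshes the entry)
        stamps.append(now)
        verdicts.append("ACCEPT")
    return verdicts, logged


# Constructed sample traffic (not captured data):
# 10.0.0.9 sends REGISTERs at 2/second; 192.0.2.10 re-registers every 30 s.
FLOOD = [(i * 0.5, "10.0.0.9") for i in range(40)]       # 40 packets in 20 s
NORMAL = [(i * 30.0, "192.0.2.10") for i in range(10)]   # 10 packets in 270 s

if __name__ == "__main__":
    v, who = sip_flood_chain(FLOOD)
    print("flood:", v.count("ACCEPT"), "accepted,", v.count("DROP"), "dropped, logged:", who)
    v, who = sip_flood_chain(NORMAL)
    print("normal:", v.count("ACCEPT"), "accepted,", v.count("DROP"), "dropped, logged:", who)
    # The block decays once the window has no 20 stamps left in it.
    print("flooder at t=70:", sip_flood_chain(FLOOD + [(70.0, "10.0.0.9")])[0][-1])
    print("flooder at t=90:", sip_flood_chain(FLOOD + [(90.0, "10.0.0.9")])[0][-1])
```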
