On Dec 9, 2010, at 5:57 AM, Joe Greco wrote:
>
> > Hello,
> >
> > We had been seeing SIP-guessing attacks on our Asterisk server here.
> >
> > While it wasn't that hard to write a once-a-minute cron job to spank
> > the lusers, that runs once a minute and creates little spikes in the
> > usage and I/O graphs, and is slower to respond than I'd really prefer.
> > I felt that it'd be much cooler to get something more comprehensive
> > put together. We don't use fail2ban because I don't like having to
> > install python.

[snip]
For a while, I had been using a cron job that used Perl to examine logs and ban IPs. I shared the solution at http://bit.ly/cDHlLq.

As attacks increased, I find the following very very good for Asterisk stand-alone solutions:

-A INPUT -p udp --dport 5060 -m recent --name SIP --update --seconds 30 --hitcount 20 -j DROP
-A INPUT -p udp --dport 5060 -m recent --name SIP --update --seconds 2 --hitcount 10 -j DROP
-A INPUT -p udp --dport 5060 -m recent --name SIP --set

For heavy traffic solutions, I find Kamailio's built-in attack module to be fantastic.

--
With best regards,
Fred
http://qxork.com
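Added example, not part of the original message: a simplified Python model of how the three `recent` rules above treat a stream of UDP packets to port 5060, so the thresholds can be tried against sample traffic before loading them. It assumes the module keeps 20 timestamps per source (its default ip_pkt_list_tot) and that a matching --update records the packet; the function name, traffic patterns and addresses are constructed for illustration.

```python
from collections import defaultdict, deque

# Assumption: 20 timestamps kept per source (xt_recent's default ip_pkt_list_tot).
PKT_LIST_TOT = 20
# (seconds, hitcount) of the two --update ... -j DROP rules, in rule order.
UPDATE_RULES = [(30, 20), (2, 10)]


def simulate(packets):
    """packets: (time_in_seconds, source_ip) pairs in arrival order.
    Returns one verdict per packet: 'DROP', or 'PASS' if it reached --set."""
    table = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))
    verdicts = []
    for now, src in packets:
        stamps = table[src]
        verdict = "PASS"
        for seconds, hitcount in UPDATE_RULES:
            hits = sum(1 for t in stamps if now - t <= seconds)
            if hits >= hitcount:
                verdict = "DROP"  # rule matched: --update, then -j DROP
                break
        # A matching --update and the final --set both record this packet,
        # so dropped packets keep the source's entry fresh.
        stamps.append(now)
        verdicts.append(verdict)
    return verdicts


# Constructed traffic (documentation addresses, not real hosts).
BURST = [(i / 10, "192.0.2.10") for i in range(15)]       # 10 packets/s
STEADY = [(float(i), "198.51.100.7") for i in range(25)]  # 1 packet/s
AFTER_PAUSE = STEADY + [(55.0, "198.51.100.7")]           # quiet for 31 s

if __name__ == "__main__":
    for name, pkts in [("burst", BURST), ("steady", STEADY),
                       ("after pause", AFTER_PAUSE)]:
        print(name, "".join(v[0] for v in simulate(pkts)))
```

The steady case shows that the rules count every packet to port 5060, not failed logins: in this model a source sending one packet per second is dropped from its 21st packet until it has been quiet for more than 30 seconds.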
