> -----Original Message-----
> From: [email protected] [mailto:asterisk-users-
> [email protected]] On Behalf Of Paul Dugas
> Sent: Tuesday, April 05, 2011 4:38 PM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] Iptables configuration to handle brute,force
> registrations?
>
> First, this appears to be working for me though I'm not 100% sure of
> that and cannot guarantee it will for you in any way, shape or form.
> With the lawyering out of the way...
>
> I've seen fail2ban allow more than 500 failed SIP login attempts in
> under 30 seconds before adding an iptables rule to block the attacker.
> Likely I have it configured wrong but lately, I've been tinkering
> with iptables rules using the "recent" module as another layer of
> defense. Relevant lines from /etc/sysconfig/iptables on my
> CENTOS/Asterisk machine below...
>
> <snip>

[Danny Nicholas] I'm no expert, but as I see it, for fail2ban to work properly in a "heavy attack" environment, you MUST have your logs in realtime databases and preferably also roll them frequently. In "normal" Asterisk (as I use it), logs are written at the end of a call (not good for attack scenario unless attacks are quick and out) and in a heavy call environment, an attacker could make quite a bit of headway before the log could be processed. If you are "realtime" and rolling the logs hourly or so, fail2ban should work pretty well, but no guarantees.
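A rate limit of the kind the quoted message describes, using the iptables "recent" match in front of Asterisk; this is an added example, not the rules from the thread (those were snipped). The chain name, the list name, the 20-packets-in-60-seconds threshold and the allowlisted range are assumptions.

```iptables
# Constructed example for the *filter section of /etc/sysconfig/iptables.
# It counts SIP packets per source address in the kernel, so it does not
# depend on log parsing the way fail2ban does.
#
# Place the INPUT jump before any
#   -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# rule. Otherwise conntrack treats a UDP flood from one source port as an
# established flow and the packets never reach the rate-limit chain.

# Hypothetical chain name.
:SIP_RATE - [0:0]

# All inbound SIP signalling over UDP goes through the chain.
-A INPUT -p udp --dport 5060 -j SIP_RATE

# Known trunks and office phones bypass the limit. 192.0.2.0/24 is a
# documentation placeholder; substitute the real peer addresses.
-A SIP_RATE -s 192.0.2.0/24 -j ACCEPT

# Record every packet, including ones that end up dropped, so a source
# that keeps sending stays over the threshold.
-A SIP_RATE -m recent --name sip --set

# Drop once the source has 20 or more packets in the last 60 seconds.
# --rcheck only reads the list; the --set rule above does the counting.
# 20 is the default per-address history size of the recent module
# (ip_pkt_list_tot); a higher --hitcount needs that parameter raised.
-A SIP_RATE -m recent --name sip --rcheck --seconds 60 --hitcount 20 -j DROP

# Below the threshold: hand the packet to Asterisk.
-A SIP_RATE -j ACCEPT
```

The rule counts packets, not failed registrations, so it caps the rate of guessing without identifying it; fail2ban remains the layer that reacts to actual authentication failures.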
