fail2ban is a very good idea, but check it yourself every 2-3 days. These days, according to our reports, blind scanning of the SIP port (5060) on machines is very widespread. I think selecting a non-standard port for SIP/IAX/H.323, etc. can save you time and money.
From our analysis, securing the databases reduces your risk by about 40%, equal to preventing brute force.

Best

On Wed, Jul 27, 2011 at 1:34 AM, --[ UxBoD ]-- <[email protected]> wrote:
> If you are using OSSEC here are some rules:
>
> <rule id="10000" level="5">
>   <decoded_as>local-asterisk-denied</decoded_as>
>   <description>Asterisk Potentially Under Attack</description>
> </rule>
>
> <rule id="10001" level="8" frequency="5" timeframe="10">
>   <if_matched_sid>10000</if_matched_sid>
>   <same_source_ip />
>   <description>Asterisk Under Brute Force Attack</description>
> </rule>
>
> and for the local_decoder:
>
> <decoder name="local-asterisk-denied">
>   <prematch>NOTICE[\d+] \S+: Registration from </prematch>
>   <regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex>
>   <order>srcip</order>
> </decoder>
>
> OSSEC can then use Active Response to block the IP using IPtables.
> --
> Thanks, Phil
>
> ----- Original Message -----
> > > -----Original Message-----
> > > From: [email protected]
> > > [mailto:asterisk-users-[email protected]] On Behalf Of Bryant Zimmerman
> > > Sent: Tuesday, July 26, 2011 3:22 PM
> > > To: Asterisk Users Mailing List - Non-Commercial Discussion
> > > Subject: Re: [asterisk-users] file2ban
> > >
> > > I want to add an entry to a database every time a brute force
> > > registration attempt is done.
> > > From this database we are updating Cisco routers with our ban list
> > > so our entire network is protected.
> > > The database side of things is working and has been for some time.
> > > I really would like to add the fail2ban side of it to protect our
> > > Asterisk system better.
> >
> > Look at /etc/fail2ban/action.d/. Actions in the default config
> > run an iptables command to insert the ban into IPTables, but you
> > can have it run most any command.
--
Pezhman Lali
-- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
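Added example, not code from this thread or from OSSEC or fail2ban: a small Python implementation of the detection logic the quoted OSSEC rules express (rule 10000 matches one failed registration, rule 10001 fires on 5 matches from the same source IP within 10 seconds), run over constructed Asterisk log lines, with the resulting ban list rendered as the kind of iptables command a fail2ban action.d script would run. The log line regex, the sample lines, the hypothetical `ignore` whitelist and the 2011 year for timestamps are assumptions of this example; it also generalizes slightly by accepting both the `'ip'` and `'ip:port'` forms of the `failed for` field.

```python
"""Sliding-window brute-force detector for Asterisk failed SIP registrations.

Mirrors the quoted OSSEC pair: rule 10000 (one failed registration) and
rule 10001 (frequency=5, timeframe=10, same_source_ip). Example code only.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumption: Asterisk 1.x 'full' log format. The source IP is the first
# match group, as in the quoted decoder; ':port' is tolerated after it.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] \S+: "
    r"Registration from '(?P<peer>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?'"
)

FREQUENCY = 5   # hits needed, as in rule 10001 frequency="5"
TIMEFRAME = 10  # seconds, as in rule 10001 timeframe="10"

# Constructed sample log: one host hammering within 10 s, one slow prober,
# and one successful registration that must not match.
SAMPLE_LOG = """\
[Jul 26 15:22:01] NOTICE[3517] chan_sip.c: Registration from '"100" <sip:100@pbx.example.com>' failed for '203.0.113.5' - Wrong password
[Jul 26 15:22:02] NOTICE[3517] chan_sip.c: Registration from '"101" <sip:101@pbx.example.com>' failed for '203.0.113.5:5060' - No matching peer found
[Jul 26 15:22:03] NOTICE[3517] chan_sip.c: Registration from '"102" <sip:102@pbx.example.com>' failed for '203.0.113.5' - Wrong password
[Jul 26 15:22:05] NOTICE[3517] chan_sip.c: Registration from '"103" <sip:103@pbx.example.com>' failed for '203.0.113.5' - Wrong password
[Jul 26 15:22:09] NOTICE[3517] chan_sip.c: Registration from '"104" <sip:104@pbx.example.com>' failed for '203.0.113.5' - Wrong password
[Jul 26 15:22:10] NOTICE[3517] chan_sip.c: Registration from '"200" <sip:200@pbx.example.com>' failed for '198.51.100.7' - Wrong password
[Jul 26 15:22:30] NOTICE[3517] chan_sip.c: Registration from '"200" <sip:200@pbx.example.com>' failed for '198.51.100.7' - Wrong password
[Jul 26 15:22:50] NOTICE[3517] chan_sip.c: Registration from '"200" <sip:200@pbx.example.com>' failed for '198.51.100.7' - Wrong password
[Jul 26 15:23:10] NOTICE[3517] chan_sip.c: Registration from '"200" <sip:200@pbx.example.com>' failed for '198.51.100.7' - Wrong password
[Jul 26 15:23:30] NOTICE[3517] chan_sip.c: Registration from '"200" <sip:200@pbx.example.com>' failed for '198.51.100.7' - Wrong password
[Jul 26 15:23:31] VERBOSE[3517] chan_sip.c: -- Registered SIP '300' at 192.0.2.10:5060
"""


def parse_line(line, year=2011):
    """Return (timestamp, source_ip) for a failed registration, else None.

    Asterisk's default log timestamp carries no year; it is assumed here.
    """
    m = FAILED_REG.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def detect(lines, frequency=FREQUENCY, timeframe=TIMEFRAME, ignore=()):
    """Return source IPs that reached `frequency` failures within `timeframe` s.

    One deque of recent hit times per IP implements same_source_ip; `ignore`
    plays the role of fail2ban's ignoreip so your own trunks are never banned.
    """
    recent = defaultdict(deque)
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in ignore or ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        # Drop hits that fell out of the window, oldest first.
        while (ts - window[0]).total_seconds() > timeframe:
            window.popleft()
        if len(window) >= frequency:
            banned.append(ip)
    return banned


def iptables_commands(ips):
    """Render the ban list as the iptables insert a fail2ban action would run."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    for cmd in iptables_commands(detect(SAMPLE_LOG.splitlines())):
        print(cmd)
```

The fast host is banned on its fifth failure (8 seconds after the first); the slow prober never has more than one hit inside any 10-second window, so it is only caught if you lower the threshold or widen the window, which is the trade-off the `frequency` and `timeframe` attributes encode. The same `detect` output could equally be written to the database Bryant describes for pushing to routers.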
