On Fri, Dec 2, 2011 at 12:44 PM, Steve Edwards <asterisk....@sedwards.com> wrote:

> Gordon (based on my understanding of his posts) does a lot of Asterisk
> systems on very limited hardware hosts. His approach uses iptables features
> to limit the number of SIP INVITES and REGISTERS per second per IP address.

A very narrow solution to a fairly narrow attack surface, and surely not applicable to any medium- to large-scale solutions.

> Thus, Gordon's approach is more responsive (since it doesn't require
> periodic log file scanning) and requires less hardware resources (since it
> doesn't depend on running relatively 'slothish' resource intensive script
> interpreters like Perl or PHP periodically).

So Fail2Ban is inefficient in how it reads log files? If so, that could be an informed criticism of Fail2Ban.

> Personally, I find any approach that tracks log files 'hackish' but if you
> centralize your logging (which I always do) it does allow you to detect
> patterns of abuse across multiple hosts.

Others would say that not using IPS/IDS/adaptive security appliances is hackish, but I'm not one of those. There are very efficient ways to read log files, even with Perl on hardware no bigger than my Dockstar, when coded properly, so "reading log files" isn't hackish.

Looking at advanced threats that are encrypted or otherwise located within legitimately large streams of UDP and TCP traffic is not going to lend itself to some simpleton IP/port/rate iptables rule, or even a more complex iptables view into the data. The application log might be the ONLY place to correlate events. Good luck doing that with iptables alone.
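As an added illustration of the log-correlation point made above (example code, not from the thread or from Fail2Ban): a small sliding-window scan over centralized Asterisk registration-failure lines that flags a source IP only when its failures across all hosts cross a threshold. The log lines, host tags, addresses and the threshold are constructed for the example; no single host sees enough failures on its own to trip it, but the combined view does.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the style of Asterisk's chan_sip 'messages' log,
# prefixed with the originating host as a central syslog collector would. Not real traffic.
SAMPLE_LOG = """\
pbx1 [Dec  2 12:44:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@pbx1>' failed for '198.51.100.7:5060' - Wrong password
pbx1 [Dec  2 12:44:02] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@pbx1>' failed for '198.51.100.7:5060' - Wrong password
pbx2 [Dec  2 12:44:03] NOTICE[2345] chan_sip.c: Registration from '"102" <sip:102@pbx2>' failed for '198.51.100.7:5060' - No matching peer found
pbx1 [Dec  2 12:44:05] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@pbx1>' failed for '203.0.113.9:5060' - Wrong password
pbx2 [Dec  2 12:46:10] NOTICE[2345] chan_sip.c: Registration from '"103" <sip:103@pbx2>' failed for '198.51.100.7:5060' - Wrong password
"""

# Host tag, syslog-style timestamp, and the source IP of the failed registration.
LINE_RE = re.compile(
    r"^(?P<host>\S+) \[(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d)\] .*?"
    r"Registration from '.*?' failed for '(?P<ip>[\d.]+):\d+'"
)


def parse_events(text, year=2011):
    """Yield (timestamp, host, source_ip) for every failed-registration line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"], m["ip"]


def offending_sources(text, threshold=3, window_seconds=60):
    """Return {ip: {hosts}} for sources reaching `threshold` failures within any
    `window_seconds` span, counting events from all hosts together."""
    recent = defaultdict(deque)  # ip -> (timestamp, host) pairs inside the window
    flagged = {}
    for ts, host, ip in sorted(parse_events(text)):
        q = recent[ip]
        q.append((ts, host))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # drop events that have aged out of the window
        if len(q) >= threshold:
            flagged[ip] = {h for _, h in q}
    return flagged


if __name__ == "__main__":
    print(offending_sources(SAMPLE_LOG))  # {'198.51.100.7': {'pbx1', 'pbx2'}}
```

The flagged dictionary is where a blocking action (an iptables or ipset update, for instance) would hang off; that step is deliberately left out here.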