Looks nice, might start using it Stefan :) Thanks.
Mitul

On Friday, April 11, 2014, Stefan Gofferje <[email protected]> wrote:

> Hi,
>
> in case, anyone is interested...
> I have started compiling a blacklist of hosts and networks from which
> SIP fraud attempts occur.
> My criteria currently are:
>
> To block an IP:
> - Minimum 3 attacks within one week from the same IP
> To block a network:
> - Attacks from minimum 3 IPs from that network within 2 weeks
> Common criteria:
> - Provider does not react to complaints OR
> - Provider sends autoreply but attacks don't stop within a week
>
> Definition of attack:
> - Minimum 5 attempts to make an unauthorized phone call to a
>   non-PBX-internal number OR
> - Minimum 10 attempts to make an unauthorized phone call to a
>   PBX-internal number OR
> - Minimum 10 failed authentication attempts
>
> If this happens, the IP gets auto-banned (iptables) for 24 hours and
> goes to my watch list. The watch list is the base for my further decisions.
>
> Currently, I don't remove IPs or networks from the list. If I have time
> and/or motivation I might create some kind of removal process later -
> also, depending on how big the list gets and how many people use it.
>
> The list is yet pretty short but for me, it has reduced the noise on my
> PBX from 20-30 attacks per day to about 2 or 3 per week, especially
> after most of the Palestinian networks ended up on the list.
>
> You're free to use the list - on your own responsibility and risk. It's
> in the ipdeny.com format, so a simple script can be used to CURL the
> list and create iptables rules from it. A sample script for something
> like that is also on my website (check the Linux section).
>
> That's the website for the list:
> http://stefan.gofferje.net/it-stuff/sipfraud/sip-attacker-blacklist
>
> And that's the download URL:
> http://stefan.gofferje.net/sipblocklist.zone
>
> Note that the list is updated every 6h so polling it more often doesn't
> help anything. Please limit polling to once a day or so.
>
> -S
>
> --
>  (o_   Stefan Gofferje            | SCLT, MCP, CCSA
>  //\   Reg'd Linux User #247167   | VCP #2263
>  V_/_  Heckler & Koch - the original point and click interface

--
Regards,
Mitul Limbani,
Chief Architech & Founder,
Enterux Solutions Pvt. Ltd.
110 Reena Complex, Opp. Nathani Steel,
Vidyavihar (W), Mumbai - 400 086. India
http://www.enterux.com/
http://www.entvoice.com/
email: [email protected]
DID: +91-22-71967196
Cell: +91-9820332422
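Added example, not part of the original thread and not the sample script from Stefan's website: one way to turn a downloaded ipdeny-style zone file (one IP or CIDR per line) into `ipset restore` input while refusing entries that could lock you out. The set name, the minimum prefix length, the protected networks and the tolerance for `#` comments are assumptions, and the zone content is a constructed sample rather than the real list.

```python
import ipaddress

# Assumptions (not from the thread): set name, broadest prefix we accept,
# and networks that must never be blocked (add your own trunks/admin hosts).
SET_NAME = "sipblock"
MIN_PREFIX = 16
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_zone(text, min_prefix=MIN_PREFIX, never_block=NEVER_BLOCK):
    """Return (accepted networks, [(line, reason)] for rejected lines)."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # tolerate comments and blanks
        if not line:
            continue
        try:
            # Strict parsing: host bits set or trailing tokens raise ValueError,
            # so nothing from the remote file is ever passed through unparsed.
            net = ipaddress.ip_network(line)
        except ValueError:
            rejected.append((line, "not an IP or CIDR"))
            continue
        if net.version != 4:
            rejected.append((line, "not IPv4"))
        elif net.prefixlen < min_prefix:
            rejected.append((line, "prefix too broad"))
        elif any(net.overlaps(own) for own in never_block):
            rejected.append((line, "overlaps protected network"))
        else:
            accepted.append(net)
    # collapse_addresses drops duplicates and ranges contained in others
    return list(ipaddress.collapse_addresses(accepted)), rejected

def ipset_restore(nets, set_name=SET_NAME):
    """Build text for `ipset restore`: one kernel set instead of N rules."""
    lines = [f"create {set_name} hash:net family inet -exist",
             f"flush {set_name}"]
    lines += [f"add {set_name} {net}" for net in nets]
    return "\n".join(lines) + "\n"

# Constructed sample input (documentation address ranges, not real entries).
SAMPLE_ZONE = """\
198.51.100.7
203.0.113.0/24
203.0.113.64/26
0.0.0.0/0
192.168.1.0/24
198.51.100.9 -j ACCEPT
"""

if __name__ == "__main__":
    nets, bad = parse_zone(SAMPLE_ZONE)
    print(ipset_restore(nets), end="")
    for line, why in bad:
        print(f"skipped {line!r}: {why}")
```

The output is meant to be piped into `ipset restore` and matched by a single rule such as `iptables -I INPUT -m set --match-set sipblock src -j DROP`; run it from a daily cron job to respect the polling request in the post.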
