Thank you all for your support, your suggestions are welcome. Thanks,
On Thu, Sep 4, 2014 at 9:26 AM, Chris Bagnall <[email protected]> wrote: > On 4/9/14 4:58 pm, Eric Wieling wrote: > >> If we don't need to allow access from outside the USA we block access >> from all non-ARIN IP addresses by using iptables. This takes care of at >> least 80% of attacks. >> > > Likewise here (though RIPE rather than ARIN, since we're the other side of > the pond). > > You can also take it a bit further: if, for example, you know what ISP(s) > your dynamic clients are using, you can limit connections to the IP ranges > those ISP(s) use - look up their ranges on he.net's BGP looking glass if > you need to find out what ranges they're using. > > Another thing I've been playing with of late is using iptables' string > matching functionality to block user agents of known attack vectors: > 'sipcli', 'sipvicious', 'friendly-scanner', etc. > > This seems to work remarkably well, though what impact it has on net > performance under load remains to be seen. > > Kind regards, > > Chris > -- > This email is made from 100% recycled electrons > > > -- > _____________________________________________________________________ > -- Bandwidth and Colocation Provided by http://www.api-digital.com -- > New to Asterisk? Join us for a live introductory webinar every Thurs: > http://www.asterisk.org/hello > > asterisk-users mailing list > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users >
-- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
