Darrick Hartman (lists) wrote:
> Michael Keuter wrote:
>
>>>>> -Philip
>>>>>
>>>> A problem in Astlinux is that before you can add an attacker to the
>>>> blocklist (when you see the attacks in real time), the "/var/"
>>>> partition will be full within 2-3 minutes just because of the growing
>>>> syslog :-(. And from that point in time you do not have any logs at
>>>> all. Is there a way that the rotated log can be automatically zipped?
>>>>
>>> You can set Arno's firewall not to log blocked attacks. That is an option.
>>>
>>> --
>>> Darrick Hartman
>>>
>> Hi Darrick,
>>
>> I know that, but when the attack starts (and you don't see the attack
>> live) you don't know the attacker IP address. Then the log messages
>> are coming from Asterisk. And within 2-3 minutes /var/ is full by the
>> log messages of Asterisk (not by the firewall).
>>
>
> Two ways around that.
>
> 1) If you have enough system RAM, you can set the size of the var
> partition in the rc.conf file to a larger size.
>
> 2) Only allow SIP access from the IP addresses that you need to allow.
> Instead of having a wide-open port 5060, only accept SIP traffic from
> the IP addresses of your VOIP provider.
>
> Of course, if you're allowing anonymous calls into your Asterisk system,
> you can't do #2.
>
> Darrick
>
Michael:

The outstanding news is that anyone can contribute to Arno's Iptables
Firewall, including you. :-)

Seriously though, it shouldn't be too hard to take
/usr/share/arno-iptables-firewall/plugins/50ssh-brute-force-protection.plugin
(or whatever it's called) and tweak it to do the same sort of
rate-limiting with UDP traffic to port 5060 (or 5060-5064 or whatever).
Try doing that... getting it working, and we can see about submitting it
to Arno as part of the user contributed list of plugins. He's very
receptive. :-)

-Philip

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
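The two firewall-side measures discussed in this thread (Darrick's option 2, accepting SIP only from the provider, and the per-source rate limit Philip suggests adapting from the SSH brute-force plugin), together with a scan of the Asterisk log for the attacker address Michael says he cannot find before /var fills, as an added example that is not part of this thread, of AstLinux, or of Arno's firewall. The chain name SIP_GUARD, the thresholds, the provider address 198.51.100.20 and the sample log lines are assumptions; the rules follow the idea of the SSH plugin (the iptables `recent` match), not its actual contents.

```shell
#!/bin/sh
# sipguard.sh: added example for this thread, not AstLinux's or Arno's
# firewall's own code. Chain name, thresholds, provider address and the
# sample log lines are assumptions for illustration.

IPT=${IPT:-iptables}            # set IPT="echo iptables" for a dry run
SIP_PORTS=${SIP_PORTS:-5060}    # "5060:5064" for a range
WINDOW=${WINDOW:-60}            # seconds the 'recent' match looks back
HITS=${HITS:-10}                # packets per WINDOW before a source is dropped
                                # (at most 20 unless xt_recent's ip_pkt_list_tot is raised)

# Part 1: per-source rate limit on SIP, trusted sources bypassing it.
# $1 = space-separated list of provider/trunk IPs or CIDRs.
sip_guard_rules() {
    $IPT -N SIP_GUARD 2>/dev/null || true
    $IPT -F SIP_GUARD
    for src in $1; do
        $IPT -A SIP_GUARD -s "$src" -j RETURN          # never rate-limit the provider
    done
    # More than HITS packets from one source inside WINDOW: drop it. --update
    # refreshes the source's timestamp, so the drop persists while it keeps sending.
    $IPT -A SIP_GUARD -m recent --name SIP --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    # Otherwise record the packet and hand back to the main ruleset.
    $IPT -A SIP_GUARD -m recent --name SIP --set -j RETURN
    $IPT -I INPUT -p udp --dport "$SIP_PORTS" -j SIP_GUARD
}

# Part 2: sources that repeatedly fail SIP registration, from the Asterisk log.
# chan_sip (1.4/1.6 era) logs lines like
#   NOTICE[1234] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '203.0.113.7' - Wrong password
# and newer releases append ':port' to the address, which the sed below tolerates.
# $1 = log file, $2 = failures per source before it counts as an attacker.
sip_offenders() {
    grep "chan_sip.c: Registration from" "$1" \
        | sed -n "s/.* failed for '\([0-9.]*\)[^']*'.*/\1/p" \
        | sort | uniq -c \
        | awk -v t="$2" '$1 >= t { print $2 }'
}

# Drop each offender at the head of SIP_GUARD (sip_guard_rules must have run first).
# Once the source is dropped, chan_sip has nothing left to log about it.
block_offenders() {
    sip_offenders "$1" "$2" | while read -r ip; do
        $IPT -I SIP_GUARD -s "$ip" -j DROP
    done
}

# Constructed sample log (not real traffic) for a stand-alone dry run.
write_sample_log() {
    cat > "$1" <<'EOF'
[Apr 28 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[Apr 28 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"101"<sip:101@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[Apr 28 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"102"<sip:102@192.0.2.10>' failed for '203.0.113.7:5060' - Wrong password
[Apr 28 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"103"<sip:103@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[Apr 28 10:00:03] NOTICE[1234] chan_sip.c: Registration from '"200"<sip:200@192.0.2.10>' failed for '198.51.100.3' - Wrong password
[Apr 28 10:00:04] VERBOSE[1234] logger.c:     -- Registered SIP '201' at 192.0.2.55 port 5060
EOF
}

# Usage: sh sipguard.sh demo   -> print the rules the sample log would produce
if [ "${1:-}" = "demo" ]; then
    IPT="echo iptables"
    log=$(mktemp)
    write_sample_log "$log"
    sip_guard_rules "198.51.100.20"     # assumed VoIP provider address
    block_offenders "$log" 3            # 203.0.113.7 has 4 failures, 198.51.100.3 only 1
    rm -f "$log"
fi
```

`sh sipguard.sh demo` prints the rules without touching the firewall. On a real box, run `sip_guard_rules` once with the provider's addresses and `block_offenders /var/log/asterisk/messages 5` from cron; both insert live rules that Arno's firewall will not know about, so they disappear at its next restart. The `recent` match counts every UDP packet, not only failed registrations, so a phone that re-registers often or places many calls can trip a low HITS value: raise HITS, widen WINDOW, or add such phones to the bypass list. If anonymous inbound calls must keep working, the rate limit is the part that still applies, since the bypass list cannot be used.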