On Jun 3, 2010, at 9:53 AM, Dan Ryson wrote:

> On 5/17/2010 11:50 AM, Darrick Hartman wrote:
>> The AstLinux development team is happy to announce the release of 0.7.2. 
>>   This is a bugfix release.  All current AstLinux users are encouraged 
>> to upgrade to this release.
>> 
>> [snip for brevity]
>> 
>> 
>> New features/updates:
>> 
>> 1). A plugin for Arno's firewall which allows some capability to prevent
>> SIP account attacks.
>> 
>> [snip]
>>   
>> 
> All,
> 
> Because SIP account attacks are a regular occurrence here, I wish to be 
> certain that I've properly configured feature #1, mentioned above.  I've 
> enabled the IDS Protection plug-in, which looked to be new and (according to 
> the log) is occasionally blocking some sort of attack.  I've also not 
> observed any SIP attacks lately so it would seem that the IDS Protection plug-in 
> is helping to block SIP account attacks.  However, I hate to assume.  
> 
> Can anyone confirm my presumption or provide instructions on how to utilize 
> this new feature?
> 
> Thanks for any insight.
> 
> Dan

While the IDS Protection plugin may be useful, the new plugin Darrick was 
referring to is the "Adaptive Ban Plugin".

If you have not restarted the firewall (and then upgraded, following the 
prompt) via the web interface, please do... or "upgrade-arno-firewall upgrade" 
from the CLI.  Of course, any changes to the plugins require a restart of the 
firewall to take effect.

The new Adaptive Ban plugin uses the same technique as fail2ban ( 
http://www.fail2ban.org ).

While this technique is proven, our implementation as a plugin to the Arno 
Firewall is new, so users are encouraged to give it a try.  Please report any 
problems... and successes :-)

To show we eat our own cooking, below is my Adaptive Ban plugin setting on my 
production boxes.

Lonnie


--- snip ---

# ------------------------------------------------------------------------------
#            -= Arno's iptables firewall - Adaptive Ban plugin =-
# ------------------------------------------------------------------------------

# To actually enable this plugin make ENABLED=1:
# ------------------------------------------------------------------------------
ENABLED=1

# Log file where failed access attempts are derived
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_FILE="/var/log/messages"

# The time in seconds between each iteration of analyzing the log file
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_TIME=90

# The number of log failures to ban host
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_COUNT=6

# A list of analysis types that are applied
# Choose from: sshd asterisk mini_httpd
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_TYPES="asterisk"

# By default, inbound packets from banned IP addresses will be silently DROP'ed
# As an option, the packets can be REJECT'ed instead of being DROP'ed
# Define ADAPTIVE_BAN_REJECT=1 for an ICMP error message to be returned
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_REJECT=1

# By default, INTERNAL (LAN) networks will be whitelisted against banning
# As an option, this automatic whitelisting can be disabled
# Define ADAPTIVE_BAN_WHITELIST_INTERNAL=0 to disable INTERNAL whitelisting
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_WHITELIST_INTERNAL=1

# Whitelist Hosts
# A list of IP addresses whose traffic will never be banned
# ------------------------------------------------------------------------------
ADAPTIVE_BAN_WHITELIST=""

--- snip ---
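The settings above only make sense once you see what one analysis pass of the fail2ban-style technique does with them. The script below is an added example written for this post, not the Adaptive Ban plugin's own code: it runs a single iteration over a constructed sample of Asterisk chan_sip "Registration ... failed" notices (the line format is assumed, as are the regex and the exact iptables rule the plugin installs), counts failures per source address, applies ADAPTIVE_BAN_COUNT, the explicit whitelist and the INTERNAL (RFC1918) auto-whitelist, and prints the rule a ban would add, with ADAPTIVE_BAN_REJECT selecting REJECT over DROP. Real use would read ADAPTIVE_BAN_FILE and repeat every ADAPTIVE_BAN_TIME seconds.

```shell
#!/bin/sh
# Added example, not the Arno firewall plugin's code. Settings mirror the
# options quoted in the post; whitelist entries here are constructed.
ADAPTIVE_BAN_COUNT=6
ADAPTIVE_BAN_REJECT=1
ADAPTIVE_BAN_WHITELIST_INTERNAL=1
ADAPTIVE_BAN_WHITELIST="198.51.100.9"

# emit N IP: print N constructed chan_sip failure notices for source IP,
# in the syslog form assumed for /var/log/messages (format is an assumption)
emit() {
  n=$1
  while [ "$n" -gt 0 ]; do
    printf "Jun  3 09:40:01 pbx asterisk[1234]: NOTICE[1234]: chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '%s' - Wrong password\n" "$2"
    n=$((n-1))
  done
}

# sample_log: a constructed slice of the log file, one analysis window's worth
sample_log() {
  emit 7 203.0.113.5     # external, over the threshold: should be banned
  emit 3 203.0.113.77    # external, under the threshold: not yet
  emit 6 198.51.100.9    # over the threshold but explicitly whitelisted
  emit 6 192.168.1.20    # over the threshold but INTERNAL (auto-whitelisted)
  echo "Jun  3 09:41:00 pbx asterisk[1234]: NOTICE[1234]: chan_sip.c: Peer '100' is now Reachable."
}

# is_internal IP: true for the RFC1918 ranges the INTERNAL whitelist covers
is_internal() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# is_whitelisted IP: true when IP is listed in ADAPTIVE_BAN_WHITELIST
is_whitelisted() {
  for w in $ADAPTIVE_BAN_WHITELIST; do
    [ "$w" = "$1" ] && return 0
  done
  return 1
}

# failed_hosts: read log text on stdin, print "count ip" per failing source
failed_hosts() {
  sed -n "s/.*chan_sip\.c: Registration from .* failed for '\([0-9.]*\)'.*/\1/p" \
    | sort | uniq -c | awk '{print $1, $2}'
}

# ban_candidates: sources at or over ADAPTIVE_BAN_COUNT that no whitelist covers
ban_candidates() {
  sample_log | failed_hosts | while read -r count ip; do
    if [ "$count" -lt "$ADAPTIVE_BAN_COUNT" ]; then continue; fi
    if is_whitelisted "$ip"; then continue; fi
    if [ "$ADAPTIVE_BAN_WHITELIST_INTERNAL" = 1 ] && is_internal "$ip"; then continue; fi
    echo "$ip"
  done
}

# ban_rule IP: print (not run) the rule a ban would install; REJECT answers
# with an ICMP error, DROP stays silent (chain and rule shape are assumptions)
ban_rule() {
  if [ "$ADAPTIVE_BAN_REJECT" = 1 ]; then
    echo "iptables -I INPUT -s $1 -j REJECT"
  else
    echo "iptables -I INPUT -s $1 -j DROP"
  fi
}

# One analysis pass: only 203.0.113.5 survives the threshold and whitelists.
ban_candidates | while read -r ip; do ban_rule "$ip"; done
```

Run it as-is and the only rule printed is for 203.0.113.5; the whitelisted and LAN hosts are skipped even though they exceed the count, which is the behaviour ADAPTIVE_BAN_WHITELIST and ADAPTIVE_BAN_WHITELIST_INTERNAL=1 are there to guarantee.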


_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users