On 04/12/2013 12:34 AM, S. Dale Morrey wrote:
> Hello pluggers,
>
> Still working through issues with a system I'm building and was
> wondering if anyone has had experience with fail2ban. Specifically I would
> like to rate limit failed SIP login attempts, but not necessarily ban
> them. It seems like a lot of PBX in a box type solutions use fail2ban,
> with no really clear explanation of how or why it's being used.
>
> Can anyone elaborate on this and whether or not this tool is the correct
> choice if all I want to do is rate limit failed attempts on SIP? Also does
> this need iptables to function, or can it work standalone?
The Internet is a dangerous place to put a SIP server. There are a lot
of miscreants out there looking to commit fraud with you as the victim.
Here's an example of the most recent attempt from my logs:
INVITE sip:[email protected]
From: sip:[email protected]
To: sip:[email protected]
IP: 137.117.68.91
Call-ID: be030c5ab857186708d888f973da423a
If you are accepting SIP connections from the Internet, I would strongly
advise you to install a SIP proxy in front of your PBX. My personal
recommendation would be Kamailio[1] with the Pike module[2]. Kamailio is
so amazingly efficient at handling these attacks.
I also suggest a naive, but effective, iptables rule to block the most
common SIP scanner out there.
iptables -A INPUT -p udp --dport 5060 -m string --algo bm --string 'friendly-scanner' -j DROP
Corey
1. http://www.kamailio.org/w/
2. http://www.kamailio.org/docs/modules/4.1.x/modules/pike.html
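Dale asked for rate limiting rather than banning. As an added example, not from Dale's or Corey's mail, the counting that fail2ban does in a jail (maxretry failures within findtime seconds, keyed by source IP) written as a standalone Python sliding window that needs no iptables and only flags a source; the log line format and the addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque

# Constructed log line format (hypothetical, not Asterisk's or Kamailio's wording): "<unix_ts> auth-failed ip=<src> user=<ext>"
LINE_RE = re.compile(r"^(?P<ts>\d+) auth-failed ip=(?P<ip>[\d.]+) user=\S+$")

class SipAuthThrottle:
    """Per-source sliding window: `maxretry` failures within `findtime` seconds (fail2ban's
    jail terms) marks the source throttled; the reaction (delay, 503, alert) is the caller's."""

    def __init__(self, maxretry=5, findtime=60):
        self.maxretry, self.findtime = maxretry, findtime
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures

    def _recent(self, ts, ip):
        q = self.failures[ip]
        while q and ts - q[0] > self.findtime:  # forget failures outside the window
            q.popleft()
        return q

    def record_failure(self, ts, ip):
        """Count one failed attempt; True if the source is now at or over the limit."""
        q = self._recent(ts, ip)
        q.append(ts)
        return len(q) >= self.maxretry

    def is_throttled(self, ts, ip):
        """Check before answering a new request, without counting it as a failure."""
        return len(self._recent(ts, ip)) >= self.maxretry

def throttled_sources(lines, maxretry=5, findtime=60):
    """Replay log lines in order; return the IPs that crossed the limit at any point."""
    throttle, hits = SipAuthThrottle(maxretry, findtime), set()
    for line in lines:
        m = LINE_RE.match(line.strip())  # unrelated or malformed lines are skipped
        if m and throttle.record_failure(int(m["ts"]), m["ip"]):
            hits.add(m["ip"])
    return hits

# Constructed sample using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "1000 auth-failed ip=203.0.113.7 user=100",
    "1005 auth-failed ip=203.0.113.7 user=101",
    "1010 auth-failed ip=198.51.100.4 user=100",
    "1012 auth-failed ip=203.0.113.7 user=102",
    "1020 auth-failed ip=203.0.113.7 user=103",
    "1025 auth-failed ip=203.0.113.7 user=104",  # fifth failure within 25 s
    "1100 auth-failed ip=198.51.100.4 user=100",
    "1200 auth-failed ip=198.51.100.4 user=100",  # three failures spread over 190 s
]
```

With the defaults, throttled_sources(SAMPLE_LOG) returns {'203.0.113.7'}; a jail that bans would call iptables at that point, while this only reports.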
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/