Re: [asterisk-users] Force ip disconnect after register?

2010-09-14 Thread Benny Amorsen
"Bryant Zimmerman" writes:

> Is there a way to force the connection to drop and reconnect after let's
> say 50 attempts.

Most firewalls have tools for removing specific connections from the
connection table. Alternatively a switch to SIP/TCP might help, but I've
never tried SIP/TCP with Asterisk so I don't really know what state it
is in.


/Benny


-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] Force ip disconnect after register?

2010-09-13 Thread Kevin P. Fleming
On 09/13/2010 10:22 AM, Bryant Zimmerman wrote:
> Is there a way to drop an IP connection to asterisk after a number of
> register attempts.
> 
> I have been having issues with hackers doing registration scanning
> against our server. We block their address at the firewall but since
> asterisk does not force a drop of the connect after so many bad reg
> attempts I can't enforce the block until they drop and try again. This
> allows them to run the box with reg attempts as long as they maintain
> their initial connection or I reset the state tables on the firewall.
> This is very bad. Is there a way to force the connection to drop and
> reconnect after let's say 50 attempts.

Reconfigure your firewall to inspect every packet against the rules,
instead of shortcutting 'open connections'; this takes more CPU on your
firewall, but allows you to change the rules and drop existing connections.

Alternatively, depending on how you've built your firewall, you can
insert the 'drop all packets from X.X.X.X' *before* any rules that allow
packets from existing connections.

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
skype: kpfleming | jabber: kflem...@digium.com
Check us out at www.digium.com & www.asterisk.org



Re: [asterisk-users] Force ip disconnect after register?

2010-09-13 Thread Barry Miller
On Mon, Sep 13, 2010 at 11:22:33AM -0400, Bryant Zimmerman wrote:
> Is there a way to drop an IP connection to asterisk after a number of
> register attempts.
> 
> I have been having issues with hackers doing registration scanning against 
> our server. We block their address at the firewall but since asterisk does
> not force a drop of the connect after so many bad reg attempts I can't 
> enforce the block until they drop and try again. This allows them to run 
> the box with reg attempts as long as they maintain their initial connection 
> or I reset the state tables on the firewall. This is very bad. Is there a 
> way to force the connection to drop and reconnect after let's say 50 
> attempts.

Not an exact answer to your question, but if the attacker is using svwar
(part of SIPVicious), setting alwaysauthreject=yes in sip.conf will make
the probing stop after only TWO tries.  svwar first tries registering a
few longish, random extensions before it begins a sequential or dictionary
scan, to see how you handle unknown extensions.  With alwaysauthreject set,
svwar just gives up, complaining:

"ERROR:TakeASip:SIP server replied with an authentication request for an 
unknown extension. Set --force to force a scan."

I still see 3-4 attempts per week from various sites, but now they stop
after just two failed registration attempts.  Saves lots of wear and tear
on my DSL.  I still run fail2ban, but after setting alwaysauthreject a
few months ago nothing has passed its threshold.  And nothing seems to
have broken, either.

-- 
Barry



Re: [asterisk-users] Force ip disconnect after register?

2010-09-13 Thread Roger Burton West
On Mon, Sep 13, 2010 at 11:22:33AM -0400, Bryant Zimmerman wrote:
>Is there a way to drop an IP connection to asterisk after a number of
>register attempts.

Consider writing a filter for fail2ban [http://www.fail2ban.org/] that
works on the Asterisk logs?
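
The detection a fail2ban-style filter would run over the Asterisk log, as an added example that is not part of any post in this thread. The chan_sip line layout, the timestamp format, the thresholds and the names `find_offenders` and `drop_rules` are assumptions, and the log lines are constructed; the generated rules are inserted at position 1 so they sit ahead of any rule that accepts existing connections, as advised earlier in the thread.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed chan_sip failure line. The greedy '.*' and the '$' anchor bind to the
# address Asterisk appends last, not to text from the sender-controlled From header.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '.*' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
    r"(?:Wrong password|No matching peer found)$"
)

# Constructed sample input (documentation address ranges).
SAMPLE_LOG = """\
[2010-09-13 11:22:01] NOTICE[2201] chan_sip.c: Registration from '<sip:100@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2010-09-13 11:22:02] NOTICE[2201] chan_sip.c: Registration from '<sip:101@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2010-09-13 11:22:03] VERBOSE[2201] chan_sip.c: Registered SIP '200' at 198.51.100.4 port 5060
[2010-09-13 11:22:04] NOTICE[2201] chan_sip.c: Registration from '<sip:200@192.0.2.10>' failed for '198.51.100.4' - Wrong password
[2010-09-13 11:22:05] NOTICE[2201] chan_sip.c: Registration from '<sip:102@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2010-09-13 11:30:00] NOTICE[2201] chan_sip.c: Registration from '<sip:200@192.0.2.10>' failed for '198.51.100.4' - Wrong password
"""

def find_offenders(log_text, max_retry=3, find_time=timedelta(seconds=60)):
    """Map each IP with max_retry failures inside find_time to the time it crossed the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if not m or m["ip"] in banned:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > find_time:   # slide the window forward
            hits.popleft()
        if len(hits) >= max_retry:
            banned[m["ip"]] = ts
    return banned

def drop_rules(banned):
    """Build DROP rules inserted at the top of INPUT; ip_address() rejects malformed values."""
    return [f"iptables -I INPUT 1 -s {ipaddress.ip_address(ip)} -j DROP"
            for ip in sorted(banned)]

if __name__ == "__main__":
    print("\n".join(drop_rules(find_offenders(SAMPLE_LOG))))
```
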



Re: [asterisk-users] Force ip disconnect after register?

2010-09-13 Thread Paul Belanger
On Mon, Sep 13, 2010 at 11:22 AM, Bryant Zimmerman wrote:
> Is there a way to drop an IP connection to asterisk after a number of
> register attempts.
>
Not within Asterisk.  Google fail2ban

-- 
Paul Belanger | dCAP
Polybeacon | Consultant
Jabber: paul.belan...@polybeacon.com | IRC: pabelanger (Freenode)
blog.polybeacon.com



[asterisk-users] Force ip disconnect after register?

2010-09-13 Thread Bryant Zimmerman
Is there a way to drop an IP connection to asterisk after a number of
register attempts.

I have been having issues with hackers doing registration scanning against 
our server. We block their address at the firewall but since asterisk does
not force a drop of the connect after so many bad reg attempts I can't 
enforce the block until they drop and try again. This allows them to run 
the box with reg attempts as long as they maintain their initial connection 
or I reset the state tables on the firewall. This is very bad. Is there a 
way to force the connection to drop and reconnect after let's say 50 
attempts.

Thanks for any input.
Bryant