Re: [asterisk-users] asterisk and fail2ban
On Wed, 30 Mar 2011, Terry Brummell wrote:

> Yah, sounds simple, how do you set it up to do this? Fail2Ban was pretty easy, if it's that easy, why was F2B even created?

It's easy for me because I read and understand how things work, and deal with Linux firewalling on a daily basis.

Fail2ban is an (almost) drop-in solution which requires minimal thinking - just a few lines in a config file to edit. (and python which I don't have installed on my systems)

Gordon

--
Bandwidth and Colocation Provided by http://www.api-digital.com
New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] asterisk and fail2ban
Back to the original question, for those of you using Fail2Ban, does it take an unusually high amount of break-in attempts before attackers are banned? I have it set to 5 attempts in fail2ban but usually, the attacker is able to make over 100 attempts before fail2ban bans them. I've tried this using asterisk's /var/log/asterisk/messages and /var/log/messages with the same results. Perhaps someone else is experiencing this or has resolved it, thank you.

On Thu, Mar 31, 2011 at 4:05 AM, Gordon Henderson gordon+aster...@drogon.net wrote:

> On Wed, 30 Mar 2011, Terry Brummell wrote:
>
>> Yah, sounds simple, how do you set it up to do this? Fail2Ban was pretty easy, if it's that easy, why was F2B even created?
>
> It's easy for me because I read and understand how things work, and deal with Linux firewalling on a daily basis.
>
> Fail2ban is an (almost) drop-in solution which requires minimal thinking - just a few lines in a config file to edit. (and python which I don't have installed on my systems)
>
> Gordon
Re: [asterisk-users] asterisk and fail2ban
Your delay is due to the amount of time the F2B script takes to read the log file, and due to how often it is called. I do not believe it is a realtime event. Say, every minute it's called to read the log and act. I'm not sure of the exact numbers, but you get the idea.

From: vip killa
Sent: Thu 3/31/2011 8:17 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] asterisk and fail2ban

> Back to the original question, for those of you using Fail2Ban, does it take an unusually high amount of break-in attempts before attackers are banned? I have it set to 5 attempts in fail2ban but usually, the attacker is able to make over 100 attempts before fail2ban bans them. I've tried this using asterisk's /var/log/asterisk/messages and /var/log/messages with the same results. Perhaps someone else is experiencing this or has resolved it, thank you.
>
> On Thu, Mar 31, 2011 at 4:05 AM, Gordon Henderson gordon+aster...@drogon.net wrote:
>
>> On Wed, 30 Mar 2011, Terry Brummell wrote:
>>
>>> Yah, sounds simple, how do you set it up to do this? Fail2Ban was pretty easy, if it's that easy, why was F2B even created?
>>
>> It's easy for me because I read and understand how things work, and deal with Linux firewalling on a daily basis.
>>
>> Fail2ban is an (almost) drop-in solution which requires minimal thinking - just a few lines in a config file to edit. (and python which I don't have installed on my systems)
>>
>> Gordon
Re: [asterisk-users] asterisk and fail2ban
I'm afraid you are incorrect, fail2ban reads the log once every second.

On Thu, Mar 31, 2011 at 8:52 AM, Terry Brummell te...@brummell.net wrote:

> Your delay is due to the amount of time the F2B script takes to read the log file, and due to how often it is called. I do not believe it is a realtime event. Say, every minute it's called to read the log and act. I'm not sure of the exact numbers, but you get the idea.
Re: [asterisk-users] asterisk and fail2ban
Yes, I see in the log that most of these attacks only last 2 seconds before fail2ban bans them.

On Thu, Mar 31, 2011 at 11:13 AM, Warren Selby wcse...@selbytech.com wrote:

> On Thu, Mar 31, 2011 at 7:17 AM, vip killa vipki...@gmail.com wrote:
>
>> Back to the original question, for those of you using Fail2Ban, does it take an unusually high amount of break-in attempts before attackers are banned? I have it set to 5 attempts in fail2ban but usually, the attacker is able to make over 100 attempts before fail2ban bans them. I've tried this using asterisk's /var/log/asterisk/messages and /var/log/messages with the same results. Perhaps someone else is experiencing this or has resolved it, thank you.
>
> Check your log files. With the current generation of SIP attack scripts, I've seen hundreds of attacks come in within one second, especially if you've got decent bandwidth. I've seen fail2ban logs that state between 60-250 failed attempts for asterisk. I think it's just the nature of the speed of the attacks.
>
> --
> Thanks,
> --Warren Selby, dCAP
> http://www.selbytech.com
Re: [asterisk-users] asterisk and fail2ban
From: vip killa
Sent: Thu 3/31/2011 8:17 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] asterisk and fail2ban

> Back to the original question, for those of you using Fail2Ban, does it take an unusually high amount of break-in attempts before attackers are banned? I have it set to 5 attempts in fail2ban but usually, the attacker is able to make over 100 attempts before fail2ban bans them. I've tried this using asterisk's /var/log/asterisk/messages and /var/log/messages with the same results. Perhaps someone else is experiencing this or has resolved it, thank you.

I have F2B set to ban after 1 attempt. The most I have seen in the logs is 4-5 attempts before the ban is applied. I am calling scripts that apply the ban to a cisco access-list, so there is script/telnet/config delay but it is very minimal and works very well.

JR

--
JR Richardson
Engineering for the Masses
Re: [asterisk-users] asterisk and fail2ban
-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of JR Richardson
Sent: Thursday, March 31, 2011 10:43 AM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] asterisk and fail2ban

> From: vip killa
> Sent: Thu 3/31/2011 8:17 AM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] asterisk and fail2ban
>
>> Back to the original question, for those of you using Fail2Ban, does it take an unusually high amount of break-in attempts before attackers are banned? I have it set to 5 attempts in fail2ban but usually, the attacker is able to make over 100 attempts before fail2ban bans them. I've tried this using asterisk's /var/log/asterisk/messages and /var/log/messages with the same results. Perhaps someone else is experiencing this or has resolved it, thank you.
>
> I have F2B set to ban after 1 attempt. The most I have seen in the logs is 4-5 attempts before the ban is applied. I am calling scripts that apply the ban to a cisco access-list, so there is script/telnet/config delay but it is very minimal and works very well.
>
> JR

Speaking blindly as someone who has yet to fool with F2B, I'd rather ban somebody after 5-20 attempts than have the overhead needed to ban them quicker. Guess that's a naïve view??
Re: [asterisk-users] asterisk and fail2ban
On Thu, Mar 31, 2011 at 10:42:52AM -0500, JR Richardson wrote:

> I have F2B set to ban after 1 attempt. The most I have seen in the logs is 4-5 attempts before the ban is applied. I am calling scripts that apply the ban to a cisco access-list, so there is script/telnet/config delay but it is very minimal and works very well.

So I forge one SIP packet and I get you to block the IP address of your SIP trunk (or your IAX trunk)? Cool!

--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.co...@xorcom.com
+972-50-7952406 mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Re: [asterisk-users] asterisk and fail2ban
You are a bad person! ;-)

CF

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Tzafrir Cohen
Sent: Thursday, March 31, 2011 10:53 AM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] asterisk and fail2ban

> On Thu, Mar 31, 2011 at 10:42:52AM -0500, JR Richardson wrote:
>
>> I have F2B set to ban after 1 attempt. The most I have seen in the logs is 4-5 attempts before the ban is applied. I am calling scripts that apply the ban to a cisco access-list, so there is script/telnet/config delay but it is very minimal and works very well.
>
> So I forge one SIP packet and I get you to block the IP address of your SIP trunk (or your IAX trunk)? Cool!
>
> --
> Tzafrir Cohen
> icq#16849755 jabber:tzafrir.co...@xorcom.com
> +972-50-7952406 mailto:tzafrir.co...@xorcom.com
> http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Re: [asterisk-users] asterisk and fail2ban
>> I have F2B set to ban after 1 attempt. The most I have seen in the logs is 4-5 attempts before the ban is applied. I am calling scripts that apply the ban to a cisco access-list, so there is script/telnet/config delay but it is very minimal and works very well.
>
> So I forge one SIP packet and I get you to block the IP address of your SIP trunk (or your IAX trunk)? Cool!
>
> --
> Tzafrir Cohen

Good thing I ignore my own IP blocks.

JR

--
JR Richardson
Engineering for the Masses
Re: [asterisk-users] asterisk and fail2ban
Gordon Henderson wrote:

> On Wed, 30 Mar 2011, Terry Brummell wrote:
>
>> Yah, sounds simple, how do you set it up to do this? Fail2Ban was pretty easy, if it's that easy, why was F2B even created?
>
> It's easy for me because I read and understand how things work, and deal with Linux firewalling on a daily basis.
>
> Fail2ban is an (almost) drop-in solution which requires minimal thinking - just a few lines in a config file to edit. (and python which I don't have installed on my systems)

And in case you missed Gordon's post (quite a while ago) on this topic, this is what I use on CentOS 5 systems based on that:

    #+# 20100917raa - Testing to prevent Asterisk registration attacks
    -N AST_WHITELIST
    -A AST_WHITELIST -s 10.10.3.21 -m recent --remove --name ASTERISK -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp --dport 1:2 -m state --state NEW -m recent --set --name ASTERISK
    -A RH-Firewall-1-INPUT -p udp --dport 1:2 -m state --state NEW -j AST_WHITELIST
    -A RH-Firewall-1-INPUT -p udp --dport 1:2 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name ASTERISK -j DROP

You can have multiple lines whitelisting IPs or ranges and set the --hitcount and --update to whatever works for you. I don't get many attacks. YMMV.

Rod
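Rod's rule set modelled in Python, as an added example that is not the xt_recent module or any code from the thread: it replays constructed NEW UDP packets through the --set, whitelist --remove and --update --seconds 60 --hitcount 4 --rttl rules so the verdicts can be checked without iptables. The 10.10.3.21 whitelist address and the 60/4 values come from the rules above; the per-address stamp cap (ip_pkt_list_tot) and the udp/dport/state selector are left out, and --rttl is modelled as a comparison with the TTL recorded at the last hit.

```python
"""Model of the 'recent' match as used by the three RH-Firewall-1-INPUT rules and AST_WHITELIST."""
from collections import defaultdict

WHITELIST = {"10.10.3.21"}   # the -s address of the AST_WHITELIST --remove rule
SECONDS, HITCOUNT = 60, 4    # --seconds 60 --hitcount 4 of the DROP rule


class RecentList:
    """One named 'recent' table: source IP -> [TTL recorded at the last hit, hit timestamps]."""

    def __init__(self):
        self.entries = defaultdict(lambda: [None, []])

    def set(self, ip, now, ttl):
        # --set: create the entry if needed, record this packet's time and TTL (always matches)
        entry = self.entries[ip]
        entry[0] = ttl
        entry[1].append(now)

    def remove(self, ip):
        # --remove: forget the address entirely
        self.entries.pop(ip, None)

    def update_matches(self, ip, now, ttl, seconds, hitcount, rttl=True):
        # --update --seconds S --hitcount N [--rttl]: match when the address is listed, has at
        # least N hits inside the last S seconds and (with --rttl) its TTL has not changed.
        # On a match --update also records this packet as a further hit, as the kernel does.
        if ip not in self.entries:
            return False
        last_ttl, hits = self.entries[ip]
        if rttl and ttl != last_ttl:
            return False
        recent = [t for t in hits if now - t <= seconds]
        matched = len(recent) >= hitcount
        if matched:
            recent.append(now)
        self.entries[ip][1] = recent
        return matched


def filter_packet(table, ip, now, ttl=64):
    """Walk Rod's rules for one NEW UDP packet; return 'ACCEPT', 'DROP' or 'CONTINUE'.

    CONTINUE means none of the three rules decided, so the packet goes on to whatever
    follows in RH-Firewall-1-INPUT (on a SIP box normally an ACCEPT for the SIP port).
    """
    table.set(ip, now, ttl)                                    # -m recent --set --name ASTERISK
    if ip in WHITELIST:                                        # -j AST_WHITELIST
        table.remove(ip)                                       #   --remove --name ASTERISK -j ACCEPT
        return "ACCEPT"
    if table.update_matches(ip, now, ttl, SECONDS, HITCOUNT):  # --update --seconds 60 --hitcount 4 --rttl
        return "DROP"                                          #   -j DROP
    return "CONTINUE"


def replay(packets):
    """Replay (source_ip, time_in_seconds, ttl) tuples and return one verdict per packet."""
    table = RecentList()
    return [filter_packet(table, ip, t, ttl) for ip, t, ttl in packets]


# Constructed traffic (documentation-range addresses): a scanner sending one packet a second,
# the whitelisted PBX peer doing the same, and a slow source spaced wider than the 60 s window.
SCANNER_BURST = [("203.0.113.5", t, 52) for t in range(8)]
PEER_TRAFFIC = [("10.10.3.21", t, 64) for t in range(8)]
SLOW_SOURCE = [("192.0.2.44", t, 57) for t in (0, 61, 122, 183, 244)]

if __name__ == "__main__":
    print(replay(SCANNER_BURST))  # first three pass through, the fourth and later are dropped
    print(replay(PEER_TRAFFIC))   # whitelisted peer is accepted every time
    print(replay(SLOW_SOURCE))    # never reaches 4 hits inside 60 seconds
```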
Re: [asterisk-users] asterisk and fail2ban
On Wed, 30 Mar 2011 01:45:20 +0300, Ioan Indreias indre...@gmail.com wrote:

> Just to provide an alternative to sshguard: you could use BFD[1]

Thanks Ioan. I'll give it a shot.
Re: [asterisk-users] asterisk and fail2ban
Just to respond to the IP range approach.

My ISP recently changed my external IP and now it appears that I am in New York (when I am actually static in Manchester, England). I've also been in Birmingham, Motherwell and Nottingham [UK] as well!

So, although banning certain ranges may be a good idea for you - it's not a good idea for everyone (we have 'road warriors' that do, indeed, travel to the Far East and Middle East).

I suppose the only 'real' way to invoke security (on any system) is to have very strong passwords - maybe 1234 is not the way to go :p

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Gilles
Sent: 30 March 2011 10:08
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] asterisk and fail2ban

> On Wed, 30 Mar 2011 01:45:20 +0300, Ioan Indreias indre...@gmail.com wrote:
>
>> Just to provide an alternative to sshguard: you could use BFD[1]
>
> Thanks Ioan. I'll give it a shot.

If you have received this communication in error we would appreciate you advising us either by telephone or return of e-mail. The contents of this message, and any attachments, are the property of DataVox, and are intended for the confidential use of the named recipient only. If you are not the intended recipient, employee or agent responsible for delivery of this message to the intended recipient, take note that any dissemination, distribution or copying of this communication and its attachments is strictly prohibited, and may be subject to civil or criminal action for which you may be liable. Every effort has been made to ensure that this e-mail or any attachments are free from viruses. While the company has taken every reasonable precaution to minimise this risk, neither company, nor the sender can accept liability for any damage which you sustain as a result of viruses. It is recommended that you should carry out your own virus checks before opening any attachments. Registered in England. No. 27459085.
Re: [asterisk-users] asterisk and fail2ban
so does anyone use fail2ban w/ asterisk or most people use sshguard?

On Wed, Mar 30, 2011 at 6:57 AM, Andrew Thomas a...@datavox.co.uk wrote:

> Just to respond to the IP range approach.
>
> My ISP recently changed my external IP and now it appears that I am in New York (when I am actually static in Manchester, England). I've also been in Birmingham, Motherwell and Nottingham [UK] as well!
>
> So, although banning certain ranges may be a good idea for you - it's not a good idea for everyone (we have 'road warriors' that do, indeed, travel to the Far East and Middle East).
>
> I suppose the only 'real' way to invoke security (on any system) is to have very strong passwords - maybe 1234 is not the way to go :p
>
> -----Original Message-----
> From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Gilles
> Sent: 30 March 2011 10:08
> To: asterisk-users@lists.digium.com
> Subject: Re: [asterisk-users] asterisk and fail2ban
>
>> On Wed, 30 Mar 2011 01:45:20 +0300, Ioan Indreias indre...@gmail.com wrote:
>>
>>> Just to provide an alternative to sshguard: you could use BFD[1]
>>
>> Thanks Ioan. I'll give it a shot.
Re: [asterisk-users] asterisk and fail2ban
I think you will find Fail2Ban the de facto standard.

From: vip killa
Sent: Wed 3/30/2011 8:38 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] asterisk and fail2ban

> so does anyone use fail2ban w/ asterisk or most people use sshguard?
Re: [asterisk-users] asterisk and fail2ban
On Wed, Mar 30, 2011 at 9:38 AM, vip killa vipki...@gmail.com wrote:

> so does anyone use fail2ban w/ asterisk or most people use sshguard?

Vip, the overall message is that it takes layers of settings/configurations to secure an installation.

Simple Guide

1. alwaysauthreject = yes in http://svn.asterisk.org/svn/asterisk/trunk/configs/sip.conf.sample
2. Static firewall rules
   2.1 Drop invalid traffic
   2.2 Slow ICMP and TCP Reset attacks
   2.3 Disable unneeded services
3. Dynamic firewall rules
   3.1 Fail2ban (works ok, but you should test it)
   3.2 Portscanning Block (http://www.newartisans.com/2007/09/neat-tricks-with-iptables.html)
   3.3 Other solutions
   3.4 Bad Network Lists (http://www.spamhaus.org/drop/)
4. Auditing. None of the above will work if not audited or reviewed on a regular basis.
5. Reporting. With Monthly reporting you can see trends and make good choices.

--
~~~ Andrew lathama Latham lath...@gmail.com ~~~
Re: [asterisk-users] asterisk and fail2ban
On Wed, 30 Mar 2011, Terry Brummell wrote:

> I think you will find Fail2Ban the de facto standard.

I don't use fail2ban. Never have, never will because I simply don't need it.

Standard iptables are good enough if you can be bothered to use them to their full abilities. No need for anything else as iptables can do connection tracking and blocking against time - just like fail2ban does.

More than X connections a second/minute/hour from a given IP address? Yes, iptables can detect and block that. Works for all protocols too - SIP, IAX, POP, SSH, etc.

Gordon
Re: [asterisk-users] asterisk and fail2ban
could you please elaborate on how you have iptables setup to work that way?

On Wed, Mar 30, 2011 at 4:11 PM, Gordon Henderson gordon+aster...@drogon.net wrote:

> On Wed, 30 Mar 2011, Terry Brummell wrote:
>
>> I think you will find Fail2Ban the de facto standard.
>
> I don't use fail2ban. Never have, never will because I simply don't need it.
>
> Standard iptables are good enough if you can be bothered to use them to their full abilities. No need for anything else as iptables can do connection tracking and blocking against time - just like fail2ban does.
>
> More than X connections a second/minute/hour from a given IP address? Yes, iptables can detect and block that. Works for all protocols too - SIP, IAX, POP, SSH, etc.
>
> Gordon
Re: [asterisk-users] asterisk and fail2ban
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of vip killa
Sent: Wednesday, March 30, 2011 4:25 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] asterisk and fail2ban

> could you please elaborate on how you have iptables setup to work that way?
>
> On Wed, Mar 30, 2011 at 4:11 PM, Gordon Henderson gordon+aster...@drogon.net wrote:
>
>> On Wed, 30 Mar 2011, Terry Brummell wrote:
>>
>>> I think you will find Fail2Ban the de facto standard.
>>
>> I don't use fail2ban. Never have, never will because I simply don't need it.
>>
>> Standard iptables are good enough if you can be bothered to use them to their full abilities. No need for anything else as iptables can do connection tracking and blocking against time - just like fail2ban does.
>>
>> More than X connections a second/minute/hour from a given IP address? Yes, iptables can detect and block that. Works for all protocols too - SIP, IAX, POP, SSH, etc.
>>
>> Gordon

Yah, sounds simple, how do you set it up to do this? Fail2Ban was pretty easy, if it's that easy, why was F2B even created?
Re: [asterisk-users] asterisk and fail2ban
I don't use F2B either, but from what I understand, it is a packaged iptables automation. If you are a unix/linux guru or have a small amount of traffic, I can see where manual iptables maintenance would be fine; F2B would be for the less-informed or more heavily attacked amongst us.

From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Terry Brummell
Sent: Wednesday, March 30, 2011 3:33 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] asterisk and fail2ban

> From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of vip killa
> Sent: Wednesday, March 30, 2011 4:25 PM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] asterisk and fail2ban
>
>> could you please elaborate on how you have iptables setup to work that way?
>>
>> On Wed, Mar 30, 2011 at 4:11 PM, Gordon Henderson gordon+aster...@drogon.net wrote:
>>
>>> On Wed, 30 Mar 2011, Terry Brummell wrote:
>>>
>>>> I think you will find Fail2Ban the de facto standard.
>>>
>>> I don't use fail2ban. Never have, never will because I simply don't need it.
>>>
>>> Standard iptables are good enough if you can be bothered to use them to their full abilities. No need for anything else as iptables can do connection tracking and blocking against time - just like fail2ban does.
>>>
>>> More than X connections a second/minute/hour from a given IP address? Yes, iptables can detect and block that. Works for all protocols too - SIP, IAX, POP, SSH, etc.
>>>
>>> Gordon
>
> Yah, sounds simple, how do you set it up to do this? Fail2Ban was pretty easy, if it's that easy, why was F2B even created?
Re: [asterisk-users] asterisk and fail2ban
On Wed, Mar 30, 2011 at 03:36:10PM -0500, Danny Nicholas wrote:

> I don't use F2B either, but from what I understand, it is a packaged iptables automation. If you are a unix/linux guru or have a small amount of traffic, I can see where manual iptables maintenance would be fine; F2B would be for the less-informed or more heavily attacked amongst us.

Fail2ban monitors log files. It looks for certain regular expressions. When those are matched frequently enough, it runs a certain action.

So in this case if it sees lines for a failed SIP registration / invite in /var/log/asterisk/messages from a certain IP address, it will add an iptables rule to block that IP address (in one specific chain).

Sure, you can do that manually. Or with your own monitoring script.

--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.co...@xorcom.com
+972-50-7952406 mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
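The log/regex/action loop Tzafrir describes, written out as an added Python example (not fail2ban's own code or anything posted in the thread), with the once-a-second read that the earlier replies blame for the 100-attempt bursts and an ignoreip list for the trunk address JR says he never blocks. Assumptions: log lines follow the Asterisk 1.8 chan_sip "Registration from ... failed for ..." shape, the sample lines are constructed, and the chain name fail2ban-asterisk is a placeholder.

```python
"""Minimal fail2ban-style watcher for failed Asterisk SIP registrations (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Failed-registration line as chan_sip writes it (format assumed); captures timestamp and source IP.
FAIL_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '[^']*' failed for '(?P<ip>\d+(?:\.\d+){3})(?::\d+)?' - .*$"
)
EPOCH = datetime(1900, 1, 1)  # strptime fills in year 1900; only time differences matter here


def parse_failure(line):
    """Return (seconds, source_ip) for a failed-registration line, or None for any other line."""
    m = FAIL_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return (ts - EPOCH).total_seconds(), m.group("ip")


class Jail:
    """Ban a source after maxretry failures inside findtime seconds, unless it is in ignoreip."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600, ignoreip=()):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ip_network(n) for n in ignoreip]
        self.failures = defaultdict(list)  # ip -> failure times still inside findtime
        self.attempts = defaultdict(int)   # ip -> every failure seen in the log, banned or not
        self.banned = {}                   # ip -> time the ban expires

    def ignored(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.ignore)

    def poll(self, new_lines):
        """Process the lines written since the last poll; return the iptables commands to run.

        Everything a scanner wrote between two polls is counted here in one go, which is why the
        log can show far more than maxretry attempts even though the ban was decided at attempt 5.
        """
        actions = []
        for line in new_lines:
            parsed = parse_failure(line)
            if parsed is None:
                continue
            now, ip = parsed
            self.attempts[ip] += 1
            if ip in self.banned or self.ignored(ip):
                continue  # already blocked, or our own trunk/peer: never ban on forged failures
            window = [t for t in self.failures[ip] if now - t <= self.findtime]
            window.append(now)
            self.failures[ip] = window
            if len(window) >= self.maxretry:
                self.banned[ip] = now + self.bantime
                del self.failures[ip]
                actions.append(f"iptables -I fail2ban-asterisk 1 -s {ip} -j DROP")
        return actions


FROM_FIELD = '"100" <sip:100@203.0.113.9>'  # constructed SIP From header of the attempts


def make_line(ts, ip, reason="Wrong password"):
    """Constructed Asterisk-style log line (not captured from a real system)."""
    return f"[{ts}] NOTICE[2345] chan_sip.c: Registration from '{FROM_FIELD}' failed for '{ip}:5060' - {reason}"


SCANNER, TRUNK, SLOW = "203.0.113.5", "198.51.100.7", "192.0.2.44"  # documentation-range addresses


def demo():
    """Run one poll over three constructed sources and return (jail, actions)."""
    jail = Jail(maxretry=5, findtime=600, bantime=3600, ignoreip=[TRUNK + "/32"])
    # A scanner fires 120 REGISTERs within one second: all of them are in the log before the next poll.
    burst = [make_line("Mar 31 08:17:01", SCANNER) for _ in range(120)]
    # Ten failures that appear to come from our own SIP trunk must never produce a ban.
    trunk = [make_line("Mar 31 08:17:02", TRUNK) for _ in range(10)]
    # Five failures 11 minutes apart never reach maxretry inside the 600-second findtime.
    slow = [make_line("Mar 31 08:%02d:00" % m, SLOW) for m in (0, 11, 22, 33, 44)]
    actions = jail.poll(slow + burst + trunk)
    return jail, actions


if __name__ == "__main__":
    jail, actions = demo()
    print(actions)              # one DROP rule, for the scanner only
    print(dict(jail.attempts))  # scanner: 120 attempts in the log, ban decided at the 5th
```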
Re: [asterisk-users] asterisk and fail2ban
On 03/29/2011 07:16 AM, Gilles wrote:

> On Mon, 28 Mar 2011 08:20:23 -0400, vip killa vipki...@gmail.com wrote:
>
>> Is anyone using asterisk with fail2ban?
>
> Sorry for hijacking the thread, but I was wondering if there were a lighter alternative that I could run on appliances? Python uses too much RAM, but I need to find a way to ban hackers from trying to connect to Asterisk from the Net.

Gilles,

One of our developers on the AstLinux team worked out a plugin for Arno's firewall (iptables based) which performs similar to fail2ban, but uses bash. He called it adaptive-ban. You might be able to adapt it for your use, but as it's written, it's integrated with AstLinux.

http://astlinux.svn.sourceforge.net/viewvc/astlinux/branches/0.7/package/arnofw/adaptive-ban/

Darrick

--
Darrick Hartman
DJH Solutions, LLC
http://www.djhsolutions.com
Re: [asterisk-users] asterisk and fail2ban
Look into the ipt_recent / xt_recent module. It's probably what he is using.

On Wed, Mar 30, 2011 at 4:25 PM, vip killa vipki...@gmail.com wrote:

> could you please elaborate on how you have iptables setup to work that way?
>
> On Wed, Mar 30, 2011 at 4:11 PM, Gordon Henderson gordon+aster...@drogon.net wrote:
>
>> On Wed, 30 Mar 2011, Terry Brummell wrote:
>>
>>> I think you will find Fail2Ban the de facto standard.
>>
>> I don't use fail2ban. Never have, never will because I simply don't need it.
>>
>> Standard iptables are good enough if you can be bothered to use them to their full abilities. No need for anything else as iptables can do connection tracking and blocking against time - just like fail2ban does.
>>
>> More than X connections a second/minute/hour from a given IP address? Yes, iptables can detect and block that. Works for all protocols too - SIP, IAX, POP, SSH, etc.
>>
>> Gordon
Re: [asterisk-users] asterisk and fail2ban
On Wed, 30 Mar 2011 16:54:51 -0500, Darrick Hartman dhart...@djhsolutions.com wrote:
> One of our developers on the AstLinux team worked out a plugin for Arno's firewall (iptables based) which performs similarly to fail2ban, but uses bash. He called it adaptive-ban. You might be able to adapt it for your use, but as it's written, it's integrated with AstLinux.

Thanks Darrick. I'll add it to the list of options to check out.
Re: [asterisk-users] asterisk and fail2ban
On Mon, 28 Mar 2011 08:20:23 -0400, vip killa vipki...@gmail.com wrote:
> Is anyone using asterisk with fail2ban?

Sorry for hi-jacking the thread, but I was wondering if there were a lighter alternative that I could run on appliances? Python uses too much RAM, but I need to find a way to ban hackers from trying to connect to Asterisk from the Net.

Thank you.
Re: [asterisk-users] asterisk and fail2ban
On Mon, 28 Mar 2011 08:20:23 -0400, vip killa vipki...@gmail.com wrote:
> Is anyone using asterisk with fail2ban?
>
> Sorry for hi-jacking the thread, but I was wondering if there were a lighter alternative that I could run on appliances? Python uses too much RAM, but I need to find a way to ban hackers from trying to connect to Asterisk from the Net.

I had worked with the sshguard guys to add support for Asterisk; I believe they added basic support. I haven't gotten around to revisiting that issue just yet so I don't know for sure.

http://lists.digium.com/pipermail/asterisk-users/2010-December/256928.html

sshguard is *extremely* lightweight compared to most things; it's a very efficient compiled C application that doesn't have (m?)any dependencies.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Re: [asterisk-users] asterisk and fail2ban
On Tue, 29 Mar 2011 07:31:18 -0500 (CDT), Joe Greco jgr...@ns.sol.net wrote:
> sshguard is *extremely* lightweight compared to most things; it's a very efficient compiled C application that doesn't have (m?)any dependencies.

Thanks much for the tip. I'll study how to install/configure iptables and sshguard.
Re: [asterisk-users] asterisk and fail2ban
On 3/29/2011 7:16 AM, Gilles wrote:
> On Mon, 28 Mar 2011 08:20:23 -0400, vip killa vipki...@gmail.com wrote:
>> Is anyone using asterisk with fail2ban?
>
> Sorry for hi-jacking the thread, but I was wondering if there were a lighter alternative that I could run on appliances? Python uses too much RAM, but I need to find a way to ban hackers from trying to connect to Asterisk from the Net.
>
> Thank you.

First thing I'd do is restrict the IP blocks your SIP endpoints can register/call from in sip.conf (or your database's table for SIP endpoints).

--
Sherwood McGowan
sherwood.mcgo...@gmail.com
Carrier, ITSP, Call Center, and PBX Solutions Consultant
Re: [asterisk-users] asterisk and fail2ban
On Tue, 29 Mar 2011 12:10:59 -0500, Sherwood McGowan sherwood.mcgo...@gmail.com wrote:
> First thing I'd do is restrict the IP blocks your SIP endpoints can register/call from in sip.conf (or your database's table for SIP endpoints).

Thanks for the idea, but it's not possible, as the Asterisk must be accessible for road warriors and receive SIP calls from anyone.
Re: [asterisk-users] asterisk and fail2ban
On Tue, 29 Mar 2011 12:10:59 -0500, Sherwood McGowan wrote:
> First thing I'd do is restrict the IP blocks your SIP endpoints can register/call from in sip.conf (or your database's table for SIP endpoints).

On Tue, 29 Mar 2011, Gilles wrote:
> Thanks for the idea, but it's not possible, as the Asterisk must be accessible for road warriors and receive SIP calls from anyone.

Really? How many callers are you expecting from North Korea, Libya, China, Iran, etc?

--
Thanks in advance,
-
Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
Re: [asterisk-users] asterisk and fail2ban
On 3/29/2011 12:25 PM, Steve Edwards wrote:
> On Tue, 29 Mar 2011 12:10:59 -0500, Sherwood McGowan wrote:
>> First thing I'd do is restrict the IP blocks your SIP endpoints can register/call from in sip.conf (or your database's table for SIP endpoints).
>
> On Tue, 29 Mar 2011, Gilles wrote:
>> Thanks for the idea, but it's not possible, as the Asterisk must be accessible for road warriors and receive SIP calls from anyone.
>
> Really? How many callers are you expecting from North Korea, Libya, China, Iran, etc?

Thanks Steve, you just emailed exactly what I was going to say...

Remember guys, there's a LOT of IP blocks out there that are almost definitely not going to be somewhere you expect to receive SIP traffic from. Where are you located? Where do your road warriors usually travel? Start by blocking countries that are not going to be expected to send traffic 98% of the time.

When I first started out as a consultant, I helped get a certain U.S. ITSP up and running, and we reduced fraud and hack attempts DRASTICALLY simply by blocking most of the countries that are pretty much known for their prolific numbers of hackers. Sure, we had like, 2 customers call in to say they had traveled abroad (or sent their device to a family member/friend abroad) and couldn't get their device to register. But seriously, it was rare.

Either way, just a suggestion.

--
Sherwood McGowan
sherwood.mcgo...@gmail.com
Carrier, ITSP, Call Center, and PBX Solutions Consultant
Re: [asterisk-users] asterisk and fail2ban
On Tue, 29 Mar 2011 12:34:04 -0500, Sherwood McGowan sherwood.mcgo...@gmail.com wrote:
> Remember guys, there's a LOT of IP blocks out there that are almost definitely not going to be somewhere you expect to receive SIP traffic from.

I agree. Is there a list I could use to check which blocks have been allocated to which countries so I can add them to Asterisk's blacklist?
Re: [asterisk-users] asterisk and fail2ban
On Tue, Mar 29, 2011 at 2:34 PM, Sherwood McGowan sherwood.mcgo...@gmail.com wrote:
> On 3/29/2011 12:25 PM, Steve Edwards wrote:
>> On Tue, 29 Mar 2011 12:10:59 -0500, Sherwood McGowan wrote:
>>> First thing I'd do is restrict the IP blocks your SIP endpoints can register/call from in sip.conf (or your database's table for SIP endpoints).
>>
>> On Tue, 29 Mar 2011, Gilles wrote:
>>> Thanks for the idea, but it's not possible, as the Asterisk must be accessible for road warriors and receive SIP calls from anyone.
>>
>> Really? How many callers are you expecting from North Korea, Libya, China, Iran, etc?
>
> Thanks Steve, you just emailed exactly what I was going to say...
>
> Remember guys, there's a LOT of IP blocks out there that are almost definitely not going to be somewhere you expect to receive SIP traffic from. Where are you located? Where do your road warriors usually travel? Start by blocking countries that are not going to be expected to send traffic 98% of the time.
>
> When I first started out as a consultant, I helped get a certain U.S. ITSP up and running, and we reduced fraud and hack attempts DRASTICALLY simply by blocking most of the countries that are pretty much known for their prolific numbers of hackers. Sure, we had like, 2 customers call in to say they had traveled abroad (or sent their device to a family member/friend abroad) and couldn't get their device to register. But seriously, it was rare.
>
> Either way, just a suggestion.
>
> --
> Sherwood McGowan
> sherwood.mcgo...@gmail.com
> Carrier, ITSP, Call Center, and PBX Solutions Consultant

First step should be on the AS level. If you do not have access to advertised networks then use http://www.spamhaus.org/drop/ (the Spamhaus Don't Route Or Peer List) and the script in the FAQ.

--
~~~ Andrew lathama Latham lath...@gmail.com ~~~
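As an added example, not code from the thread and not the script in the Spamhaus FAQ that Andrew refers to: a small Python loader for the DROP list's text format (one `CIDR ; SBLnnn` entry per line, `;` starting a comment), which checks a source address against the loaded list and renders it as iptables rules in a dedicated chain. The sample entries are constructed for the example, not the live list, and the chain name `SIP-DROP` and the choice to hook it only on udp/5060 are assumptions.

```python
import ipaddress

# Constructed sample in the Spamhaus DROP text format ("CIDR ; SBL reference",
# ';' starts a comment). These entries are made up for the example and are
# not the current list; fetch the real one from the URL in the thread.
SAMPLE_DROP_LIST = """\
; Spamhaus DROP List - constructed sample, not the live list
; Last-Modified: Tue, 29 Mar 2011 00:00:00 GMT
1.10.16.0/20 ; SBL256894
5.34.242.0/23 ; SBL194796
192.0.2.1/24 ; SBL000000 ; host bits set: rejected, not silently widened
37.9.53.0/24 ; SBL201196
"""


def parse_drop_list(text):
    """Return [(ip_network, sbl_reference), ...] for a DROP-format text.

    Blank and ';' comment lines are skipped. A data line is split at the
    first ';'. strict=True makes ipaddress refuse a prefix with host bits
    set, so a mangled line is dropped rather than turned into a different
    (and possibly much wider) block.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, rest = line.partition(";")
        tokens = rest.split()
        ref = tokens[0] if tokens else ""
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=True)
        except ValueError:
            continue
        entries.append((net, ref))
    return entries


class DropBlocklist:
    """In-memory blocklist plus rendering to firewall rules."""

    def __init__(self, entries):
        self.entries = list(entries)

    def match(self, ip):
        """Return the (network, reference) entry containing ip, or None."""
        addr = ipaddress.ip_address(ip)
        for net, ref in self.entries:
            if addr in net:
                return net, ref
        return None

    def iptables_rules(self, chain="SIP-DROP", port=5060):
        """Render the list as iptables commands (returned as strings, not run).

        A separate chain keeps the block rules out of the main INPUT policy,
        and only SIP traffic (udp/5060 here, an assumption) is sent through
        it, so a stray entry cannot lock out SSH or a trunk on another port.
        """
        rules = ["iptables -N %s" % chain]
        for net, ref in self.entries:
            rules.append("iptables -A %s -s %s -m comment --comment %s -j DROP"
                         % (chain, net, ref))
        rules.append("iptables -A %s -j RETURN" % chain)
        rules.append("iptables -I INPUT -p udp --dport %d -j %s" % (port, chain))
        return rules


if __name__ == "__main__":
    blocklist = DropBlocklist(parse_drop_list(SAMPLE_DROP_LIST))
    print(blocklist.match("1.10.20.5"))
    print("\n".join(blocklist.iptables_rules()))
```

The loader deliberately throws away a line whose prefix has host bits set instead of letting `ipaddress` normalise it; on a list that is applied as firewall policy, a silently widened entry is worse than a missing one.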
Re: [asterisk-users] asterisk and fail2ban
On 3/29/2011 12:42 PM, Gilles wrote:
> On Tue, 29 Mar 2011 12:34:04 -0500, Sherwood McGowan sherwood.mcgo...@gmail.com wrote:
>> Remember guys, there's a LOT of IP blocks out there that are almost definitely not going to be somewhere you expect to receive SIP traffic from.
>
> I agree. Is there a list I could use to check which blocks have been allocated to which countries so I can add them to Asterisk's blacklist?

http://www.maxmind.com/app/ip-location

--
Sherwood McGowan
sherwood.mcgo...@gmail.com
Carrier, ITSP, Call Center, and PBX Solutions Consultant
Re: [asterisk-users] asterisk and fail2ban
On Tue, 29 Mar 2011 12:34:04 -0500, Sherwood McGowan sherwood.mcgo...@gmail.com wrote:
> Remember guys, there's a LOT of IP blocks out there that are almost definitely not going to be somewhere you expect to receive SIP traffic from.

On Tue, 29 Mar 2011, Gilles wrote:
> I agree. Is there a list I could use to check which blocks have been allocated to which countries so I can add them to Asterisk's blacklist?

I posted this several months ago:

http://www.voip-info.org/wiki/view/allocated-class-a-ip-address-blocks

--
Thanks in advance,
-
Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
Re: [asterisk-users] asterisk and fail2ban
On 29/03/2011 19:34, Sherwood McGowan wrote:
> On 3/29/2011 12:25 PM, Steve Edwards wrote:
>> On Tue, 29 Mar 2011 12:10:59 -0500, Sherwood McGowan wrote:
>>> First thing I'd do is restrict the IP blocks your SIP endpoints can register/call from in sip.conf (or your database's table for SIP endpoints).
>>
>> On Tue, 29 Mar 2011, Gilles wrote:
>>> Thanks for the idea, but it's not possible, as the Asterisk must be accessible for road warriors and receive SIP calls from anyone.
>>
>> Really? How many callers are you expecting from North Korea, Libya, China, Iran, etc?
>
> Thanks Steve, you just emailed exactly what I was going to say...
>
> Remember guys, there's a LOT of IP blocks out there that are almost definitely not going to be somewhere you expect to receive SIP traffic from.

Well, I can tell you that our servers in Europe these days are mainly attacked by US IP ranges (remember last year the problem with the Amazon cloud). They now disappear here in Europe but lots of other US networks quickly replace them :-(

--
Daniel
Re: [asterisk-users] asterisk and fail2ban
Obviously, the other side of the world wants connections to your side, no matter what side you are on. :-)

Cary

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Administrator TOOTAI
Sent: Tuesday, March 29, 2011 3:21 PM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] asterisk and fail2ban

> On 29/03/2011 19:34, Sherwood McGowan wrote:
>> On 3/29/2011 12:25 PM, Steve Edwards wrote:
>>> On Tue, 29 Mar 2011 12:10:59 -0500, Sherwood McGowan wrote:
>>>> First thing I'd do is restrict the IP blocks your SIP endpoints can register/call from in sip.conf (or your database's table for SIP endpoints).
>>>
>>> On Tue, 29 Mar 2011, Gilles wrote:
>>>> Thanks for the idea, but it's not possible, as the Asterisk must be accessible for road warriors and receive SIP calls from anyone.
>>>
>>> Really? How many callers are you expecting from North Korea, Libya, China, Iran, etc?
>>
>> Thanks Steve, you just emailed exactly what I was going to say...
>>
>> Remember guys, there's a LOT of IP blocks out there that are almost definitely not going to be somewhere you expect to receive SIP traffic from.
>
> Well, I can tell you that our servers in Europe these days are mainly attacked by US IP ranges (remember last year the problem with the Amazon cloud). They now disappear here in Europe but lots of other US networks quickly replace them :-(
>
> --
> Daniel
Re: [asterisk-users] asterisk and fail2ban
On Tue, Mar 29, 2011 at 3:57 PM, Cary Fitch ca...@usawide.net wrote:
> Obviously, the other side of the world wants connections to your side, no matter what side you are on. :-)
>
> Cary

Exactly
Re: [asterisk-users] asterisk and fail2ban
On 03-29-2011 19:25, Steve Edwards wrote:
> Really? How many callers are you expecting from North Korea, Libya, China, Iran, etc?

After reviewing last week's log I'd say around 25-28k/min :)
Re: [asterisk-users] asterisk and fail2ban
On Tue, 29 Mar 2011 23:09:06 +0200, ad...@3a.hu wrote:
> On 03-29-2011 19:25, Steve Edwards wrote:
>> Really? How many callers are you expecting from North Korea, Libya, China, Iran, etc?
>
> After reviewing last week's log I'd say around 25-28k/min :)

So it looks like I should check out sshguard instead of relying on blocks of IPs :-)
Re: [asterisk-users] asterisk and fail2ban
On 03-29-2011 19:25, Steve Edwards wrote:
> Really? How many callers are you expecting from North Korea, Libya, China, Iran, etc?

On Tue, 29 Mar 2011 23:09:06 +0200, ad...@3a.hu wrote:
> After reviewing last week's log I'd say around 25-28k/min :)

On Tue, 29 Mar 2011, Gilles wrote:
> So it looks like I should check out sshguard instead of relying on blocks of IPs :-)

It's not A or B, think A AND B. Security should be in layers -- my pocket GPS is in my locked glove box, in my locked car, in my locked garage, in my gated community.

If there is never a need to accept callers from North Korea, how will you explain to your boss that some NK script weenie discovered some weakness in A or B and racked up a bazillion minutes to Libya? What if you misconfigure A or B? What if A or B has a 'window of opportunity' during system restart?

--
Thanks in advance,
-
Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
Re: [asterisk-users] asterisk and fail2ban
Hi Gilles,

Just to provide an alternative to sshguard: you could use BFD [1] (based on bash scripts) and configure it to use iptables to block the attacker host. The default configuration is to check the logs every 3 minutes (using a crontab entry).

BFD rules for Asterisk can be found here [2] - tested on Asterisk 1.4.

Our BAN command looks like:

    (/sbin/iptables -n -L | grep DROP | grep -w "$ATTACK_HOST") || /sbin/iptables -I INPUT -s "$ATTACK_HOST" -j DROP

HTH,
Ioan

[1] http://www.rfxn.com/projects/brute-force-detection/
[2] http://www.modulo.ro/Modulo/downloads/tools/tenora.bfd.tar.gz

On Wed, Mar 30, 2011 at 12:51 AM, Gilles codecompl...@free.fr wrote:
> On Tue, 29 Mar 2011 23:09:06 +0200, ad...@3a.hu wrote:
>> On 03-29-2011 19:25, Steve Edwards wrote:
>>> Really? How many callers are you expecting from North Korea, Libya, China, Iran, etc?
>>
>> After reviewing last week's log I'd say around 25-28k/min :)
>
> So it looks like I should check out sshguard instead of relying on blocks of IPs :-)
Re: [asterisk-users] asterisk and fail2ban
On Mon, Mar 28, 2011 at 9:20 AM, vip killa vipki...@gmail.com wrote:
> Is anyone using asterisk with fail2ban? I have it working except it takes way more break-in attempts than what is set in maxretry in jail.conf. For example, I get an email saying:
>
> The IP 199.204.45.19 has just been banned by Fail2Ban after 181 attempts against ASTERISK.
>
> when maxretry = 5 in jail.conf
>
> Perhaps someone else is experiencing this or has resolved it, thank you in advance for your time.

If you fixed the logging issue discussed here http://www.fail2ban.org/wiki/index.php/Asterisk then I would assume your logging has problems.

--
~~~ Andrew lathama Latham lath...@gmail.com ~~~
Re: [asterisk-users] asterisk and fail2ban
Yes, I followed directions on that page. Running Asterisk 1.6.1.22, anybody else experiencing this?

On Mon, Mar 28, 2011 at 8:32 AM, Andrew Latham lath...@gmail.com wrote:
> On Mon, Mar 28, 2011 at 9:20 AM, vip killa vipki...@gmail.com wrote:
>> Is anyone using asterisk with fail2ban? I have it working except it takes way more break-in attempts than what is set in maxretry in jail.conf. For example, I get an email saying:
>>
>> The IP 199.204.45.19 has just been banned by Fail2Ban after 181 attempts against ASTERISK.
>>
>> when maxretry = 5 in jail.conf
>>
>> Perhaps someone else is experiencing this or has resolved it, thank you in advance for your time.
>
> If you fixed the logging issue discussed here http://www.fail2ban.org/wiki/index.php/Asterisk then I would assume your logging has problems.
>
> --
> ~~~ Andrew lathama Latham lath...@gmail.com ~~~
Re: [asterisk-users] asterisk and fail2ban
On 28 Mar 2011, at 14:19, vip killa wrote:
> Yes, I followed directions on that page. Running Asterisk 1.6.1.22, anybody else experiencing this?

How often does fail2ban check the logs? It can only block that often, so if more attempts happen in that time period it can't do anything until it knows.

S
Re: [asterisk-users] asterisk and fail2ban
fail2ban checks the logs every second. Does asterisk buffer log output?

On Mon, Mar 28, 2011 at 9:27 AM, Steven Howes steve-li...@geekinter.net wrote:
> On 28 Mar 2011, at 14:19, vip killa wrote:
>> Yes, I followed directions on that page. Running Asterisk 1.6.1.22, anybody else experiencing this?
>
> How often does fail2ban check the logs? It can only block that often, so if more attempts happen in that time period it can't do anything until it knows.
>
> S
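An added example, not code from the thread, from fail2ban or from Asterisk, that models the two approaches discussed in this thread side by side: the per-packet iptables `recent` limit Gordon describes, and a log-polling banner like fail2ban whose poll interval Steven asks about. It parses constructed Asterisk 1.6-style `messages` lines with an assumed regex (the fail2ban Asterisk filter itself is not quoted on this page), then simulates one attacker at a given rate against both models. The rule shape named in the comment (`-m recent --set` followed by `--update --seconds S --hitcount N -j DROP`) is the general xt_recent form, not Gordon's actual configuration; `maxretry`, `findtime` and the one-second poll are the values discussed above.

```python
import re
from collections import defaultdict, deque

# Constructed lines in the shape of Asterisk 1.6's /var/log/asterisk/messages
# (not taken from the page). 203.0.113.7 and 198.51.100.9 are documentation
# addresses, 192.0.2.10 stands in for the PBX.
SAMPLE_LOG = """\
[Mar 28 08:15:01] NOTICE[2301] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[Mar 28 08:15:01] NOTICE[2301] chan_sip.c: Registration from '"101"<sip:101@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[Mar 28 08:15:02] NOTICE[2301] chan_sip.c: Peer '200' is now Reachable. (3ms / 2000ms)
[Mar 28 08:15:02] NOTICE[2301] chan_sip.c: Registration from '"102"<sip:102@192.0.2.10>' failed for '198.51.100.9' - Wrong password
"""

# Assumed pattern for the failed-REGISTER notice; the fail2ban filter the
# thread refers to is not quoted on the page. The optional ':port' covers
# builds that log the source port as well.
FAILED_REG = re.compile(
    r"NOTICE\[\d+\] chan_sip\.c: Registration from '.*?' "
    r"failed for '(?P<ip>\d+\.\d+\.\d+\.\d+)(?::\d+)?' - (?P<why>.*)$"
)


def parse_failures(lines):
    """Return [(source_ip, reason), ...] for every failed-registration line."""
    hits = []
    for line in lines:
        m = FAILED_REG.search(line)
        if m:
            hits.append((m.group("ip"), m.group("why")))
    return hits


def failures_by_ip(lines):
    """Count failed registrations per source address."""
    counts = defaultdict(int)
    for ip, _ in parse_failures(lines):
        counts[ip] += 1
    return dict(counts)


def log_poll_ban(attempt_times, maxretry, findtime, interval):
    """Model a log-polling banner such as fail2ban.

    attempt_times: sorted seconds at which one source logged a failure.
    The log is read once every `interval` seconds; the source is banned at
    the first read that shows >= maxretry failures in the last findtime
    seconds. Returns (ban_time, failures_already_logged); ban_time is None
    if the threshold is never reached.
    """
    if not attempt_times:
        return None, 0
    k = 0
    while True:
        t = k * interval
        if t > attempt_times[-1] + interval:
            return None, len(attempt_times)
        visible = [a for a in attempt_times if a < t]
        recent = [a for a in visible if a >= t - findtime]
        if len(recent) >= maxretry:
            return t, len(visible)
        k += 1


def inline_rate_limit(attempt_times, hitcount, seconds):
    """Model the per-packet check iptables does with the recent match, i.e.
    '-m recent --name sip --set' followed by
    '-m recent --name sip --update --seconds S --hitcount N -j DROP':
    every packet from the source is counted, and a packet is dropped once
    the source has N hits (this one included) within the last S seconds.
    Returns how many attempts were accepted before the drop kicked in.
    """
    window = deque()
    accepted = 0
    for a in attempt_times:
        while window and window[0] <= a - seconds:
            window.popleft()
        window.append(a)  # --set: the packet is recorded even if dropped
        if len(window) >= hitcount:
            continue  # dropped; the refreshed entry keeps the source blocked
        accepted += 1
    return accepted


def burst(rate, duration):
    """Timestamps for an attacker sending `rate` attempts/s for `duration` s."""
    return [i / rate for i in range(int(rate * duration))]


def compare(rate, duration=10, maxretry=5, findtime=600, interval=1):
    """Attempts that get through under each model for a given attack rate."""
    times = burst(rate, duration)
    _, logged = log_poll_ban(times, maxretry, findtime, interval)
    return {"log_poll": logged,
            "inline": inline_rate_limit(times, maxretry, findtime)}


if __name__ == "__main__":
    print(failures_by_ip(SAMPLE_LOG.splitlines()))
    for rate in (2, 100):
        print(rate, "attempts/s ->", compare(rate))
```

Running it reproduces the shape of what vip killa reports: with a one-second poll and an attacker sending 100 attempts a second, the ban is issued only after 100 failures are already in the log, even though `maxretry` is 5, because the threshold is evaluated when the log is read, not when the attempt happens; anything Asterisk holds back before writing the line widens that gap further. The per-packet `recent` check drops the fifth packet in the window whatever the rate, and the sixth assertion below shows the window expiring so that a source which goes quiet for longer than `--seconds` is counted afresh.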