Re: [asterisk-users] Iptables configuration to handle brute force registrations?

2011-04-07 Thread Gilles
On Wed, 6 Apr 2011 09:46:12 +0100 (BST), Gordon Henderson
gordon+aster...@drogon.net wrote:
Have a look at these:

Thanks much Gordon. I'll study the scripts you mentioned. It looks
like iptables is good enough and I won't have to install a second tool
to watch the logs and reconfigure iptables on the fly.


--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] Iptables configuration to handle brute force registrations?

2011-04-07 Thread Gilles
On Tue, 5 Apr 2011 17:38:15 -0400, Paul Dugas
p...@dugasenterprises.com wrote:
First, this appears to be working for me though I'm not 100% sure of
that and cannot guarantee it will for you in any way, shape or form.
With the lawyering out of the way...

Thanks a lot, Paul.




Re: [asterisk-users] Iptables configuration to handle brute force registrations?

2011-04-06 Thread Sherwood McGowan
On 4/5/2011 4:38 PM, Paul Dugas wrote:
 First, this appears to be working for me though I'm not 100% sure of
 that and cannot guarantee it will for you in any way, shape or form.
 With the lawyering out of the way...

 I've seen fail2ban allow more than 500 failed SIP login attempts in
 under 30 seconds before adding an iptables rule to block the attacker.
  Likely I have it configured wrong but lately, I've been tinkering
 with iptables rules using the recent module as another layer of
 defense.  Relevant lines from /etc/sysconfig/iptables on my
 CENTOS/Asterisk machine below...

 -A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --set --name SIP
 -A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds 600 --hitcount 20 --rttl -j DROP
 -A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds 300 --hitcount 10 --rttl -j DROP
 -A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds 180 --hitcount 5 --rttl -j DROP
 -A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds 60 --hitcount 3 --rttl -j DROP
 -A RH-Firewall-1-INPUT -p udp --dport 5060 -j ACCEPT

 This blocks the attacker when too many new SIP connections happen in
 too short a period of time.  I think fail2ban will now never see
 enough failed logins to fire off a response.

 $0.02


That was completely worth the $0.02, here's a nickel  keep the change! ;-)

Cheers mate, thanks for sharing with the community :)

-- 
Sherwood McGowan sherwood.mcgo...@gmail.com
Carrier, ITSP, Call Center, and PBX Solutions Consultant




Re: [asterisk-users] Iptables configuration to handle brute force registrations?

2011-04-06 Thread Gordon Henderson

On Tue, 5 Apr 2011, Steve Edwards wrote:


On Tue, 5 Apr 2011, Gilles wrote:

	I'm no expert of iptables, and it seems like it can handle banning 
IP's that are trying to register and fail too many times.



Is there a good iptables configuration that I could use as reference?


Gordon Henderson posted a link to his script that handled failures above a 
threshold and some other cool stuff a few months back.


Try searching the archives.


Have a look at these:

http://unicorn.drogon.net/firewall

That's a very basic iptables firewall script. You can not run this as-is, 
you will need to change it.


This:

  http://unicorn.drogon.net/firewall2

is a bit more complicated. It includes some more stateful rules to check 
and automatically slow-down bulk connections. It's not perfect, but it 
could be used as a starting point for your own thing. A word of warning 
though - it's not suitable for light-weight/embedded devices. These rules 
can result in significant kernel processing.


You may also wish to look at this:

  http://blog.elphel.com/2011/03/hardening-the-asterisk-based-phone-system

It's a blog post by Andrey Filippov based on some of my work and some of 
his own. It's all good stuff.


Gordon



Re: [asterisk-users] Iptables configuration to handle brute force registrations?

2011-04-06 Thread Pezhman Lali
fail2ban(opensource) is a good choice for you
best

On Wed, Apr 6, 2011 at 1:16 PM, Gordon Henderson gordon+aster...@drogon.net
 wrote:

 On Tue, 5 Apr 2011, Steve Edwards wrote:

  On Tue, 5 Apr 2011, Gilles wrote:

 I'm no expert of iptables, and it seems like it can handle banning
 IP's that are trying to register and fail too many times.


  Is there a good iptables configuration that I could use as reference?


 Gordon Henderson posted a link to his script that handled failures above a
 threshold and some other cool stuff a few months back.

 Try searching the archives.


 Have a look at these:

 http://unicorn.drogon.net/firewall

 That's a very basic iptables firewall script. You can not run this as-is,
 you will need to change it.

 This:

  http://unicorn.drogon.net/firewall2

 is a bit more complicated. It includes some more stateful rules to check
 and automatically slow-down bulk connections. It's not perfect, but it could
 be used as a starting point for your own thing. A word of warning though -
 it's not suitable for light-weight/embedded devices. These rules can result
 in significant kernel processing.

 You may also wish to look at this:

  http://blog.elphel.com/2011/03/hardening-the-asterisk-based-phone-system

 It's a blog post by Andrey Filippov based on some of my work and some of
 his own. It's all good stuff.

 Gordon




[asterisk-users] Iptables configuration to handle brute force registrations?

2011-04-05 Thread Gilles
Hello

I'm no expert of iptables, and it seems like it can handle banning
IP's that are trying to register and fail too many times.

I'd like to use this feature instead of having to install a second
tool such as SSHGuard or BFS that parses the logs and reconfigure
iptables on the fly.

Is there a good iptables configuration that I could use as reference? 

FWIW, the kernel is uClinux 2.6.13.9, iptables is 1.3.6, and it's a
single-homed host so there's no need to handle the FORWARD chain.

Thank you.




Re: [asterisk-users] Iptables configuration to handle brute force registrations?

2011-04-05 Thread Steve Edwards

On Tue, 5 Apr 2011, Gilles wrote:

	I'm no expert of iptables, and it seems like it can handle banning 
IP's that are trying to register and fail too many times.



Is there a good iptables configuration that I could use as reference?


Gordon Henderson posted a link to his script that handled failures above a 
threshold and some other cool stuff a few months back.


Try searching the archives.

--
Thanks in advance,
-
Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
Newline  Fax: +1-760-731-3000



Re: [asterisk-users] Iptables configuration to handle brute force registrations?

2011-04-05 Thread Bill Michaelson

fail2ban might be good for this.

On 04/05/2011 01:00 PM, asterisk-users-requ...@lists.digium.com wrote:


Date: Tue, 5 Apr 2011 08:44:41 -0700 (PDT)
From: Steve Edwards asterisk@sedwards.com
Subject: Re: [asterisk-users] Iptables configuration to handle brute
force registrations?

On Tue, 5 Apr 2011, Gilles wrote:


I'm no expert of iptables, and it seems like it can handle banning
IP's that are trying to register and fail too many times.
Is there a good iptables configuration that I could use as reference?

Gordon Henderson posted a link to his script that handled failures above a
threshold and some other cool stuff a few months back.




Re: [asterisk-users] Iptables configuration to handle brute force registrations?

2011-04-05 Thread Sherwood McGowan
On Tue, Apr 5, 2011 at 1:31 PM, Bill Michaelson b...@cosi.com wrote:

  fail2ban might be good for this.


I think you missed the point, which is reducing the need for an external
application that searches logs in order to determine whether or not to block
an IP.

Why run fail2ban and add overhead when you can just do the same thing with
iptables itself?

Re: [asterisk-users] Iptables configuration to handle brute force registrations?

2011-04-05 Thread Steve Edwards

On Tue, 5 Apr 2011, Sherwood McGowan wrote:

Why run fail2ban and add overhead when you can just do the same thing 
with iptables itself?


Because it's not the same?

The iptables approach is great because it is 'light-weight' and it should 
already 'be there.' Also, it can react quicker because it doesn't have to 
read log files to make a decision.


The 'downside' of the iptables approach is that the blocks go away when 
iptables is reloaded -- like when the host is restarted.


Probably not an issue with Gordon since his hosts stay up for years.

I'm thinking the iptables approach supplemented with a script to 
periodically save the block list to disk would allow persistent blocks as 
well as letting you accumulate blocks between all your hosts.


Which would still be much 'lighter' than fail2ban.

--
Thanks in advance,
-
Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
Newline  Fax: +1-760-731-3000



Re: [asterisk-users] Iptables configuration to handle brute force registrations?

2011-04-05 Thread Sherwood McGowan


On 4/5/2011 2:11 PM, Steve Edwards wrote:
 On Tue, 5 Apr 2011, Sherwood McGowan wrote:

 Why run fail2ban and add overhead when you can just do the same thing
 with iptables itself?

 Because it's not the same?

 The iptables approach is great because it is 'light-weight' and it
 should already 'be there.' Also, it can react quicker because it
 doesn't have to read log files to make a decision.

 The 'downside' of the iptables approach is that the blocks go away
 when iptables is reloaded -- like when the host is restarted.

 Probably not an issue with Gordon since his hosts stay up for years.

 I'm thinking the iptables approach supplemented with a script to
 periodically save the block list to disk would allow persistent blocks
 as well as letting you accumulate blocks between all your hosts.

 Which would still be much 'lighter' than fail2ban.


Agreed on all points Steve. I've already implemented an auto save
function, to workaround the drawback you mentioned.

Are there possibly other drawbacks that I'm not seeing/remembering? I've
been running an iptables based setup for some time, never really jumped
into the fail2ban wagon

-- 
Sherwood McGowan sherwood.mcgo...@gmail.com
Carrier, ITSP, Call Center, and PBX Solutions Consultant




Re: [asterisk-users] Iptables configuration to handle brute force registrations?

2011-04-05 Thread Steve Edwards

On Tue, 5 Apr 2011, Sherwood McGowan wrote:


Why run fail2ban and add overhead when you can just do the same thing 
with iptables itself?



On 4/5/2011 2:11 PM, Steve Edwards wrote:



Because it's not the same?


The iptables approach is great because it is 'light-weight' and it 
should already 'be there.' Also, it can react quicker because it 
doesn't have to read log files to make a decision.


The 'downside' of the iptables approach is that the blocks go away when 
iptables is reloaded -- like when the host is restarted.


Probably not an issue with Gordon since his hosts stay up for years.

I'm thinking the iptables approach supplemented with a script to 
periodically save the block list to disk would allow persistent blocks 
as well as letting you accumulate blocks between all your hosts.


Which would still be much 'lighter' than fail2ban.


On Tue, 5 Apr 2011, Sherwood McGowan wrote:

Agreed on all points Steve. I've already implemented an auto save 
function, to workaround the drawback you mentioned.


Then you're already a couple of steps down the path further than me :)

Are there possibly other drawbacks that I'm not seeing/remembering? I've 
been running an iptables based setup for some time, never really jumped 
into the fail2ban wagon


I've never used fail2ban either. I don't think its advantages are 
functional, but more the somewhat intangible:


) It's included with several of the all-in-one Asterisk distributions.

) It's documented.

) It's more flexible

) Somebody else gets to enhance and maintain the code.

--
Thanks in advance,
-
Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
Newline  Fax: +1-760-731-3000



Re: [asterisk-users] Iptables configuration to handle brute force registrations?

2011-04-05 Thread Warren Selby
On Tue, Apr 5, 2011 at 2:40 PM, Steve Edwards asterisk@sedwards.com wrote:
snip


 Are there possibly other drawbacks that I'm not seeing/remembering? I've
 been running an iptables based setup for some time, never really jumped into
 the fail2ban wagon


 I've never used fail2ban either. I don't think its advantages are
 functional, but more the somewhat intangible:

 ) It's included with several of the all-in-one Asterisk distributions.

 ) It's documented.

 ) It's more flexible

 ) Somebody else gets to enhance and maintain the code.


Fail2ban is easy.  It's well documented and can be setup in just a few
minutes.  It's got an easy way to setup a whitelist that doesn't get banned
(so you don't ban yourself or any of your trunks, etc), and you can use it
for more than just asterisk blocking (I use it to monitor ssh and ftp as
well).  You can easily copy config files between systems, etc, plus all the
things you mentioned Steve.

That being said, it has several downsides too, i.e - whenever fail2ban is
restarted, the fail2ban chains are flushed (this occurs on system
restarts as well).  If you need to make changes to your iptables setup (i.e
change an IP address of a service provider), you really want to unload
fail2ban, make your changes directly to iptables, then save your new
iptables setup, then restart fail2ban.  Otherwise you'll end up saving your
fail2ban chains in with your regular chains, and when you restart fail2ban,
it'll try to add new f2b chains.  And for some reason people seem to think
that it requiring Python is a bad thing.  But then again, I'm not running it
on small systems - most of the systems I've put it on have plenty of excess
cpu and memory, so that hasn't been an issue for me.

-- 
Thanks,
--Warren Selby, dCAP
http://www.selbytech.com

Re: [asterisk-users] Iptables configuration to handle brute force registrations?

2011-04-05 Thread Paul Dugas
First, this appears to be working for me though I'm not 100% sure of
that and cannot guarantee it will for you in any way, shape or form.
With the lawyering out of the way...

I've seen fail2ban allow more than 500 failed SIP login attempts in
under 30 seconds before adding an iptables rule to block the attacker.
 Likely I have it configured wrong but lately, I've been tinkering
with iptables rules using the recent module as another layer of
defense.  Relevant lines from /etc/sysconfig/iptables on my
CENTOS/Asterisk machine below...

-A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --set --name SIP
-A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds 600 --hitcount 20 --rttl -j DROP
-A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds 300 --hitcount 10 --rttl -j DROP
-A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds 180 --hitcount 5 --rttl -j DROP
-A RH-Firewall-1-INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds 60 --hitcount 3 --rttl -j DROP
-A RH-Firewall-1-INPUT -p udp --dport 5060 -j ACCEPT

This blocks the attacker when too many new SIP connections happen in
too short a period of time.  I think fail2ban will now never see
enough failed logins to fire off a response.

$0.02

On Tue, Apr 5, 2011 at 2:31 PM, Bill Michaelson b...@cosi.com wrote:

 fail2ban might be good for this.

 On 04/05/2011 01:00 PM, asterisk-users-requ...@lists.digium.com wrote:

 Date: Tue, 5 Apr 2011 08:44:41 -0700 (PDT)
 From: Steve Edwards asterisk@sedwards.com
 Subject: Re: [asterisk-users] Iptables configuration to handle brute
   force registrations?

 On Tue, 5 Apr 2011, Gilles wrote:

   I'm no expert of iptables, and it seems like it can handle banning
 IP's that are trying to register and fail too many times.

 Is there a good iptables configuration that I could use as reference?

 Gordon Henderson posted a link to his script that handled failures above a
 threshold and some other cool stuff a few months back.



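A reference model of the four-tier recent-module chain Paul posted above, as an added example that is not code from the thread or from any of its posters. It replays constructed packet arrivals (documentation addresses) through the posted rule order, --set first, then the four --rcheck tiers, then ACCEPT, to show which tier fires and when; currently_blocked() enumerates what the periodic "save the block list" script Steve suggested would have to record. --rttl and the kernel's conntrack NEW decision are not modelled.

```python
"""Model of the xt_recent tiered SIP rate limit discussed in this thread.

Added example, not code from the thread or its posters. Replays constructed
(time_seconds, src_ip) packet arrivals through the posted rule order.
"""
from collections import defaultdict, deque

# The posted --rcheck tiers as (seconds, hitcount), in rule order.
TIERS = [(600, 20), (300, 10), (180, 5), (60, 3)]
# xt_recent remembers this many timestamps per address (module default).
PKT_LIST_TOT = 20


class RecentList:
    """One named xt_recent table (the thread's --name SIP)."""

    def __init__(self, max_pkts=PKT_LIST_TOT):
        self.hits = defaultdict(lambda: deque(maxlen=max_pkts))

    def set(self, src, now):
        """--set: record a hit; the oldest timestamp is discarded past max_pkts."""
        self.hits[src].append(now)

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds S --hitcount N: at least N hits in the last S seconds.
        Unlike --update, --rcheck never modifies the list."""
        hits = self.hits.get(src, ())
        return sum(1 for t in hits if now - t <= seconds) >= hitcount


def verdict_for(table, src, now):
    """Apply the posted chain to one NEW packet: rule 1 records it unconditionally
    (so dropped packets keep refreshing the entry), the first matching tier
    DROPs, and the final rule ACCEPTs whatever is left."""
    table.set(src, now)
    for seconds, hitcount in TIERS:
        if table.rcheck(src, now, seconds, hitcount):
            return f"DROP({hitcount}/{seconds}s)"
    return "ACCEPT"


def run_chain(packets, table=None):
    """Replay (time_seconds, src_ip) pairs in order; returns (table, verdicts)."""
    table = table if table is not None else RecentList()
    verdicts = [(t, src, verdict_for(table, src, t)) for t, src in packets]
    return table, verdicts


def currently_blocked(table, now):
    """Addresses some tier would DROP at time `now` (call with `now` no earlier
    than the last replayed packet): the list a periodic save job would write."""
    return sorted(src for src in table.hits
                  if any(table.rcheck(src, now, s, h) for s, h in TIERS))


# Constructed traffic (RFC 5737 documentation addresses):
# - 198.51.100.7 sends a NEW packet twice a second for ten seconds, then one
#   more after going quiet for most of the ten-minute window.
# - 192.0.2.10 is a NAT with three phones that all re-register at boot.
ATTACKER = "198.51.100.7"
NAT_SITE = "192.0.2.10"
SAMPLE = sorted(
    [(i * 0.5, ATTACKER) for i in range(20)] + [(700.0, ATTACKER)]
    + [(100.0, NAT_SITE), (101.0, NAT_SITE), (102.0, NAT_SITE), (400.0, NAT_SITE)]
)

if __name__ == "__main__":
    table, verdicts = run_chain(SAMPLE)
    for t, src, v in verdicts:
        print(f"t={t:6.1f}s  {src:14}  {v}")
    early, _ = run_chain([p for p in SAMPLE if p[0] <= 12.0])
    print("blocked at t=12s:", currently_blocked(early, 12.0))
```

The NAT case shows the side effect worth planning for: three phones behind one address registering within a minute trip the 60-second tier, so known sites belong in an ACCEPT rule placed ahead of the --rcheck rules.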

Re: [asterisk-users] Iptables configuration to handle brute force registrations?

2011-04-05 Thread Danny Nicholas
 -Original Message-
 From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-
 boun...@lists.digium.com] On Behalf Of Paul Dugas
 Sent: Tuesday, April 05, 2011 4:38 PM
 To: Asterisk Users Mailing List - Non-Commercial Discussion
 Subject: Re: [asterisk-users] Iptables configuration to handle brute force
 registrations?
 
 First, this appears to be working for me though I'm not 100% sure of
 that and cannot guarantee it will for you in any way, shape or form.
 With the lawyering out of the way...
 
 I've seen fail2ban allow more than 500 failed SIP login attempts in
 under 30 seconds before adding an iptables rule to block the attacker.
  Likely I have it configured wrong but lately, I've been tinkering
 with iptables rules using the recent module as another layer of
 defense.  Relevant lines from /etc/sysconfig/iptables on my
 CENTOS/Asterisk machine below...
 
snip
[Danny Nicholas] 
I'm no expert, but as I see it, for fail2ban to work properly in a heavy
attack environment, you MUST have your logs in realtime databases and
preferably also roll them frequently.  In normal Asterisk (as I use it),
logs are written at the end of a call (not good for attack scenario unless
attacks are quick and out) and in a heavy call environment, an attacker
could make quite a bit of headway before the log could be processed.
  
If you are realtime and rolling the logs hourly or so, fail2ban should
work pretty well, but no guarantees.


