Re: [asterisk-users] RES: Auto ban IP addresses

2013-01-03 Thread Leandro Dardini
I am using fail2ban on all my asterisk servers, but beware, fail2ban can be
a dangerous piece of software. The problem relies on the fact that SIP uses UDP, so it
is possible to send messages with a forged source IP address. This way the
bad guy out there can ban all your IP addresses. I say it is possible
without having investigated in deep detail what is really needed to do it.

Leandro

2013/1/3 Éder e...@openminds.com.br

 Howto fail2ban in asterisk


 http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk



 -Original message-
 From: asterisk-users-boun...@lists.digium.com
 [mailto:asterisk-users-boun...@lists.digium.com] On behalf of Frank
 Sent: Wednesday, January 2, 2013 20:50
 To: Asterisk Users Mailing List - Non-Commercial Discussion
 Subject: [asterisk-users] Auto ban IP addresses

 Greetings all,

 I have been seeing a lot of

 [Jan  2 16:36:31] NOTICE[7519]: chan_sip.c:23149 handle_request_invite:
 Sending fake auth rejection for device
 100sip:100@108.161.145.18;tag=2e921697

 in my logs lately. Is there a way to automatically ban IP address from
 attackers within asterisk ?


 Thank you

 --
 _
 -- Bandwidth and Colocation Provided by http://www.api-digital.com --
 New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

 asterisk-users mailing list
 To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users



Re: [asterisk-users] RES: Auto ban IP addresses

2013-01-03 Thread Ishfaq Malik
On Thu, 2013-01-03 at 09:42 +0100, Leandro Dardini wrote:
 I am using fail2ban on all my asterisk servers, but beware, fail2ban
 can be a dangerous piece of software. The problem relies on the fact that SIP
 uses UDP, so it is possible to send messages with a forged source IP
 address. This way the bad guy out there can ban all your IP
 addresses. I say it is possible without having investigated in deep
 detail what is really needed to do it.
 
 
The jail.conf in fail2ban allows for a whitelist of IPs that will never
be banned


-- 
Ishfaq Malik i...@pack-net.co.uk
Department: VOIP Support
Company: Packnet Limited
t: +44 (0)845 004 4994
f: +44 (0)161 660 9825
e: i...@pack-net.co.uk
w: http://www.pack-net.co.uk

Registered Address: PACKNET LIMITED, 2A ENTERPRISE HOUSE, LLOYD STREET
NORTH, MANCHESTER
SCIENCE PARK, MANCHESTER, M156SE
COMPANY REG NO. 04920552
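
The whitelist mentioned in the reply above, and the forged-source concern it answers, modelled as an added Python example (not part of the original thread and not fail2ban's own code). The regex, the function name `hosts_to_ban`, and all addresses are assumptions constructed for illustration; `ignoreip` and `maxretry` mirror the jail.conf option names.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical pattern for the NOTICE quoted in the thread; not fail2ban's shipped filter.
# Assumption: the host in the logged device string is the address acted on.
FAKE_AUTH = re.compile(
    r"Sending fake auth rejection for device \S*?sip:[^@\s]+@"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log; every address is from a documentation range.
_TPL = ("[Jan  2 16:36:{s:02d}] NOTICE[7519]: chan_sip.c:23149 "
        "handle_request_invite: Sending fake auth rejection for device "
        "100sip:100@{ip};tag=2e921697")
SAMPLE_LOG = "\n".join(
    [_TPL.format(s=i, ip="203.0.113.7") for i in range(3)]            # scanner
    + [_TPL.format(s=10 + i, ip="198.51.100.10") for i in range(3)]   # forged: SIP provider
    + [_TPL.format(s=20, ip="192.0.2.44"),                            # single failure
       "[Jan  2 16:36:21] VERBOSE[7519]: unrelated line"]
)


def hosts_to_ban(log_text, ignoreip=(), maxretry=3):
    """Return hosts with at least maxretry matches, skipping ignoreip entries."""
    nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    hits = Counter()
    for line in log_text.splitlines():
        m = FAKE_AUTH.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("host"))
        except ValueError:
            continue  # e.g. 999.1.1.1: matched the pattern but is not an address
        if any(addr in net for net in nets):
            continue  # whitelisted: never counted, so never banned
        hits[str(addr)] += 1
    return sorted(h for h, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    print("no whitelist:  ", hosts_to_ban(SAMPLE_LOG))
    print("with whitelist:", hosts_to_ban(SAMPLE_LOG, ["198.51.100.0/24"]))
```

The whitelist only protects the networks listed in it; any other forged source that reaches the threshold is still returned for banning.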




[asterisk-users] RES: Auto ban IP addresses

2013-01-03 Thread Éder
Interesting...

-Original message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On behalf of Geoff Lane
Sent: Thursday, January 3, 2013 10:06
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Auto ban IP addresses

On Wednesday, January 2, 2013, Frank wrote:

 Is there a way to automatically ban IP address from attackers within 
 asterisk ?

As others have mentioned, fail2ban does a good job. However, it may not be
enough as these attacks sometimes come from older versions of the SipVicious
hacking tool that keep trying even after they cease getting a response --
i.e. the attack continues even after fail2ban has jailed the host, which
eats into your bandwidth and can cause denial of service in extreme cases.

FWIW, I suffered one such attack last year after my router died and the
temporary replacement couldn't selectively block or forward UDP
5060 based on WAN IP address. The attack continued for over eight days and
consumed over a gigabyte a day of my bandwidth for the first three of those
days -- until I'd replaced the temporary router and taken proactive
measures. An initial LART to the attacking host's owner and their provider
achieved little.

I ended up installing SipVicious to a virtual machine to which I routed all
SIP requests from the attacker. On the VM I set up svcrash to automatically
crash the attacking script each time it received a SIP request. This cut the
attack down to one request every couple of seconds. In the end, I suggested
to the owner of the attacking host that it might be a good idea for them to
remove Python unless it was actually needed and in any case to remove from
that machine all instances of svwar.py and svcrack.py together with the
remainder of the SipVicious suite. The attack stopped shortly after.

I suspect that any system that responds to all SIP requests is likely to
attract such attacks. My solution is to silently drop SIP traffic from all
but my SIP providers, which means that attackers perceive that my Asterisk
box doesn't exist. This is not ideal as it also prevents legitimate direct
SIP calls and reinvites, but IMO better that than having bandwidth I pay for
by the gigabyte consumed by brute force attacks.

--
Geoff




[asterisk-users] RES: Auto ban IP addresses

2013-01-02 Thread Éder
Hi,

Fail2ban 

http://en.gentoo-wiki.com/wiki/HOWTO_fail2ban


-Original message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On behalf of Frank
Sent: Wednesday, January 2, 2013 20:50
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] Auto ban IP addresses

Greetings all,

I have been seeing a lot of

[Jan  2 16:36:31] NOTICE[7519]: chan_sip.c:23149 handle_request_invite: 
Sending fake auth rejection for device
100sip:100@108.161.145.18;tag=2e921697

in my logs lately. Is there a way to automatically ban IP address from
attackers within asterisk ?


Thank you



[asterisk-users] RES: Auto ban IP addresses

2013-01-02 Thread Éder
Howto fail2ban in asterisk

http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk



-Original message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On behalf of Frank
Sent: Wednesday, January 2, 2013 20:50
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] Auto ban IP addresses

Greetings all,

I have been seeing a lot of

[Jan  2 16:36:31] NOTICE[7519]: chan_sip.c:23149 handle_request_invite: 
Sending fake auth rejection for device
100sip:100@108.161.145.18;tag=2e921697

in my logs lately. Is there a way to automatically ban IP address from
attackers within asterisk ?


Thank you
