I wonder if anyone has applied rate limiting on their Shorewall in front of an Asterisk or other SIP server.
The basic problem is high-rate cracking attempts... people trying to brute-force attack the server with registrations and/or SIP call attempts. While I've read about the RATE LIMIT column in the rules file, I think what I am looking for is more real-world experience with the kinds of rate limiting rules that are effective at thwarting those cracking attempts (in conjunction with fail2ban, for example) while not locking out legitimate users.

What I mean is that I probably don't want to rate limit based purely on packet counts from a given source IP address, but rather on "connection attempts". But with SIP being UDP, and UDP session tracking being more nebulous and difficult due to the lack of very clear start/end session markers like TCP's SYN and FIN/RST flags, I suspect that a single logon/refused pair of packets from the attacker to my SIP server and back will "establish" a session for that IP address, such that the barrage of subsequent login/refused packets will all be counted in the one session rather than creating new sessions and tripping session/connection based rate limiting.

So, any thoughts or specific configurations anyone wants to share?

Cheers, b.
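The concern raised above can be made concrete with a small model. The following is an added example, not code from the original post, from Shorewall or from Asterisk. It models two things: how UDP connection tracking keys on the 5-tuple (source IP, source port, destination IP, destination port), so that every REGISTER an attacker sends from the same source port lands in one conntrack entry, and a sliding-window counter keyed on source IP that counts SIP REGISTER/INVITE request lines instead, which is the "connection attempt" notion the post is after and the kind of signal a fail2ban-style filter works from. The traffic sample, the thresholds (10 attempts per 60 seconds) and the addresses are constructed for the example; iptables/Shorewall RATE LIMIT matches count packets that hit the rule, not SIP transactions, which is why the packet-level and request-level views differ.

```python
import re
from collections import defaultdict, deque

# A datagram is (timestamp_seconds, src_ip, src_port, dst_ip, dst_port, first_line_of_sip_message).
# The sample below is constructed: one scanner hammering REGISTER from a single source port,
# and one legitimate phone doing a REGISTER refresh every 60 s plus OPTIONS keepalives.
def build_sample():
    datagrams = []
    for i in range(30):  # 30 REGISTER attempts in about 10 s from the same 5-tuple
        datagrams.append((100.0 + i * 0.33, "203.0.113.7", 5060, "198.51.100.1", 5060,
                          "REGISTER sip:198.51.100.1 SIP/2.0"))
    for i in range(5):   # legitimate registration refresh, one per minute
        datagrams.append((100.0 + i * 60, "192.0.2.10", 49152, "198.51.100.1", 5060,
                          "REGISTER sip:198.51.100.1 SIP/2.0"))
    for i in range(15):  # OPTIONS keepalives every 20 s; these are not login attempts
        datagrams.append((100.0 + i * 20, "192.0.2.10", 49152, "198.51.100.1", 5060,
                          "OPTIONS sip:198.51.100.1 SIP/2.0"))
    datagrams.sort(key=lambda d: d[0])
    return datagrams


# Simplified conntrack view: UDP "connections" are identified purely by the 5-tuple,
# so repeated attempts from one source port collapse into a single entry.
def conntrack_entries(datagrams):
    entries = defaultdict(int)
    for _ts, src_ip, src_port, dst_ip, dst_port, _line in datagrams:
        entries[(src_ip, src_port, dst_ip, dst_port)] += 1
    return dict(entries)


_REQUEST_LINE = re.compile(r"^([A-Z]+) sip:\S+ SIP/2\.0$")

# Return the SIP method of a request line, or None for responses and junk.
def parse_method(line):
    m = _REQUEST_LINE.match(line)
    return m.group(1) if m else None


# Sliding-window counter keyed on source IP over SIP *requests* of interest.
# Returns {src_ip: timestamp at which the threshold was first exceeded}.
def flag_sources(datagrams, window=60.0, threshold=10,
                 methods=frozenset({"REGISTER", "INVITE"})):
    recent = defaultdict(deque)
    flagged = {}
    for ts, src_ip, _sport, _dip, _dport, line in datagrams:
        if parse_method(line) not in methods:
            continue
        q = recent[src_ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) > threshold and src_ip not in flagged:
            flagged[src_ip] = ts
    return flagged


if __name__ == "__main__":
    sample = build_sample()
    for tuple_, count in sorted(conntrack_entries(sample).items()):
        print(f"conntrack {tuple_}: {count} packets in one entry")
    for ip, ts in flag_sources(sample).items():
        print(f"flag {ip}: exceeded threshold at t={ts:.2f}")
```

Running it shows the scanner's 30 REGISTERs as one conntrack entry (so a per-connection limit never trips) while the request counter flags the source after the eleventh attempt, and the phone at 192.0.2.10 is never flagged because OPTIONS keepalives are ignored and its REGISTER refreshes stay far below the threshold.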
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users