On Wed, 2016-03-23 at 12:57 +0800, James Andrewartha wrote:
> On 23/03/16 01:49, Brian J. Murrell wrote:
> > I wonder if anyone has applied rate limiting on their Shorewall in
> > front of an Asterisk or other SIP server.
>
> I would suggest looking at http://www.fail2ban.org/wiki/index.php/Asterisk
Yes, thanks. But as I said in my original message, "in conjunction with fail2ban", implying that I am already employing fail2ban. The problem is that the rate at which these cracking attempts come in is overwhelming for fail2ban at times, and thousands of attempts can come through before fail2ban has had time to process them and put the blocks in place.

Tangentially, I also find the blocking that fail2ban puts in place to be ineffective at times. I'm not sure if I'm seeing the blocking fail or if I am just seeing the latency of all the processing, but I continue to see fail2ban logging the attempts after the block has been added.

FWIW, I am blocking by adding the address to an ipset with:

    ipset -A "$set" "$IP"

and blocking $set with:

    Chain blacklst (2 references)
     pkts bytes target     prot opt in     out     source               destination
      977  107K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctdir REPLY
    ...
      159  8340 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set fail2ban src

I do notice that blacklst processing is happening in net_frwd before packets get pushed on to net2loc, where the:

      995  111K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

is happening, so it should all be working.

So maybe it really is just the latency of processing with such a burst of cracking attempts in a short period of time that I am seeing, which is exactly why I want to rate limit what is even making it in, using iptables via Shorewall.

I just want to be careful not to rate-limit legitimate traffic, which is why I was wondering if anyone had real-world experience they wanted to share rather than me figuring it out, eventually, by trial and error. Standing on the shoulders of giants, as the saying goes, or not re-inventing the wheel, as another saying goes.

Cheers,
b.
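Added example (editor's note, not part of the thread): Shorewall's RATE LIMIT column (the `s:` form) turns into an iptables `hashlimit` match keyed on source address, which is a per-source token bucket. Before putting such a rule in front of an Asterisk box it is worth running candidate rate/burst values over traffic shaped like your own, which is what the script below does. It models that bucket with exact arithmetic and feeds it three constructed sources: a single phone re-REGISTERing every minute, an office of 20 phones behind one NAT address, and a scanner firing 2000 attempts in ten seconds. The Shorewall rule lines in the comments, the traffic and the source names are all assumptions made for the illustration; the bucket model follows the documented hashlimit semantics (refill at the configured rate, capacity equal to the burst) but ignores table-expiry details.

```python
# Token-bucket model of the iptables "hashlimit" match that Shorewall's
# RATE LIMIT column (s:name:rate/unit:burst) generates, run over constructed
# SIP traffic to check a candidate limit before deploying it.
# Timestamps and rates use Fraction so the results are exact.
from collections import defaultdict
from fractions import Fraction

# Hypothetical /etc/shorewall/rules entries being modelled (assumed, not from
# the thread).  Packets over the limit fall through to later rules / policy:
#   ACCEPT  net  $FW  udp  5060  -  -  s:sip:10/min:20   # per-source 10/min, burst 20
#   ACCEPT  net  $FW  udp  5060  -  -  s:sip:60/min:40   # looser alternative


class HashLimit:
    """Per-source token bucket: refills rate_per_min tokens/min, holds at most burst."""

    def __init__(self, rate_per_min, burst):
        self.rate = Fraction(rate_per_min, 60)   # tokens per second
        self.burst = burst
        self.buckets = {}                         # src -> (tokens, last_seen)

    def allow(self, src, ts):
        tokens, last = self.buckets.get(src, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, ts)  # under the limit: spend a token
            return True
        self.buckets[src] = (tokens, ts)          # over the limit: packet dropped
        return False


def simulate(packets, rate_per_min, burst):
    """Return {src: (accepted, dropped)} for a list of (timestamp, src) packets."""
    hl = HashLimit(rate_per_min, burst)
    stats = defaultdict(lambda: [0, 0])
    for ts, src in sorted(packets):
        stats[src][0 if hl.allow(src, ts) else 1] += 1
    return {src: (acc, drop) for src, (acc, drop) in stats.items()}


def constructed_traffic():
    """Constructed sample: ten minutes of UDP/5060 from three sources."""
    pkts = []
    # One phone: REGISTER refresh every 60 s, plus a short call around t=125 s
    pkts += [(Fraction(t), "phone") for t in range(0, 600, 60)]
    pkts += [(Fraction(125), "phone"), (Fraction(251, 2), "phone"), (Fraction(160), "phone")]
    # An office behind one NAT: 20 phones, each registering every 60 s, 1 s apart
    pkts += [(Fraction(t + i), "office-nat") for t in range(0, 600, 60) for i in range(20)]
    # A scanner: 2000 REGISTER attempts in 10 s starting at t=300 (one every 5 ms)
    pkts += [(Fraction(300) + Fraction(i, 200), "scanner") for i in range(2000)]
    return pkts


if __name__ == "__main__":
    traffic = constructed_traffic()
    for rate, burst in ((10, 20), (60, 40)):
        print(f"s:sip:{rate}/min:{burst}")
        for src, (acc, drop) in sorted(simulate(traffic, rate, burst).items()):
            print(f"  {src:12s} accepted={acc:5d} dropped={drop:5d}")
```

With 10/min and a burst of 20 the lone phone is untouched and the scanner gets only 21 of its 2000 packets through, but the NAT'd office loses registrations from the second minute on, which is the false positive to watch for: a site that shares one public address, or a trunk provider, looks exactly like a slow scanner to a per-source limit. The looser 60/min:40 setting lets the office through cleanly and still drops all but 49 of the scanner's packets, so the in-kernel limit cuts the burst down to something fail2ban can keep up with. Known sites and providers are better handled with their own higher-limit rule listed before the general one than by loosening the general limit further.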
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users