Interesting, thanks for sharing! I like the approach DenyHosts takes:
http://denyhosts.sourceforge.net/
It can be configured to look at all services rather than just SSH. It does so
by watching /var/log/secure. If sipXecs were to report activity to the system
log facilities, DenyHosts should be able to pick up the attack and upload the
offending host IP to the central server. As an example, it picked up this ftp
brute force attack this week on one of my hosts:
vsftpd:
Unknown Entries:
check pass; user unknown: 749 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=di7s00009.lunarbreeze.com : 225 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=administrator rhost=di7s00009.lunarbreeze.com : 225 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=di7s00009.lunarbreeze.com : 225 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test123 rhost=di7s00009.lunarbreeze.com : 74 Time(s)
In the past I have also used DenyHosts to kick off a ruby script to email the
abuse email addresses from the offending IP's whois. It would record the
portion of the logs containing the attack and notify the network admin that
the IP had been uploaded to the central server. In other words, you can play
offense as well as defense, if you so choose.
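The detection step described above, as an added example that is not part of the original post or of DenyHosts itself: it parses the PAM "authentication failure" records vsftpd writes to /var/log/secure (the raw form of the logwatch summary quoted earlier), counts failures per remote host, and emits hosts.deny entries for hosts that reach a threshold. The threshold, the daemon name and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the PAM failure records vsftpd writes to /var/log/secure, the same
# records that logwatch aggregates into the "authentication failure" lines above.
FAILURE_RE = re.compile(
    r"authentication failure;.*\btty=(?P<tty>\S+)\s+ruser=(?P<ruser>\S*)\s+rhost=(?P<rhost>\S+)"
)

def summarise_failures(lines):
    """Group failed logins by remote host: {rhost: {"count": n, "users": [...]}}."""
    per_host = defaultdict(lambda: {"count": 0, "users": set()})
    for line in lines:
        m = FAILURE_RE.search(line)
        if not m:  # e.g. "check pass; user unknown" carries no rhost, so it is skipped
            continue
        rec = per_host[m.group("rhost")]
        rec["count"] += 1
        rec["users"].add(m.group("ruser") or "<empty>")
    return {h: {"count": r["count"], "users": sorted(r["users"])} for h, r in per_host.items()}

def hosts_to_deny(lines, threshold):
    """Hosts at or above the failure threshold (the DenyHosts-style block policy)."""
    return sorted(h for h, r in summarise_failures(lines).items() if r["count"] >= threshold)

def hosts_deny_entries(hosts, daemon="vsftpd"):
    """Render /etc/hosts.deny lines in 'daemon: host' form (DenyHosts' BLOCK_SERVICE picks the daemon)."""
    return [f"{daemon}: {h}" for h in hosts]

# Constructed sample in syslog format; host names are placeholders, not real indicators.
SAMPLE_LOG = [
    "Oct  1 03:14:07 pbx vsftpd[2141]: pam_unix(vsftpd:auth): check pass; user unknown",
    "Oct  1 03:14:07 pbx vsftpd[2141]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=scanner.example.invalid",
    "Oct  1 03:14:09 pbx vsftpd[2142]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=administrator rhost=scanner.example.invalid",
    "Oct  1 03:14:11 pbx vsftpd[2143]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=scanner.example.invalid",
    "Oct  1 08:02:30 pbx vsftpd[2290]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=alice rhost=desk7.example.invalid",
]

if __name__ == "__main__":
    for host, rec in summarise_failures(SAMPLE_LOG).items():
        print(f"{host}: {rec['count']} failure(s), users tried: {', '.join(rec['users'])}")
    # A single typo from a legitimate user stays below the threshold; the scanner does not.
    print("\n".join(hosts_deny_entries(hosts_to_deny(SAMPLE_LOG, threshold=3))))
```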
From: [email protected] [mailto:[email protected]] On Behalf Of Tony Graziano
Sent: Monday, October 01, 2012 12:29 PM
To: Sipx-users list
Subject: [sipx-users] New wiki page for the masses :: DOS protection using iptables (4.4 and earlier)
Please see:
http://wiki.sipfoundry.org/display/sipXecs/Basic+DOS+%28onboard+with+iptables%29+protection+in+sipx+4.4+and+later
Constructive comments and criticism are always welcome. The idea here was to
deny "friendly-scanner" and rate limit "remote hosts" only.
--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: [email protected]
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:
http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~
Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: [email protected]
Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
_______________________________________________
sipx-users mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users/