Well, the whole thing about 4.6 is that there is a beginning in how security can be centralized. It's a three-pronged approach:

1. Firewall (until such time as it becomes a service in a cloud instance), then
2. onboard firewall (iptables), which has some automatic configuration stuff in 4.6 but doesn't do things like some of the more elegant methods like fail2ban and DenyHosts, then
3. proxy. The proxy in 4.6 has a DoS protection mechanism.

So in my immediate needs, I looked at 4.4 (and earlier) and was trying to be creative in finding a method that anyone can implement without breaking an older installation and adding a layer of protection. For instance, since "friendly-scanner" is blocked at the firewall, the proxy is unencumbered to deal with it, but since it's trivial to change the UA string in the SIPVicious script, the limiting for the IP address still works and the proxy is only briefly bothered.

I also think an ACL using IP zone files is a great idea, though I think it's better to roll that into sipxconfig to make security more robust (block or allow certain zones/countries, etc.), to lessen the footprint an attack can harness. I also think it would be trivial to include FTP rate limiting in my example too.

As I said, 4.6 is different and likely headed for http/https provisioning sometime soon. If you have examples, the wiki would be a good place to add them!

On Mon, Oct 1, 2012 at 2:37 PM, [email protected] <[email protected]> wrote:

> Interesting, thanks for sharing! I like the approach DenyHosts takes:
>
> http://denyhosts.sourceforge.net/
>
> It can be configured to look at all services rather than just SSH. It does
> so by watching /var/log/secure. If sipXecs were to report activity to the
> system log facilities, DenyHosts should be able to pick up the attack and
> upload the offending host IP to the central server.
>
> As an example, it picked up this ftp brute force attack this week on one of
> my hosts:
>
> vsftpd:
>
> Unknown Entries:
> check pass; user unknown: 749 Time(s)
> authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=di7s00009.lunarbreeze.com : 225 Time(s)
> authentication failure; logname= uid=0 euid=0 tty=ftp ruser=administrator rhost=di7s00009.lunarbreeze.com : 225 Time(s)
> authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=di7s00009.lunarbreeze.com : 225 Time(s)
> authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test123 rhost=di7s00009.lunarbreeze.com : 74 Time(s)
>
> In the past I have also used DenyHosts to kick off a ruby script to email
> the abuse email addresses from the offending IP's whois. It would record
> the portion of the logs containing the attack and give notification to the
> network admin that the IP has been uploaded to the central server. In other
> words you can play offense as well as defense, if you so choose.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Tony Graziano
> Sent: Monday, October 01, 2012 12:29 PM
> To: Sipx-users list
> Subject: [sipx-users] New wiki page for the masses :: DOS protection using iptables (4.4 and earlier)
>
> Please see:
>
> http://wiki.sipfoundry.org/display/sipXecs/Basic+DOS+%28onboard+with+iptables%29+protection+in+sipx+4.4+and+later
>
> Constructive comments and criticism are always welcome. The idea here was
> to deny "friendly-scanner" and rate limit "remote hosts" only.
>
> --
> ~~~~~~~~~~~~~~~~~~
> Tony Graziano, Manager
> Telephone: 434.984.8430
> sip: [email protected]
> Fax: 434.465.6833
> ~~~~~~~~~~~~~~~~~~
> Linked-In Profile: http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
> Ask about our Internet Fax services!
> ~~~~~~~~~~~~~~~~~~
> Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
> <http://sipxcolab2013.eventbrite.com/?discount=tony2013>
>
> LAN/Telephony/Security and Control Systems Helpdesk:
> Telephone: 434.984.8426
> sip: [email protected]
> Helpdesk Customers: http://myhelp.myitdepartment.net
> Blog: http://blog.myitdepartment.net
>
> _______________________________________________
> sipx-users mailing list
> [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-users/
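As an added example, not part of the thread and not the rules from the sipXecs wiki page it links: a small Python script that does by hand what the thread describes DenyHosts doing, on constructed /var/log/secure lines of the same pam_unix shape as the quoted vsftpd summary (plus sshd's own "Failed password" lines). It counts authentication failures per remote host across services, picks the repeat offenders, and emits the iptables commands for the two layers discussed above: per-host DROP rules for the offenders, and a static SIP layer that exempts the LAN, drops the SIPVicious default User-Agent "friendly-scanner" by payload string match, and rate-limits everything else per source IP. The SIP port, rate, burst, threshold, LAN range and sample addresses are assumptions; `-m string` and `-m hashlimit` are standard iptables match extensions. The script prints the rules instead of running them, so it is safe to try anywhere.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure in the pam_unix format vsftpd writes,
# plus two sshd line shapes. Addresses are documentation ranges, not the hosts
# from the thread. The final "Accepted publickey" line is there to show that
# successful logins are ignored.
SAMPLE_LOG = """\
Oct  1 12:01:03 pbx vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=198.51.100.23
Oct  1 12:01:04 pbx vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=administrator rhost=198.51.100.23
Oct  1 12:01:05 pbx vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=198.51.100.23
Oct  1 12:01:06 pbx vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test123 rhost=198.51.100.23
Oct  1 12:02:10 pbx sshd[4321]: Failed password for invalid user oracle from 203.0.113.7 port 51234 ssh2
Oct  1 12:02:11 pbx sshd[4321]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Oct  1 12:03:00 pbx sshd[4330]: Failed password for tony from 192.0.2.10 port 40000 ssh2
Oct  1 12:03:05 pbx sshd[4330]: Accepted publickey for tony from 192.0.2.10 port 40000 ssh2
"""

# One pattern per log shape; each captures the remote host as group "host".
FAILURE_PATTERNS = (
    # pam_unix "authentication failure; ... rhost=<host>" (vsftpd, login, ...)
    re.compile(r"authentication failure;.*\brhost=(?P<host>\S+)"),
    # sshd's own "Failed password for [invalid user] <user> from <host>"
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+)"),
)


def count_failures(log_text):
    """Count authentication failures per remote host, all services together."""
    counts = Counter()
    for line in log_text.splitlines():
        for pattern in FAILURE_PATTERNS:
            match = pattern.search(line)
            if match:
                counts[match.group("host")] += 1
                break  # one failure per line, whichever pattern matched
    return counts


def offenders(counts, threshold):
    """Hosts with at least `threshold` failures, worst first."""
    return [host for host, n in counts.most_common() if n >= threshold]


def block_rules(hosts):
    """Per-host DROP rules, inserted at the head of INPUT so they take
    precedence over any later ACCEPT for the same port."""
    return ["iptables -I INPUT -s %s -j DROP" % host for host in hosts]


def sip_baseline_rules(sip_port=5060, lan_cidr="192.168.1.0/24",
                       rate="10/sec", burst=20):
    """Static SIP layer (assumed port, LAN range and rate). Order matters:
    1. phones on the LAN are accepted unconditionally (rate limit remote only);
    2. UDP SIP whose payload carries SIPVicious's default User-Agent is dropped,
       a cheap first cut that an attacker defeats by editing the UA string;
    3. remaining remote SIP is accepted only up to `rate` per source IP
       (`--hashlimit-mode srcip`), which is what still holds once the UA changes;
    4. whatever exceeds the rate falls through to DROP."""
    return [
        "iptables -A INPUT -p udp --dport %d -s %s -j ACCEPT" % (sip_port, lan_cidr),
        'iptables -A INPUT -p udp --dport %d -m string --string "friendly-scanner" '
        "--algo bm -j DROP" % sip_port,
        "iptables -A INPUT -p udp --dport %d -m hashlimit --hashlimit-name sip-remote "
        "--hashlimit-mode srcip --hashlimit-upto %s --hashlimit-burst %d -j ACCEPT"
        % (sip_port, rate, burst),
        "iptables -A INPUT -p udp --dport %d -j DROP" % sip_port,
    ]


def build_ruleset(log_text, threshold=3):
    """Everything a cron job would feed to the shell: the static SIP layer plus
    a DROP for every host at or over the failure threshold."""
    return sip_baseline_rules() + block_rules(
        offenders(count_failures(log_text), threshold))


if __name__ == "__main__":
    for rule in build_ruleset(SAMPLE_LOG):
        print(rule)
```

Run it as-is to see the rules for the constructed log; to use it for real, feed it the contents of /var/log/secure and pipe the output into `sh`. On the 2012-era iptables shipped with older CentOS releases the `--hashlimit-upto` option is spelled `--hashlimit`; the per-source bucket otherwise behaves the same.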
