Re: [opensuse] firewall/iptables suggestion for preventing brute-force SIP attempts?

4 Apr 2013


      Togan Muftuoglu wrote:
...
On 04/04/2013 03:49 PM, Per Jessen wrote:
...
Here is what used to have:
## SIP flood protection
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent
--name sipattack --set $IPTABLES -A INPUT -i $EXTERNALIF -p udp
--dport 5060 -m recent --name sipattack --update --seconds 60
--hitcount 6 -j LOG --log-prefix 'SIP attack: ' $IPTABLES -A INPUT -i
$EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --update
--seconds 60 --hitcount 6 -j DROP
I don't currently have any external SIP users, but I'm pretty
certain the above also gave legitimate users a problem.  I'm
wondering if it is because the firewall needs to look into the SIP
packet to be able to determine what it is.
In addition I have FW_EXT_UDP=10000:20000 since my rtf.conf is
rtpstart=10000
rtpend=20000
Yes, I also have those open

# SIP traffic
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -j ACCEPT
# these are STUN ports
$IPTABLES -A INPUT -p udp --dport 3478:3479 -i $EXTERNALIF -j ACCEPT
# IAX2 traffic
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 4569 -j ACCEPT
#
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 10000:20000 -j ACCEPT


/Per

-- 
Per Jessen, Zürich (9.2°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org