Marcus Meissner wrote:
On Thu, Apr 04, 2013 at 11:18:09AM +0200, Togan Muftuoglu wrote:
On 04/04/2013 10:47 AM, Per Jessen wrote:
Our asterisk server is seeing numerous brute force attempts to get access to a SIP account. I've tried setting up a 'prevent flood' config with iptables, but without much success. fail2ban et al. do not work, so I was hoping someone might have a hint wrt an iptables setup to stop such brute force attacks?
Well, not the answer you are looking for, but don't find yourself alone in this game, as my server is also under brute force attack, and no, till now I have not been able to find any solution either. I have tried all the approaches you have tried, but no success. I can't find a way to block, as most of these attacks are logged as below, where XXX is my server's own address, hence fail2ban unfortunately fails, or I can't find a better way to get the attackers' IP address.
100000<sip:100000@XXX.XXX.XXX.XX>;tag=eb6db4c6
So if you find a solution please share, as this issue has been getting on my nerves for a long time now.
Is this always the same TCP/UDP port?
Yes, always UDP port 5060.
Then add a filter like the ssh "recent" filtering?
Remove it from the generic FW_SERVICES_EXT_TCP line, and add to the FW_SERVICES_ACCEPT_EXT line something like the ssh example:

FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
I've tried that, but had to disable it. I can't remember why, but it somehow interfered with legitimate SIP traffic.

-- 
Per Jessen, Zürich (7.3°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
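The hitcount/blockseconds filter Marcus suggests, modelled in Python as an added example (not from this thread and not SuSEfirewall2's own code), to show why a rule tuned for ssh interferes with legitimate SIP: a desk phone's REGISTER plus periodic OPTIONS keepalives reaches a hitcount=3 in 60 s threshold just as a brute-forcer does. The addresses, packet cadences and the simplified recent-module semantics are constructed assumptions.

```python
"""Simplified model of the SuSEfirewall2 hitcount/blockseconds filter on UDP 5060.

Approximates iptables' `recent` module: every packet from a source is recorded,
and a source with `hitcount` or more packets inside the last `seconds` is dropped
for as long as it keeps sending. Constructed illustration, not SuSEfirewall2 code.
"""
from collections import defaultdict


def filter_packets(packets, hitcount=3, seconds=60):
    """packets: iterable of (time_s, src_ip, sip_method), sorted by time.

    Returns {src_ip: [(sip_method, "ACCEPT" | "DROP"), ...]}.
    """
    seen = defaultdict(list)      # src_ip -> timestamps still inside the window
    verdicts = defaultdict(list)
    for t, src, method in packets:
        window = [ts for ts in seen[src] if t - ts < seconds]
        window.append(t)          # --set / --update: record this packet too
        seen[src] = window
        # --hitcount: drop once the source reached the threshold within the window
        verdict = "DROP" if len(window) >= hitcount else "ACCEPT"
        verdicts[src].append((method, verdict))
    return verdicts


def constructed_traffic():
    """Constructed sample: one REGISTER brute-forcer and one legitimate desk phone."""
    brute = [(i * 0.5, "203.0.113.5", "REGISTER") for i in range(20)]   # 2 guesses/s
    phone = [(0.0, "198.51.100.7", "REGISTER")]
    phone += [(t, "198.51.100.7", "OPTIONS")                            # keepalive every 20 s
              for t in (20.0, 40.0, 60.0, 80.0, 100.0)]
    return sorted(brute + phone)


def summarize(verdicts, src):
    """Return (accepted, dropped) packet counts for one source."""
    drops = sum(1 for _, v in verdicts[src] if v == "DROP")
    return len(verdicts[src]) - drops, drops


if __name__ == "__main__":
    for hc in (3, 10):
        v = filter_packets(constructed_traffic(), hitcount=hc)
        print(f"hitcount={hc}: brute-forcer accepted/dropped = {summarize(v, '203.0.113.5')}, "
              f"phone accepted/dropped = {summarize(v, '198.51.100.7')}")
```

With hitcount=3 the phone is cut off at its third keepalive, which matches the interference Per describes; raising hitcount to 10 lets the phone through while the 2 packets/s brute-forcer is still dropped within five seconds.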