Good afternoon.

Thanks to everyone for the answers. What I find strange is that asterisk does not have any native tool for SIP server security. Here's an example of the syslog messages from asterisk:

[Jun 15 03:05:46] NOTICE [25284] chan_sip.c: Registration from '"213" <sip:2...@my_extern_ip>' failed for '116 .124.128.82 '- Wrong password
[Jun 15 03:05:46] NOTICE [25284] chan_sip.c: Registration from '"213" <sip:2...@my_extern_ip>' failed for '116 .124.128.82 '- Wrong password
[Jun 15 03:05:46] NOTICE [25284] chan_sip.c: Registration from '"213" <sip:2...@my_extern_ip>' failed for '116 .124.128.82 '- Wrong password
[Jun 15 03:05:46] NOTICE [25284] chan_sip.c: Registration from '"213" <sip:2...@my_extern_ip>' failed for '116 .124.128.82 '- Wrong password
[Jun 15 03:05:46] NOTICE [25284] chan_sip.c: Registration from '"213" <sip:2...@my_extern_ip>' failed for '116 .124.128.82 '- Wrong password
[Jun 15 03:05:46] NOTICE [25284] chan_sip.c: Registration from '"213" <sip:2...@my_extern_ip>' failed for '116 .124.128.82 '- Wrong password
[Jun 15 03:05:46] NOTICE [25284] chan_sip.c: Registration from '"213" <sip:2...@my_extern_ip>' failed for '116 .124.128.82 '- Wrong password
[Jun 15 03:05:46] NOTICE [25284] chan_sip.c: Registration from '"213" <sip:2...@my_extern_ip>' failed for '116 .124.128.82 '- Wrong password

From what I told there are around twenty thousand records like that at one time. And at least once a week I receive such an attack coming from a different ip.

I will read the articles. Thanks again to everyone.

Regards,
Rodrigo Lang.

2010/6/29 Kenny Watson <[email protected]>

> Hi, you can use fail2ban
> http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
>
> Which works well: when a pattern is found in a log file it adds an
> iptables rule to block the traffic for a period.
>
> On debian you can apt-get install fail2ban and on centos/redhat yum -i
> fail2ban
>
> Thanks
>
> Kenny
>
> ----- Original Message -----
> From: "Gareth Blades" <[email protected]>
> To: "Asterisk Users Mailing List - Non-Commercial Discussion" <[email protected]>
> Sent: Tuesday, 29 June, 2010 4:12:42 PM
> Subject: Re: [asterisk-users] Find a way to block brute force attacks.
>
> Rodrigo Lang wrote:
> > Hello list.
> >
> > I'm trying to find a way to block any ip that tries to login more than
> > three times with the wrong password and tries to log in to three different
> > extensions. For I have suffered some brute force attacks on my asterisk
> > in the morning period.
> >
> > The idea would be: Any ip with three attempts without success to log
> > into an extension is blocked.
> >
> > Is there any way to accomplish this directly in asterisk? Or is
> > there some way for asterisk to spit this information out via the AMI?
> >
> > I was thinking of making a Java program to listen to the AMI and create a
> > rule in iptables for that specific ip.
> >
> > Does anyone have any suggestions?
> >
> >
> > Thanks,
> > Rodrigo Lang.
> >
> Does asterisk log the failed attempts to a file?
> If so then you could use sshblack to monitor the file for incorrect
> logins. It will add firewall rules to a custom iptables chain based on
> various criteria. You can then point incoming SIP connections through
> this chain so offenders will be firewalled for a specific amount of time.
> http://www.pettingers.org/code/sshblack.html
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
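
The three-failures rule asked about in this thread, as an added example that is not code from the thread, from Asterisk or from fail2ban: it parses chan_sip "Wrong password" lines, flags any IP with three failures inside a time window, and renders the iptables rule a log-watching blocker would add. The sample log lines, the 10-minute window, the assumed year and the UDP 5060 rule are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in chan_sip's format (documentation-range addresses).
SAMPLE_LOG = """\
[Jun 15 03:05:46] NOTICE[25284] chan_sip.c: Registration from '"213" <sip:213@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[Jun 15 03:05:46] NOTICE[25284] chan_sip.c: Registration from '"214" <sip:214@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[Jun 15 03:05:47] NOTICE[25284] chan_sip.c: Registration from '"215" <sip:215@192.0.2.10>' failed for '203.0.113.7:5060' - Wrong password
[Jun 15 08:00:00] NOTICE[25284] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.20' - Wrong password
[Jun 15 09:30:00] NOTICE[25284] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.20' - Wrong password
[Jun 15 17:45:00] NOTICE[25284] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.20' - Wrong password
"""

# From header is attacker-supplied; greedy (.*) takes the IP from the final "failed for" field.
FAILED = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ [\d:]{8})\] NOTICE\s*\[\d+\]\S* chan_sip\.c: "
    r"Registration from '(?P<frm>.*)' failed for '(?P<host>[^']+)' - Wrong password")

def offenders(lines, max_retry=3, find_time=timedelta(minutes=10), year=2010):
    """Map each IP with max_retry failures inside find_time to the extensions it tried."""
    recent, tried, flagged = defaultdict(deque), defaultdict(set), {}
    for line in lines:
        m = FAILED.match(line.strip())
        if not m:
            continue
        host = m["host"].strip()
        if host.count(":") == 1:           # IPv4 logged as "address:port"
            host = host.split(":")[0]
        try:
            ip = str(ipaddress.ip_address(host))
        except ValueError:                 # not an address: keep it away from the firewall
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # log has no year
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:  # drop failures older than the window
            window.popleft()
        ext = re.search(r"sip:([^@>]+)@", m["frm"])
        if ext:
            tried[ip].add(ext.group(1))
        if len(window) >= max_retry:
            flagged[ip] = sorted(tried[ip])
    return flagged

def iptables_rules(flagged):
    """Render, without executing, one DROP rule per offender for SIP on UDP 5060."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP" for ip in sorted(flagged)]
```

On the sample, only 203.0.113.7 is flagged; the user at 198.51.100.20 who mistypes a password three times over one day stays outside the window and is not blocked.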
