On Mon, Sep 13, 2010 at 11:22:33AM -0400, Bryant Zimmerman wrote:
> Is there a way to drop an IP connection to Asterisk after a number of
> register attempts?
>
> I have been having issues with hackers doing registration scanning against
> our server. We block their address at the firewall but since Asterisk does
> not force a drop of the connect after so many bad reg attempts I can't
> enforce the block until they drop and try again. This allows them to run
> the box with reg attempts as long as they maintain their initial connection
> or I reset the state tables on the firewall. This is very bad. Is there a
> way to force the connection to drop and reconnect after let's say 50
> attempts?

Not an exact answer to your question, but if the attacker is using svwar (part of SIPVicious), setting alwaysauthreject=yes in sip.conf will make the probing stop after only TWO tries.

svwar first tries registering a few longish, random extensions before it begins a sequential or dictionary scan, to see how you handle unknown extensions. With alwaysauthreject set, svwar just gives up, complaining:

"ERROR:TakeASip:SIP server replied with an authentication request for an unknown extension. Set --force to force a scan."

I still see 3-4 attempts per week from various sites, but now they stop after just two failed registration attempts. Saves lots of wear and tear on my DSL.

I still run fail2ban, but after setting alwaysauthreject a few months ago nothing has passed its threshold. And nothing seems to have broken, either.

-- Barry
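
Added example, not part of the original message or of the Asterisk or fail2ban projects: a small log check in the spirit of the fail2ban threshold mentioned above, counting failed registrations per source address inside a sliding time window. The log line shape (chan_sip "Registration from ... failed for ..." notices with `dateformat=%F %T`), the `maxretry`/`findtime` defaults and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape: chan_sip "Registration from ... failed for ..." NOTICE
# messages with logger.conf dateformat=%F %T. Adjust LINE_RE to your version.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\][^:]*: "
    r"Registration from '.*' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - .+$"
)

def offenders(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Map each source IP that reached maxretry failed registrations inside
    a sliding findtime window to its total number of failures."""
    recent = defaultdict(deque)   # ip -> failure timestamps still in window
    total = defaultdict(int)      # ip -> all failures seen
    flagged = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # not a failed-registration line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        total[ip] += 1
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # expire failures older than findtime
        if len(window) >= maxretry:
            flagged.add(ip)
    return {ip: total[ip] for ip in sorted(flagged)}

def sample_log():
    """Constructed log lines (documentation addresses, invented extensions)."""
    fmt = ("[2010-09-13 11:%02d:%02d] NOTICE[2345] chan_sip.c: Registration "
           "from '\"%s\" <sip:%s@192.0.2.10>' failed for '%s' - %s")
    # A scanner that gives up after two tries, as described in the reply.
    lines = [fmt % (20, s, ext, ext, "203.0.113.5", "Wrong password")
             for s, ext in ((1, "8273645190"), (2, "5550192837"))]
    # A source that keeps going through sequential extensions.
    lines += [fmt % (30, s, 100 + s, 100 + s, "198.51.100.7:5060",
                     "No matching peer found") for s in range(6)]
    lines.append("[2010-09-13 11:31:00] VERBOSE[2345] pbx.c: unrelated line")
    return lines

if __name__ == "__main__":
    print(offenders(sample_log()))
```

With the default threshold the two-attempt source stays below it and only the persistent source is reported.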
