[cc'ed Phil Schwartz of DenyHosts and Cyril Jaquier of Fail2Ban] On Mar 16, 2009, at 12:05 PM, JR Richardson wrote:
>> No matter how the system is set up there should be a way to easily
>> add known-good IP as they relate to a particular installation.
>>
> The Project Honey Pot looks great.
>
> I'm not too keen on whitelisting though. It would be hard to verify
> an attacker's IPs that haven't been identified as bad yet. I'm sure
> some hackers would troll the blacklist and try to add their IPs as
> known good. I don't think this would be some automated mechanism for
> PBX server subscription, at least not yet.
>
> I'm thinking more along the lines of a central list, updated by
> community participants, to add IPs that have attacked them, with
> date/time of the attack. It would be up to the PBX admin to employ a
> filter with those blacklisted IPs or disregard the list altogether.
>
> Thanks
>
> JR
> --
> JR Richardson
> Engineering for the Masses

[Phil and Cyril - the quick synopsis here is that Asterisk systems are being hit with some frequency with brute-force SIP password or extension guessing attacks. Asterisk can output logfiles (non-customizable) of failures.]

JR and I had been having parts of this conversation off-line, but it's probably worth bringing it up here.

I am of the opinion that a "blacklist" is probably useful for some people, as an optional method to automatically configure certain firewall filters or other ACLs which would deny certain IP addresses from reaching the SIP stack. This could be triggered by quantity of requests within a certain time period, or number of failures, or whatever. In fact, there are people who have configured Fail2Ban already to serve locally as a prophylactic for their own machines. JR's point is that there would optimally be some distributed mechanism which would serve to collect the IP addresses as reported by a wide variety of endpoints, such that badly acting IP addresses would be denied even the first step in blocking.
The Honey Pot Project seems interesting, but it's not quite the right collection method - they seem to be fairly mail-focused, and their input comes from dormant accounts that they run themselves. Or am I missing how they could be easily used for SIP?

It seems that the combination of Fail2Ban and DenyHosts would provide a fairly strong method of both detecting and then centrally storing "bad" IP addresses. I don't know enough about either to say if one duplicates the other as far as functionality, so I'm hoping the authors/members of those packages might chime in here.

If I can get some good comments, I'll make this a blog post and maybe we can have a session or two on this at Astricon (hint, hint - JR, you're on the hook!)

Lastly, this again doesn't seem to be specific to Asterisk except for inputs of logfile data which would be standardized and reported back up the reporting path to the repository. This is an opportunity for anyone with SIP devices to start contributing to a new database. If we can get some interest and a beta platform in place using Asterisk logfiles and something like iptables, then I'd hope to start bringing in people from other SIP platforms such as Kamailio/SER/OpenSER, FreeSwitch, Cisco, SIPxchange, and others so we could all benefit from this effort.

I'm hesitant to create any sort of human-regulated system such as a mailing list or even a wiki as the repository for IP address data of elements, because I think that data will be difficult to collect, difficult to integrate into existing systems, and impossible to update in a way that is fair to people who may be incorrectly added (or who inherit "bad" IP addresses via DHCP or whatever.) Automation seems the only reasonable solution. I could be convinced otherwise, and of course anyone can start such a manual process if they think it would lead to rapid problem resolution.
However, I don't think it is a long-term viable method of IP address tagging and I hope that some method might arise with tools that mostly already exist.

Resources:
http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
http://denyhosts.sourceforge.net/index.html

JT

---
John Todd
email:jt...@digium.com
Digium, Inc. | Asterisk Open Source Community Director
445 Jan Davis Drive NW - Huntsville AL 35806 - USA
direct: +1-256-428-6083
http://www.digium.com/
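The local detection step the thread describes (Fail2Ban reading Asterisk's failure log and tripping on repeated failures from one source), as an added illustration that is not code from Fail2Ban, DenyHosts or Asterisk: it parses the chan_sip registration-failure NOTICE lines, applies a sliding maxretry/findtime window per source address, and emits the "IP plus date/time of the attack" records JR proposes for a shared list. The log lines are constructed samples in the 1.4/1.6-era chan_sip format, using documentation address ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of Asterisk 'messages' lines (chan_sip NOTICE format of the
# 1.4/1.6 series); the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
[Mar 16 11:50:00] NOTICE[1234] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '192.0.2.99' - Wrong password
[Mar 16 12:01:00] NOTICE[1234] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '192.0.2.99' - Wrong password
[Mar 16 12:05:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Mar 16 12:05:02] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Mar 16 12:05:04] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Mar 16 12:06:10] NOTICE[1234] chan_sip.c: Registration from '"999" <sip:999@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Mar 16 12:07:00] NOTICE[1234] chan_sip.c: Peer '200' is now Reachable. (12ms / 2000ms)
[Mar 16 12:12:00] NOTICE[1234] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '192.0.2.99' - Wrong password
"""

# Failure line pattern; the optional ':port' suffix covers later Asterisk
# releases that also log the source port.
FAIL_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>[0-9.]+)(?::\d+)?' - (?P<reason>.*)$"
)

def parse_failures(text, year=2009):
    """Yield (timestamp, source_ip, reason) for every failed REGISTER in the log.
    Asterisk omits the year from its timestamps, so the caller supplies it."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["reason"]

def find_offenders(text, maxretry=3, findtime=600):
    """Return {ip: time_of_trip} for addresses with >= maxretry failures inside
    any findtime-second window (Fail2Ban's maxretry/findtime semantics, sliding)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for ts, ip, _reason in parse_failures(text):   # log order is chronological
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and ip not in offenders:
            offenders[ip] = ts
    return offenders

def blocklist_records(offenders):
    """'ip,time-of-trip' records: the shape a community-maintained list could carry."""
    return [f"{ip},{ts.isoformat()}" for ip, ts in sorted(offenders.items())]
```

Whether the records feed a local iptables rule or are reported upstream is the policy decision the thread leaves to the PBX admin; the detector itself only needs the log.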