Thanks for that Steve. This works. However, what if I do this (would I block myself from SSH 22):
--------------------------------------------------------------
sudo iptables\
    --append INPUT\
    --match tcp\
    --protocol tcp\
    --dport 22\
    --source 0.0.0.0\
    --jump ACCEPT
--------------------------------------------------------------
sudo iptables\
    --append INPUT\
    --source 0.0.0.0/24\
    --jump DROP
--------------------------------------------------------------

Will that block all other traffic to the server and only allow SSH 22? I don't want to block myself out and it's very important because this is a remote server. If you can confirm above then I can add the legit IPs one by one after that I guess.

Thanks again

On Thu, Jun 24, 2010 at 1:52 PM, Steve Edwards <asterisk....@sedwards.com> wrote:

> Un-top-posting...
>
> On 2010-06-24 1:03 PM, "bruce bruce" <bruceb...@gmail.com> wrote:
>
> > What would be the other workaround other than fail2ban? what commands
> > should be run for IPTABLES to ban this IP from trying to register to
> > SIP?
>
> On Thu, 24 Jun 2010, Zeeshan Zakaria wrote:
>
> > iptables -A INPUT -p TCP -s 87.230.90.5 --dport 5060 REJECT
>
> (I think you need a "-j" before the target.)
>
> If the connection is tcp. "s/TCP/UDP/" for udp. I'm a 1.2 Luddite, so TCP
> is not an issue for me.
>
> There are two problems with this approach. Using REJECT tells the attacker
> that he is being rejected. Very often, he will have access to a range of
> addresses (maybe a sub-set, maybe an entire class C) so he just tries
> again with another address. See http://en.wikipedia.org/wiki/Whack_a_mole
>
> If you change the target to DROP, your host discards the packet and no
> information is sent back to the attacker.
>
> sudo iptables\
>     --append INPUT\
>     --match udp\
>     --protocol udp\
>     --dport 5060\
>     --source 87.230.90.5\
>     --jump DROP
>
> Just because you are blocking SIP does not mean he will not try SSH, FTP,
> HTTP, Telnet...
>
> Using the very blunt sword of blocking the entire class [A|B|C] for all
> ports and protocols solves the problem for most attackers but can block
> legitimate users as well.
>
> sudo iptables\
>     --append INPUT\
>     --source 87.230.90.0/24\
>     --jump DROP
>
> From my experience, a lot of attacks originate from countries I have no
> interest in receiving calls from, so I just block a lot (too many?) of
> class A addresses. Unfortunately, my web server and email server are on
> the same host, so I need to refine this approach a bit :)
>
> A better approach would be to specifically allow the IP addresses of the
> callers you expect, and drop everybody else.
>
> If you have multiple IP addresses (for example, a public and a private) on
> your Asterisk box, binding SIP, IAX, and the manager interface to the
> local address will also reduce your attack profile.
>
> --
> Thanks in advance,
> -------------------------------------------------------------------------
> Steve Edwards   sedwa...@sedwards.com   Voice: +1-760-468-3867 PST
> Newline                                 Fax:   +1-760-731-3000
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-biz mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-biz
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-biz mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-biz
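Added example, not part of the thread: a small first-match simulator for INPUT rules of the shape used above, so the "would I block myself?" question can be checked on paper before the rules go onto a remote box. The admin host 198.51.100.7 and the SIP peer range 203.0.113.0/24 are constructed; iptables reads a bare `--source 0.0.0.0` as the single host 0.0.0.0/32, and a packet that matches no rule falls through to the chain policy, which the `policy` argument stands in for.

```python
import ipaddress

# Rule = (source network, protocol or None, dport or None, target): the same
# fields as the iptables commands in the thread; None means the option was omitted.
# Constructed rule sets: the two commands asked about above, and Steve's
# "allow the callers you expect, drop everybody else" layout with made-up addresses.
PROPOSED_RULES = [
    ("0.0.0.0", "tcp", 22, "ACCEPT"),      # --source 0.0.0.0 --dport 22 --jump ACCEPT
    ("0.0.0.0/24", None, None, "DROP"),    # --source 0.0.0.0/24 --jump DROP
]
ALLOWLIST_RULES = [
    ("198.51.100.7", "tcp", 22, "ACCEPT"),      # constructed admin host: SSH only
    ("203.0.113.0/24", "udp", 5060, "ACCEPT"),  # constructed SIP peer range
    ("0.0.0.0/0", None, None, "DROP"),          # everything else is discarded
]

def rule_matches(rule, src, proto, dport):
    net, r_proto, r_port, _target = rule
    # A bare address is a /32 host match, exactly as iptables reads it.
    if ipaddress.ip_address(src) not in ipaddress.ip_network(net, strict=False):
        return False
    if r_proto is not None and r_proto != proto:
        return False
    return r_port is None or r_port == dport

def evaluate(rules, src, proto, dport, policy="ACCEPT"):
    """First matching rule decides; with no match the chain policy applies.
    Returns (verdict, index of the deciding rule, or None when policy decided)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, src, proto, dport):
            return rule[3], i
    return policy, None

def ssh_reachable(rules, admin_ip, policy="ACCEPT"):
    """The lock-out check: can the admin still open TCP/22 under these rules?"""
    return evaluate(rules, admin_ip, "tcp", 22, policy)[0] == "ACCEPT"

if __name__ == "__main__":
    probes = (("198.51.100.7", "tcp", 22), ("87.230.90.5", "udp", 5060))
    for name, rules in (("proposed", PROPOSED_RULES), ("allowlist", ALLOWLIST_RULES)):
        for src, proto, port in probes:
            verdict, idx = evaluate(rules, src, proto, port)
            print(f"{name:9} {src:>14} {proto}/{port}: {verdict} (rule {idx})")
        print(f"{name:9} admin SSH reachable: {ssh_reachable(rules, '198.51.100.7')}")
```

With the default ACCEPT policy the two proposed rules match no real address, so neither the admin nor 87.230.90.5 is touched; with a DROP policy the same rules lock the admin out, while the allowlist layout keeps SSH open and drops the SIP probe.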