Steve Totaro wrote:
Depends... I myself have an extremely modified IPS like script I chopped up for myself. If I posted it, it would look like a horrendous shell+ruby+perl +awk+sed nightmare with no comments that most programmers would likely roll their eyes at in disgust.-----Original Message----- From: [EMAIL PROTECTED] [mailto:asterisk-users- [EMAIL PROTECTED] On Behalf Of J. Oquendo Sent: Thursday, April 26, 2007 6:47 AM To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: [asterisk-users] Asterisk brute force watcher (was FYI)Steve Totaro wrote:I suspect that this will happen more and more. I also suspect thatmanypeople who have weak SIP credentials like user=100 secret=100 willbethe victim of toll fraud and worse, call to 900 and other very high termination rates. How does $25 per minute sound? Thanks, Steve Totaro http://www.asteriskhelpdesk.com KB3OPBAshtray is an Asterisk brute force watcher. Checks logs from cron and emails admin of potential brute forcers http://www.infiltrated.net/scripts/ashtray Can have it set in .bash_profile so whenever you log on, you'd see anomalies. -- ==================================================== J. Oquendo http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743 echo infiltrated.net|sed 's/^/sil@/g' "Wise men talk because they have something to say; fools, because they have to say something." -- PlatoWithout looking, can it be configured to blacklist that IP for a given amount of time? My FTP server has that ability. Thanks, Steve Totaro http://www.asteriskhelpdesk.com KB3OPB _______________________________________________ --Bandwidth and Colocation provided by Easynews.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Depending on how you run your Asterisk machine (DB or no DB) it should be doable with iptables (--flush), ipf, ipfw, etc. I have one of my servers set to do a few things with my script... 1) If a user attempts to register and fails more than 5 times ... Email me the username and IP address. It doesn't get blocked yet. This way no legitimate remote user complains... 2) If a user attempts to register and fails, check the IP address and see if they're trying to register using multiple names, if they are, then automatically block them via iptables...
I started to tinker with an entire IDS/IPS devoted to Asterisk (www.infiltrated.net/scripts/divinityPoC) but haven't had time to finish it. Besides, (and I'm sorry to say this)... Asterisk's logging mechanisms/errors infuriate me. Sometimes their errors make no sense - wth is a doohicky error you guys? So I left it alone. I've butchered it for managed PBX's with under 50 users, but for thousands of users, its no good.
Right now one of my machines has: 341 sip peers [308 online , 33 offline] / 45 active channels : 24 active calls ... I don't even count how many trunks and attached * machines I have on that server. And this is only one of about maybe 15-20 I deal with on a daily basis...
What I had envisioned for divinity was based off of my Asteroid program (www.infiltrated.net/asteroid/)... Catch any anomalous SIP messages and nip it in the bud. The heuristics behind it though would be a full time job in itself so I left it alone. I may or may not continue it, but right now I have little incentive to. 1) Too much studying going on for me... 2) Work keeps me tied up... 3) Family life... Besides I've configured my machines to where I'm comfortable with them which was my main goal. Last thing I want to do is release something half done to hear the criticism "You're program is half baked!" blah blah...
-- ==================================================== J. Oquendo http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743echo infiltrated.net|sed 's/^/sil@/g'
"Wise men talk because they have something to say; fools, because they have to say something." -- Plato
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ --Bandwidth and Colocation provided by Easynews.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
