On 11:04, Fri 09 Jan 09, Matthew Nicholson wrote: > On Fri, 2009-01-09 at 16:49 +0000, Steve Howes wrote: > > On 9 Jan 2009, at 16:36, Klaus Darilion wrote: > > > Hi! > > > > > > I want to detect brute-force password hacking attacks - thus if there > > > are too many failed login attempts for a SIP account I want to "lock" > > > this account. > > > > > > Does somebody have any ideas how this could be implemented? > > > > Bad plan? Could quite easily turn into a DoS. > > Could this be done at the IP tables level? Or maybe you could write a > script that monitors the asterisk logs and detects failed login attempts > then adds problematic IP address to hosts.deny. I know of several ssh > blocking scripts that work this way.
I think fail2ban can do this. It has a configuration file where you can list your logs and regexp matches in this logfile. I use fail2ban on linux to detect those types of attacks on my ftp, imap, pop3, smtp+sasl, ssh etc etc It can take action by blocking the ip for a specified period. The block can be configured. iptables, hosts.deny, pf, ipfw, custom-script-to-send-block-rule-to-cisco-pix,whatever. http://www.fail2ban.org/wiki/index.php/Main_Page > > -- > Matthew Nicholson > Digium, Inc. | Software Developer > > > _______________________________________________ > -- Bandwidth and Colocation Provided by http://www.api-digital.com -- > > asterisk-users mailing list > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users -- Michiel van Baak mich...@vanbaak.eu http://michiel.vanbaak.eu GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD "Why is it drug addicts and computer aficionados are both called users?" _______________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users