fail2ban is so easy to set up, there is no reason not to set it up.

The geography problems are not so bad unless you have phones all over the world or people travelling with softphones to countries that you want to block.

It does not block incoming calls, only people who want to mimic your own legitimate phones.


Ron

On 19/01/2014 9:40 AM, Steve Murphy wrote:



On Sat, Jan 18, 2014 at 3:59 PM, Steve Edwards <asterisk....@sedwards.com> wrote:

    On Sat, 18 Jan 2014, Jerry Geis wrote:

        I see MANY of these in my log files:

        [Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from '"202" <sip:202@X:5060>' failed for '37.8.12.147:26832' - Wrong password

        What is the "correct" way to block these idiots so they
        don't even get this far?


    Use iptables to allow packets from your legitimate users, block
    everybody else.

    If you are dealing with a mobile user base or an extensive
    geographic area, at least block the countries where you do not
    expect traffic -- North Korea, China, xxxistan, etc.

    Drop these at the front door (90% of the problem) and use fail2ban
    to pick off the rest.


I see a problem here; firstly, it is no longer so simple to determine
the IP ranges of countries. Things have been fractured quite a bit; you
might have to hire out a service to determine true geographic origination.
Even then, if your service is a little behind, you might occasionally
feel the displeasure of users unable to talk to your servers. How will you
handle this, with a white-list? How much effort will you end up committing
to keeping your whitelist up to date?

Next, the well-financed operations running such probes need not use
machines in their native countries. There are plenty of US-based
machines that can be ( and are ) compromised.


In other words, don't forget the fail2ban part!

Here's another idea! How about changing your port from 5060 to something
different, maybe 7067 or some other number that is not popularly being used?
You'll provision your phones to use this port, and the scanners will not
find you. Seems a much simpler solution... but there are some drawbacks...
can anyone think of them? And will these drawbacks matter to you? And, given
this solution, will the odds that a scanner might find your machine be so low
that it is not worth using something like fail2ban to override them? Food
for thought!

murf

--

Steve Murphy
ParseTree Corporation
57 Lane 17
Cody, WY 82414
murf at parsetree dot com
307-899-5535






--
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102
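The split the thread argues for (an iptables allow-list for your own phones, fail2ban picking off the rest, and Murf's warning that a stale allow-list or a misconfigured legitimate phone must not get you banning your own users) is easy to see in code. The following is an added example, not code posted by anyone in the thread and not fail2ban's own filter or action: it re-implements fail2ban's maxretry/findtime/bantime semantics over a handful of constructed chan_sip NOTICE lines modelled on the one Jerry posted. The regex, the 2014 year (Asterisk timestamps carry none), the sample addresses and the generated iptables command are all assumptions of this example.

```python
"""Fail2ban-style detection over Asterisk chan_sip registration failures.

Added example (not from the thread): count failed registrations per source
IP inside a sliding findtime window, ban an address once it reaches
maxretry, never ban addresses in an allow-list of legitimate user ranges,
and emit the kind of iptables rule a ban action would run.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Regex modelled on the chan_sip NOTICE line Jerry posted. It is an assumption
# of this example, not the filter shipped with fail2ban.
REG_FAIL = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] "
    r"chan_sip\.c: Registration from '(?P<user>[^']*)' failed for "
    r"'(?P<ip>[0-9.]+)(?::\d+)?' - (?P<reason>Wrong password|"
    r"No matching peer found|Username/auth name mismatch|"
    r"Peer is not supposed to register|Device does not match ACL)$"
)

# Constructed sample log. 37.8.12.147 is the scanner from the thread;
# 10.0.0.7 plays a legitimate but misconfigured office phone; 198.51.100.20
# probes slowly, once every eleven minutes. Lines are in time order.
SAMPLE_LOG = """\
[Jan 15 03:00:00] NOTICE[14129] chan_sip.c: Registration from '"100" <sip:100@X:5060>' failed for '198.51.100.20:5060' - Wrong password
[Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from '"202" <sip:202@X:5060>' failed for '37.8.12.147:26832' - Wrong password
[Jan 15 03:06:13] NOTICE[14129] chan_sip.c: Registration from '"203" <sip:203@X:5060>' failed for '37.8.12.147:26832' - Wrong password
[Jan 15 03:06:13] NOTICE[14129] chan_sip.c: Registration from '"204" <sip:204@X:5060>' failed for '37.8.12.147:26832' - Wrong password
[Jan 15 03:06:14] NOTICE[14129] chan_sip.c: Registration from '"205" <sip:205@X:5060>' failed for '37.8.12.147:26832' - No matching peer found
[Jan 15 03:06:14] NOTICE[14129] chan_sip.c: Registration from '"206" <sip:206@X:5060>' failed for '37.8.12.147:26832' - Wrong password
[Jan 15 03:06:15] NOTICE[14129] chan_sip.c: Registration from '"207" <sip:207@X:5060>' failed for '37.8.12.147:26832' - Wrong password
[Jan 15 03:07:00] NOTICE[14129] chan_sip.c: Registered SIP '101' at 10.0.0.5:5060
[Jan 15 03:10:00] NOTICE[14129] chan_sip.c: Registration from '"102" <sip:102@X:5060>' failed for '10.0.0.7:5060' - Wrong password
[Jan 15 03:10:01] NOTICE[14129] chan_sip.c: Registration from '"102" <sip:102@X:5060>' failed for '10.0.0.7:5060' - Wrong password
[Jan 15 03:10:02] NOTICE[14129] chan_sip.c: Registration from '"102" <sip:102@X:5060>' failed for '10.0.0.7:5060' - Wrong password
[Jan 15 03:10:03] NOTICE[14129] chan_sip.c: Registration from '"102" <sip:102@X:5060>' failed for '10.0.0.7:5060' - Wrong password
[Jan 15 03:10:04] NOTICE[14129] chan_sip.c: Registration from '"102" <sip:102@X:5060>' failed for '10.0.0.7:5060' - Wrong password
[Jan 15 03:11:00] NOTICE[14129] chan_sip.c: Registration from '"100" <sip:100@X:5060>' failed for '198.51.100.20:5060' - Wrong password
[Jan 15 03:22:00] NOTICE[14129] chan_sip.c: Registration from '"100" <sip:100@X:5060>' failed for '198.51.100.20:5060' - Wrong password
[Jan 15 03:33:00] NOTICE[14129] chan_sip.c: Registration from '"100" <sip:100@X:5060>' failed for '198.51.100.20:5060' - Wrong password
[Jan 15 03:44:00] NOTICE[14129] chan_sip.c: Registration from '"100" <sip:100@X:5060>' failed for '198.51.100.20:5060' - Wrong password
"""


def parse_ts(ts, year=2014):
    """Asterisk log timestamps have no year; 2014 is assumed from the thread."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def is_allowed(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def evaluate(log_text, maxretry=5, findtime=600, bantime=3600, allowlist=()):
    """Return [(ip, ban_start)] in the order bans would be issued.

    Semantics mirror fail2ban's jail settings: maxretry failures within
    findtime seconds trigger a ban lasting bantime seconds; addresses in
    allowlist (fail2ban's ignoreip) are never banned.
    """
    networks = [ipaddress.ip_network(n) for n in allowlist]
    recent = defaultdict(deque)   # ip -> timestamps of failures in the window
    active = {}                   # ip -> time the current ban started
    bans = []
    for line in log_text.splitlines():
        m = REG_FAIL.match(line)
        if not m:
            continue              # non-failure lines never count
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in active:
            if (ts - active[ip]).total_seconds() < bantime:
                continue          # a real firewall would have dropped this
            del active[ip]
        if is_allowed(ip, networks):
            continue              # our own phones: fix the config, do not ban
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # slow probers never accumulate maxretry
        if len(window) >= maxretry:
            active[ip] = ts
            bans.append((ip, ts))
            window.clear()
    return bans


def iptables_rules(bans):
    """Commands a ban action could run; a plain INPUT DROP is assumed here."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip, _ in bans]


if __name__ == "__main__":
    for ip, when in evaluate(SAMPLE_LOG, allowlist=["10.0.0.0/24"]):
        print(f"ban {ip} at {when.isoformat()}")
```

Two things the sample makes visible that the thread only hints at: with the office range allow-listed, the misconfigured phone at 10.0.0.7 is left alone while the scanner is banned on its fifth failure, and the slow prober at 198.51.100.20 never trips a 5-in-600-seconds rule at all, which is the "well-financed operations" case Murf raises and one reason the front-door iptables rules still matter.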

asterisk-users mailing list