On 19/1/14 2:57 pm, Ron Wheeler wrote:
> fail2ban is so easy to set up, there is no reason not to set it up.

One of the dangers with fail2ban - at least in its default configuration - is that a legitimate SIP phone with an incorrect password can quite easily send dozens of registration attempts in a couple of minutes, thus blocking that IP.

If your end users configure their own phones, you will have to factor in the increased support burden when users complain that their phones 'can't connect' and you need to manually unblock those IPs. This can be at least partially mitigated using fail2ban's 'ignoreip' directive for IPs you know only your users will be connecting from.

If you've a large number of users, it might be worth splitting them across a pair of servers - one for 'trusted' users, i.e. where each SIP endpoint is locked down to a specific IP (or at least a range), and you can configure your firewall to block SIP connection attempts from anything apart from that list; and one for 'untrusted' users, i.e. travelling users, home workers without static IPs, etc. on which you run fail2ban with a fairly ruthless set of rules/limits.

Unless you know that none of your users travel internationally, I'd be wary of imposing countrywide IP blocks, especially in this era of IP shortage where IP space is being traded on the open market and GeoIP databases may not always keep up to date.

Kind regards,

Chris
--
This email is made from 100% recycled electrons
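
The blocking behaviour Chris describes above (a legitimate phone with a wrong password tripping the retry threshold, and 'ignoreip' exempting known-good address ranges) can be reproduced with a small sliding-window counter. The Python below is an added example for this thread, not Chris's code and not fail2ban's own implementation; it re-implements the maxretry / findtime / ignoreip semantics in a hypothetical SipBanPolicy class, and the Asterisk chan_sip log lines it feeds in are constructed samples with documentation-range addresses. The threshold values (5 failures within 600 seconds) are chosen for the example.

```python
"""
Sliding-window registration-failure counter with an ignore list, modelled on
fail2ban's maxretry / findtime / ignoreip settings. This is a hypothetical
re-implementation for illustration, not fail2ban's code. Log lines are
constructed samples in the classic Asterisk 'messages' log format.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches a chan_sip "Registration from ... failed for ..." NOTICE line and
# captures the timestamp, peer, source IP and failure reason.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<peer>[^']*)' failed for '(?P<ip>[0-9.]+):\d+' - (?P<reason>.*)$"
)


class SipBanPolicy:
    """Counts failures per source IP inside a findtime window and bans at maxretry."""

    def __init__(self, maxretry=5, findtime=600, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        # ignoreip entries may be single addresses or CIDR ranges, as in fail2ban.
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # ip -> timestamps still inside the window
        self.banned = {}                     # ip -> timestamp at which it was banned

    def is_ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        """Process one log line; returns 'ignored', 'banned', 'counted', or None if unmatched."""
        m = LOG_RE.match(line)
        if not m:
            return None
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        if self.is_ignored(ip):
            return "ignored"          # whitelisted: never counted, never banned
        if ip in self.banned:
            return "banned"
        window = self.failures[ip]
        window.append(ts)
        # Drop failures older than findtime so only recent ones count.
        while window and ts - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[ip] = ts
            return "banned"
        return "counted"


def sample_log():
    """Constructed sample: an office phone with a wrong password retrying every 10s,
    and an unrelated host probing for a non-existent peer every 7s."""
    base = datetime(2014, 1, 19, 14, 57, 0)
    lines = []
    for i in range(6):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"[{t:%Y-%m-%d %H:%M:%S}] NOTICE[1234] chan_sip.c: Registration from "
                     f"'\"1001\" <sip:1001@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password")
    for i in range(6):
        t = base + timedelta(seconds=7 * i)
        lines.append(f"[{t:%Y-%m-%d %H:%M:%S}] NOTICE[1234] chan_sip.c: Registration from "
                     f"'<sip:9999@192.0.2.10>' failed for '203.0.113.9:5060' - No matching peer found")
    return lines


def banned_after(lines, ignoreip=(), maxretry=5, findtime=600):
    """Run the policy over the lines and return the sorted list of banned IPs."""
    policy = SipBanPolicy(maxretry=maxretry, findtime=findtime, ignoreip=ignoreip)
    for line in lines:
        policy.feed(line)
    return sorted(policy.banned)


if __name__ == "__main__":
    print("default policy bans:", banned_after(sample_log()))
    print("with office range ignored:", banned_after(sample_log(), ignoreip=("198.51.100.0/24",)))
```

With the default thresholds both the misconfigured office phone and the probing host end up banned; adding the office range to ignoreip leaves only the probing host banned, which is the trade-off described in the message: the ignore list removes the support burden for known user networks, but anything not on it is still subject to the same retry limit.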

--
asterisk-users mailing list