Hi

You could do something like this in Perl:

#!/usr/bin/perl -w
use strict;
use warnings;
my (@failhost);
my %currblocked;
my %addblocked;
my $action;

open (MYINPUTFILE, "/var/log/asterisk/messages") or die "\n", $!, "Does log file exist\?\n\n";
 
while (<MYINPUTFILE>) {
    my ($line) = $_;
    chomp($line);
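    # Capture only a dotted-quad IPv4 address, so that nothing else from the
    # log line can end up in the iptables command further down.
    if ($line =~ m/\' failed for \'(\d+\.\d+\.\d+\.\d+):\d+\' - No matching peer found/) {
        push(@failhost,$1);
    }
    if ($line =~ m/\' failed for \'(\d+\.\d+\.\d+\.\d+):\d+\' - Wrong password/) {
        push(@failhost,$1);
    }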
}
 
my $blockedhosts = `/sbin/iptables -n -L asterisk`;
 
while ($blockedhosts =~ /(.*)/g) {
    my ($line2) = $1;
    chomp($line2);
    if ($line2 =~ m/(\d+\.\d+\.\d+\.\d+)(\s+)/) {
        $currblocked{ $1 } = 'blocked';
    }
}

if (@failhost) {
    &count_unique(@failhost);
    while (my ($ip, $count) = each(%addblocked)) {
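        # Only add a rule for addresses that are not in the chain yet.
        unless (exists $currblocked{ $ip }) {
            # List form of system() runs iptables without a shell.
            $action = system('/sbin/iptables', '-I', 'asterisk', '-s', $ip, '-j', 'REJECT');
            print "$ip blocked. $count attempts.\n";
        }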
    }
} else {
#    print "no failed registrations.\n";
}
 
sub count_unique {
    my @array = @_;
    my %count;
    map { $count{$_}++ } @array;
    map {($addblocked{ $_ } = ${count{$_}})} sort keys(%count);
}

Mind, this would NOT block attempts via IPv6. So I have stopped using that 
script, also reading the file over and over again is not very performant.

I have now opted to use my MikroTik Firewall to block failed attempts, 
similar rules can also be made with iptables:

In the Mangle Ruleset:

 1    ;;; SIP Check Unauth
      chain=forward action=add-dst-to-address-list protocol=udp src-address-list=SIP-Servers address-list=sip-auth-fail address-list-timeout=10m
      out-interface=IMP-PPPOE src-port=5060 content=SIP/2.0 401 Unauthorized log=no log-prefix=""

 2    ;;; tcp sip check auth fail
      chain=forward action=add-dst-to-address-list protocol=tcp src-address-list=SIP-Servers address-list=sip-auth-fail address-list-timeout=10m
      out-interface=IMP-PPPOE src-port=5060 content=SIP/2.0 401 Unauthorized log=no log-prefix=""

And then you just block all source addresses from sip-auth-fail in your 
forwarding table. This works for IPv6 and IPv4.

(Also yes, depending on the speed of your link, this also could be resource 
intensive on your firewall, as it does full packet inspection.)

Kind regards

-Benoît Panizzon-
-- 
I m p r o W a r e   A G    -    Leiter Commerce Kunden
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Schweiz                         Web  http://www.imp.ch
______________________________________________________
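
Added example, not part of the original post: the log scan above extended to cover IPv6 sources as well, written in Python rather than Perl so that the standard ipaddress module can validate each address before it is used. Assumptions: IPv6 sources are logged as '[addr]:port', the failure text ends the log line, an "asterisk" chain also exists in ip6tables, and the threshold parameter and sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Anchored at the end of the line and limited to address characters, because
# the text before "failed for" is copied from the SIP request.
# Assumption: IPv6 sources are logged as '[addr]:port'.
FAILED = re.compile(
    r"' failed for '(\[[0-9A-Fa-f:.]+\]|[0-9.]+):\d+' - "
    r"(?:No matching peer found|Wrong password)$")

def failed_sources(lines):
    """Count failed registrations per validated source address."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line.rstrip())
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1).strip("[]"))
        except ValueError:
            continue  # e.g. 999.1.1.1: shaped like an address, but not one
        counts[addr] += 1
    return counts

def block_commands(counts, already_blocked=(), threshold=1):
    """Return argv lists (no shell) for sources not yet in the chain."""
    blocked = {ipaddress.ip_address(a) for a in already_blocked}
    cmds = []
    for addr in sorted(counts, key=lambda a: (a.version, a)):
        if counts[addr] < threshold or addr in blocked:
            continue
        # Assumption: an "asterisk" chain exists in ip6tables as well.
        tool = "/sbin/iptables" if addr.version == 4 else "/sbin/ip6tables"
        cmds.append([tool, "-I", "asterisk", "-s", str(addr), "-j", "REJECT"])
    return cmds

PREFIX = "[Jan  1 00:00:01] NOTICE[1234] chan_sip.c: Registration from "
SAMPLE = [  # constructed lines using documentation address ranges
    PREFIX + "'<sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password",
    PREFIX + "'<sip:101@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found",
    PREFIX + "'<sip:100@192.0.2.10>' failed for '[2001:db8::1]:5060' - No matching peer found",
    PREFIX + "'<sip:100@192.0.2.10>' failed for '999.1.1.1:5060' - Wrong password",
    "[Jan  1 00:00:02] NOTICE[1234] chan_sip.c: Peer '100' is now Reachable",
]

if __name__ == "__main__":
    for argv in block_commands(failed_sources(SAMPLE), ["198.51.100.7"]):
        print(" ".join(argv))  # hand argv to subprocess.run(argv) to apply it
```

Returning argument lists instead of command strings keeps the address a single argument to iptables or ip6tables when the rules are applied.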

asterisk-users mailing list