Mike,

Thanks for this info!  I like the RSA key feature and have no problem carrying 
a USB key.  I think this is the next best thing when compared to SecurID toys. 
A Dual Authentication system with a USB toy is definitely the best option!

Cheers,
Reza.
 
----- Original Message ----- 
  From: Mike Ashton 
  To: [email protected] 
  Sent: Tuesday, March 28, 2006 5:39 PM
  Subject: Re: [on-asterisk] Attacks - DDoS on Asterisk Server


  Reza,

  Take a look at this page it will show a few different ways to bring it under 
control. 

  http://la-samhna.de/library/brutessh.html

  The best way is to use RSA keys; it just means you need to carry a USB key with 
you if you want to log on from somewhere else. If not this, use the tcp_wrapper 
method; it is pretty easy to implement.

  Mike


  John Van Ostrand wrote: 
    On Tue, 2006-03-28 at 15:51 -0500, Reza - Asterisk Enthusiast wrote: 
      Ok...  some people have absolutely no respect for other people's hard 
work - not knowing that they are hurting a small time business owner versus 
corporations.   Having said that, even attacking large corporations with DDoS 
is equally sick because in many cases shareholders themselves are hardworking 
people - who invested their life savings. 
       
      I don't see a difference between a criminal trying to break open the 
locked door of a family owned convenience store vs. trying to break into an 
individually owned server. 
       
      So...  why do I post this message here?   Last evening I received EXACTLY 
63510 attempts to log in to my Asterisk server at my colo.  My server is 
taking a GOOD BEATING - and the only thing that is happening is my logs are 
getting populated at a rate of 10 megs per day and bandwidth increasing.  
       
      I know a number of software based firewalls for Linux, but is there any 
software application out there that utilizes relatively low CPU resources to 
prevent or slow down DDoS - that any of you have ACTUALLY implemented?    I 
have a Fortigate firewall solution on another server, but those toys are 
expensive.  I'm not ready to pitch in another large sum of money for this...  
but at the end if I have to...  I have to. 
       
      The quick fix is to allow SSH ONLY from my range of IPs - but that is 
only a Band-Aid solution.   What is disturbing though is that these "people 
with no respect" are targeting my Asterisk Server.   This is why it's bugging 
me! 
       
      Your thoughts and inputs on what measures you take to protect your 
servers from DDoS are greatly appreciated...  especially those of you who are 
running Asterisk for business purposes! 

    The system that the attack is coming from is likely a compromised system 
and the owner/administrator is probably unaware that it is happening, so I 
don't recommend that you take strong action against the person.

    Iptables is the elegant, but complex way of limiting connections. Newer 
versions of the kernel have an ipt_recent module that allows you to detect and 
temporarily (or permanently) shut down offending IP addresses based on how many 
times in a given duration that a connection has been made. This is one way to 
solve the problem and I recommend it if you are interested in learning 
firewalling.

    However, it can be somewhat complex and if you want to avoid the complexity 
you could simply move your SSH port. Edit your /etc/ssh/sshd_config file and 
change "Port 22" to something like "Port 62200" or your street address, 
whatever, just stay away from ports listed in /etc/services. Then to SSH in use 
the -p option of ssh (or PuTTY if you're stuck with Windows) to connect using 
the alternate port number.

    I don't recommend blocking their address manually. Although it will stop 
the attack initially, you will eventually be attacked from another IP address. 
It's not uncommon to be hit from more than one IP simultaneously.
          -- 
                John Van Ostrand                  Net Direct Inc.
                Director of Technology            564 Weber St. N. Unit 12
                                                  Waterloo, ON N2L 5C6
                [EMAIL PROTECTED]                 Ph: 519-883-1172 ext. 5102
                Linux Solutions / IBM Hardware    Fx: 519-883-8533



-- 
Mike Ashton

Quality Track Intl

Ph:     647-722-2092 x 251
Cell:   416-527-4995
Fax:    416-352-6043

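The ipt_recent approach John describes above, as an added example that is not part of the thread: per-source rate limiting of new SSH connections with the iptables "recent" match. It assumes iptables with the conntrack and recent matches (older kernels use "-m state --state NEW" instead of "-m conntrack --ctstate NEW"); the function prints the rules rather than running them so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not from the thread: limit NEW SSH connections per source
# address with the iptables "recent" match (the ipt_recent module).
# Assumptions: iptables with conntrack and recent matches; on older kernels
# replace "-m conntrack --ctstate NEW" with "-m state --state NEW".
# Rules are printed, not executed; apply them as root with:
#   ssh_ratelimit_rules 62200 | sh

WINDOW=60      # seconds a source is remembered after its last new connection
HITS=4         # the HITS-th new connection from one source inside WINDOW is dropped
LIST=sshbrute  # recent-list name; inspect it at /proc/net/xt_recent/sshbrute
               # (older kernels: /proc/net/ipt_recent/sshbrute)

# Usage: ssh_ratelimit_rules [port]   (default 22; pass the port if you moved sshd)
ssh_ratelimit_rules() {
    port="${1:-22}"
    # Dedicated chain so the limiter can be flushed or inspected on its own.
    echo "iptables -N SSH_LIMIT"
    # Insert at the top of INPUT so an existing ACCEPT for the SSH port cannot
    # bypass it; only brand-new TCP connections are sent through the chain.
    echo "iptables -I INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j SSH_LIMIT"
    # Record this source address (the current packet counts as a hit).
    echo "iptables -A SSH_LIMIT -m recent --name $LIST --set"
    # Drop when the source has made HITS or more new connections in the last
    # WINDOW seconds; --update refreshes the timestamp, so a source that keeps
    # hammering stays blocked until it has been quiet for WINDOW seconds.
    echo "iptables -A SSH_LIMIT -m recent --name $LIST --update --seconds $WINDOW --hitcount $HITS -j DROP"
    # Otherwise hand the packet back to INPUT, which must still ACCEPT it.
    echo "iptables -A SSH_LIMIT -j RETURN"
}

# Print the rules for the port given on the command line (default 22).
ssh_ratelimit_rules "$@"
```

A legitimate user who mistypes a password four times in a minute from one address is locked out for WINDOW seconds too, so raise HITS or WINDOW if that is a problem for your own range.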

 
