Re: [asterisk-users] lock SIP Account after too many failed logins

2009-01-12 Thread Klaus Darilion


Dave Platt wrote:

 Bad plan? Could quite easily turn into a DoS.
 
 If the reaction is to lock the account, I agree, it might
 leave you prone to a denial-of-service attack.
 
 A better way would be to use iptables to start dropping
 packets from the IP address(es) involved in the attack... this
 will still allow the legitimate user of the account to access
 it.

TRUE.

 The block-IP-address-only method won't defend effectively
 against a slow scan botnet-based crack attempt, where each
 password-guessing attempt comes from a different IP address
 in the botnet.  A lot of current SSH password-guess probes are
 of this sort.  I don't think there's any terribly good defense
 against this except to select *good* passwords - e.g. 20 or more
 alphanumeric characters selected by a good random-number generator.

I second that.

thanks
klaus


___
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


[asterisk-users] lock SIP Account after too many failed logins

2009-01-09 Thread Klaus Darilion
Hi!

I want to detect brute-force password hacking attacks - thus if there 
are too many failed login attempts for a SIP account I want to lock 
this account.

Does somebody have any ideas how this could be implemented?

thanks
klaus



Re: [asterisk-users] lock SIP Account after too many failed logins

2009-01-09 Thread Steve Howes
On 9 Jan 2009, at 16:36, Klaus Darilion wrote:
 Hi!

 I want to detect brute-force password hacking attacks - thus if there
 are too many failed login attempts for a SIP account I want to lock
 this account.

 Does somebody have any ideas how this could be implemented?

Bad plan? Could quite easily turn into a DoS.



Re: [asterisk-users] lock SIP Account after too many failed logins

2009-01-09 Thread Matthew Nicholson
On Fri, 2009-01-09 at 16:49 +, Steve Howes wrote:
 On 9 Jan 2009, at 16:36, Klaus Darilion wrote:
  Hi!
 
  I want to detect brute-force password hacking attacks - thus if there
  are too many failed login attempts for a SIP account I want to lock
  this account.
 
  Does somebody have any ideas how this could be implemented?
 
 Bad plan? Could quite easily turn into a DoS.

Could this be done at the IP tables level?  Or maybe you could write a
script that monitors the asterisk logs and detects failed login attempts
then adds problematic IP address to hosts.deny.  I know of several ssh
blocking scripts that work this way.

-- 
Matthew Nicholson
Digium, Inc. | Software Developer




Re: [asterisk-users] lock SIP Account after too many failed logins

2009-01-09 Thread Grygoriy Dobrovolskyy
2009/1/9 Steve Howes st...@geekinter.net

 On 9 Jan 2009, at 16:36, Klaus Darilion wrote:
  Hi!
 
  I want to detect brute-force password hacking attacks - thus if there
  are too many failed login attempts for a SIP account I want to lock
  this account.
 
  Does somebody have any ideas how this could be implemented?

 Bad plan? Could quite easily turn into a DoS.


I have the same problem, just look here:

Jan  9 15:14:37 NOTICE[338] chan_sip.c: Registration from
'3CXPhonesip:SIP/00085d101...@83.167.156.171:5060' failed for
'91.171.139.135' - Username/auth name mismatch
Jan  9 15:14:37 NOTICE[338] chan_sip.c: Registration from
'3CXPhonesip:SIP/00085d101...@83.167.156.171:5060' failed for
'91.171.139.135' - Username/auth name mismatch
Jan  9 15:14:37 NOTICE[338] chan_sip.c: Registration from
'3CXPhonesip:SIP/00085d101...@83.167.156.171:5060' failed for
'91.171.139.135' - Username/auth name mismatch
Jan  9 15:14:37 NOTICE[338] chan_sip.c: Registration from
'3CXPhonesip:SIP/00085d101...@83.167.156.171:5060' failed for
'91.171.139.135' - Username/auth name mismatch
Jan  9 15:14:37 NOTICE[338] chan_sip.c: Registration from
'3CXPhonesip:SIP/00085d101...@83.167.156.171:5060' failed for
'91.171.139.135' - Username/auth name mismatch
Jan  9 15:14:37 NOTICE[338] chan_sip.c: Registration from
'3CXPhonesip:SIP/00085d101...@83.167.156.171:5060' failed for
'91.171.139.135' - Username/auth name mismatch
Jan  9 15:14:38 NOTICE[338] chan_sip.c: Registration from
'3CXPhonesip:SIP/00085d101...@83.167.156.171:5060' failed for
'91.171.139.135' - Username/auth name mismatch
Jan  9 15:14:38 NOTICE[338] chan_sip.c: Registration from
'3CXPhonesip:SIP/00085d101...@83.167.156.171:5060' failed for
'91.171.139.135' - Username/auth name mismatch
Jan  9 15:14:38 NOTICE[338] chan_sip.c: Registration from
'3CXPhonesip:SIP/00085d101...@83.167.156.171:5060' failed for
'91.171.139.135' - Username/auth name mismatch
Jan  9 15:14:38 NOTICE[338] chan_sip.c: Registration from
'3CXPhonesip:SIP/00085d101...@83.167.156.171:5060' failed for
'91.171.139.135' - Username/auth name mismatch
Jan  9 15:14:38 NOTICE[338] chan_sip.c: Registration from
'3CXPhonesip:SIP/00085d101...@83.167.156.171:5060' failed for
'91.171.139.135' - Username/auth name mismatch
Jan  9 15:14:38 NOTICE[338] chan_sip.c: Registration from
'3CXPhonesip:SIP/00085d101...@83.167.156.171:5060' failed for
'91.171.139.135' - Username/auth name mismatch
Jan  9 15:14:39 NOTICE[338] chan_sip.c: Registration from
'3CXPhonesip:SIP/00085d101...@83.167.156.171:5060' failed for
'91.171.139.135' - Username/auth name mismatch
Jan  9 15:14:39 NOTICE[338] chan_sip.c: Registration from
'3CXPhonesip:SIP/00085d101...@83.167.156.171:5060' failed for
'91.171.139.135' - Username/auth name mismatch
Jan  9 15:14:39 NOTICE[338] chan_sip.c: Registration from
'3CXPhonesip:SIP/00085d101...@83.167.156.171:5060' failed for
'91.171.139.135' - Username/auth name mismatch


It's not a bad idea maybe to create something like maxloginattempts=x

Re: [asterisk-users] lock SIP Account after too many failed logins

2009-01-09 Thread Michiel van Baak
On 11:04, Fri 09 Jan 09, Matthew Nicholson wrote:
 On Fri, 2009-01-09 at 16:49 +, Steve Howes wrote:
  On 9 Jan 2009, at 16:36, Klaus Darilion wrote:
   Hi!
  
   I want to detect brute-force password hacking attacks - thus if there
   are too many failed login attempts for a SIP account I want to lock
   this account.
  
   Does somebody have any ideas how this could be implemented?
  
  Bad plan? Could quite easily turn into a DoS.
 
 Could this be done at the IP tables level?  Or maybe you could write a
 script that monitors the asterisk logs and detects failed login attempts
 then adds problematic IP address to hosts.deny.  I know of several ssh
 blocking scripts that work this way.

I think fail2ban can do this.
It has a configuration file where you can list your logs and regexp
matches in this logfile.

I use fail2ban on linux to detect those types of attacks on my ftp,
imap, pop3, smtp+sasl, ssh etc etc

It can take action by blocking the ip for a specified period.
The block can be configured. iptables, hosts.deny, pf, ipfw,
custom-script-to-send-block-rule-to-cisco-pix, whatever.

http://www.fail2ban.org/wiki/index.php/Main_Page


-- 

Michiel van Baak
mich...@vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

Why is it drug addicts and computer aficionados are both called users?




Re: [asterisk-users] lock SIP Account after too many failed logins

2009-01-09 Thread Tim Nelson
Check out this howto: http://engineertim.com/?p=16

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

- Michiel van Baak mich...@vanbaak.info wrote:

 On 11:04, Fri 09 Jan 09, Matthew Nicholson wrote:
  On Fri, 2009-01-09 at 16:49 +, Steve Howes wrote:
   On 9 Jan 2009, at 16:36, Klaus Darilion wrote:
Hi!
   
I want to detect brute-force password hacking attacks - thus if
 there
are too many failed login attempts for a SIP account I want to
 lock
this account.
   
Does somebody have any ideas how this could be implemented?
   
   Bad plan? Could quite easily turn into a DoS.
  
  Could this be done at the IP tables level?  Or maybe you could write
 a
  script that monitors the asterisk logs and detects failed login
 attempts
  then adds problematic IP address to hosts.deny.  I know of several
 ssh
  blocking scripts that work this way.
 
 I think fail2ban can do this.
 It has a configuration file where you can list your logs and regexp
 matches in this logfile.
 
 I use fail2ban on linux to detect those types of attacks on my ftp,
 imap, pop3, smtp+sasl, ssh etc etc
 
 It can take action by blocking the ip for a specified period.
 The block can be configured. iptables, hosts.deny, pf, ipfw,
 custom-script-to-send-block-rule-to-cisco-pix, whatever.
 
 http://www.fail2ban.org/wiki/index.php/Main_Page



Re: [asterisk-users] lock SIP Account after too many failed logins

2009-01-09 Thread Dave Platt
 I want to detect brute-force password hacking attacks - thus if there
 are too many failed login attempts for a SIP account I want to lock
 this account.
 
 Does somebody have any ideas how this could be implemented?

The usual method (I think) is to monitor the log files, and
detect repeated patterns of suspicious actions occurring
within a given period of time.

A program such as logwatch (www.logwatch.org) might work, or
you could write something in Perl.  If you're logging via
syslog, you can have syslog write new messages into a pipe
as well as into a log file, and thus parse and evaluate
new messages immediately with no buffering delay.

 Bad plan? Could quite easily turn into a DoS.

If the reaction is to lock the account, I agree, it might
leave you prone to a denial-of-service attack.

A better way would be to use iptables to start dropping
packets from the IP address(es) involved in the attack... this
will still allow the legitimate user of the account to access
it.

The block-IP-address-only method won't defend effectively
against a slow scan botnet-based crack attempt, where each
password-guessing attempt comes from a different IP address
in the botnet.  A lot of current SSH password-guess probes are
of this sort.  I don't think there's any terribly good defense
against this except to select *good* passwords - e.g. 20 or more
alphanumeric characters selected by a good random-number generator.

To be pro-active, I'd suggest that you acquire a password
quality-evaluation program (the Perl Data::Password class
from CPAN might be a useful starting point) and check the
password quality of all of your SIP accounts.  Require a
password change for any password of unacceptably low quality.



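As an added example (not code from anyone in this thread), here is a small Python detector along the lines Dave Platt and Matthew Nicholson describe: it parses the chan_sip "Registration from ... failed for" NOTICE lines Grygoriy quoted, counts failures per source IP in a sliding window, and emits an iptables drop for the sender instead of locking the account, which is the DoS concern raised above. The sample log lines, the RFC 5737 addresses and the five-failures-in-sixty-seconds threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# chan_sip NOTICE as quoted in the thread; the address after "failed for" is the source IP.
FAILED_REG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '[^']*' failed for '(?P<ip>[\d.]+)' - (?P<reason>.+)$")

def parse_failure(line):
    """Return (seconds, source_ip, reason) for a failed registration, else None."""
    m = FAILED_REG.match(line)
    if not m:
        return None
    stamp = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year: 1900
    return (stamp - datetime(1900, 1, 1)).total_seconds(), m["ip"], m["reason"]

class SourceTracker:
    """Sliding-window failure counter per source IP: the sender is blocked, never
    the SIP account, so a guessing attack cannot lock out the account's owner."""
    def __init__(self, threshold=5, window=60):
        self.threshold, self.window = threshold, window
        self.hits = defaultdict(deque)  # ip -> failure times inside the window
        self.blocked = set()

    def observe(self, line):
        parsed = parse_failure(line)
        if parsed is None or parsed[1] in self.blocked:
            return None
        secs, ip, _ = parsed
        q = self.hits[ip]
        q.append(secs)
        while secs - q[0] > self.window:  # expire hits older than the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        self.blocked.add(ip)
        return ip  # this source has just crossed the threshold

def block_rules(lines, threshold=5, window=60):
    """Run the detector over log lines; emit the iptables drop Dave Platt suggests."""
    tracker = SourceTracker(threshold, window)
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP"
            for ip in map(tracker.observe, lines) if ip]

# Constructed sample (RFC 5737 addresses): five failures from one source, two typos from another.
ATTACK = "3CXPhone<sip:00085d101@192.0.2.10>' failed for '198.51.100.7' - Username/auth name mismatch"
TYPO = "<sip:alice@192.0.2.10>' failed for '203.0.113.5' - Wrong password"
SAMPLE_LOG = [f"Jan  9 15:14:{t} NOTICE[338] chan_sip.c: Registration from '{tail}"
              for t, tail in [(s, ATTACK) for s in (37, 37, 38, 38, 39)] + [(40, TYPO), (41, TYPO)]]
```

Feeding the same lines through a per-account counter instead would have locked the account Grygoriy's log shows, with the attacker unaffected.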