On 10/15/2010 12:08 PM, Gerald Drouillard wrote:
> I forget where I got the idea for this but you may want to try something
> like this to limit the udp connections on 5060:
>
> FILE=/etc/rc.local
> echo "iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --set" >>$FILE
> echo "iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 3600 --hitcount 100 -j DROP" >>$FILE
> echo "iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 600 --hitcount 20 -j DROP" >>$FILE
> echo "iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 300 --hitcount 10 -j DROP" >>$FILE
> echo "iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 180 --hitcount 5 -j DROP" >>$FILE
> echo "iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 3 -j DROP" >>$FILE
>
> To try it out you don't have to put it in the rc.local file, just
> execute the commands as root. Example:
> /sbin/iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --set
>
>
Having just experienced my first sipvicious attack, I would recommend the
following in rc.local:

/sbin/iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --set
/sbin/iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 3600 --hitcount 100 -j REJECT
/sbin/iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 600 --hitcount 30 -j REJECT
/sbin/iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 300 --hitcount 20 -j REJECT
/sbin/iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 180 --hitcount 10 -j REJECT
/sbin/iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 6 -j REJECT


Note the use of REJECT instead of DROP.
Inspiration from this came from:
http://jcs.org/notaweblog/2010/04/11/properly_stopping_a_sip_flood/



-- 
Regards
--------------------------------------
Gerald Drouillard
Technology Architect
Drouillard & Associates, Inc.
http://www.Drouillard.biz
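The tiered ruleset from the message above, as an added example that is not part of the original post or of sipXecs: the same thresholds are kept in a small table and emitted into a dedicated chain, so the rules can be printed and reviewed before being applied and flushed as a unit afterwards. The chain name SIP_RATELIMIT, the --name sip recent table, the IFACE/TRUNK_IP variables and the 192.0.2.10 trunk address are assumptions for illustration (TEST-NET-1, not a real provider); everything else follows the commands in the post.

```shell
#!/bin/sh
# Added example, not from the list post: generate the tiered SIP rate-limit
# ruleset as its own chain. Printing by default; "apply" pipes it into sh.
# Assumed names (not in the post): SIP_RATELIMIT, recent table "sip",
# IFACE, TRUNK_IP. 192.0.2.10 is a placeholder address from TEST-NET-1.

IFACE="${IFACE:-eth0}"
CHAIN="SIP_RATELIMIT"
TRUNK_IP="${TRUNK_IP:-192.0.2.10}"   # your trunk provider; never rate limited

# Tiers as "seconds hitcount" pairs, the thresholds used in the post.
TIERS="3600 100
600 30
300 20
180 10
60 6"

# Print the iptables commands; nothing is executed here.
sip_ratelimit_rules() {
    printf 'iptables -N %s\n' "$CHAIN"
    # Known trunk leaves the chain before any counting happens.
    printf 'iptables -A %s -s %s -j RETURN\n' "$CHAIN" "$TRUNK_IP"
    # Record the source first so every check below counts the current packet.
    printf 'iptables -A %s -m recent --name sip --set\n' "$CHAIN"
    echo "$TIERS" | while read -r secs hits; do
        # REJECT (as in the post) answers with ICMP port unreachable instead
        # of silently dropping; the scanner gives up faster than on DROP.
        printf 'iptables -A %s -m recent --name sip --rcheck --seconds %s --hitcount %s -j REJECT --reject-with icmp-port-unreachable\n' \
            "$CHAIN" "$secs" "$hits"
    done
    # Hook the chain in for new UDP/5060 flows on the public interface.
    printf 'iptables -A INPUT -i %s -p udp --dport 5060 -m state --state NEW -j %s\n' \
        "$IFACE" "$CHAIN"
}

# Number of commands the generator emits:
# create + trunk exemption + --set + one per tier + INPUT hook.
sip_ratelimit_rule_count() {
    sip_ratelimit_rules | wc -l | tr -d ' '
}

case "${1:-}" in
    apply) sip_ratelimit_rules | sh -e ;;   # run as root to install
    *)     sip_ratelimit_rules ;;           # default: print for review
esac
```

Two things to check before relying on this on a given box. First, every device behind one NAT shares a public source address, so a branch office with a dozen phones re-registering through the same IP can trip the 60 s / 6 tier on its own; such sites belong in the exemption step alongside the trunk. Second, on older kernels the xt_recent module only keeps a fixed number of timestamps per address (the ip_pkt_list_tot module parameter, default 20 as far as I recall), and a --hitcount above that limit is refused when the rule is loaded, so confirm with iptables -L -n that all five tiers were actually installed or raise the parameter before the 100-hit tier will ever match.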

_______________________________________________
sipx-users mailing list
sipx-users@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users/
