Weren't we talking about fail2ban more in the context of invalid sip logins and not invalid vm logins?

On Oct 13, 2011 9:13 AM, "Tony Graziano" <tgrazi...@myitdepartment.net> wrote:
> Well said. Whether sipx has the functionality to auto block an ip for a
> specified period or not depends on getting that functionality internally.
>
> "If" the ip addresses are logged into a file, a remote firewall can
> potentially harvest them, and when/if sipx has these functionalities, it
> could also. It would be nice to have an alarm (that an admin can alter), but
> also have a log file(s) with the current banned IP addresses and an archive
> of the log file with the IP address and the failed attempts that are
> date/timestamped, probably comma delimited or xml so these can be parsed,
> reported and harvested for other security uses internally.
>
> It would also be nice to be able to specify these file locations on a
> remote server.
>
> On Thu, Oct 13, 2011 at 8:58 AM, Gerald Drouillard <
> gerryl...@drouillard.ca> wrote:
>
>> On 10/13/2011 8:22 AM, barisyanar wrote:
>>
>> I have already defined an alarm for the VM login attempts with the
>> existing attempt limitation(3) in a session.
>> We may lock the account as in the issue description or block the IP
>> manually, but maybe after a second attempt, i.e. assuming superadmin is
>> notified with the first.
>>
>> But I am not sure about the idea of a "fail2ban integration(?)" in the
>> concept of this issue. Are we talking here about shipping sipx with fail2ban
>> and editing its configuration files after these failed attempts in VM?
>> Shouldn't this be implemented under a more general issue that aims at
>> preventing call fraud etc.?
>>
>> There are a few things to consider in finding a solution that works for
>> you:
>>
>> - Attacks can attempt logins on many accounts - locking that account
>>   would lock out legitimate users
>> - You may have more than one user coming from the same IP address
>>   (branch office behind a firewall).
>>
>> The best solution is locking the account and IP address combo from the
>> failed login attempt for a period of time. But that can only be done from
>> within sipx and sipx does not have that functionality yet.
>>
>> Fail2ban, with modifications to the logging level of sipx can lock out the
>> IP address and send an admin email if you want. You can whitelist IPs if
>> they are a branch office behind a firewall. The only thing that would make
>> this more efficient is if sipx naturally logged auth/security info into a
>> separate log file.
>>
>> This is nothing new in the world of server security. You just have to look
>> at the many techniques used with locking down ssh servers for proven
>> solutions.
>>
>> --
>> Regards
>> --------------------------------------
>> Gerald Drouillard
>> Technology Architect
>> Drouillard & Associates, Inc.
>> http://www.Drouillard.biz
>>
>> _______________________________________________
>> sipx-users mailing list
>> sipx-users@list.sipfoundry.org
>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>
> --
> ======================
> Tony Graziano, Manager
> Telephone: 434.984.8430
> sip: tgrazi...@voice.myitdepartment.net
> Fax: 434.465.6833
>
> Email: tgrazi...@myitdepartment.net
>
> LAN/Telephony/Security and Control Systems Helpdesk:
> Telephone: 434.984.8426
> sip: helpd...@voice.myitdepartment.net
>
> Helpdesk Contract Customers:
> http://support.myitdepartment.net
>
> Blog:
> http://blog.myitdepartment.net
>
> Linked-In Profile: http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
>
> Ask about our Internet Fax services!
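Added example, not part of the original thread and not sipx or fail2ban code: a sketch of the lockout discussed above, banning the account and IP address combination for a period of time, honouring a whitelist, and emitting the timestamped, comma-delimited ban record asked for. The log line format, thresholds and addresses are assumptions constructed for illustration; the thread notes that sipx does not write a dedicated auth log.

```python
import csv, io, re
from datetime import datetime, timedelta

# Assumed (hypothetical) auth-log format; sipx has no such dedicated log.
LINE = re.compile(r'^(\S+) AUTH_FAIL user=(\S+) ip=(\S+)$')
MAX_FAILS, WINDOW, BAN_TIME = 3, timedelta(minutes=10), timedelta(minutes=30)
WHITELIST = {"198.51.100.7"}  # constructed: branch office behind a firewall

# Constructed sample input, not real sipx output.
SAMPLE_LOG = """\
2011-10-13T08:00:01 AUTH_FAIL user=201 ip=203.0.113.9
2011-10-13T08:00:05 AUTH_FAIL user=202 ip=203.0.113.9
2011-10-13T08:00:09 AUTH_FAIL user=201 ip=203.0.113.9
2011-10-13T08:00:12 AUTH_FAIL user=201 ip=203.0.113.9
2011-10-13T08:01:00 AUTH_FAIL user=201 ip=198.51.100.7
2011-10-13T08:01:02 AUTH_FAIL user=201 ip=198.51.100.7
2011-10-13T08:01:04 AUTH_FAIL user=201 ip=198.51.100.7
2011-10-13T08:20:00 AUTH_FAIL user=203 ip=192.0.2.44
"""

def find_bans(log_text):
    """Return [(banned_at, user, ip, fail_count, ban_expires)] per (user, ip) pair."""
    recent, banned_until, bans = {}, {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, user, ip = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        key = (user, ip)  # lock the combination, not the account or the IP alone
        if ip in WHITELIST or banned_until.get(key, ts) > ts:
            continue  # whitelisted source, or this combo is already locked out
        hits = [t for t in recent.get(key, []) if ts - t <= WINDOW] + [ts]
        recent[key] = hits
        if len(hits) >= MAX_FAILS:
            banned_until[key] = ts + BAN_TIME
            bans.append((ts, user, ip, len(hits), ts + BAN_TIME))
    return bans

def bans_as_csv(bans):
    """Render bans as a date/timestamped, comma-delimited record."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["banned_at", "user", "ip", "failed_attempts", "ban_expires"])
    for at, user, ip, n, until in bans:
        w.writerow([at.isoformat(), user, ip, n, until.isoformat()])
    return out.getvalue()

if __name__ == "__main__":
    print(bans_as_csv(find_bans(SAMPLE_LOG)), end="")
```

Because the key is the (user, ip) pair, user 201 can still log in from another address while the ban is active, and the single failure against user 202 from the same source does not count toward the ban on 201.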