fail2ban ??

Corey Edwards tensai at zmonkey.org
Fri Apr 12 09:27:02 MDT 2013


On 04/12/2013 12:34 AM, S. Dale Morrey wrote:
> Hello pluggers,
> 
> Still working through issues with a system I'm building and was
> wondering if anyone has had experience with fail2ban.  Specifically I would
> like to rate limit failed SIP login attempts, but not necessarily ban
> them.  It seems like a lot of PBX in a box type solutions use fail2ban,
> with no really clear explanation of how or why it's being used.
> 
> Can anyone elaborate on this and whether or not this tool is the correct
> choice if all I want to do is rate limit failed attempts on SIP?  Also does
> this need iptables to function, or can it work standalone?

The Internet is a dangerous place to put a SIP server. There are a lot
of miscreants out there looking to commit fraud with you as the victim.
Here's an example of the most recent attempt from my logs:

    INVITE sip:9810972595589866 at x.x.x.114
    From: sip:10 at x.x.x.114
    To: sip:9810972595589866 at x.x.x.114
    IP: 137.117.68.91
    Call-ID: be030c5ab857186708d888f973da423a

If you are accepting SIP connections from the Internet, I would strongly
advise you to install a SIP proxy in front of your PBX. My personal
recommendation would be Kamailio[1] with the Pike module[2]. Kamailio is
so amazingly efficient at handling these attacks.

I also suggest a naive, but effective, iptables rule to block the most
common SIP scanner out there.

    iptables -A INPUT -p udp --dport 5060 -m string --algo bm --string 'friendly-scanner' -j DROP

Corey

1. http://www.kamailio.org/w/
2. http://www.kamailio.org/docs/modules/4.1.x/modules/pike.html
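
Added example, not part of the original message and not taken from the Kamailio project: a kamailio.cfg fragment showing how the Pike module recommended above throttles requests per source IP without keeping a permanent ban list. The threshold values and the log text are assumptions to tune per deployment, and the fragment assumes pv.so and xlog.so are already loaded by the existing configuration.

```cfg
# Fragment to merge into an existing kamailio.cfg (added illustration).
# Assumption: pv.so and xlog.so are loaded elsewhere in the config.

loadmodule "pike.so"

# Pike counts requests per source IP inside each sampling window.
# The three values below are illustrative, not recommendations.
modparam("pike", "sampling_time_unit", 2)      # window length, in seconds
modparam("pike", "reqs_density_per_unit", 30)  # requests allowed per window
# How long an idle IP is remembered, in seconds. This is not a ban
# duration: a source is let through again as soon as one window
# passes in which it stays under the threshold.
modparam("pike", "remove_latency", 120)

request_route {
    # pike_check_req() returns false while the source IP is above
    # the threshold. Dropping without a reply gives the sender
    # nothing to measure and keeps the load off the PBX behind.
    if (!pike_check_req()) {
        xlog("L_ALERT", "pike: dropping $rm from $fu (IP:$si:$sp)\n");
        exit;
    }

    # Requests under the threshold continue to the normal routing
    # logic (authentication, relay to the PBX) from here.
}
```

Because Pike counts every request from a source, not only failed logins, the threshold has to leave room for legitimate REGISTER and OPTIONS traffic from phones behind a shared NAT address.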

