tensai at zmonkey.org
Fri Apr 12 09:27:02 MDT 2013
On 04/12/2013 12:34 AM, S. Dale Morrey wrote:
> Hello pluggers,
> Still working through issues with a system I'm building and was
> wondering if anyone has had experience with fail2ban. Specifically I would
> like to rate limit failed SIP login attempts, but not necessarily ban
> them. It seems like a lot of PBX-in-a-box type solutions use fail2ban,
> with no really clear explanation of how or why it's being used.
> Can anyone elaborate on this and whether or not this tool is the correct
> choice if all I want to do is rate limit failed attempts on SIP? Also, does
> this need iptables to function, or can it work standalone?
The Internet is a dangerous place to put a SIP server. There are a lot
of miscreants out there looking to commit fraud with you as the victim.
Here's an example of the most recent attempt from my logs:
INVITE sip:9810972595589866 at x.x.x.114
From: sip:10 at x.x.x.114
To: sip:9810972595589866 at x.x.x.114
If you are accepting SIP connections from the Internet, I would strongly
advise you to install a SIP proxy in front of your PBX. My personal
recommendation would be Kamailio with the Pike module. Kamailio is
so amazingly efficient at handling these attacks.
I also suggest a naive, but effective, iptables rule to block the most
common SIP scanner out there.
iptables -A INPUT -p udp --dport 5060 -m string --algo bm --string 'friendly-scanner' -j DROP
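Added example (not part of either poster's message): the original question asked for rate limiting of failed SIP logins rather than outright banning, which is the sort of logic a fail2ban filter plus a custom action would implement. The script below parses constructed log lines modelled on Asterisk chan_sip "Registration ... failed" NOTICE messages (the exact wording is an assumption and varies by Asterisk version) and applies a per-source-IP sliding window: up to `max_failures` failures per `window_seconds` are allowed, further ones in the window are flagged "drop", and the counter clears on its own once the window passes. The IP addresses and threshold values are invented for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, modelled on Asterisk chan_sip NOTICE lines (assumption:
# the exact format depends on the Asterisk version). 203.0.113.5 fails seven times
# in a few seconds, then once more two minutes later; 198.51.100.7 fails twice.
SAMPLE_LOG = """\
[2013-04-12 09:27:02] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@x.x.x.114>' failed for '203.0.113.5:5060' - Wrong password
[2013-04-12 09:27:03] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@x.x.x.114>' failed for '203.0.113.5:5060' - No matching peer found
[2013-04-12 09:27:04] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@x.x.x.114>' failed for '203.0.113.5:5060' - Wrong password
[2013-04-12 09:27:05] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@x.x.x.114>' failed for '198.51.100.7:5060' - Wrong password
[2013-04-12 09:27:05] VERBOSE[1234] chan_sip.c: Really destroying SIP dialog '1234@203.0.113.5' Method: REGISTER
[2013-04-12 09:27:06] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@x.x.x.114>' failed for '203.0.113.5:5060' - Wrong password
[2013-04-12 09:27:07] NOTICE[1234] chan_sip.c: Registration from '"104" <sip:104@x.x.x.114>' failed for '203.0.113.5:5060' - Wrong password
[2013-04-12 09:27:08] NOTICE[1234] chan_sip.c: Registration from '"105" <sip:105@x.x.x.114>' failed for '203.0.113.5:5060' - Wrong password
[2013-04-12 09:27:09] NOTICE[1234] chan_sip.c: Registration from '"106" <sip:106@x.x.x.114>' failed for '203.0.113.5:5060' - Wrong password
[2013-04-12 09:27:40] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@x.x.x.114>' failed for '198.51.100.7:5060' - Wrong password
[2013-04-12 09:29:30] NOTICE[1234] chan_sip.c: Registration from '"107" <sip:107@x.x.x.114>' failed for '203.0.113.5:5060' - Wrong password
"""

# Only failed-registration NOTICE lines match; other chan_sip chatter is ignored.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '.*?' "
    r"failed for '(?P<ip>[0-9.]+):\d+' - (?P<reason>.+)$"
)


def parse_failures(log_text):
    """Yield (timestamp, source_ip, reason) for every failed-registration line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("ip"), m.group("reason")


class SipFailureLimiter:
    """Per-source sliding window: at most `max_failures` failures in any
    `window_seconds` span are allowed; the rest are flagged "drop". Nothing is
    banned permanently, so a source recovers as soon as its old failures age out."""

    def __init__(self, max_failures=5, window_seconds=60):
        self.max_failures = max_failures
        self.window = window_seconds
        self.events = defaultdict(deque)  # ip -> timestamps of recent failures

    def record(self, ts, ip):
        q = self.events[ip]
        # Expire failures that are at least one full window old.
        while q and (ts - q[0]).total_seconds() >= self.window:
            q.popleft()
        q.append(ts)
        return "drop" if len(q) > self.max_failures else "allow"


def evaluate(log_text, max_failures=5, window_seconds=60):
    """Run the limiter over a log; return {ip: [decision per failure, in order]}."""
    limiter = SipFailureLimiter(max_failures, window_seconds)
    decisions = defaultdict(list)
    for ts, ip, _reason in parse_failures(log_text):
        decisions[ip].append(limiter.record(ts, ip))
    return dict(decisions)


if __name__ == "__main__":
    for ip, verdicts in evaluate(SAMPLE_LOG).items():
        print(ip, " ".join(verdicts))
```

With the defaults, 203.0.113.5 gets five "allow" verdicts, then "drop" for its sixth and seventh failures, and "allow" again for the attempt two minutes later once the window has emptied; 198.51.100.7 never crosses the threshold. In a real deployment the "drop" verdict would feed a temporary firewall rule or a fail2ban action with a short bantime, rather than a permanent block.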