Re: Denial-of-Service attack on UDP-port 5060 (SIP/VoIP)

Dear friends, here again:

Sorry about the mistyping. The script name, correctly typed, is

 FAIL2BAN.

It's so easy to configure and use, just a few steps to put it to work.

You need to define a rule to detect fails in the log file (i.e. choose which
log to inspect: asterisk.log, or syslog, or messages, and so on) by looking
for some regular expressions inside them (like "wrong password", and so on)
and to define an action to take when an attack was detected (i.e. add an
iptables rule) and voilà!, that is it!! That's all!!! You will find examples
there with the script.

Take a look here:
http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk
This may guide you quickly to set it up on Asterisk.


This script will work fine with other services too: vsftp, httpd, SSH, or
any user log that you have got. You can define how many fails will be
assumed to be an attack and how much time to leave EACH host banned. It can
also send a mail to any address using the MTA to NOTIFY EVENTS, including
start and stop of the defense. This is so helpful to alarm on rebooting,
power failures, ...


Believe me, you will find this script so helpful.
I really hope that this may help you too.

Join together  to keep bad people banned!!!!    :-)

Think about this:
This schema keeps watch to detect intruders and lets you neutralize them
quickly, and there is no need to dive into the nature of the networks,
because for the thieves it's easier to steal from people that don't have any
"alarm" than to fight against guys that were alerted and armed!!! And they
will just leave us alone when they have seen that they were discovered.


Good luck, .... and ....... "May the force be with you!" ....... or better
....... with "us".

marcos
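A fail2ban-style scanner for Asterisk registration failures, written here as an added example (it is not code from the original post nor from fail2ban itself). The log lines, the failregex, the host addresses and the maxretry/findtime thresholds are all constructed for illustration; the ban action is returned as the iptables command string rather than executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Asterisk chan_sip log lines (not real logs): two hosts failing
# registration, one of them hammering the server within a few seconds.
SAMPLE_LOG = """\
[Nov 28 18:31:01] NOTICE[1234] chan_sip.c: Registration from '"100"<sip:100@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Nov 28 18:31:02] NOTICE[1234] chan_sip.c: Registration from '"101"<sip:101@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Nov 28 18:31:02] NOTICE[1234] chan_sip.c: Registration from '"102"<sip:102@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Nov 28 18:31:03] NOTICE[1234] chan_sip.c: Registration from '"200"<sip:200@203.0.113.10>' failed for '192.0.2.44' - Wrong password
[Nov 28 18:31:05] NOTICE[1234] chan_sip.c: Registration from '"103"<sip:103@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
[Nov 28 18:40:00] NOTICE[1234] chan_sip.c: Registration from '"201"<sip:201@203.0.113.10>' failed for '192.0.2.44' - Wrong password
"""

# Equivalent of a fail2ban "failregex": capture the timestamp and the
# offending host for the failure reasons we care about.
FAILREGEX = re.compile(
    r"^\[(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d)\] NOTICE.* failed for "
    r"'(?P<host>[\d.]+)' - (Wrong password|No matching peer found)"
)


def scan(log_text, maxretry=3, findtime=60, year=2010):
    """Return {host: ban_command} for every host that reaches maxretry
    failures inside a sliding window of findtime seconds (the fail2ban
    "maxretry"/"findtime" idea). Asterisk lines carry no year, so it is a
    parameter."""
    hits = defaultdict(deque)   # host -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        host = m["host"]
        if host in bans:        # already banned, nothing more to do
            continue
        window = hits[host]
        window.append(ts)
        # Drop failures older than findtime relative to the newest one.
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            # fail2ban would run its "actionban" here; we only build it.
            bans[host] = f"iptables -I INPUT -s {host} -j DROP"
    return bans
```

With the defaults only 198.51.100.7 is banned: 192.0.2.44 fails twice, but nine minutes apart, so its window never holds more than one entry.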





----- Original Message -----
From: "Secure-SIP-Server" <info@xxxxxxxxxxxxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxx>
Sent: Sunday, November 28, 2010 6:31 PM
Subject: Re: Denial-of-Service attack on UDP-port 5060 (SIP/VoIP)


> @ Pascal Hambourg
>
> > > I'm suffering from a Denial-of-Service attack on my SIP (VoIP) UDP port
> > > 5060,
> > > getting more than 70 REGISTER requests per second since yesterday. All
> > > coming from the Japanese IP 59.146.75.111:5088.
> > [...]
> > > How can these requests (UDP) be from an ESTABLISHED connection??? They
> > > passed
> > > the firewall in the first two examples and therefore they must be
> > > ESTABLISHED!?!
> >
> > UDP being connectionless by nature, the notion of "UDP connection" is
> > rather loose. Therefore a continuous flow of packets with the same ports
> > and addresses can be considered as one single connection even if they are
> > actually unrelated requests.
>
> Yes, looks like it. I discovered that this only happens if I add the FW rule
> later than the first connection of the attacker to my SIP server happened.
> When I install the rule to DROP these requests behind
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> I must reboot the server before it works. If I don't want to reboot I must
> put the DROP rule before this rule.
>
> > > Is there a way to tell iptables to lock only a specific IP:PORT for a
> > > while
> > > if this IP transmits more than 50 requests per second? If so, how?
> >
> > Check the "recent" match. Be sure you read carefully the man page about
> > its default limits.
>
> Thanks for this!!! But ...
> The author of "recent" writes:
> "If the '--update' rule is before this check for ! NEW,INVALID packets then
> ESTABLISHED connection or those in the process of becoming ESTABLISHED could
> be disrupted by a malicious person who can modify his/her source address."
> So in his opinion my
> iptables -A INPUT -p udp --dport 5060 -m recent --update --seconds
> 1 --hitcount 20 -j DROP
> must come behind
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> and this leads me to the problem from above. This ACCEPT rule lets all
> packets pass, because the first 19 packets in the first second are accepted
> and therefore the FW considers the continuous flow of packets with the same
> port and address as a single connection - and lets them pass here.
>
> Is there a way to tell the FW that this continuous flow of packets is not
> to be considered an ESTABLISHED connection?
>
>
> ----------
> @marcos
>
> > I had the same trouble in the past, and beyond the rules for your FW
> > itself there is "another consideration" to keep in mind: all people that
> > are trying to steal VoIP deploy their "brute force attack" first trying
> > with few packets, then, if they were not blocked, the real attacks begin
> > later, because it doesn't make any sense to keep attacking a blocked
> > server; they are bad, not dummies. So the speed with which you block these
> > tries is so critical and will define to your intruder how effective the
> > defense that you have is.
> >
> > So it will be so helpful to install some script that inspects your logs to
> > detect the intrusion attack; I have had very good results with FAIL2BABN,
> > [...]
>
> Thank you for this idea and your other considerations!!!
>
>
> Regards
>
> Detlef Pilzecker
> Weitlahnerstraße 8
> D - 83209 Prien am Chiemsee
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
