[VoiceOps] DID's + Asterisk Security
sil at infiltrated.net
Wed Aug 5 10:35:29 EDT 2009
Peter Beckman wrote:
> My initial attempt was using sshguard to block web scans:
> tail -n0 -F httpd.log | sed -n -E 's/^(.+?) .+ 404 .+$/\1 404
> access denied/p' | sshguard -a 100 -s 60 -p 1200
> But there are too many pipes involved. socat is my next attempt.
I made a butchery for my own servers. It needs a little tweaking, as *
systems differ. Be advised, thresholds are different, so if you're in a
provider (mini Vonage) environment and don't modify this, you will
find your customer support department answering calls on valid
connections which were blocked.
I thought about rewriting it using a DB, but because of DHCP and clients'
mobility it would be a tough call. An optimal way to do something like
this would be:
if [ "$X" -ge 100 ] && [ "$W" -ge 30 ] && [ "$Y" -le 60 ]; then
where, if someone attempts to connect, say, 100 times from 30 different
accounts in under 60 seconds, block 'em.
I thought about this and how I can streamline it, but if you're in the
managed PBX environment, a hosted customer can have multiple
registrations, especially if, say, their connection flaked. Imagine a
hosted customer going down, coming back up and getting caught in the
error logs. The script, if done incorrectly, would auto-block them. If
they're in a different timezone where no one can flush out the rules,
they'd have to wait to get reconnected.
I shot off a message to Mark Spencer at Digium (he's the Mark referenced
in the document) about this and other stuff and we spoke briefly, but 1)
Mark is always busy, and 2) I was doing this of my own accord for my own
systems, so the incentive to make it an all-out project was beyond my scope.
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
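The threshold rule sketched in the message above (block a source once it has made at least 100 failed registrations against at least 30 distinct accounts inside 60 seconds), together with the hosted-customer caveat, as an added example. This is not the poster's script and not code from the thread; it assumes chan_sip "Registration from ... failed for ..." NOTICE lines of the kind Asterisk 1.4/1.6 writes to messages.log (the regex also accepts the ':port' suffix later releases append), and every log line, IP address and account name it runs on is constructed.

```python
"""Sliding-window SIP registration-flood detector for Asterisk logs.

Added example, not the poster's script.  The chan_sip log format is assumed
from Asterisk 1.4/1.6 messages.log; all sample lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# messages.log timestamps carry no year, so one is assumed for parsing.
ASSUMED_YEAR = 2009
EPOCH = datetime(ASSUMED_YEAR, 1, 1)

# Shape of a chan_sip registration failure (assumed; 1.8+ appends ':port').
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] "
    r"chan_sip\.c: Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.*)$"
)
ACCOUNT_RE = re.compile(r"sip:([^@>]+)@")

# Constructed sample line (not captured traffic).
SAMPLE_LINE = ("[Aug  5 10:35:29] NOTICE[2881] chan_sip.c: Registration from "
               "'\"100\" <sip:100@198.51.100.7>' failed for '203.0.113.5' "
               "- No matching peer found")


def parse_line(line):
    """Return (seconds_since_epoch, source_ip, account) for a failure, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    acct = ACCOUNT_RE.search(m["from"])
    account = acct.group(1) if acct else m["from"]
    return (ts - EPOCH).total_seconds(), m["ip"], account


class RegistrationFloodDetector:
    """Block an IP once it makes >= max_attempts failed registrations against
    >= min_accounts distinct accounts within `window` seconds.

    The distinct-account condition is what keeps one hosted customer whose
    connection is flapping (many failures, a single account) off the block list.
    """

    def __init__(self, max_attempts=100, min_accounts=30, window=60):
        self.max_attempts = max_attempts
        self.min_accounts = min_accounts
        self.window = window
        self.events = defaultdict(deque)   # ip -> deque of (seconds, account)
        self.blocked = set()

    def feed(self, line):
        """Consume one log line; return the IP if this line trips the rule."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        t, ip, account = parsed
        q = self.events[ip]
        q.append((t, account))
        while q and t - q[0][0] > self.window:   # expire events outside the window
            q.popleft()
        distinct = {a for _, a in q}
        if len(q) >= self.max_attempts and len(distinct) >= self.min_accounts:
            # A real deployment would hand `ip` to iptables/sshguard here.
            self.blocked.add(ip)
            return ip
        return None


def constructed_failures(ip, accounts, count, start, span):
    """Build `count` failure lines from `ip`, spread evenly over `span` seconds
    starting at second-of-day `start`, cycling through `accounts`.  Constructed."""
    lines = []
    for i in range(count):
        sec = start + (i * span) // count
        acct = accounts[i % len(accounts)]
        stamp = f"{sec // 3600:02d}:{sec % 3600 // 60:02d}:{sec % 60:02d}"
        lines.append(
            f"[Aug  5 {stamp}] NOTICE[2881] chan_sip.c: Registration from "
            f"'\"{acct}\" <sip:{acct}@198.51.100.7>' failed for '{ip}' "
            f"- No matching peer found"
        )
    return lines


def run_scenario():
    """Scanner: 120 failures across 40 accounts in 50 s -> blocked.
    Flapping customer: 150 failures against one account in 50 s -> left alone."""
    start = 10 * 3600 + 35 * 60                      # 10:35:00
    scanner = constructed_failures(
        "203.0.113.5", [str(1000 + n) for n in range(40)], 120, start, 50)
    customer = constructed_failures("192.0.2.10", ["2001"], 150, start, 50)
    det = RegistrationFloodDetector()
    for line in sorted(scanner + customer):          # interleave by timestamp
        det.feed(line)
    return det.blocked


if __name__ == "__main__":
    print("blocked:", sorted(run_scenario()))
```

The window is kept per source IP rather than per account, which is the cheap way to tell a scanner enumerating extensions from one customer PBX that is retrying its own credentials; in a provider environment the thresholds and an allow-list of known customer networks still need tuning before anything is fed to iptables.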