[VoiceOps] DID's + Asterisk Security

J. Oquendo sil at infiltrated.net
Wed Aug 5 10:35:29 EDT 2009


Peter Beckman wrote:
>  My initial attempt was using sshguard to block web scans:
>
>     tail -n0 -F httpd.log | sed -n -E 's/^(.+?) .+ 404 .+$/\1 404 access denied/p' | sshguard -a 100 -s 60 -p 1200
>
>  But there are too many pipes involved.  socat is my next attempt.
>

I made a butchery for my own servers. Needs a little tweaking as *
systems differ. Be advised, thresholds are different so if you're in a
provider (mini Vonage) environment, if you don't modify this, you will
find your customer support department answering calls on valid
connections which were blocked.

http://www.infiltrated.net/asterisk-ips.html

I thought about re-writing it using a db, but because of DHCP and clients'
mobility, it would be a tough call. An optimal way to do something like
this would be:

W=Account_Name                      # number of different accounts tried
X=Amount_of_Connection_Attempts
Y=Time                              # seconds
Z=Block

if [ "$X" -ge 100 ] && [ "$W" -ge 30 ] && [ "$Y" -lt 60 ]
then
    iptables something
fi

Where, if someone attempts to connect say 100 times from 30 different
accounts in under 60 seconds, block 'em.

I thought about this and how I can streamline it, but if you're in the
managed PBX environment, a hosted customer can have multiple
registrations especially if say their connection flaked. Imagine a
hosted customer going down, coming back up and getting caught in the
error logs. The script if done incorrectly would auto-block them. If
they're in a different timezone where no one can flush out the rules,
they'd have to wait to get reconnected.

I shot off a message to Mark Spencer at Digium (he's the Mark referenced
in the document) about this and other stuff and we spoke briefly, but 1)
Mark is always busy, I was doing this on my own accord for my own
systems, so the incentive to make it an all out project was beyond my scope.

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
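
The threshold rule sketched in the message (100 attempts from 30 different accounts in under 60 seconds), as an added example that is not part of the original post or of the linked asterisk-ips script. The log line shape, the `%Y-%m-%d %H:%M:%S` timestamp, the function names and the sample addresses are assumptions constructed for illustration; the code returns the offending sources and leaves the firewall rule itself open, as the message does.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the message, named after its variables.
X_ATTEMPTS = 100                     # connection attempts
W_ACCOUNTS = 30                      # different accounts tried
Y_WINDOW = timedelta(seconds=60)     # "in under 60 seconds"

# Assumed line shape (constructed): a failed-registration notice that
# carries a timestamp, the account and the source address.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*Registration from '(?P<acct>[^']*)' "
    r"failed for '(?P<ip>[^':]+)")

def parse(line):
    """Return (timestamp, account, source_ip), or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("acct"), m.group("ip")

def offenders(lines):
    """Sources that reach both thresholds inside one sliding window."""
    recent = defaultdict(deque)      # ip -> (timestamp, account) entries
    flagged = []
    for rec in filter(None, map(parse, lines)):
        ts, acct, ip = rec
        win = recent[ip]
        win.append((ts, acct))
        while ts - win[0][0] >= Y_WINDOW:    # drop entries 60 s old or more
            win.popleft()
        if (ip not in flagged and len(win) >= X_ATTEMPTS
                and len({a for _, a in win}) >= W_ACCOUNTS):
            flagged.append(ip)
    return flagged

def sample(ip, accounts, count, step, start=datetime(2009, 8, 5, 10, 0, 0)):
    """Constructed log lines: `count` failures from ip, cycling accounts."""
    return ["[%s] NOTICE[1] chan_sip.c: Registration from '<sip:%d@pbx.example>'"
            " failed for '%s' - Wrong password"
            % ((start + timedelta(seconds=i * step)).strftime("%Y-%m-%d %H:%M:%S"),
               1000 + i % accounts, ip)
            for i in range(count)]

SAMPLE_LOG = (sample("198.51.100.7", 40, 120, 0.4)    # fast scan, 40 accounts
              + sample("203.0.113.20", 1, 150, 0.2)   # flapping customer, 1 account
              + sample("192.0.2.9", 40, 120, 2))      # same scan over 4 minutes
```

Only the first source in `SAMPLE_LOG` is returned by `offenders`: the hosted customer that re-registers 150 times on a single account never meets the account threshold, which is the false positive the message is concerned about.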


