[VoiceOps] DID's + Asterisk Security

J. Oquendo sil at infiltrated.net
Wed Aug 5 10:35:29 EDT 2009

Peter Beckman wrote:
>  My initial attempt was using sshguard to block web scans:
>     tail -n0 -F httpd.log | sed -n -E 's/^([^ ]+) .* 404 .*$/\1 404 access denied/p' | sshguard -a 100 -s 60 -p 1200
>  But there are too many pipes involved.  socat is my next attempt.

I made a butchery for my own servers. Needs a little tweaking as *
systems differ. Be advised, thresholds differ, so if you're in a
provider (mini Vonage) environment and you don't modify this, you will
find your customer support department answering calls on valid
connections which were blocked.


I thought about re-writing it using a db, but because of DHCP and clients'
mobility, it would be a tough call. An optimal way to do something like
this would be:


if [ "$X" -ge 100 ] && [ "$W" -ge 30 ] && [ "$Y" -le 60 ]; then
    iptables something   # block the source address
fi

Where, if someone attempts to connect, say, 100 times from 30 different
accounts in under 60 seconds, block 'em.

I thought about this and how I can streamline it, but if you're in the
managed PBX environment, a hosted customer can have multiple
registrations especially if say their connection flaked. Imagine a
hosted customer going down, coming back up and getting caught in the
error logs. The script if done incorrectly would auto-block them. If
they're in a different timezone where no one can flush out the rules,
they'd have to wait to get reconnected.

I shot off a message to Mark Spencer at Digium (he's the Mark referenced
in the document) about this and other stuff and we spoke briefly, but 1)
Mark is always busy, and 2) I was doing this of my own accord for my own
systems, so the incentive to make it an all-out project was beyond my scope.


J. Oquendo

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
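As an added example (not code from this thread, from Asterisk or from Digium), here is a sliding-window version of the X/W/Y rule above: it parses Asterisk chan_sip failed-registration lines (log format assumed from typical 1.x logs), counts attempts and distinct accounts per source IP inside the window, skips an allowlist so a hosted customer's flapping phone is not auto-blocked, and renders the iptables rules for review rather than applying them. The sample log lines and addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the post: X attempts from W distinct accounts within Y seconds.
MAX_ATTEMPTS, MIN_ACCOUNTS, WINDOW_SECONDS = 100, 30, 60
# Asterisk 1.x chan_sip failed-registration line (format assumed from typical logs).
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
                     r"'(?P<acct>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - .*$")

def parse_line(line):
    """Return (timestamp, source_ip, account) or None for non-failure lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # Asterisk logs carry no year
    return ts, m.group("ip"), m.group("acct")

def find_offenders(lines, allowlist=(), max_attempts=MAX_ATTEMPTS,
                   min_accounts=MIN_ACCOUNTS, window=WINDOW_SECONDS):
    """Sliding-window count per source IP -> {ip: (attempts, distinct_accounts)} for IPs
    tripping BOTH thresholds; one customer's phone retrying one account is never blocked."""
    recent, offenders = defaultdict(deque), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] in allowlist:  # allowlist: trunks, known customers
            continue
        ts, ip, acct = parsed
        q = recent[ip]
        q.append((ts, acct))
        while (ts - q[0][0]).total_seconds() > window:  # drop events older than the window
            q.popleft()
        accounts = {a for _, a in q}
        if len(q) >= max_attempts and len(accounts) >= min_accounts:
            offenders[ip] = (len(q), len(accounts))
    return offenders

def iptables_rules(offenders):
    """Render the block rules for operator review instead of executing them blindly."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP" for ip in sorted(offenders)]

def _fail(ts, ip, acct):  # builds one constructed log line in the format above
    return (f"[{ts:%b %d %H:%M:%S}] NOTICE[1234] chan_sip.c: Registration from "
            f"'\"{acct}\" <sip:{acct}@203.0.113.1>' failed for '{ip}:5060' - Wrong password")
# Constructed sample: a scanner cycling 40 accounts (120 tries in 48 s), a customer's phone
# retrying one account 10 times, and an allowlisted trunk that looks exactly like the scanner.
_T0 = datetime(2009, 8, 5, 10, 0, 0)
SAMPLE_LINES = (
    [_fail(_T0 + timedelta(seconds=i * 0.4), "203.0.113.5", str(1000 + i % 40)) for i in range(120)]
    + [_fail(_T0 + timedelta(seconds=i), "198.51.100.7", "2001") for i in range(10)]
    + [_fail(_T0 + timedelta(seconds=i * 0.4), "192.0.2.9", str(3000 + i % 40)) for i in range(120)]
)
```

Feed it `tail -F` output of the Asterisk log and lower the thresholds on a lab box to see the allowlist make the difference between the scanner and the customer.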
