[VoiceOps] VoIP Abuse Project

J. Oquendo sil at infiltrated.net
Mon Sep 20 12:14:49 EDT 2010

Leandro Dardini wrote:

> > Hello,
> > I find a blacklist too heavy to manage and unable to catch the fast
> > emerging bruteforcers. As a freelancer I suggest to my clients (all on
> > Linux with Asterisk) the install of the fail2ban software.
> >
> > The way the fail2ban software works is really simple: it reads the
> > messages generated by the application and if one user tries to
> > authenticate with wrong credentials more than X times in the unit of
> > time, then it triggers an insert into iptables to not get more packets
> > from him for a long time (adjustable).
> >
> > Leandro

Understood on fail2ban; however, I can use fail2ban against you and have
your own servers block their upstream. Fail2Ban "fails" when you're in a
managed PBX arena and your clients are connecting from all over the
place. When you have thousands of customers and some are connecting from
all over the place, fiddling with softphones, settings in Snom, Polycom,
etc., you will quickly learn that Fail2Ban outright fails.

While a blacklist CAN be cumbersome, this isn't like spam where there
are millions of hosts attempting this per day. At maximum, I've seen
about 15-20 hosts attacking one PBX. It will take me about 20-30 minutes
to whip up a python or shell script to parse them out and upload them. I
already have my honeypot writing to DB, all I have to do is re-write to
gzip and send the full logs.

The hard part is writing an informative email someone will likely never
read (abuse departments). Last thing I want to hear is "you're not
playing fair" when their clients complain.

-- 
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT
"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
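The counting logic Leandro describes (X failures per source inside a time window, then an iptables insert), as an added Python example that is not part of either post and not fail2ban's own code. It adds the one guard the reply's concern calls for: an ignore list of trunk and upstream networks that are never banned, so a failure burst carrying a shared or spoofed source address cannot lock out the carrier. The log lines, the 198.51.100.0/24 ignore network, the threshold values and the function names are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines in the chan_sip NOTICE format (not captured traffic).
SAMPLE_LOG = """\
[Sep 20 12:00:01] NOTICE[2001] chan_sip.c: Registration from '"100" <sip:100@pbx>' failed for '203.0.113.5' - Wrong password
[Sep 20 12:00:03] NOTICE[2001] chan_sip.c: Registration from '"101" <sip:101@pbx>' failed for '203.0.113.5' - No matching peer found
[Sep 20 12:00:04] NOTICE[2001] chan_sip.c: Registration from '"102" <sip:102@pbx>' failed for '203.0.113.5' - No matching peer found
[Sep 20 12:00:05] NOTICE[2001] chan_sip.c: Registration from '"200" <sip:200@pbx>' failed for '198.51.100.9' - Wrong password
[Sep 20 12:00:06] NOTICE[2001] chan_sip.c: Registration from '"201" <sip:201@pbx>' failed for '198.51.100.9' - Wrong password
[Sep 20 12:00:07] NOTICE[2001] chan_sip.c: Registration from '"202" <sip:202@pbx>' failed for '198.51.100.9' - Wrong password
[Sep 20 12:30:00] NOTICE[2001] chan_sip.c: Registration from '"300" <sip:300@pbx>' failed for '192.0.2.77' - Wrong password
[Sep 20 12:30:01] NOTICE[2001] chan_sip.c: Registration from '"301" <sip:301@pbx>' failed for '192.0.2.77' - Wrong password
[Sep 20 12:45:00] NOTICE[2001] chan_sip.c: Registration from '"302" <sip:302@pbx>' failed for '192.0.2.77' - Wrong password
"""

FAIL_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>[0-9a-fA-F.:]+)'")

def failed_auth_sources(log_text, max_retry=3, find_time=600,
                        ignore=("198.51.100.0/24",), year=2010):
    """Sources with >= max_retry failures inside a find_time-second sliding window.
    Sources inside `ignore` (trunks, upstream, customer NAT gateways) are never
    returned, so a spoofed or shared address cannot be used to lock them out."""
    ignore_nets = [ip_network(n) for n in ignore]
    windows = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = set()
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip = ip_address(m.group("ip"))
        if any(ip in net for net in ignore_nets):
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > find_time:   # drop expired entries
            q.popleft()
        if len(q) >= max_retry:
            banned.add(str(ip))
    return banned

def ban_commands(ips):
    """iptables rules of the kind fail2ban inserts for each banned source."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]
```

With the defaults, 203.0.113.5 is banned, 198.51.100.9 is skipped because it sits in the ignore network, and 192.0.2.77 is not banned because its third failure falls outside the 600-second window.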
