From: /dev/rob0 <rob0@gmx.co.uk>
To: netfilter@vger.kernel.org
Subject: Re: iptables enough to handle brute force attacks?
Date: Tue, 5 Apr 2011 08:52:29 -0500 [thread overview]
Message-ID: <20110405135229.GA32551@cardinal> (raw)
In-Reply-To: <pvplp6t1hsoea6n5sriuna0375k5s79pmm@4ax.com>
On Tue, Apr 05, 2011 at 12:02:38PM +0200, Gilles wrote:
> I need to connect an Asterisk server to the Net so that 1) remote
> users can register and 2) Internet users can ring any extension on
> the server.
>
> I'll use iptables to prevent hackers from trying to register.
>
> I was wondering what solution to use to block brute force attempts:
>
> - just rely on iptables since it offers a way, eg. "iptables -I INPUT
> -p udp --dport 5060 -m state --state NEW -m recent --update --seconds
> 600 --hitcount 2 -j DROP"
2 in 600 might be low for --hitcount, high for --seconds. NEW is just
wrong, because attacks will be ESTABLISHED. See also:
http://www.spinics.net/lists/netfilter/msg49598.html
http://www.spinics.net/lists/netfilter/msg49660.html
http://www.spinics.net/lists/netfilter/msg49676.html
My ruleset is working, at least to block the SIP attackers, but I
still don't know if a non-whitelisted Internet SIP user could ring
extensions. From discussion with a SIP expert, I think even my
--hitcount of 9 in 30 or 18 in 45 might still be too low.
But no more log floods, which is good, my main goal.
> - add Brute Force Detection (BFD), which is a shell script that is
> called by CRON (ie. every minute at most)
> www.rfxn.com/projects/brute-force-detection/
>
> - add SSHGuard, which is apparently a stand-alone binary program that
> doesn't rely on CRON
> www.sshguard.net
>
> This is on an embedded Linux, so there isn't enough RAM to run
> Python-based fail2ban.
On an embedded system, I would use a remote syslog server anyway. Let
your log parsing be done on a less-restricted machine, and have it
ssh in and sudo to do what needs to be done.
> If you have installed Asterisk and iptables, which solution did you
> end up using?
But as mentioned in one of the links above, I don't like log parsing
in general. Just experiment with the -m recent rules and try some
calls.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
next prev parent reply other threads:[~2011-04-05 13:52 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-04-05 10:02 iptables enough to handle brute force attacks? Gilles
2011-04-05 13:52 ` /dev/rob0 [this message]
2011-04-07 14:15 ` Gilles
2011-04-28 17:31 ` Alessandro Vesely
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110405135229.GA32551@cardinal \
--to=rob0@gmx.co.uk \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.