From: /dev/rob0 <rob0@gmx.co.uk>
To: netfilter@vger.kernel.org
Subject: Re: iptables enough to handle brute force attacks?
Date: Tue, 5 Apr 2011 08:52:29 -0500 [thread overview]
Message-ID: <20110405135229.GA32551@cardinal> (raw)
In-Reply-To: <pvplp6t1hsoea6n5sriuna0375k5s79pmm@4ax.com>
On Tue, Apr 05, 2011 at 12:02:38PM +0200, Gilles wrote:
> I need to connect an Asterisk server to the Net so that 1) remote
> users can register and 2) Internet users can ring any extension on
> the server.
>
> I'll use iptables to prevent hackers from trying to register.
>
> I was wondering what solution to use to block brute force attempts:
>
> - just rely on iptables since it offers a way, eg. "iptables -I INPUT
> -p udp --dport 5060 -m state --state NEW -m recent --update --seconds
> 600 --hitcount 2 -j DROP"
2 in 600 might be low for --hitcount, high for --seconds. NEW is just
wrong, because attacks will be ESTABLISHED. See also:
http://www.spinics.net/lists/netfilter/msg49598.html
http://www.spinics.net/lists/netfilter/msg49660.html
http://www.spinics.net/lists/netfilter/msg49676.html
My ruleset is working, at least to block the SIP attackers, but I
still don't know if a non-whitelisted Internet SIP user could ring
extensions. From discussion with a SIP expert, I think even my
--hitcount of 9 in 30 or 18 in 45 might still be too low.
But no more log floods, which is good, my main goal.
> - add Brute Force Detection (BFD), which is a shell script that is
> called by CRON (ie. every minute at most)
> www.rfxn.com/projects/brute-force-detection/
>
> - add SSHGuard, which is apparently a stand-alone binary program that
> doesn't rely on CRON
> www.sshguard.net
>
> This is on an embedded Linux, so there isn't enough RAM to run
> Python-based fail2ban.
On an embedded system, I would use a remote syslog server anyway. Let
your log parsing be done on a less-restricted machine, and have it
ssh in and sudo to do what needs to be done.
> If you have installed Asterisk and iptables, which solution did you
> end up using?
But as mentioned in one of the links above, I don't like log parsing
in general. Just experiment with the -m recent rules and try some
calls.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
next prev parent reply other threads:[~2011-04-05 13:52 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-04-05 10:02 iptables enough to handle brute force attacks? Gilles
2011-04-05 13:52 ` /dev/rob0 [this message]
2011-04-07 14:15 ` Gilles
2011-04-28 17:31 ` Alessandro Vesely
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110405135229.GA32551@cardinal \
--to=rob0@gmx.co.uk \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox