* iptables enough to handle brute force attacks?
From: Gilles @ 2011-04-05 10:02 UTC (permalink / raw)
To: netfilter
Hello
I need to connect an Asterisk server to the Net so that 1) remote
users can register and 2) Internet users can ring any extension on the
server.
I'll use iptables to prevent hackers from trying to register.
I was wondering what solution to use to block brute force attempts:
- just rely on iptables since it offers a way, e.g. "iptables -I INPUT -p udp --dport 5060 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j DROP"
- add Brute Force Detection (BFD), which is a shell script that is
called by CRON (i.e. every minute at most)
www.rfxn.com/projects/brute-force-detection/
- add SSHGuard, which is apparently a stand-alone binary program that
doesn't rely on CRON
www.sshguard.net
This is on an embedded Linux, so there isn't enough RAM to run
Python-based fail2ban.
If you have installed Asterisk and iptables, which solution did you
end up using?
Thank you.
* Re: iptables enough to handle brute force attacks?
From: /dev/rob0 @ 2011-04-05 13:52 UTC (permalink / raw)
To: netfilter
On Tue, Apr 05, 2011 at 12:02:38PM +0200, Gilles wrote:
> I need to connect an Asterisk server to the Net so that 1) remote
> users can register and 2) Internet users can ring any extension on
> the server.
>
> I'll use iptables to prevent hackers from trying to register.
>
> I was wondering what solution to use to block brute force attempts:
>
> - just rely on iptables since it offers a way, eg. "iptables -I INPUT
> -p udp --dport 5060 -m state --state NEW -m recent --update --seconds
> 600 --hitcount 2 -j DROP"
2 in 600 might be low for --hitcount, high for --seconds. NEW is just
wrong, because attacks will be ESTABLISHED. See also:
http://www.spinics.net/lists/netfilter/msg49598.html
http://www.spinics.net/lists/netfilter/msg49660.html
http://www.spinics.net/lists/netfilter/msg49676.html
My ruleset is working, at least to block the SIP attackers, but I
still don't know if a non-whitelisted Internet SIP user could ring
extensions. From discussion with a SIP expert, I think even my
--hitcount of 9 in 30 or 18 in 45 might still be too low.
But no more log floods, which is good, my main goal.
> - add Brute Force Detection (BFD), which is a shell script that is
> called by CRON (ie. every minute at most)
> www.rfxn.com/projects/brute-force-detection/
>
> - add SSHGuard, which is apparently a stand-alone binary program that
> doesn't rely on CRON
> www.sshguard.net
>
> This is on an embedded Linux, so there isn't enough RAM to run
> Python-based fail2ban.
On an embedded system, I would use a remote syslog server anyway. Let
your log parsing be done on a less-restricted machine, and have it
ssh in and sudo to do what needs to be done.
> If you have installed Asterisk and iptables, which solution did you
> end up using?
But as mentioned in one of the links above, I don't like log parsing
in general. Just experiment with the -m recent rules and try some
calls.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
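To make the objection to "2 in 600" concrete, here is an added example (it is not code from the netfilter list, from Asterisk or from the xt_recent module itself) that re-implements, in Python, the bookkeeping iptables' recent match does for --set and --update --seconds --hitcount, and runs the original poster's 2-in-600 rule and the 9-in-30 figure from this reply over constructed traffic: one legitimate phone re-REGISTERing every 60 seconds and one scanner sending 20 packets per second. Assumptions of the example: the two-rule order (--set first, then --update ... -j DROP), the 20-timestamp ring buffer per source address (the module's default ip_pkt_list_tot), the traffic pattern, and the documentation-range addresses; the --state NEW condition from the original rule is left out, for the reason given above.

```python
"""Simulate the xt_recent --set / --update --seconds --hitcount logic so the
two thresholds discussed in the thread can be compared on constructed traffic.
This is an added illustration, not code from the netfilter list or Asterisk;
the traffic pattern and the rule order are assumptions (see lead-in)."""
from collections import deque

IP_PKT_LIST_TOT = 20  # module default: timestamps remembered per source address


class RecentTable:
    """Per-source ring buffer of packet timestamps, as xt_recent keeps it."""

    def __init__(self):
        self.stamps = {}

    def set(self, src, now):
        """-m recent --set: record this packet's timestamp for src."""
        self.stamps.setdefault(src, deque(maxlen=IP_PKT_LIST_TOT)).append(now)

    def update(self, src, now, seconds, hitcount):
        """-m recent --update --seconds S --hitcount H.
        Matches when src is already known and at least H recorded packets
        fall within the last S seconds (a stamp on the window edge counts).
        On a match the current timestamp is appended, as the module does
        for --update; on a miss nothing is recorded."""
        entry = self.stamps.get(src)
        if entry is None:
            return False
        window_start = now - seconds
        hits = sum(1 for t in entry if t >= window_start)
        if hits >= hitcount:
            entry.append(now)
            return True
        return False


def run_chain(packets, seconds, hitcount):
    """Apply the two-rule idiom in this order (an assumption of this example):
         -m recent --set --name SIP
         -m recent --update --seconds S --hitcount H --name SIP -j DROP
    `packets` is a list of (timestamp, source_ip). Returns a dict of
    {source_ip: (accepted, dropped)}."""
    table = RecentTable()
    stats = {}
    for now, src in sorted(packets):
        table.set(src, now)
        dropped = table.update(src, now, seconds, hitcount)
        acc, drp = stats.get(src, (0, 0))
        stats[src] = (acc, drp + 1) if dropped else (acc + 1, drp)
    return stats


def constructed_traffic():
    """Constructed sample: one legitimate phone re-REGISTERing every 60 s for
    half an hour, and one scanner sending 100 packets at 20 per second."""
    phone = [(60.0 * i, "192.0.2.10") for i in range(31)]
    scanner = [(1000.0 + 0.05 * k, "198.51.100.7") for k in range(100)]
    return phone + scanner


def compare(seconds_a=600, hitcount_a=2, seconds_b=30, hitcount_b=9):
    """Run the poster's 2-in-600 and the reply's 9-in-30 over the same traffic."""
    traffic = constructed_traffic()
    return {
        "2_in_600": run_chain(traffic, seconds_a, hitcount_a),
        "9_in_30": run_chain(traffic, seconds_b, hitcount_b),
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(name)
        for src, (acc, drp) in stats.items():
            print(f"  {src}: accepted={acc} dropped={drp}")
```

Running it shows why the 600-second window is the problem rather than the hit count alone: with 2 in 600 the phone is dropped from its second REGISTER onward (1 accepted, 30 dropped) because every refresh lands inside the window and --update keeps refreshing the entry, whereas with 9 in 30 the phone is never touched (31 accepted) and the scanner is dropped from its 9th packet on (8 accepted, 92 dropped). The same simulation can be rerun with other --seconds/--hitcount pairs and a phone refresh interval matching the registration expiry actually configured on the Asterisk box before the rule goes live.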
* Re: iptables enough to handle brute force attacks?
From: Alessandro Vesely @ 2011-04-28 17:31 UTC (permalink / raw)
To: Gilles; +Cc: netfilter
Sorry for chiming in late...
On 05/Apr/11 12:02, Gilles wrote:
> I'll use iptables to prevent hackers from trying to register.
>
> [...]
>
> This is on an embedded Linux, so there isn't enough RAM to run
> Python-based fail2ban.
This package is similar, but doesn't use Python (it uses Berkeley DB,
though) https://savannah.nongnu.org/projects/ipqbdb/