Firewall Wizards mailing list archives
Re: SIP dictionary attacks
From: Joe Nall <joe () nall com>
Date: Fri, 3 Apr 2009 18:48:48 -0500
On Apr 2, 2009, at 2:08 PM, Lord Sporkton wrote:
I'm using OpenBSD as my firewall, in which there is a connection/time feature. I can set it to block any IP that makes X connections within X time. For instance, if someone connects to my SSH port more than 3 times in 30 seconds, they get blocked. Since you're on SIP, you could do, say, anyone connecting more than 5 times in 5 minutes gets blocked. SIP usually doesn't have that many connections; it just connects and then it's up, sort of thing. I believe there is a version of this in iptables, but I've never seen it in a hardware firewall.
fail2ban can do this with iptables

joe
That is at least how I solved the problem you face.

2009/4/1 Paul D. Robertson <paul () compuwar net>:

Well, besides losing my voice which has given me a little time to catch up on things, one of my problems last week was a successful dictionary attack against a SIP extension with an eight digit password.

Obviously, I've changed the passwords and lengths, but I did want to make sure folks knew that there were active attacks out there, and they're obviously scanning for systems randomly, since the system in question was only recently moved to a new IP address space. The initial scans came from a box in China (surprise!)

Anyway, all I've found for blocking outside of static IP address ranges is a bunch of check the logs and react stuff for Linux. I'm starting to think IPS might actually have a use- time to Google for snort inline stuff I suppose.

Attackers made about calls out to people telling them they owed money. Calls were initiated from Europe, Asia and the US. Likely from compromised hosts.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
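The threshold rule discussed in this thread (a source making more than 5 attempts in 5 minutes gets blocked), written out as an added example that is not part of any poster's message or of fail2ban itself. The log line layout, the regex and the name `find_offenders` are assumptions made for this sketch, and the sample log is constructed; the actual block step (a pf table entry or an iptables rule) is left to the firewall.

```python
# Added example: sliding-window count of failed SIP registrations per source IP.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5                    # "more than 5 times ..."
WINDOW = timedelta(minutes=5)       # "... in 5 minutes"

# Hypothetical log line layout (constructed, not a real PBX log format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) REGISTER failed "
    r"ext=(?P<ext>\d+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

def find_offenders(lines, max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Return {src_ip: time at which the threshold was first exceeded}."""
    recent = defaultdict(deque)     # src_ip -> failure timestamps inside the window
    blocked = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                # successful registrations and noise are ignored
        src = m["src"]
        if src in blocked:
            continue                # already flagged, nothing more to count
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # drop attempts that fell out of the window
            q.popleft()
        if len(q) > max_attempts:
            blocked[src] = ts
    return blocked

# Constructed sample: one source guessing every 20 s, one user who mistyped twice.
SAMPLE_LOG = [
    f"2009-04-01 03:{mm:02d}:{ss:02d} REGISTER failed ext=1001 src=203.0.113.7"
    for mm, ss in [(12, 0), (12, 20), (12, 40), (13, 0), (13, 20), (13, 40), (14, 0)]
] + [
    "2009-04-01 03:12:10 REGISTER failed ext=1002 src=198.51.100.23",
    "2009-04-01 03:20:10 REGISTER failed ext=1002 src=198.51.100.23",
    "2009-04-01 03:20:30 REGISTER ok ext=1002 src=198.51.100.23",
]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"block {ip} (threshold exceeded at {when})")
```

A guesser who spaces attempts further apart than the window never trips this rule, so the threshold only slows a dictionary attack and does not replace longer passwords.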
Current thread:
- SIP dictionary attacks Paul D. Robertson (Apr 01)
- Re: SIP dictionary attacks Lord Sporkton (Apr 02)
- Re: SIP dictionary attacks Paul D. Robertson (Apr 02)
- Re: SIP dictionary attacks Lord Sporkton (Apr 02)
- Re: SIP dictionary attacks Paul D. Robertson (Apr 02)
- Re: SIP dictionary attacks Paul D. Robertson (Apr 02)
- Re: SIP dictionary attacks Joe Nall (Apr 04)
- Re: SIP dictionary attacks Lord Sporkton (Apr 02)