Well, the whole thing about 4.6 is that there is a beginning in how
security can be centralized. It's a three-pronged approach:
1. Firewall (until such time as it becomes a service in a cloud instance),
then
2. onboard firewall (iptables) which has some automatic configuration stuff
in 4.6, but doesn't do things like some of the more elegant methods like
fail2ban and DenyHosts, then
3. proxy. The proxy in 4.6 has a DoS protection mechanism.
So in my immediate needs, I looked at 4.4 (and earlier) and was trying to be
creative in finding a method that anyone can implement without breaking an
older installation and adding a layer of protection. For instance, since
"friendly-scanner" is blocked at the firewall, the proxy is unencumbered to
deal with it, but since it's trivial to change the UA string in the
SIPVicious script, the limiting for the IP address still works and the proxy
is only briefly bothered.
I also think an ACL using IP zone files is a great idea, though I think
it's better to roll that into sipxconfig to make security more robust
(block or allow certain zones/countries, etc.), to lessen the footprint an
attack can harness.
I also think it would be trivial to include FTP rate limiting in my example
too. As I said, 4.6 is different and likely headed for http/https provision
sometime soon.
If you have examples, the wiki would be a good place to add them!
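As an added example (not the wiki page's rule set, and not a script of the poster's), the following builds the two controls the reply above and the original post describe: drop SIP packets whose payload carries the "friendly-scanner" User-Agent, and rate limit remote hosts only, with the LAN exempted. The SIP port, chain name, LAN range and thresholds are assumptions; by default the iptables commands are printed rather than applied.

```shell
#!/bin/sh
# Added example, not the wiki page's rule set or the poster's script: builds
# the two controls the thread describes for a 4.4-era sipXecs host, a drop
# for SIP packets whose payload carries the "friendly-scanner" User-Agent and
# a per-source rate limit that applies to remote hosts only. The port, chain
# name, trusted LAN range and thresholds are assumptions, not from the page.
# Commands are printed by default; run with IPTABLES=iptables as root to apply.

SIP_PORT="${SIP_PORT:-5060}"            # assumption: SIP signalling port
CHAIN="${CHAIN:-SIPX_DOS}"              # assumption: dedicated chain name
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"  # assumption: hosts never rate limited
RATE="${RATE:-10/sec}"                  # assumption: packets per source IP
BURST="${BURST:-20}"                    # assumption: burst allowance
IPTABLES="${IPTABLES:-echo iptables}"   # dry run unless overridden

# Rule that drops any SIP packet containing the friendly-scanner UA string.
# It matches payload bytes only, so a scanner with an edited UA (trivial, as
# the reply notes) is not caught here; the rate limit below still applies.
friendly_scanner_rule() {
    printf '%s' "-A $CHAIN -p $1 --dport $SIP_PORT -m string --string friendly-scanner --algo bm -j DROP"
}

# Rule that returns early for the trusted LAN so local phones are never limited.
lan_exempt_rule() {
    printf '%s' "-A $CHAIN -s $LAN_CIDR -j RETURN"
}

# Rule that drops packets from any single source exceeding RATE (after BURST).
rate_limit_rule() {
    printf '%s' "-A $CHAIN -p $1 --dport $SIP_PORT -m hashlimit --hashlimit-name sip-$1 --hashlimit-mode srcip --hashlimit-above $RATE --hashlimit-burst $BURST -j DROP"
}

# Build the chain and hook it into INPUT. Word splitting of the rule strings
# is intended: no single argument in them contains whitespace.
apply_rules() {
    $IPTABLES -N "$CHAIN" 2>/dev/null || true   # create once, ignore "exists"
    $IPTABLES -F "$CHAIN"                        # rebuild the chain from scratch
    $IPTABLES $(lan_exempt_rule)
    for proto in udp tcp; do
        $IPTABLES $(friendly_scanner_rule "$proto")
        $IPTABLES $(rate_limit_rule "$proto")
    done
    # Delete then re-insert the jump so re-running does not stack duplicates.
    for proto in udp tcp; do
        $IPTABLES -D INPUT -p "$proto" --dport "$SIP_PORT" -j "$CHAIN" 2>/dev/null || true
        $IPTABLES -I INPUT -p "$proto" --dport "$SIP_PORT" -j "$CHAIN"
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

The string match only catches the default SIPVicious UA; a changed UA passes it, which is why the per-source hashlimit rule sits after it and counts every packet regardless of content. Both modules ship with stock iptables, but confirm `iptables -m string -h` and `iptables -m hashlimit -h` list these options on the target kernel before loading the rules for real.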
Interesting, thanks for sharing! I like the approach DenyHosts takes:

http://denyhosts.sourceforge.net/

It can be configured to look at all services rather than just SSH. It does
so by watching /var/log/secure. If sipXecs were to report activity to the
system log facilities, DenyHosts should be able to pick up the attack and
upload the offending host IP to the central server. As an example, it
picked up this ftp brute force attack this week on one of my hosts:

vsftpd:
Unknown Entries:
check pass; user unknown: 749 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=di7s00009.lunarbreeze.com : 225 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=administrator rhost=di7s00009.lunarbreeze.com : 225 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=di7s00009.lunarbreeze.com : 225 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test123 rhost=di7s00009.lunarbreeze.com : 74 Time(s)

In the past I have also used DenyHosts to kick off a ruby script to email
the abuse email addresses from the offending IP's whois. It would record
the portion of the logs containing the attack and give notification to the
network admin the IP has been uploaded to the central server. In other
words you can play offense as well as defense, if you so choose.

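The detection step DenyHosts performs over /var/log/secure, written out as an added example (not DenyHosts' own code and not the poster's ruby script): it counts PAM authentication failures per remote host across services, lists hosts over a threshold, emits hosts.deny entries for them and pulls out the log excerpt for one host. The sample log lines are constructed in the pam_unix format from which the logwatch summary above was produced, and the threshold is an assumption.

```shell
#!/bin/sh
# Added example, not DenyHosts' own code or the poster's ruby script: the
# detection step DenyHosts performs on /var/log/secure, done with awk so the
# logic is visible. It counts PAM "authentication failure" entries per
# remote host across services (vsftpd, sshd, ...), lists hosts over a
# threshold and emits tcp_wrappers hosts.deny lines for them. The threshold
# and the sample log are assumptions; the log lines are constructed in the
# pam_unix format that the logwatch summary in the thread is derived from.

# Constructed sample of /var/log/secure content (not the poster's real log).
SAMPLE_LOG='Oct  1 12:29:01 pbx vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=di7s00009.lunarbreeze.com
Oct  1 12:29:02 pbx vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=administrator rhost=di7s00009.lunarbreeze.com
Oct  1 12:29:03 pbx vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=di7s00009.lunarbreeze.com
Oct  1 12:29:04 pbx vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=bob rhost=10.0.0.5
Oct  1 12:30:00 pbx sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=root
Oct  1 12:30:05 pbx sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=root
Oct  1 12:31:00 pbx sshd[2300]: Accepted publickey for tony from 10.0.0.7 port 50112 ssh2'

# stdin: log lines. stdout: "<count> <rhost>" per remote host, highest first.
# Only lines PAM marks as an authentication failure are counted, and the host
# comes from the rhost= field, so the service name does not matter.
failures_by_host() {
    awk '/authentication failure/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^rhost=/) { h = substr($i, 7); if (h != "") c[h]++ }
         }
         END { for (h in c) print c[h], h }' | sort -rn
}

# stdin: log lines. $1: threshold. stdout: hosts with at least $1 failures.
offenders() {
    failures_by_host | awk -v t="$1" '$1 >= t { print $2 }'
}

# stdin: log lines. $1: threshold. stdout: hosts.deny lines in the
# tcp_wrappers "ALL: host" form that DenyHosts writes.
deny_entries() {
    offenders "$1" | sed 's/^/ALL: /'
}

# stdin: log lines. $1: host. stdout: the lines that make up that host's
# attack, the excerpt the poster's script attached to its notification.
attack_excerpt() {
    grep -F "rhost=$1"
}

if [ "${1:-}" = "report" ]; then
    printf '%s\n' "$SAMPLE_LOG" | failures_by_host
    printf '%s\n' "$SAMPLE_LOG" | deny_entries 3
fi
```

Run it as `sh script.sh report` to see the per-host counts and the deny entries for the sample; against a live host, replace the `printf` of `SAMPLE_LOG` with `cat /var/log/secure`. Counting on the rhost= field rather than the service name is what lets one threshold cover vsftpd, sshd and any other PAM-backed service, which is the point made above about watching all services rather than just SSH.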
Sent: Monday, October 01, 2012 12:29 PM
To: Sipx-users list
Subject: [sipx-users] New wiki page for the masses :: DOS protection
using iptables (4.4 and earlier)

Please see:

http://wiki.sipfoundry.org/display/sipXecs/Basic+DOS+%28onboard+with+iptables%29+protection+in+sipx+4.4+and+later

Constructive comments and criticism are always welcome. The idea here was
to deny "friendly-scanner" and rate limit "remote hosts" only.

--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~

Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
<http://sipxcolab2013.eventbrite.com/?discount=tony2013>

LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
_______________________________________________
sipx-users mailing list
List Archive: http://list.sipfoundry.org/archive/sipx-users/