
Carlos Alvarez wrote:
Leandro Dardini wrote:
I am sorry, but I really don't understand how fail2ban can be used against me.
It's a simple/easy DOS attack. If someone can send packets with a spoofed source address, they can cause you to filter your upstream or your client. For the upstream providers with static IPs, that should be easy to fix with a whitelist. I don't believe that knowing your customers' dynamic IPs is a realistic attack.
My experience with repeated attempts to crack SIP is that it only happens to us if we have simple registration names (i.e., registration name is the extension number). We've gone away from that completely and I can't recall the last time we saw someone try to brute force one of our accounts. I see registration attempts against sequential numbers (301, 302, 303.....) but since the accounts simply don't exist, there's really little harm.
All one has to do is an nslookup and hit the field for fail2ban, e.g.:

Username "place an IP address RIGHT_HERE"@registrar

Care to see stupidity?

[2010-09-20 01:16:17] WARNING[8395] chan_sip.c: Bad request protocol THE TEXT FILE IN THE RAR FOR THE PASSWORD!!!@208.50.xx.xxx SIP/2.0
[2010-09-20 01:16:17] WARNING[8395] chan_sip.c: Bad request protocol THE TEXT FILE IN THE RAR FOR THE PASSWORD!!!!@208.50.xx.xxx SIP/2.0
[2010-09-20 01:16:17] NOTICE[8395] chan_sip.c: Registration from '"READ THE TEXT FILE IN THE RAR FOR THE PASSWORD!!!!"<sip:READ THE TEXT FILE IN THE RAR FOR THE PASSWORD!!!!@208.50.xx.xxx>' failed for '69.72.242.170' - Device does not match ACL
[2010-09-20 01:16:17] WARNING[8395] chan_sip.c: Bad request protocol THE TEXT FILE IN THE RAR FOR THE PASSWORD!!!!@208.50.xx.xxx SIP/2.0
[2010-09-20 01:16:17] WARNING[8395] chan_sip.c: Bad request protocol THE TXT IN THE RAR FOR THE PASSWORD!!!!!!!!!@208.50.xx.xxx SIP/2.0
[2010-09-20 01:16:17] NOTICE[8395] chan_sip.c: Registration from '"READ THE TXT IN THE RAR FOR THE PASSWORD!!!!!!!!!"<sip:READ THE TXT IN THE RAR FOR THE PASSWORD!!!!!!!!!@208.50.xx.xxx>' failed for '69.72.242.170' - Device does not match ACL
[2010-09-20 01:16:17] WARNING[8395] chan_sip.c: Bad request protocol THE TXT IN THE RAR FOR THE PASSWORD!!!!!!!!!@208.50.xx.xxx SIP/2.0
[2010-09-20 01:16:23] WARNING[8395] chan_sip.c: Bad request protocol PASSWORD IS IN THE FILE at 208.50.xx.xxx SIP/2.0
[2010-09-20 01:16:23] NOTICE[8395] chan_sip.c: Registration from '"THE PASSWORD IS IN THE FILE"<sip:THE PASSWORD IS IN THE FILE at 208.50.xx.xxx>' failed for '69.72.242.170' - Device does not match ACL
[2010-09-20 01:16:23] WARNING[8395] chan_sip.c: Bad request protocol PASSWORD IS IN THE FILE at 208.50.xx.xxx SIP/2.0
[2010-09-20 01:16:24] WARNING[8395] chan_sip.c: Bad request protocol PASSWORD IS IN THE RAR at 208.50.xx.xxx SIP/2.0
[2010-09-20 01:16:24] NOTICE[8395] chan_sip.c: Registration from '"THE PASSWORD IS IN THE RAR"<sip:THE PASSWORD IS IN THE RAR at 208.50.xx.xxx>' failed for '69.72.242.170' - Device does not match ACL
[2010-09-20 01:16:24] WARNING[8395] chan_sip.c: Bad request protocol PASSWORD IS IN THE RAR at 208.50.xx.xxx SIP/2.0
[2010-09-20 01:16:24] NOTICE[8395] chan_sip.c: Registration from '"this-is-a-password"<sip:this-is-a-password at 208.50.xx.xxx>' failed for '69.72.242.170' - Device does not match ACL
[2010-09-20 01:16:24] NOTICE[8395] chan_sip.c: Registration from '"this-is-a-stupid-password"<sip:this-is-a-stupid-password at 208.50.xx.xxx>' failed for '69.72.242.170' - Device does not match ACL

Fail2Ban separates on fields, e.g., awk '{print $X}'

# awk '/[assword]/{print $15}' TodaysLogs|sort -u
-
1
'7182b14a1230885704b1002c09bc4774 at 208.50.xx.xxx'.
'79dfff0f0359dea6360a52270266be12 at 208.50.xx.xxx'.
'7fd16dc55ce9bd2173b95b5d38a2c301 at 208.50.xx.xxx'.
does
for
got
host=dynamic
IN
Inside at 208.50.xx.xxx>'
INSIDE!!!@208.50.xx.xxx>'
match
ME.TXT at 208.50.xx.xxx>'
mokey at 208.50.xx.xxx>'
packet.
"PASSWORD
PASSWORD!!!!!!!!!@208.50.xx.xxx
PASSWORD!!!!!!!!!"<sip:READ
READ
Response)
seconds
SIP/2.0
supposed
Text
TEXT
THE
TXT
up.
use

Normally, in Asterisk, my configuration should print an invalid address on the 11th field:

# awk '/[assword]/{print $11}' TodaysLogs|sort -u
-
/
)@208.50.xx.xxx>'
.38
Bank at 208.50.xx.xxx>'
but
[By]
Ca at 208.50.xx.xxx>'
CALLED
chapparal at 208.50.xx.xxx>'
context
daddy?@208.50.xx.xxx>'
Day
DJP at l@@208.50.xx.xxx>'
Door at 208.50.xx.xxx>'
Dude at 208.50.xx.xxx>'
enjoy at 208.50.xx.xxx>'
expected.
FILE
for
freeliz.ru at 208.50.xx.xxx>'
future
hardNloud.co.nr at 208.50.xx.xxx>'
Head at 208.50.xx.xxx>'
Hidin'@208.50.xx.xxx>'
image
In
IN
Inside
INSIDE
Inside at 208.50.xx.xxx
INSIDE!!!@208.50.xx.xxx
Inside"<sip:Read
INSIDE!!!"<sip:READ
job
Know at 208.50.xx.xxx>'
ME.TXT at 208.50.xx.xxx
ME.TXT"<sip:READ
(missing
mokey at 208.50.xx.xxx
mokey"<sip:i
Muzik at 208.50.xx.xxx>'
-N-
Need
NEEDED at 208.50.xx.xxx>'
nj at 208.50.xx.xxx>'
nYoy at 208.50.xx.xxx>'
One
other
party
Pass at 208.50.xx.xxx>'
password
"PASSWORD
Password at 208.50.xx.xxx>'
peer
qualify:
.rar at 208.50.xx.xxx>'
.RAR!!!@208.50.xx.xxx>'
RAR at 208.50.xx.xxx>'
READ
reply
RTP
rund at 208.50.xx.xxx>'
SIP/2.0
Spot at 208.50.xx.xxx>'
THE
thejukejointmp3.net at 208.50.xx.xxx>'
to
tonight at 208.50.xx.xxx>'
tummut at 208.50.xx.xxx>'
UffePuff at 208.50.xx.xxx>'
Upon
useeeeeee at 208.50.xx.xxx>'
useless at 208.50.xx.xxx>'
vrijemp3.biz at 208.50.xx.xxx>'
Warez-BB.org at 208.50.xx.xxx>'
Weed at 208.50.xx.xxx>'
westpark at 208.50.xx.xxx>'

So no thank you on fail2ban.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
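The parsing problem the two replies above are arguing about, as an added example that is not code from this thread and not fail2ban's own filter: the registration name in a chan_sip "Registration from ... failed for ..." line is whatever the remote party sent, so a log filter that counts whitespace fields (the awk in the message above) can be steered by it, whereas a filter anchored on the "failed for '<host>'" clause that Asterisk itself appends, with the result validated as an IP address, always yields the address Asterisk saw the packet come from. It also applies the static-upstream whitelist Carlos suggests, which is the answer to the spoofed-source case. The log lines, the documentation-range addresses (192.0.2.10 as registrar, 198.51.100.7 as real source, 203.0.113.9 as the address placed in the username) and the function names are all constructed for this example.

```python
"""Pulling the offending host out of chan_sip registration failures.

Added example for this thread; it is not code from the thread and not
fail2ban's own filter. The log lines are constructed to mimic the NOTICE
format quoted above, with documentation-range addresses (192.0.2.10 as the
registrar, 198.51.100.7 as the real source, 203.0.113.9 as the address the
remote party writes into the username).
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines (not taken from the thread's output).
SAMPLE_LINES = [
    # ordinary failure: the real source sits in whitespace field 10
    "[2010-09-20 01:16:17] NOTICE[8395] chan_sip.c: Registration from "
    "'\"1001\"<sip:1001@192.0.2.10>' failed for '198.51.100.7' - Wrong password",
    # space-filled username like the ones quoted in the thread
    "[2010-09-20 01:16:17] NOTICE[8395] chan_sip.c: Registration from "
    "'\"READ THE TEXT FILE IN THE RAR FOR THE PASSWORD!!!!\""
    "<sip:READ THE TEXT FILE IN THE RAR FOR THE PASSWORD!!!!@192.0.2.10>' "
    "failed for '198.51.100.7' - Device does not match ACL",
    # username padded so an address of the sender's choosing lands in field 10
    "[2010-09-20 01:16:23] NOTICE[8395] chan_sip.c: Registration from "
    "'\"a b c 203.0.113.9 d\"<sip:a b c 203.0.113.9 d@192.0.2.10>' "
    "failed for '198.51.100.7' - No matching peer found",
]


def positional_host(line, field=10):
    """What 'awk {print $N}' sees: the Nth whitespace field, minus the quotes
    Asterisk puts around the address. Spaces in the username shift the
    fields, so the remote party decides what ends up here."""
    parts = line.split()
    if len(parts) < field:
        return None
    return parts[field - 1].strip("'")


FAILED_FOR = re.compile(r" failed for '([^']*)'")


def anchored_host(line):
    """Take the address from the "failed for '<host>'" clause that Asterisk
    appends after the remotely supplied from-string. The last match is used
    so a copy of the clause inside the username cannot shadow the genuine
    one, and the result must parse as an IP address."""
    matches = FAILED_FOR.findall(line)
    if not matches:
        return None
    try:
        return str(ipaddress.ip_address(matches[-1]))
    except ValueError:
        return None


def failures_by_source(lines, ignore=()):
    """Count failures per genuine source address, skipping anything inside
    the ignore networks: the whitelist for static upstream providers that
    Carlos suggests, so a spoofed packet cannot get a trusted peer banned."""
    nets = [ipaddress.ip_network(n, strict=False) for n in ignore]
    counts = Counter()
    for line in lines:
        host = anchored_host(line)
        if host is None:
            continue
        if any(ipaddress.ip_address(host) in net for net in nets):
            continue
        counts[host] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("field 10:", positional_host(line), "| anchored:", anchored_host(line))
    print(failures_by_source(SAMPLE_LINES))
    print(failures_by_source(SAMPLE_LINES, ignore=["198.51.100.0/24"]))
```

Run stand-alone it prints field 10 as 198.51.100.7, FILE and 203.0.113.9 for the three lines, while the anchored extraction gives 198.51.100.7 for all of them; the ignore list (the equivalent of fail2ban's ignoreip setting for the provider addresses) then drops that source from the count entirely.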