
Leandro Dardini wrote:
Hello, I find a blacklist too heavy to manage and unable to catch the fast-emerging bruteforcers. As a freelancer I suggest to my clients (all on Linux with Asterisk) installing the fail2ban software.
The way fail2ban works is really simple: it reads the messages generated by the application, and if one user tries to authenticate with wrong credentials more than X times in a unit of time, it triggers an insert into iptables so that no more packets are accepted from him for a long time (adjustable).
Leandro
Understood on fail2ban; however, I can use fail2ban against you and have your own servers block their upstream. Fail2Ban "fails" when you're in a managed PBX arena and your clients are connecting from all over the place. When you have thousands of customers and some are connecting from all over the place, fiddling with softphones, settings in Snom, Polycom, etc., you will quickly learn that Fail2Ban outright fails. While a blacklist CAN be cumbersome, this isn't like spam where there are millions of hosts attempting this per day. At maximum, I've seen about 15-20 hosts attacking one PBX. It will take me about 20-30 minutes to whip up a Python or shell script to parse them out and upload them. I already have my honeypot writing to a DB; all I have to do is re-write to gzip and send the full logs. The hard part is writing an informative email someone will likely never read (abuse departments). The last thing I want to hear is "you're not playing fair" when their clients complain.

-- 
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
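As an added example (not code from either poster or from the fail2ban project), the counting rule Leandro describes, run over constructed Asterisk-style failed-registration lines, with an ignore list for the trusted upstream networks that J. Oquendo warns must never be locked out. The log format, thresholds and addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines modelled on Asterisk chan_sip NOTICE messages
# (assumed format); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
[2011-03-02 10:00:01] NOTICE[2210] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.7' - Wrong password
[2011-03-02 10:00:02] NOTICE[2210] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '198.51.100.7' - No matching peer found
[2011-03-02 10:00:03] NOTICE[2210] chan_sip.c: Registration from '"102" <sip:102@203.0.113.5>' failed for '198.51.100.7' - Wrong password
[2011-03-02 10:00:30] NOTICE[2210] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '192.0.2.40' - Wrong password
[2011-03-02 10:00:31] NOTICE[2210] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '192.0.2.40' - Wrong password
[2011-03-02 10:00:32] NOTICE[2210] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '192.0.2.40' - Wrong password
[2011-03-02 10:20:00] NOTICE[2210] chan_sip.c: Registration from '"300" <sip:300@203.0.113.5>' failed for '198.51.100.9' - Wrong password
[2011-03-02 10:20:01] NOTICE[2210] chan_sip.c: Registration from '"300" <sip:300@203.0.113.5>' failed for '198.51.100.9' - Wrong password
[2011-03-02 10:31:00] NOTICE[2210] chan_sip.c: Registration from '"300" <sip:300@203.0.113.5>' failed for '198.51.100.9' - Wrong password
"""

# Matches one failed registration; a trailing ':port' on the address is tolerated.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '[^']*' "
    r"failed for '(?P<ip>[0-9.]+)(?::\d+)?' - (?:Wrong password|No matching peer found)$"
)

def ban_decisions(log_text, maxretry=3, findtime_s=600, ignore_nets=()):
    """Fail2ban-style sliding window: ban a source after `maxretry` failures
    within `findtime_s` seconds, unless it is inside `ignore_nets` (trusted
    upstreams that must never be locked out). Returns [(ip, ban_time), ...]."""
    ignore = [ipaddress.ip_network(n) for n in ignore_nets]
    findtime = timedelta(seconds=findtime_s)
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned, decisions = set(), []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # not an authentication failure; ignored like fail2ban would
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        ip = m.group("ip")
        if ip in banned or any(ipaddress.ip_address(ip) in n for n in ignore):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > findtime:  # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)  # here fail2ban would insert the iptables DROP rule
            decisions.append((ip, ts))
    return decisions
```

With the defaults, 198.51.100.9 is never banned because its third failure falls outside the 10-minute window; passing `ignore_nets=("192.0.2.0/24",)` shows how a trusted upstream is exempted even though it exceeded the threshold.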