Archive for July, 2009

asterisk bfd (brute force detection) rules for sip and iax

Tuesday, July 21st, 2009

Thank you to a couple of users who pointed out that my bfd rules were a little less than perfect. They worked great for me on an older version of bfd, but I believe an update to the bfd application caused them to stop working. Either way, new rules have been created.

This one is for SIP wrong passwords. Save this as asterisksip

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="5"

# file must exist for rule to be active
REQ="/usr/sbin/asterisk"

if [ -f "$REQ" ]
then
LP="/var/log/asterisk/full"
TLOG_TF="asterisk.sip"
TMP="/usr/local/bfd/tmp"

## ASTERISK: SIP wrong password
# awk drops the last three fields ("- Wrong password") so $NF is the quoted
# source address; tr strips the single quotes around it.
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -i "wrong password" | grep chan_sip | awk '{NF=NF-3} {print $NF}' | tr -d "'"`
fi

This rule is for a wrong or non-existent extension. Save this as asterisksip2

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="5"

# file must exist for rule to be active
REQ="/usr/sbin/asterisk"

if [ -f "$REQ" ]
then
LP="/var/log/asterisk/full"
TLOG_TF="asterisk.sip2"
TMP="/usr/local/bfd/tmp"

## ASTERISK: SIP no extension
# awk drops the last five fields ("- No matching peer found") so $NF is the
# quoted source address; tr strips the single quotes around it.
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -i "No matching peer found" | grep chan_sip | awk '{NF=NF-5} {print $NF}' | tr -d "'"`
fi

This rule is for IAX. Save this as asteriskiax.

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="5"

# file must exist for rule to be active
REQ="/usr/sbin/asterisk"

if [ -f "$REQ" ]
then
LP="/var/log/asterisk/full"
TLOG_TF="asterisk.iax"
TMP="/usr/local/bfd/tmp"

## ASTERISK: IAX2 auth failed
# awk drops the last eight fields (everything after the host) so $NF is the
# source address, which chan_iax2 logs without quotes.
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -i "failed MD5 authentication" | grep chan_iax2 | awk '{NF=NF-8} {print $NF}'`
fi
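
All three rules depend on the offending address sitting at a fixed field offset from the end of the log line, which is exactly what breaks when a log message changes. The script below is an added example, not part of the post or of bfd: it replays the three ARG_VAL pipelines over a few constructed log lines (stdin stands in for bfd's $TLOG_PATH tailer), applies a TRIG-style threshold, and checks that every extracted value is a bare IPv4 address, so the offsets can be verified against your own Asterisk's log format before a rule goes live.

```shell
#!/bin/sh
# Sample lines in the layout of /var/log/asterisk/full. They are constructed
# for this example (documentation address ranges), not taken from a real log.
sample_log() {
cat <<'EOF'
[Jul 21 10:01:02] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Jul 21 10:01:03] NOTICE[2345] chan_sip.c: Registration from '"admin" <sip:admin@192.0.2.10>' failed for '198.51.100.9' - No matching peer found
[Jul 21 10:01:04] NOTICE[2346] chan_iax2.c: Host 203.0.113.5 failed MD5 authentication for 'guest' (0a1b2c != 3d4e5f)
[Jul 21 10:01:05] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Jul 21 10:01:06] VERBOSE[2345] chan_sip.c:     -- Registered SIP '100' at 192.0.2.10 port 5060
EOF
}

# Each function reproduces one rule's ARG_VAL pipeline, reading the log from
# stdin instead of bfd's $TLOG_PATH tailer. The awk step drops N trailing
# fields so that $NF lands on the address; tr strips the quotes around it.
sip_wrong_password() {
    grep -i "wrong password" | grep chan_sip | awk '{NF=NF-3} {print $NF}' | tr -d "'"
}
sip_no_peer() {
    grep -i "No matching peer found" | grep chan_sip | awk '{NF=NF-5} {print $NF}' | tr -d "'"
}
iax_auth_failed() {
    grep -i "failed MD5 authentication" | grep chan_iax2 | awk '{NF=NF-8} {print $NF}'
}

# Tally addresses and keep those at or above the trigger count; this mirrors
# what bfd does with ARG_VAL against TRIG before it bans an address.
over_trig() {
    sort | uniq -c | awk -v trig="$1" '$1 >= trig { print $2 }'
}

# Succeeds only if every line is a bare dotted-quad IPv4 address. If a newer
# Asterisk reorders the message or appends a port to the address, the field
# offsets above silently hand bfd a wrong value, and this is the check that
# catches it.
all_ipv4() {
    ! grep -Evq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Demo: which addresses would each rule hand to bfd with TRIG lowered to 2?
for rule in sip_wrong_password sip_no_peer iax_auth_failed; do
    printf '%s: ' "$rule"; sample_log | "$rule" | over_trig 2 | tr '\n' ' '; echo
done
```

To test a rule against a real log, replace sample_log with `tail -n 1000 /var/log/asterisk/full` and pipe it through the matching function and all_ipv4.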

Special thanks goes to Ioan Indreias and Gonzalo Gonzalez.
If it looks like the code is missing, try to highlight it all and copy/paste it into a text document. Hopefully this will show the entire rule without issue.
Make sure these rules are stored in /usr/local/bfd/rules/. Then rerun bfd with bfd -q and check that the new rules are in place by looking for the files in /usr/local/bfd/tmp/.

Thank you,
Engineer Tim

XenForge.org is online, come and get them!!

Wednesday, July 8th, 2009

I had so many requests for my trixbox Xen image that I decided to create a new site. XenForge.org is this site. My hope is that people will be able to share their own Xen images with other users as well as use the ones that I create. This site is also not just limited to Xen based images but all images that can be portable and use some form of virtualization technology will be welcome. The only criteria is that no copyright violations or sharing of copyrighted material happens. This means OpenSource and derivatives only.

Currently XenForge offers the following.
Xen Image downloads via Bittorrent links.
The ability to add your own torrent file to the site for others to download.
Forums to discuss the Xen images and config options.

We hope to be able to offer the means for a user to post torrent files directly to our torrent server. This is something that is currently being looked at. Right now users can submit an image for approval and we will be happy to generate the torrent and seed it directly. This is a manual process right now.

Feel free to join us on XenForge if you have the need for some Xen images.

Thank you,
Engineer Tim