BFD (Brute Force) rule for Asterisk

I whipped up a BFD rule to try and defend against SIP brute-force attacks. It watches for failed logins in the /var/log/asterisk/full log and then blocks the offending addresses. I set the TRIG level low, so you might need to change it to something you are more comfortable with.


Drop this file in /usr/local/bfd/rules/ and name it asterisk.


# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="5"

# file must exist for rule to be active
REQ="/usr/sbin/asterisk"

if [ -f "$REQ" ]; then
 LP="/var/log/asterisk/full"
 TLOG_TF="asterisk"
 TMP="/usr/local/bfd/tmp"

 ## ASTERISK
 # tlog hands over only the log lines it has not yet seen; keep the
 # "Wrong password" failures, take the quoted peer address (the field
 # three before the end of the line) and strip the quotes so BFD gets
 # a bare address to count and ban
 ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep "Wrong password" | awk '{ print $(NF-3) }' | tr -d "'"`
fi
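To see what the rule actually feeds to BFD, here is an added example (not part of the original rule) that runs the same extraction pipeline over a few constructed Asterisk log lines and counts "Wrong password" failures per address, which is the comparison BFD makes against TRIG. It assumes Asterisk 1.4-style log lines where the peer address is the quoted field three before the end of the line.

```shell
#!/bin/sh
# Added example, not part of the original rule: run the rule's
# extraction pipeline over constructed Asterisk log lines and count
# "Wrong password" failures per address, the way BFD does before
# comparing the count against TRIG. Assumes Asterisk 1.4-style lines
# where the quoted peer address is the field three before the end.

# Constructed sample of /var/log/asterisk/full (not real traffic).
sample_log() {
    cat <<'EOF'
[Mar  1 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '192.0.2.10' - Wrong password
[Mar  1 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '192.0.2.10' - Wrong password
[Mar  1 10:00:03] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '192.0.2.10' - Wrong password
[Mar  1 10:00:04] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '203.0.113.5' - No matching peer found
[Mar  1 10:00:05] NOTICE[1234] chan_sip.c: Registration from '"300" <sip:300@198.51.100.7>' failed for '198.51.100.7' - Wrong password
[Mar  1 10:00:06] VERBOSE[1234] -- Registered SIP '100' at 192.0.2.20 port 5060
EOF
}

# Same pipeline as the rule: keep "Wrong password" lines, take the
# field three before the end, strip the surrounding single quotes.
extract_addrs() {
    grep "Wrong password" | awk '{ print $(NF-3) }' | tr -d "'"
}

# Print "count address" for every address seen at least $1 times
# (the TRIG comparison BFD applies to the addresses in ARG_VAL).
over_trig() {
    extract_addrs | LC_ALL=C sort | uniq -c | awk -v t="$1" '$1 >= t { print $1, $2 }'
}

# Addresses the rule would hand to BFD for banning at a given TRIG,
# space separated on one line.
banned_at() {
    sample_log | over_trig "$1" | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $2 }'
}

# Example run: with TRIG=3 only 192.0.2.10 crosses the threshold.
banned_at 3
echo
```

The "No matching peer found" line is deliberately included: it is a failed registration too, but the rule only counts "Wrong password", so that address never reaches BFD.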


5 Responses to “BFD (Brute Force) rule for Asterisk”

  1. Matt says:

    Hi Tim,
    Great idea for blocking failed SIP login attempts.
    Unfortunately Wordpress is messing with your code if you try and copy/paste it – especially all the quotes! I added the code colorer plugin for Wordpress to my blog to sort out that problem – http://wordpress.org/extend/plugins/codecolorer/

    Matt

  2. Pymnpyday says:

    hmm… amazing.

  3. Engineer Tim says:

    I tried to get the plugin to work. Still munges some of the text on the page but I think it is ok to copy/paste it now. I will try to clean it up more and fix the formatting at a later date.

    Thank you,
    Engineer Tim

  4. Paula says:

    Wonderful…

  5. sandra742 says:

    Hi! I was surfing and found your blog post… nice! I love your blog. :) Cheers! Sandra. R.
