
BFD (Brute Force) rule for Asterisk

I whipped up a BFD rule to try and defend against SIP attacks. It watches for failed logins in /var/log/asterisk/full and then blocks the source addresses. I set the TRIG level low, so you may want to raise it to something you are more comfortable with.


Drop this file in /usr/local/bfd/rules/

Name the file asterisk

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="5"

# file must exist for rule to be active
REQ="/usr/sbin/asterisk"

if [ -f "$REQ" ]; then
  # log to watch, and the tlog tag under which BFD tracks its read position in it
  LP="/var/log/asterisk/full"
  TLOG_TF="asterisk"
  TMP="/usr/local/bfd/tmp"

  ## ASTERISK
  # tlog feeds only the lines added since the last run, so grep must read that
  # stream; giving it the log file as an argument makes it ignore stdin and
  # rescan the whole log every pass. Dropping the last three fields
  # ("- Wrong password") leaves the quoted source address as $NF, and tr
  # strips the quotes so BFD receives a bare IP.
  ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep "Wrong password" | awk '{NF=NF-3} {print $NF}' | tr -d "'"`
fi
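To see what the rule actually hands to BFD, here is the same extraction pipeline run over a few constructed Asterisk log lines, with the TRIG count applied on top. This is an added example, not the rule from this post or part of BFD; the log lines are made up (RFC 5737 documentation addresses), and the sed step that strips a ":port" suffix is an assumption about newer Asterisk log formats that the rule above does not handle.

```shell
#!/bin/sh
# Added example (not the original rule): extract offending source addresses
# from Asterisk "Wrong password" log lines and count them against a threshold.

# Same pipeline as the rule: keep "Wrong password" lines, drop the trailing
# three fields ("- Wrong password") so the quoted source is $NF, strip the
# quotes. The sed step removes a ":port" suffix (assumption: some Asterisk
# releases log 'ip:port' here; the rule on the page does not cover that).
extract_offenders() {
    grep "Wrong password" \
    | awk '{NF=NF-3} {print $NF}' \
    | tr -d "'" \
    | sed 's/:[0-9]*$//'
}

# Print each source address seen at least $1 times, one per line: with TRIG=$1
# these are the addresses BFD would pass on to the firewall.
offenders_over_trig() {
    trig="$1"
    extract_offenders | sort | uniq -c | awk -v t="$trig" '$1+0 >= t+0 {print $2}'
}

# Constructed sample log lines. Only "Wrong password" lines are failed
# password attempts; the other failure reasons are intentionally left alone.
sample_log() {
    cat <<'EOF'
[Jan 10 12:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.9>' failed for '203.0.113.9' - Wrong password
[Jan 10 12:00:02] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.9>' failed for '203.0.113.9' - Wrong password
[Jan 10 12:00:03] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.9>' failed for '203.0.113.9' - Wrong password
[Jan 10 12:00:04] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '198.51.100.7:5060' - Wrong password
[Jan 10 12:00:05] NOTICE[1234] chan_sip.c: Registration from '"300" <sip:300@192.0.2.5>' failed for '192.0.2.5' - No matching peer found
[Jan 10 12:00:06] NOTICE[1234] chan_sip.c: Registration from '"300" <sip:300@192.0.2.5>' failed for '192.0.2.5' - Username/auth name mismatch
EOF
}

# Usage: with TRIG=3 only 203.0.113.9 crosses the line; 198.51.100.7 has one
# failure and 192.0.2.5 never matched "Wrong password" at all.
sample_log | offenders_over_trig "${TRIG:-3}"
```

Run it against a real log with `tail -n 1000 /var/log/asterisk/full | offenders_over_trig 5` to preview which addresses the rule would have banned at a given TRIG before you commit to a value.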