Calls from Asterisk and SIP, will Fail2Ban help?

Discussion in 'General' started by RizSher, Aug 7, 2010.

  1. RizSher

    For the last couple of days, have been getting calls from

    119.147.116.XXX
    113.105.153.XXX
    218.116.19.XXX

    with CLIDs of Asterisk and SIP. Googled these IP addresses and found these IPs to be repeatedly discussed, and the advice for various flavours of PBX was installation of Fail2Ban... which I have duly installed on my elastix box.

    However, the question is, I'm actually getting physical calls from these IP addies which are ringing my extensions; I'm not actually getting registration or SSH log-in attempts (well, none that I could discern from the logs). Will Fail2Ban actually help in this situation? Or is there a better way to get rid of these untimely calls?

    Thanks.
    Riz
     
  2. dicko

    Perhaps fail2ban will work, but add

    alwaysauthreject=yes

    somewhere in your sip.conf hierarchy for completeness.

    Although these guys are a PITA, don't underestimate them; they are NOT stupid (ask Google, they got screwed). I suggest you ban the entire networks at /8 on your firewall. OK, so some folks in China and Japan won't be able to register with you, but is that a problem? Look into csf as a firewall and its ability to do bans by ipcountry; most of this crap comes from China, closely followed by eastern Europe, go figure :)

    dicko


    (
    yum -y install jwhois

    whois 119.147.116.0

    etc.

    )
     
  3. DaveD

    +1 for Dicko's above post.
    I am still running fail2ban but also installed CSF and configured it to watch the fail2ban logs as well as the asterisk/full logs. CSF will also do dyndns resolve for remote access and allow it through the firewall.

    The other firewall that works well is apf/bfd, but it is no longer maintained by its creator.
     
  4. dicko

    As I suggested elsewhere, please only run fail2ban AFTER csf and not before, or you might get conflicts/FU's in iptables; see my csf pre and post scripts (still ugly but still functional).

    dicko

    (iptables is iptables, it is as powerful as hell, use whatever works for you to configure it, but please use it!!!!)
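
Added example, not part of any post in this thread: the network-level ban suggested above, worked through with Python's `ipaddress` module to compare how much address space a /24 and a /8 ban cover, flag a ban that would cut off an address you need, and emit the matching iptables DROP rules. The last octets of the sample addresses and the kept address are constructed (the thread masks them), and the function names are hypothetical.

```python
import ipaddress

# Source addresses from the thread. The masked last octet (XXX) is filled with
# constructed values; it does not change the /24 or /8 each address falls in.
OBSERVED = ["119.147.116.10", "113.105.153.20", "218.116.19.30", "119.147.116.99"]
# Constructed address of a remote extension that must keep working (assumption).
MUST_KEEP = ["119.2.3.4"]


def covering_networks(addresses, prefix_len):
    """Distinct IPv4 networks of prefix_len bits containing the addresses, sorted."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    nets = set()
    for addr in addresses:
        ip = ipaddress.IPv4Address(addr)  # raises ValueError on malformed input
        nets.add(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
    return sorted(nets)


def blocked_addresses(networks):
    """Total number of addresses the ban would cover."""
    return sum(net.num_addresses for net in networks)


def collateral(networks, keep):
    """Networks whose ban would also cut off an address in keep."""
    keep_ips = [ipaddress.IPv4Address(k) for k in keep]
    return [net for net in networks if any(ip in net for ip in keep_ips)]


def iptables_rules(networks, chain="INPUT"):
    """One DROP rule per network, inserted at the top of the chain."""
    return [f"iptables -I {chain} -s {net} -j DROP" for net in networks]


if __name__ == "__main__":
    for prefix_len in (24, 8):
        nets = covering_networks(OBSERVED, prefix_len)
        print(f"/{prefix_len}: {blocked_addresses(nets):,} addresses blocked")
        for net in collateral(nets, MUST_KEEP):
            print(f"  warning: {net} also blocks a kept address")
        print("\n".join("  " + rule for rule in iptables_rules(nets)))
```

If csf manages the firewall, as suggested in the thread, add the resulting CIDRs to its deny list rather than inserting raw rules, so the two tools do not conflict in iptables.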
     
