LISTSERV mailing list manager LISTSERV 16.0

LINUX-L Archives
LINUX-L@LISTS.UFL.EDU
Subject: Re: SIP Flood attacks from EC2 cloud
From: Fred Posner <[log in to unmask]>
Reply-To: Platform Independent Linux List! <[log in to unmask]>
Date: Tue, 13 Apr 2010 14:34:37 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (13 lines)

On Apr 13, 2010, at 2:25 PM, Jon Lewis wrote:

> On Tue, 13 Apr 2010, Fred Posner wrote:
> 
>> I didn't want fail2ban as I'm already using blockhosts, which I just love. Since it's a UDP connection without the ability to spawn, I figured if I had to cron something I'd just do it myself. The reason I didn't do the tail was just out of a quickness in writing the script. My log rotate is weekly... so the tail method I didn't think would handle a single probe daily... whereas the quick log read would, taking less than a second on large logs. So it was a "pure laziness" approach of not having to write a counting log or similar.
> 
> I'm not sure there's any reason you couldn't use both blockhosts and fail2ban and just use each for different things.  File::Tail is just a bit of code for perl to keep a [log] file open for reading.  It handles reopening the file for you if the file is rotated.  What your program does with the data gotten via File::Tail is up to it.  Are you really worried about someone trying one auth per day though?  OTOH, can there really be any legitimate SIP access from Amazon EC2?  Why not just use a few iptables rules to block all of EC2's IP space?
> 

Actually there are a few carriers using EC2 as a failover as well as some people just simply running their PBX there. The one a day is for probing attempts... which I have been seeing. I think the long term goal would be to make this a decent tool and help with some of the various VoIP attacks. In which case it might be, instead of tail, using a line counter (starting where it last left off) as well as keeping track of counts within a time period.

---fred
http://qxork.com
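The approach the reply describes (resume the log from where the previous cron run left off, count failures per source within a time period, then hand the offenders to the blocker) as an added example; it is not code from the thread, from blockhosts or from fail2ban. It assumes Asterisk-style chan_sip registration-failure lines, a 10-minute window and a threshold of three, all constructed here, and it detects rotation by inode change so a weekly logrotate does not lose the offset.

```python
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta

def _line(ts, user, ip, why):  # builds one constructed chan_sip-style line (hypothetical sample)
    return f"[{ts}] NOTICE[1234] chan_sip.c: Registration from '\"{user}\"<sip:{user}@pbx.example>' failed for '{ip}:5060' - {why}\n"
SAMPLE_LOG = (_line("Apr 13 14:01:02", "100", "203.0.113.7", "Wrong password")
              + _line("Apr 13 14:01:03", "101", "203.0.113.7", "Wrong password")
              + _line("Apr 13 14:01:04", "102", "203.0.113.7", "No matching peer found")
              + _line("Apr 13 14:05:00", "bob", "198.51.100.9", "Wrong password"))
EXTRA_LINE = _line("Apr 13 15:30:00", "103", "203.0.113.7", "Wrong password")
LINE_RE = re.compile(r"^\[(\w{3} \d{1,2} \d\d:\d\d:\d\d)\].*Registration from .* failed for '(\d+\.\d+\.\d+\.\d+)")

def parse_line(line, year=2010):
    # (timestamp, source IP) for a failed registration, else None; syslog-style stamps carry no year
    m = LINE_RE.search(line)
    return (datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S"), m[2]) if m else None

def read_new_lines(path, state):
    # Read only bytes appended since the last call; the caller persists `state` (inode, offset) between runs.
    st = os.stat(path)
    if state.get("inode") != st.st_ino or st.st_size < state.get("offset", 0):
        state["offset"] = 0  # rotated (new inode) or truncated: start from the top
    with open(path, "rb") as f:
        f.seek(state["offset"])
        data = f.read()
        state["offset"] = f.tell()
    state["inode"] = st.st_ino
    return data.decode(errors="replace").splitlines()

def offenders(events, window=timedelta(minutes=10), threshold=3):
    # IPs with at least `threshold` failures inside some `window`-long span (sliding window per IP)
    per_ip = defaultdict(list)
    for ts, ip in sorted(events):
        per_ip[ip].append(ts)
    return {ip for ip, t in per_ip.items()
            if any(t[i + threshold - 1] - t[i] <= window for i in range(len(t) - threshold + 1))}

def demo():
    # Two cron-style passes over a temp file: the second pass must see only the appended line.
    path = os.path.join(tempfile.mkdtemp(), "messages")
    state = {}
    with open(path, "w") as f:
        f.write(SAMPLE_LOG)
    first = [e for e in map(parse_line, read_new_lines(path, state)) if e]
    with open(path, "a") as f:
        f.write(EXTRA_LINE)
    second = [e for e in map(parse_line, read_new_lines(path, state)) if e]
    return len(first), len(second), offenders(first + second)
```

The set returned by `offenders` is what a real run would feed to the blocking step (an iptables or blockhosts entry), which is left to the caller; for the once-a-day probes mentioned in the thread, persist the parsed events alongside `state` and widen `window` accordingly.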
