Gilles

Re: PBX security

I removed the directory, downloaded revision 503, modified iptable.config per the settings you provided above, then ran "make menuconfig > Custom kernel settings" + "make"... and it does go ahead with no prompt. I guess running "make clean" isn't enough. Thank you.


fsinetworks

Re: PBX security

Hello,

I wrote a shell script (banip.sh) to block SIP attacks, which uses the iptables command and the Asterisk log.

http://blackfin.uclinux.org/gf/project/ … rum_id=120

Advice for improving this script is welcome.

Best Regards,
Fabien


Gilles

Re: PBX security

Instead of checking the log files and reconfiguring iptables on the fly, provided the kernel is not too old, Netfilter/iptables itself supports banning hosts that are making too many connections.

I've seen those mentioned on the Net:
====================
# UDP: record each new source in the "SIP" list, then drop a source seen 20 times within 600 seconds
iptables -A INPUT -p udp --dport 5060 -m state --state NEW -m recent --set --name SIP
iptables -A INPUT -p udp --dport 5060 -m state --state NEW -m recent --rcheck --name SIP --seconds 600 --hitcount 20 --rttl -j DROP
iptables -A INPUT -p udp --dport 5060 -j ACCEPT
====================
# TCP: "sshbrute" is a list name for the "recent" match; drop a source seen 4 times within 60 seconds
iptables -A INPUT -p tcp --dport 5060 -m state --state NEW -m recent --set --name sshbrute
iptables -A INPUT -p tcp --dport 5060 -m state --state NEW -m recent --update --name sshbrute --seconds 60 --hitcount 4 -j DROP
====================


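An added example, not part of the original posts: a simplified Python model of how the "recent" match evaluates the --set, --rcheck and --update rules quoted above, replayed over constructed traffic to show which packet is first dropped and that a phone re-registering at a normal interval is never blocked. Assumptions: every packet is treated as state NEW, --rttl is ignored, and the class, function names and addresses are hypothetical.

```python
from collections import defaultdict, deque

PKT_LIST_TOT = 20  # default ip_pkt_list_tot: timestamps remembered per source


class RecentList:
    """Simplified model of one named list of the iptables 'recent' match."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        # --set: record a timestamp for the source; always matches
        self.stamps[src].append(now)
        return True

    def rcheck(self, src, now, seconds, hitcount):
        # --rcheck: match if at least `hitcount` timestamps fall in the window
        hits = sum(1 for t in self.stamps.get(src, ()) if now - t <= seconds)
        return hits >= hitcount

    def update(self, src, now, seconds, hitcount):
        # --update: like --rcheck, but a match also records a new timestamp
        matched = self.rcheck(src, now, seconds, hitcount)
        if matched:
            self.stamps[src].append(now)
        return matched


def replay(packets, check, seconds, hitcount):
    """Replay (time, src) packets through: --set rule, check rule -j DROP, ACCEPT."""
    lst, verdicts = RecentList(), []
    for now, src in packets:
        lst.set(src, now)  # first rule has no target, so evaluation continues
        dropped = getattr(lst, check)(src, now, seconds, hitcount)
        verdicts.append("DROP" if dropped else "ACCEPT")
    return verdicts


# Constructed traffic: one source sending a new request every 10 s, and a
# phone re-registering every 300 s (documentation-range addresses).
flood = [(i * 10, "198.51.100.7") for i in range(30)]
phone = [(i * 300, "192.0.2.10") for i in range(30)]
udp_flood = replay(flood, "rcheck", 600, 20)  # UDP rules from the post
udp_phone = replay(phone, "rcheck", 600, 20)
tcp_flood = replay(flood, "update", 60, 4)    # TCP rules from the post

if __name__ == "__main__":
    print(udp_flood.count("ACCEPT"), udp_phone.count("DROP"), tcp_flood.count("ACCEPT"))
```

Because the --set rule runs before the DROP rule, the packet being evaluated counts toward the hit count, so the 20th (UDP) or 4th (TCP) packet in the window is the first one dropped. With the default list size of 20 timestamps per source, a --hitcount above 20 could never be reached.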
fsinetworks

Re: PBX security

Hello Gilles,

I know, but it's not possible to use the state parameter with BAPS.
iptables v1.3.6: Couldn't find match `state'

Best regards,
fabien


Gilles

Re: PBX security

Yes, it's because BAPS uses the 2007 release of uClinux. Switchfin, however, uses the 2009 release and supports the "state" module, along with "length", "recent", "string", etc.

