mitul at enterux.in Guest
Posted: Fri Apr 11, 2014 1:44 pm Post subject: [asterisk-users] SIP fraud IP blacklist
Looks nice, might start using it, Stefan.
Thanks.
Mitul
On Friday, April 11, 2014, Stefan Gofferje <lists@home.gofferje.net> wrote:
Quote:
Hi,
in case, anyone is interested...
I have started compiling a blacklist of hosts and networks from which
SIP fraud attempts occur.
My criteria currently are:
To block an IP:
- Minimum 3 attacks within one week from the same IP
To block a network:
- Attacks from minimum 3 IPs from that network within 2 weeks
Common criteria:
- Provider does not react to complaints OR
- Provider sends autoreply but attacks don't stop within a week
Definition of attack:
- Minimum 5 attempts to make an unauthorized phone call to a
non-PBX-internal number OR
- Minimum 10 attempts to make an unauthorized phone call to a
PBX-internal number OR
- Minimum 10 failed authentication attempts
If this happens, the IP gets auto-banned (iptables) for 24 hours and
goes to my watch list. The watch list is the base for my further decisions.
Currently, I don't remove IPs or networks from the list. If I have time
and/or motivation I might create some kind of removal process later -
also, depending on how big the list gets and how many people use it.
The list is yet pretty short but for me, it has reduced the noise on my
PBX from 20-30 attacks per day to about 2 or 3 per week, especially
after most of the Palestinian networks ended up on the list.
You're free to use the list - on your own responsibility and risk. It's
in the ipdeny.com format, so a simple script can be used to CURL the
list and create iptables rules from it. A sample script for something
like that is also on my website (check the Linux section).
That's the website for the list:
http://stefan.gofferje.net/it-stuff/sipfraud/sip-attacker-blacklist
And that's the download URL:
http://stefan.gofferje.net/sipblocklist.zone
Note that the list is updated every 6h so polling it more often doesn't
help anything. Please limit polling to once a day or so.
-S
--
(o_ Stefan Gofferje | SCLT, MCP, CCSA
//\ Reg'd Linux User #247167 | VCP #2263
V_/_ Heckler & Koch - the original point and click interface
--
Regards,
Mitul Limbani,
Chief Architech & Founder,
Enterux Solutions Pvt. Ltd.
110 Reena Complex, Opp. Nathani Steel,
Vidyavihar (W), Mumbai - 400 086. India
http://www.enterux.com/
http://www.entvoice.com/
email: mitul@enterux.in
DID: +91-22-71967196
Cell: +91-9820332422
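The quoted message says the list is in the ipdeny.com format and can be turned into iptables rules by a simple script. The following is an added example, not part of the thread and not the sample script from Stefan's website: it validates a downloaded zone file (one IPv4 CIDR per line) before generating rules, so that a malformed or over-broad entry in a third-party list cannot block the PBX's own networks or smuggle extra arguments into a command. The chain name, minimum prefix length, protected ranges and sample entries are assumptions made for this illustration.

```python
import ipaddress

# Assumed values for this illustration; none of them come from the thread.
CHAIN = "SIPBLOCK"        # hypothetical dedicated iptables chain
MIN_PREFIX = 16           # refuse anything broader than a /16
PROTECTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample zone file (documentation address ranges), not real list data.
SAMPLE = """\
198.51.100.0/24
203.0.113.7
203.0.113.0/25
203.0.113.128/25
0.0.0.0/0
10.1.2.0/24
198.51.100.1 -j ACCEPT
2001:db8::/32
"""

def parse_zone(text):
    """Return (collapsed accepted networks, [(line, reason)] for rejected lines)."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # tolerate comments and blank lines
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            rejected.append((line, "not a valid CIDR"))
            continue
        if net.version != 4:
            rejected.append((line, "not IPv4"))
        elif net.prefixlen < MIN_PREFIX:
            rejected.append((line, "prefix too broad"))
        elif any(net.overlaps(p) for p in PROTECTED):
            rejected.append((line, "overlaps protected network"))
        else:
            accepted.append(net)
    # Merge adjacent and nested entries so the chain stays as short as possible.
    return list(ipaddress.collapse_addresses(accepted)), rejected

def iptables_commands(nets):
    """Build the command list from validated network objects only."""
    cmds = [f"iptables -N {CHAIN}", f"iptables -F {CHAIN}"]
    return cmds + [f"iptables -A {CHAIN} -s {n} -j DROP" for n in nets]

if __name__ == "__main__":
    nets, bad = parse_zone(SAMPLE)
    print("\n".join(iptables_commands(nets)))
    for line, reason in bad:
        print(f"# skipped {line!r}: {reason}")
```

The commands are only printed; review the skipped lines before applying anything, and hook the chain into INPUT separately.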