[Freeswitch-users] Been hacked - what's the best way to prevent sip scanner?
David Ponzone
david.ponzone at ipeva.fr
Tue Oct 5 14:25:36 PDT 2010
Mario,
personnally, following a DoS REGISTER attack I had recently, I
configured some rate-limiting on REGISTER attempts.
Here is the result, in "iptables-save" format:
-A INPUT -d YOUR_FS_IP -p udp -m udp --dport YOUR_FS_PORT -m string --
string "REGISTER" --algo kmp --from 20 --to 60 -j dos-filter-register-
external
-A dos-filter-register-external -m hashlimit --hashlimit 5/sec --
hashlimit-burst 8 --hashlimit-mode srcip --hashlimit-name REGISTER --
hashlimit-htable-size 24593 --hashlimit-htable-expire 90000 -j RETURN
-A dos-filter-register-external -j REJECT --reject-with icmp-admin-
prohibited
This will ratelimit REGISTER packets coming to YOUR_FS_IP:YOUR_FS_PORT
to 5 per second for each source IP.
PS: thanks to the experienced people on #freeswitch for the help
provided to setup this filter.
David Ponzone Direction Technique
email: david.ponzone at ipeva.fr
tel: 01 74 03 18 97
gsm: 06 66 98 76 34
Service Client IPeva
tel: 0811 46 26 26
www.ipeva.fr - www.ipeva-studio.com
Ce message et toutes les pièces jointes sont confidentiels et établis
à l'intention exclusive de ses destinataires. Toute utilisation ou
diffusion non autorisée est interdite. Tout message électronique est
susceptible d'altération. IPeva décline toute responsabilité au
titre de ce message s'il a été altéré, déformé ou falsifié. Si
vous n'êtes pas destinataire de ce message, merci de le détruire
immédiatement et d'avertir l'expéditeur.
Le 05/10/2010 à 20:55, Mario a écrit :
> After working 4 hours I found that FS was hosed due to someone from
> 208.109.87.234 sending tons of traffic to FS. I blocked the IP
> address.
> Not only did it overload the connection but stopped FS from working,
> meaning no phones. This had not happened with the SPA9000. I listed on
> on a FS conference call discussing this issue. Is there someplace that
> has a list of things to do to prevent/reduce this? I did have ports,
> etc. blocked in the firewall. Thanks. Mario
>
> _______________________________________________
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20101005/038d424b/attachment.html
More information about the FreeSWITCH-users
mailing list