[Freeswitch-users] Been hacked - what's the best way to prevent sip scanner?

Mario mario_fs at mgtech.com
Tue Oct 5 17:46:11 PDT 2010


Thanks to all, I will look into and use some or all options presented
here. Amazing, this happened so fast, I didn't even have the machine in
full use, just in testing on/off since 9/20 and I'm only a SOHO. Still
have 2 things to figure out before the switch. Thanks again!

On 10/05/2010 03:09 PM, Kristian Kielhofner wrote:
> It may have started here:
> 
> http://blog.krisk.org/2008/07/sip-dosddos-mitigation.html
> 
> If other people have made improvements I'd love to hear about them and
> maintain the script somewhere :).
> 
> On Tue, Oct 5, 2010 at 5:25 PM, David Ponzone <david.ponzone at ipeva.fr> wrote:
>> Mario,
>> personally, following a DoS REGISTER attack I had recently, I configured
>> some rate-limiting on REGISTER attempts.
>> Here is the result, in "iptables-save" format:
>> -A INPUT -d YOUR_FS_IP -p udp -m udp --dport YOUR_FS_PORT -m string --string "REGISTER" --algo kmp --from 20 --to 60 -j dos-filter-register-external
>> -A dos-filter-register-external -m hashlimit --hashlimit 5/sec --hashlimit-burst 8 --hashlimit-mode srcip --hashlimit-name REGISTER --hashlimit-htable-size 24593 --hashlimit-htable-expire 90000 -j RETURN
>> -A dos-filter-register-external -j REJECT --reject-with icmp-admin-prohibited
>> This will rate-limit REGISTER packets coming to YOUR_FS_IP:YOUR_FS_PORT to 5
>> per second for each source IP.
>> PS: thanks to the experienced people on #freeswitch for the help provided to
>> set up this filter.
>> David Ponzone, Technical Management
>> email: david.ponzone at ipeva.fr
>>
>>
> 

-- 
*Mario*
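
Added example, not part of the original thread: a simplified Python model of the per-source token bucket that the quoted hashlimit rule configures (5/sec, burst 8, keyed on source IP), replayed over constructed traffic to show what a flood and a normal phone each see. The class and function names and the sample addresses are assumptions for illustration, and the kernel's own credit accounting differs in detail.

```python
from collections import defaultdict

# Parameters copied from the quoted rule; tokens are scaled by 1000 to stay in integers.
RATE_PER_MS = 5      # --hashlimit 5/sec -> 5 milli-tokens regained per millisecond
BURST = 8 * 1000     # --hashlimit-burst 8
COST = 1000          # each matching REGISTER packet spends one token
EXPIRE_MS = 90000    # --hashlimit-htable-expire 90000 (idle entries are dropped)


class RegisterLimiter:
    """One bucket per source address, as with --hashlimit-mode srcip."""

    def __init__(self):
        self.buckets = {}  # srcip -> (milli-tokens, time last seen in ms)

    def verdict(self, srcip, now_ms):
        tokens, last = self.buckets.get(srcip, (BURST, now_ms))
        if now_ms - last > EXPIRE_MS:
            tokens = BURST  # entry expired, a fresh bucket is created
        else:
            tokens = min(BURST, tokens + (now_ms - last) * RATE_PER_MS)
        if tokens >= COST:
            self.buckets[srcip] = (tokens - COST, now_ms)
            return "RETURN"   # under the limit: back to INPUT, packet continues
        self.buckets[srcip] = (tokens, now_ms)
        return "REJECT"       # over the limit: falls through to the REJECT rule


def replay(events):
    """events: iterable of (time_ms, srcip). Returns verdict counts per source."""
    limiter = RegisterLimiter()
    counts = defaultdict(lambda: {"RETURN": 0, "REJECT": 0})
    for now_ms, srcip in sorted(events):
        counts[srcip][limiter.verdict(srcip, now_ms)] += 1
    return {ip: dict(c) for ip, c in counts.items()}


def sample_events():
    # Constructed traffic: one source sending 100 REGISTER/s for 2 seconds,
    # and one phone re-registering every 30 seconds.
    flood = [(i * 10, "198.51.100.7") for i in range(200)]
    phone = [(t, "192.0.2.10") for t in (0, 30000, 60000)]
    return flood + phone


if __name__ == "__main__":
    for ip, c in replay(sample_events()).items():
        print(ip, c)
```

The flood source gets its initial burst of 8 through and then roughly 5 per second, while the phone is never rejected; the limit slows password guessing per source but does not stop a slow or distributed scan.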


