Although we’ve set up fail2ban to block brute force attacks that occur over SIP, based on IP address of the connection, I’m wondering if there is a way to block based on phone numbers / DIDs potentially trying to guess passwords of our conference bridge. All calls from the public switched telephone network (PSTN) are routed through our trunking provider’s servers, and we cannot simply ban their IP addresses, otherwise we’d get no calls.
Does Asterisk provide a way, or is there some example code for blocking repeated attempts to guess passwords over the PSTN? Are the phone numbers involved with these kinds of attacks typically filtered out as abuse by trunking providers?
Thanks for the links. Those look like they are designed to blacklist IP addresses, which won’t work for the kind of attack that I described. If someone calling from (555) 555-1234 dials our SIP server over the public telephone network, they can try to brute force conference bridge passwords, but we can’t block them via IP address, because their traffic is mixed up with the good traffic that comes from our trunking provider / SIP provider that connects us to the public telephone network. We already block IP addresses based on this kind of bad behavior when they connect to our server directly via SIP.
Now that I think of it, fail2ban could serve as part of a solution here, because it’s good at parsing logs and taking arbitrary actions based on its findings. So it could compile a local database (perhaps just a text file) of phone numbers people are using when they mis-enter a password several times. Asterisk would just need to run an arbitrary script from the extensions config file to check if a phone number is in that blacklist. If it is, Asterisk could just block it. Is there a way to do that with Asterisk?
You could do this in dialplan. You could have some code set up so that if a user enters the wrong passcode X number of times, their DID gets added to a database. You would then need to have your IVR check the database for numbers every time someone calls. I did something similar when I was trying to hybrid my landline with my PBX and wanted to make sure I had matching name information for caller ID.
Or at the very least have 3 bad attempts just hang up. After a while they might get frustrated enough to stop trying.