How many connections should be made per minute on port 5060 by a legitimate client? For example, if I fire up Linphone and connect to my server, I would expect that 5060 is used only once to authenticate me, and then I am handed off to another port and my TCP state becomes established. Is this correct?
I am writing an iptables rule to block connections from an IP if it exceeds what would be considered a normal number of connections. For example, on all of my Linux systems (including this Gentoo laptop) I limit SSH connections to 3 per minute. This is in the NEW state. It ignores related and established connections since those already passed the login. This works well and is only two lines of code. I intend to do this for Asterisk also, only specifying port 5060 instead of 22.
So what is a reasonable number of connections per minute for any single device/app to Asterisk?
Here is what I intend to do.
iptables -A INPUT -p tcp -m multiport --dports 22,5060 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp -m multiport --dports 22,5060 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
This would drop connections from any single IP which tried to connect to SSH or Asterisk more than three times every minute.
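As an added example (not part of the original post), this Python model replays constructed connection attempts through the two rules above to show which NEW packets are dropped and how long a retrying source stays blocked. It assumes both rules use the recent module's DEFAULT list, since no --name is given, and it keeps every timestamp inside the window rather than the kernel's bounded per-entry history; the class, function and sample names are hypothetical.

```python
from collections import defaultdict

WINDOW = 60          # --seconds 60
HITCOUNT = 4         # --hitcount 4
PORTS = {22, 5060}   # --dports 22,5060


class RecentList:
    """One recent-module list: source IP -> timestamps of recorded hits."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def new_connection(self, now, src, dport):
        """Verdict for one NEW TCP packet: 'DROP' or 'PASS' (on to later rules)."""
        if dport not in PORTS:
            return "PASS"                      # neither rule matches this port
        seen = self.stamps[src]
        seen.append(now)                       # rule 1: --set records the hit
        seen[:] = [t for t in seen if now - t <= WINDOW]
        if len(seen) >= HITCOUNT:              # rule 2: --seconds / --hitcount
            seen.append(now)                   # --update records the match too
            return "DROP"
        return "PASS"


def replay(events):
    """Run (time_s, src_ip, dport) tuples through a fresh list."""
    table = RecentList()
    return [table.new_connection(*e) for e in events]


# Constructed sample traffic (documentation addresses, times in seconds).
# One source retrying port 5060: the attempt at t=75 is still dropped because
# the dropped attempt at t=30 was itself recorded twice (--set and --update).
STEADY_RETRY = [(t, "192.0.2.10", 5060) for t in (0, 10, 20, 30, 75, 200)]
# SSH and SIP attempts from one source are counted together in the shared list.
MIXED_PORTS = [(0, "192.0.2.20", 22), (5, "192.0.2.20", 22),
               (10, "192.0.2.20", 5060), (15, "192.0.2.20", 5060)]

if __name__ == "__main__":
    for name, events in (("retry", STEADY_RETRY), ("mixed", MIXED_PORTS)):
        for event, verdict in zip(events, replay(events)):
            print(name, event, verdict)
```

Giving each service its own rule pair with a distinct --name keeps SSH and SIP counts separate.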