These rules look to be excellent to stop attacks but I’m not a buff on IPTables. From what I understand, this is what’s happening:
Rule 1) Anything not from 192.168.3.0/24 network on UDP port 5060 is flagged for Asterisk.
Rule 2) Anything coming in on rule 1 which has more than 10 hits in 15 seconds is silently (i.e. no error reported back) dropped.
Am I correct? If so, I will happily implement that since it’s more-or-less ideal for what I want! I am the only client on the server and I deliberately set hard-to-guess passwords so any failures will be from unauthorised attacks.
Yes, that’s the idea and it works well. Nearly every day I see attacks start on my CLI, but the rules quickly stop them. These same rules work well on TCP port 22 for SSH attacks, but I prefer to run SSH on an obscure port.
Thanks for that. I’ll implement it in a minute. I have to be careful with SSH though since my Asterisk system is on a hosted server and I can’t afford to lose SSH!
If it helps you, I use Denyhosts scripts to block attacks and my logins are passwordless and usernameless (the username you attempt to connect with is the one you use). If you don’t have the correct key, you don’t have access, simple! After about 10 failed logins, the IP address is banned permanently through /etc/hosts.deny (I deliberately ban forever because with one failed login with, for example, SSHing from the wrong account, then you know your mistake but at other times, there’s no issue since it’s a TCP connection).
I’ll add these filters now and report back on how they work for me.
Incidentally, though, I presume that after a while it will release the IP address that attempted the attack. Is there any way to keep that permanently? Most attacks seem to come from Russia, India or China and I have no need to access the network from over there (and if I did, I could SSH in natively and release the banned IP).
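The rule pair described at the top of the thread, written out as an added example (this is not the poster's own rule set, and it is not lifted from the thread). It assumes the LAN is 192.168.3.0/24, that the recent list is called "Asterisk", and that the script runs as root on the Asterisk host; run it with no arguments to print the rules, or with `--apply` to load them. It also shows where the kernel keeps the list, which is the place to look when asking how long a source stays in it: `--update` refreshes the entry on every matching hit, so a source that keeps hammering the port stays blocked and only ages out once it goes quiet.

```shell
#!/bin/sh
# Added example: SIP rate limiting with the iptables "recent" match.
# Assumptions: LAN 192.168.3.0/24, list name "Asterisk", run as root.
# IPT="echo iptables" prints the rules instead of applying them.
: "${IPT:=iptables}"
: "${LAN:=192.168.3.0/24}"
: "${SIP_PORT:=5060}"
: "${LIST:=Asterisk}"

# Emit (or apply) the rule set in the order the thread describes:
# LAN traffic is accepted before it can touch the list, every other
# packet to UDP/5060 is recorded, and a source that has reached 10
# hits inside a 15-second window is dropped silently (no ICMP reply).
sip_rate_limit_rules() {
    $IPT -A INPUT -p udp --dport "$SIP_PORT" -s "$LAN" -j ACCEPT
    # Rule 1: record the source address of every non-LAN SIP packet.
    $IPT -A INPUT -p udp --dport "$SIP_PORT" -m recent --name "$LIST" --set
    # Rule 2: drop once 10 hits fall inside 15 s. --update refreshes the
    # timestamp on each match, so a source that keeps sending stays blocked.
    $IPT -A INPUT -p udp --dport "$SIP_PORT" -m recent --name "$LIST" \
        --update --seconds 15 --hitcount 10 -j DROP
    $IPT -A INPUT -p udp --dport "$SIP_PORT" -j ACCEPT
}

# Show the addresses currently held in the list. The kernel exposes each
# recent list under /proc/net/xt_recent/<name>; reading it needs root.
sip_recent_entries() {
    list="/proc/net/xt_recent/$LIST"
    if [ ! -r "$list" ]; then
        echo "cannot read $list (module not loaded or not root)" >&2
        return 1
    fi
    cat "$list"
}

# Default to a dry run so a bare invocation never changes the firewall.
if [ "${1:-}" = "--apply" ]; then
    sip_rate_limit_rules
else
    IPT="echo iptables"
    sip_rate_limit_rules
fi
```

The dry-run output is what you would paste into the firewall script; `--set` and `--update` must name the same list, and the `--set` rule sits before the `--update` rule so that the packet that takes a source to its tenth hit is the first one dropped.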