I’m not permitted to use fail2ban, and would rather do this in iptables. I’m just wondering about the difference in treatment of different user agents.
LOL. Well, fail2ban is great for this job. It reads Asterisk’s logs non-stop, and if it sees more than X failed login attempts or unauthorized calls, it sets an iptables rule.
When you use f2b, as the first messages are answered, the remote scanner knows there is an IPBX, and some start bruteforcing your server, causing your resources to be consumed. iptables blocks the scan at the earliest point, and does not hint to the remote scanner that you are running an IPBX.
From my experience, 3 agents are commonly used, and these rules will stop them:
-A INPUT -p udp -m string --string "friendly-scanner" --algo bm --to 600 -m udp --dport 5060 -j DROP
-A INPUT -p udp -m string --string "sipcli/v" --algo bm --to 600 -m udp --dport 5060 -j DROP
-A INPUT -p udp -m string --string "sipvicious" --algo bm --to 600 -m udp --dport 5060 -j DROP
Of course, you also need f2b, and to monitor which user agent is used when someone is banned, and add it to iptables.
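To see what those three `-m string` rules actually test for, here is an added emulation (not code from the thread or from Asterisk) of the match against constructed SIP OPTIONS packets; the denylist strings and the 600-byte window are taken from the rules above, the packets and header names are made up, and I assume the kernel counts offsets from the start of the packet as it sees it, so the real payload window is slightly smaller than 600 bytes. It also shows the two caveats a practitioner should know: the match is case-sensitive (no `--icase`), and a User-Agent header that starts past byte 600 is never seen.

```python
# Added example: emulates the iptables xt_string match used in the rules above.
# Constructed packets; offsets and search behaviour are an approximation of the kernel's.
BLOCKED_AGENTS = ("friendly-scanner", "sipcli/v", "sipvicious")  # strings from the rules
SEARCH_TO = 600  # mirrors --to 600: only the first 600 bytes are inspected


def string_match(packet: bytes, pattern: str, frm: int = 0, to: int = SEARCH_TO) -> bool:
    """Mimic xt_string: the pattern must lie entirely inside packet[frm:to], case-sensitive."""
    return packet[frm:to].find(pattern.encode()) != -1


def verdict(packet: bytes) -> str:
    """Walk the rules in chain order; the first matching rule decides (DROP), else fall through."""
    for agent in BLOCKED_AGENTS:
        if string_match(packet, agent):
            return "DROP"
    return "ACCEPT"  # whatever follows in the INPUT chain handles it


def sip_options(user_agent: str, padding_headers: int = 0) -> bytes:
    """Build a constructed SIP OPTIONS request; padding_headers pushes User-Agent further down."""
    lines = [
        "OPTIONS sip:100@pbx.example.invalid SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-1",
        "From: <sip:probe@192.0.2.10>;tag=1",
        "To: <sip:100@pbx.example.invalid>",
        "Call-ID: 1@192.0.2.10",
        "CSeq: 1 OPTIONS",
    ]
    # Each filler header is ~74 bytes; ten of them push User-Agent well past byte 600.
    lines += [f"X-Filler-{i}: " + "x" * 60 for i in range(padding_headers)]
    lines += [f"User-Agent: {user_agent}", "Content-Length: 0", "", ""]
    return "\r\n".join(lines).encode()


if __name__ == "__main__":
    for ua, pad in [("friendly-scanner", 0), ("sipcli/v1.8", 0), ("Asterisk PBX", 0),
                    ("Friendly-Scanner", 0), ("friendly-scanner", 10)]:
        print(f"{ua!r:22} padding={pad:2} -> {verdict(sip_options(ua, pad))}")
```

The last two cases are the ones fail2ban would still catch from the log: a capitalised agent string and a scanner whose User-Agent lands beyond the 600-byte window both sail past the static rules.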
The distinction you are making is between static rules and self-adapting rules. The dynamic rules will still work if the attacker changes the user agent to get round the static rules.
The second agent is just rejected so that a “friendly scanner”, in this case, would be allowed to get a reply of some sort. The VaxSIPUserAgent gets dropped because, in the example, the admin does not want ANY response sent at all when dealing with that user agent.
I have to concur with everyone on Fail2Ban (which is a log parser that then applies dynamic iptables rules against hosts). Used along with iptables-persistent or your own method of regularly saving iptables rules and then loading them at startup, Fail2ban’s dynamic method of creating firewall rules on the fly is superior. This is especially so since you can change the settings as needed, to catch newly discovered methods of attacking an Asterisk (or other service) system. Additionally, the notifications can be useful. I often discover the same IP or IP blocks trying to gain access to a system over and over and over, so I contact the abuse email from the WHOIS report. If I don’t get satisfaction (i.e. the attacks stop), I create a rule to drop all packets from the offending IP.
You can also get into using iptables with geographic IP checking, and block particular countries. This comes in handy.