Using Iptables 'recent' Module Against Bruteforce Attacks
Alternative title: Being SIP-‘register’ flooded from several locations
Just recently I had to switch off the Asterisk PBX on this server due to distributed SIP REGISTER floods (or rather brute-force login attempts). Several thousand "register" SIP packets were coming in within a few seconds, which my Asterisk of course tried to cope with. That was just too much for the server: the load went through the ceiling and I had to switch Asterisk off.
This weekend I took another attempt at making my server resistant against such attacks. It took some reading and some searching, but finally I came up with a solution pretty similar to the one for stopping SSH brute-force attempts. Both chains use the iptables 'recent' match: every packet is recorded per source address (--set), and once a source reaches the hit count within 60 seconds (--rcheck) it is logged and rejected. Below is what iptables-save now comes up with, the relevant part only of course. Logging is limited to a few occurrences per minute, but this could need some more tweaking.
# Generated by iptables-save v1.4.2 on Sat Dec 11 15:07:02 2010
*filter
:INPUT ACCEPT [2917:434824]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2645:891090]
:sip-flood - [0:0]
:ssh-flood - [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ssh-flood
-A INPUT -i eth0 -p udp -m udp --dport 5060 -j sip-flood
-A INPUT -i eth0 -p tcp -m tcp --dport 5060:5061 -m state --state NEW -j sip-flood
-A sip-flood -m recent --set --name sip_throttle --rsource
-A sip-flood -m recent --rcheck --seconds 60 --hitcount 20 --name sip_throttle --rsource -m limit --limit 1/min -j LOG --log-prefix "SIP bruteforce attempt: "
-A sip-flood -m recent --rcheck --seconds 60 --hitcount 20 --name sip_throttle --rsource -j REJECT --reject-with icmp-port-unreachable
-A ssh-flood -m recent --set --name ssh_throttle --rsource
-A ssh-flood -m recent --rcheck --seconds 60 --hitcount 3 --name ssh_throttle --rsource -m limit --limit 1/min -j LOG --log-prefix "SSH bruteforce attempt: "
-A ssh-flood -m recent --rcheck --seconds 60 --hitcount 3 --name ssh_throttle --rsource -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sat Dec 11 15:07:02 2010
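To see how the sip-flood chain behaves over time, here is an added simulation of the xt_recent semantics it relies on (example code written for this post, not from the original post or the iptables project). It models --set as appending a per-source timestamp, --rcheck --seconds/--hitcount as counting timestamps inside the window with the current packet included, and assumes the module's default ip_pkt_list_tot of 20 remembered packets per source; the traces and addresses are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # --seconds 60
HITCOUNT = 20        # --hitcount 20
LIST_LEN = 20        # xt_recent ip_pkt_list_tot default: timestamps kept per source

class RecentTable:
    """Models one xt_recent list (here the 'sip_throttle' name) keyed by --rsource."""
    def __init__(self, seconds=WINDOW_SECONDS, hitcount=HITCOUNT, list_len=LIST_LEN):
        self.seconds, self.hitcount, self.list_len = seconds, hitcount, list_len
        self.seen = defaultdict(deque)  # source address -> recent packet timestamps

    def set(self, src, now):
        # --set: record this packet's time; the kernel keeps only the newest list_len
        q = self.seen[src]
        q.append(now)
        while len(q) > self.list_len:
            q.popleft()

    def rcheck(self, src, now):
        # --rcheck --seconds S --hitcount H: match when at least H packets from src
        # (the current one included, since --set ran first) fall within the last S seconds
        hits = sum(1 for t in self.seen.get(src, ()) if now - t <= self.seconds)
        return hits >= self.hitcount

def sip_flood_chain(packets):
    """Run (time, src) packets through the sip-flood chain; return per-packet verdicts."""
    table = RecentTable()
    verdicts = []
    for now, src in packets:
        table.set(src, now)          # -A sip-flood -m recent --set --name sip_throttle --rsource
        if table.rcheck(src, now):   # -A sip-flood -m recent --rcheck ... -j REJECT
            verdicts.append((now, src, "REJECT"))
        else:
            verdicts.append((now, src, "ACCEPT"))  # falls through to the INPUT ACCEPT policy
    return verdicts

def rejected_count(packets):
    return sum(1 for _, _, v in sip_flood_chain(packets) if v == "REJECT")

# Constructed traces (not captured traffic; RFC 5737 documentation addresses):
# one host firing 25 REGISTERs in ten seconds ...
single_burst = [(i * 0.4, "198.51.100.7") for i in range(25)]
# ... the same host sending 19, pausing past the 60 s window, then 19 more ...
spaced = [(float(i), "198.51.100.7") for i in range(19)] + [(80.0 + i, "198.51.100.7") for i in range(19)]
# ... and a distributed flood: 25 hosts, each staying one below --hitcount inside the minute
distributed = sorted((s * 2.0 + i * 0.1, f"203.0.113.{s}") for s in range(1, 26) for i in range(19))
```

Running rejected_count over the three traces gives 6 of 25 packets rejected for the single-host burst and none for the spaced or distributed traces, since every source stays at 19 hits: a flood spread thinly across many sources is not throttled by these per-source rules and would need a global limit on top (the limit match already used for logging is one option). Note also that xt_recent refuses a --hitcount larger than ip_pkt_list_tot (20 by default), so the rules above sit exactly at that ceiling.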