Blacklist IP addresses permanently


Tom Waterman

Hello all, our PBX has blacklisted about 600 IP addresses in the last 4 days. My current settings are for every 5 attempts in a 2 second span blacklist for 7 days. My question is how can I blacklist them permanently without having to type them in manually? And is anyone else seeing an increase in failed registration attempts?

 

Thank you,

Tom

Yes, this is a known attack.

 

Some of my notes:

http://forum.pbxnsip.com/index.php?showtop...amp;#entry17308

 

We have a site we manage that is experiencing it as well. There are other reports in the wild.

I would be glad to compare notes. One thing I am curious about is whether our blocked IP list matches yours. I would be glad to swap the entire list we have.

 

We have been living in the "Access" page in the last days and have noticed some things I will post as a suggestion.

Whoa! IMHO you don't have to blacklist too long, as the total impact to the system performance is really getting very low if you blacklist for something like 7 days.

Anyway. The dropdown just contains some useful (as we thought) proposals; you can edit the page in the admin/email/texts section and add another option, for example for 365 days or longer.

Are you saying that if I have a long blacklist it will hurt system performance? If so, could I just blacklist the entire outside and allow only the handful of internet addresses I need to register? But how would that affect my VoIP trunk provider? Would I have to add them in as well?

 

Thank you!!!

Tom

No, no. The blacklisting uses some nice efficient data structures internally. The performance impact of even long lists should be okay.

 

You can also blacklist everything by default (0.0.0.0/0) and only whitelist certain IP addresses or subnets. If you know the IP addresses of your users/customers, then that is a real option where you don't have to worry about people scanning your PBX.

In this case you also need to whitelist your trunk provider. The black/whitelisting does not support DNS, so you need to look up the IP addresses where the service provider might come from.

OK, our SP is Callcentric. Do you happen to know those? Thanks guys!

 

Tom

$ host -t SRV _sip._udp.callcentric.com
_sip._udp.callcentric.com has SRV record 20 0 5080 alpha6.callcentric.com.
_sip._udp.callcentric.com has SRV record 20 0 5080 alpha7.callcentric.com.
_sip._udp.callcentric.com has SRV record 20 0 5080 alpha8.callcentric.com.
_sip._udp.callcentric.com has SRV record 20 0 5080 alpha9.callcentric.com.
_sip._udp.callcentric.com has SRV record 20 0 5080 alpha1.callcentric.com.
_sip._udp.callcentric.com has SRV record 20 0 5080 alpha2.callcentric.com.
_sip._udp.callcentric.com has SRV record 20 0 5080 alpha3.callcentric.com.
_sip._udp.callcentric.com has SRV record 20 0 5080 alpha4.callcentric.com.
_sip._udp.callcentric.com has SRV record 20 0 5080 alpha5.callcentric.com.
$ for i in 1 2 3 4 5 6 7 8 9; do host alpha$i.callcentric.com; done
alpha1.callcentric.com has address 204.11.192.22
alpha2.callcentric.com has address 204.11.192.23
alpha3.callcentric.com has address 204.11.192.31
alpha4.callcentric.com has address 204.11.192.34
alpha5.callcentric.com has address 204.11.192.35
alpha6.callcentric.com has address 204.11.192.36
alpha7.callcentric.com has address 204.11.192.37
alpha8.callcentric.com has address 204.11.192.38
alpha9.callcentric.com has address 204.11.192.39

 

I would use 204.11.192/24 to play safe.
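
Added example (not part of the original posts, and not pbxnsip code): because the PBX's whitelist takes addresses rather than DNS names, the resolved addresses have to be rechecked against the whitelisted prefix whenever the provider's records change. The script below works on the `host` output shown above; the function names are made up for this example.

```shell
# A-record lines copied from the `host` output quoted in the thread.
HOST_OUTPUT='alpha1.callcentric.com has address 204.11.192.22
alpha2.callcentric.com has address 204.11.192.23
alpha3.callcentric.com has address 204.11.192.31
alpha4.callcentric.com has address 204.11.192.34
alpha5.callcentric.com has address 204.11.192.35
alpha6.callcentric.com has address 204.11.192.36
alpha7.callcentric.com has address 204.11.192.37
alpha8.callcentric.com has address 204.11.192.38
alpha9.callcentric.com has address 204.11.192.39'

# Dotted quad -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( $1 >> 24 & 255 )).$(( $1 >> 16 & 255 )).$(( $1 >> 8 & 255 )).$(( $1 & 255 ))"
}

# in_cidr IP NET/LEN: succeeds when IP falls inside the prefix.
in_cidr() {
    mask=$(( (0xFFFFFFFF << (32 - ${2#*/})) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# outside_whitelist NET/LEN: print resolved addresses (stdin) the entry does NOT cover.
outside_whitelist() {
    awk '/ has address /{print $NF}' | while read -r ip; do
        in_cidr "$ip" "$1" || echo "$ip"
    done
}

# covering_cidr: print the tightest single prefix containing every resolved address (stdin).
covering_cidr() {
    lo=4294967295; hi=0
    for ip in $(awk '/ has address /{print $NF}'); do
        n=$(ip_to_int "$ip")
        if [ "$n" -lt "$lo" ]; then lo=$n; fi
        if [ "$n" -gt "$hi" ]; then hi=$n; fi
    done
    diff=$(( lo ^ hi )); len=32
    while [ "$diff" -ne 0 ]; do diff=$(( diff >> 1 )); len=$(( len - 1 )); done
    echo "$(int_to_ip $(( lo & (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF )))/$len"
}
printf '%s\n' "$HOST_OUTPUT" | covering_cidr
printf '%s\n' "$HOST_OUTPUT" | outside_whitelist 204.11.192.0/24
```

For the nine addresses above the tightest single prefix is 204.11.192.0/26, and none of them falls outside 204.11.192.0/24. Piping fresh `host` output into `outside_whitelist` from a scheduled job flags any provider address the whitelist entry no longer covers.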

Where do you edit the length of time? I looked in the above mentioned section and I don't see where I can edit that. Should it not just be one of the xml pages in the PBX directory that I edit?

 

Tom

No, better don't edit the XML; the PBX may override it at any time. It is easier to change the web interface options. Go as admin to the reg_texts.htm page (admin/email/texts) and then edit the reg_access.htm page like this (add the bold line):

 

<select name="blacklist_expires" id="blacklist_expires" class="cCombo">
<option value="60" selected="{ssi rsel blacklist_expires 60}">1 min</option>
...
<option value="604800" selected="{ssi rsel blacklist_expires 604800}">7 d</option>
<option value="31536000" selected="{ssi rsel blacklist_expires 31536000}">365 d</option>
</select>
