I am trying to run an Asterisk server and I keep getting people trying to authenticate to it from Germany, so since I don't know anyone outside of the US I was thinking that an ACL that allows only people in the US through would be quite nice. Anyone know of such an ACL? Or where to get that info?
They usually deal with bogons but my first thought would be Team Cymru.
Although I'm not a fan of geolocation as a means to block baddies, it has its uses, particularly for small firms that serve a limited area. Keep in mind that this is probably something you want to run on a bulk traffic router, not a firewall. Have the bulk router drop packets that you know you don't want so that the firewall can deal with the question marks.
https://www.countryipblocks.net/country_selection.php
I'd do an "allow" on the US ranges rather than a "deny" on non-US ranges. Shorter ACL that way. Still, it's a beast...
I think the better way would be to route unwanted return traffic to Null0; it makes the ACL check less CPU intensive.
Thank you for the link!!
I love the null route idea!
Wow, the US is ~55k lines, gonna need some clean up I think, not sure it's worth it
Quote from: dlots on November 24, 2015, 12:36:42 PM
Wow, the US is ~55k lines, gonna need some clean up I think, not sure it's worth it
That null route is lookin' really good now, huh?
:tmyk:
This looks to be a bit automated if taking the tedious path.
https://www.countryipblocks.net/country_selection.php
Haha I didn't pay enough attention to the earlier link. Ooops.
Germany ACL :rofl: :barf:
Yeah, so far my main issue has been with
85.25.248.68
These are in the US, so I should be able to do a deny 85.0.0.0/10 and stop some of it and not affect myself at all.
85.115.40.0 0.0.7.255
85.158.48.0 0.0.1.255
85.238.144.0 0.0.3.255
Quote from: dlots on November 24, 2015, 03:10:39 PM
Yeah, so far my main issue has been with
85.25.248.68
These are in the US, so I should be able to do a deny 85.0.0.0/10 and stop some of it and not affect myself at all.
85.115.40.0 0.0.7.255
85.158.48.0 0.0.1.255
85.238.144.0 0.0.3.255
Why not just block that offender individually?
I assume he probably doesn't have a static IP address so it will change eventually, so I need to block anything his ISP might give him.
Could always re-invent the IPS and block based on the traffic type/signature. Every now and again, blocking by IP is going to bite you in the backside.
"Say, how come I can get email from this client on my Gmail, but not on the company system?"
The issue is that he's trying to register a phone with my Asterisk box, which I need to be able to do or having it is pointless. I just want me to be able to do it, though, and not people in Germany. This is a box sitting in the cloud, so I can't really stick it behind an IPS/firewall. I only have the Linux firewall.
Sounds like you get to play IP address whack-a-mole, then. :problem?:
Yeah, that's why I am thinking of going for the huge IP range
You might want to take a look at fail2ban. Basically it scans log files for failed attempts, and can perform an action (like blocking the IP) based on those failed attempts. I don't know if it will work with Asterisk with a normal install, but it could probably be made to work.
Link - http://www.fail2ban.org/wiki/index.php/Main_Page
-Otanx
Nifty
thank you
Fail2ban is one of the first things I install on any internet-facing server. It works well as long as it supports the logfile in question; otherwise, enjoy learning regex.
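As an added illustration (not code from this thread or from fail2ban itself), here is the core of what fail2ban's Asterisk filter does: scan chan_sip's "Registration from ... failed for" lines, count failures per source IP, and emit a Linux firewall DROP rule once an IP crosses the retry threshold. It also checks, with Python's ipaddress module, whether the coarse deny 85.0.0.0/10 proposed above would catch the offender without overlapping the US prefixes dlots listed (written in Cisco network/wildcard form). The log lines are constructed samples, and the threshold name maxretry mirrors fail2ban's option of that name.

```python
import re
import ipaddress
from collections import Counter

# Asterisk chan_sip emits this NOTICE for every failed SIP REGISTER; the regex
# captures the source IP and ignores the trailing ":port".
FAILED_REG = re.compile(
    r"Registration from '.*?' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?'"
)

# Constructed sample log: three failures from the offender in the thread, one
# failure and one success from an unrelated documentation address.
SAMPLE_LOG = """\
[2015-11-24 12:36:42] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '85.25.248.68:5060' - Wrong password
[2015-11-24 12:36:43] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '85.25.248.68:5060' - No matching peer found
[2015-11-24 12:36:44] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '85.25.248.68:5060' - Wrong password
[2015-11-24 12:37:01] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[2015-11-24 12:37:05] VERBOSE[1234] chan_sip.c: Registered SIP '200' at 198.51.100.7:5060
"""

def failed_ips(log_text):
    """Failed registrations per source IP (the filter half of fail2ban)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def offenders(log_text, maxretry=3):
    """IPs at or above the retry threshold, i.e. the ones fail2ban would ban."""
    return sorted(ip for ip, n in failed_ips(log_text).items() if n >= maxretry)

def ban_rule(ip):
    """DROP rule in the form fail2ban's default iptables action inserts."""
    return f"iptables -I INPUT -s {ip} -j DROP"

def covered_by_deny(ip, deny_cidr="85.0.0.0/10"):
    """Would the coarse ACL deny discussed in the thread also catch this IP?"""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(deny_cidr)

def own_ranges_hit(deny_cidr, wildcard_entries):
    """Which 'network wildcard' entries overlap the deny? Should be none."""
    deny = ipaddress.ip_network(deny_cidr)
    hit = []
    for entry in wildcard_entries:
        net, wild = entry.split()
        n = ipaddress.ip_network(f"{net}/{wild}")  # ipaddress accepts a hostmask
        if n.overlaps(deny):
            hit.append(str(n))
    return hit
```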
Quote from: routerdork on November 24, 2015, 02:15:42 PM
This looks to be a bit automated if taking the tedious path.
https://www.countryipblocks.net/country_selection.php
Haha I didn't pay enough attention to the earlier link. Ooops.
I downloaded the Belgium ACL. It was very large for that small patch of land I call my country, so I did a quick check on ripe.net. Turns out most of the first 10 prefixes aren't Belgian: some are from France, others the Netherlands, one from Akamai. Doesn't seem a very trustworthy site.
Well, there you go... another reason to not block by IP address.