The anti-SIP attack script has been doing a great job, but I did note a few shortcomings I wanted to fix. For one thing, I was noticing a few “clusters” of networks that justified (to me) blocking larger networks. No one outside the US has any reason to connect to my server, for example. I can block entire /8 networks… but doing so manually was cluttering up the iptables rule sets.
I modified the script to store a little more information in the text file (each blocked network is now recorded as a full `a.b.c.0/24` entry in /root/anti-sip-attack.txt), so I can go through it manually from time to time and make changes. It's easy to run the file through `sort -n` and see whether enough /24s have piled up inside one /16 or /8 that it's time to block the larger network.
```bash
#!/bin/bash
# Block the /24 of every host that fails SIP registration with
# "No matching peer found", and record the block in a text file.
LOG=/var/log/asterisk/messages
BLOCKLIST=/root/anti-sip-attack.txt
TMP=$(mktemp /root/anti-sip-attack.XXXXXX)

# The log line looks like: ... failed for '1.2.3.4' - No matching peer found
# Field 4 (split on ') is the address; keep the first three octets and de-dup.
/bin/grep "No matching peer found" "$LOG" | cut -d "'" -f 4 | \
    cut -d "." -f 1-3 | sort -n | /usr/bin/uniq > "$TMP"

while read -r d; do
    # Skip anything that is not three dotted numeric octets.
    case "$d" in ""|*[!0-9.]*) continue ;; esac
    # Match the exact /24 rule. An unanchored "grep $d" would also match
    # 10.1.10.x when checking for 10.1.1.x (and "." is a regex wildcard).
    if ! /sbin/iptables -L INPUT -n | grep -qF -- " $d.0/24 "; then
        /sbin/iptables -I INPUT -s "$d.0/24" -j DROP
        echo "$d.0/24" >> "$BLOCKLIST"
    fi
done < "$TMP"
rm -f "$TMP"
```
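Rather than eyeballing the sorted file for clusters, the counting can be scripted. The following is an added example, not part of the original script: it reads `a.b.c.0/24` lines in the format the block list uses and reports every /16 (or /8) that contains at least a chosen number of distinct blocked /24s. The sample block list is constructed from documentation address ranges, and the function name `suggest_aggregates` is my own.

```bash
#!/bin/bash
# Constructed sample in the same "a.b.c.0/24" format as /root/anti-sip-attack.txt.
# 198.51.100.0/24 is listed twice on purpose to show that duplicates are collapsed.
SAMPLE_BLOCKLIST='203.0.113.0/24
198.51.100.0/24
198.51.100.0/24
198.51.7.0/24
198.51.9.0/24
198.51.12.0/24
192.0.2.0/24
198.18.4.0/24
198.22.9.0/24'

# suggest_aggregates <16|8> <threshold>
# Reads "a.b.c.0/24" lines on stdin and prints each /16 (or /8) holding at
# least <threshold> distinct blocked /24s, as "network/len count".
suggest_aggregates() {
    local len="$1" threshold="$2" fields pad
    case "$len" in
        16) fields="1-2"; pad=".0.0/16" ;;
        8)  fields="1";   pad=".0.0.0/8" ;;
        *)  echo "usage: suggest_aggregates <16|8> <threshold>" >&2; return 2 ;;
    esac
    # sort -u first so a /24 recorded twice counts once; then count per prefix.
    sort -u | cut -d "." -f "$fields" | sort | uniq -c | \
        awk -v t="$threshold" -v pad="$pad" \
            '$1 >= t { printf "%s%s %d\n", $2, pad, $1 }'
}

# Usage on the sample. Against the real file this would be:
#   suggest_aggregates 16 3 < /root/anti-sip-attack.txt
printf '%s\n' "$SAMPLE_BLOCKLIST" | suggest_aggregates 16 3
printf '%s\n' "$SAMPLE_BLOCKLIST" | suggest_aggregates 8 3
```

The /8 count includes the /24s already counted under a /16, so review the two views together before adding a broad rule; once a /16 or /8 rule goes in, the narrower /24 rules it covers can be deleted to keep the rule set short.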