Crowdsec, a better fail2ban + crowdsourcing

Out of the box, it handles SSH, Apache, and a few more.

There is an asterisk add-on that deals with SIP.

I’m testing this out currently and so far, I really like it.

IMO, the world doesn’t need another reactive firewall, even a much better one.
A proactive one that completely hides SIP, provisioning, admin GUI and UCP from all the bots that scan every IPv4 address is much simpler. You just need a few iptables rules that drop packets not containing your ‘secret’ domain name. The attacker never learns that you have a PBX, or even a website.

Unfortunately, I don’t know of a good solution for SSH, since it doesn’t use domain names. I believe that if you put it on a random port and also drop the first SYN packet (scanning the entire IPv4 internet is expensive, so most attackers send only one SYN packet), you reduce the hit rate to less than one per year. Unfortunately, once there is a hit, the attackers will pound on it ruthlessly, trying common username/password combinations. And they are dumb – the SSH protocol tells the client which authentication methods are accepted; you would think that if you only accept public key auth they would stop trying passwords, but that’s not the case. Perhaps fail2ban or similar is the best we can do. However, IMO that’s not a big deal – if accidental incorrect auth causes you to lose SSH access, you can fairly easily regain it via VPN, your cloud provider’s console access, physical access to an on-site system, etc.

I believe that installing haproxy with ‘enforced strict sni’ would satisfy every one of your wishes. You can then make SSH equally domain aware. No ‘secret domain name’ and the connection is DROPped; use as many domain names as you want, one for each ‘service’, and a very simple iptables rule set is needed.

(Such a recipe certainly worked for me)

To be able to examine the payload requires that the packet be unencrypted.

haproxy examines the packets before forwarding any TLS ones that it has verified against installed certs. No iptables needed.
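The first-packet decision both approaches in this thread rely on (the iptables ‘secret domain name’ string match and haproxy’s strict SNI check), modelled in Python as an added example; this is not code from any poster. The hostname, the traffic samples and the ClientHello builder are constructed for illustration; as noted above, a string match only sees plaintext, while the SNI is readable because the ClientHello is sent before encryption starts, and an SSH banner carries no hostname to match at all.

```python
import struct
SECRET = b"pbx-7f3a.example.com"   # constructed service hostname, not from the thread

def sni_from_client_hello(payload: bytes):
    """Return the server_name in a TLS ClientHello, or None if this is not one."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:   # record type, handshake type
            return None
        p = 5 + 4 + 2 + 32                    # record hdr, handshake hdr, version, random
        p += 1 + payload[p]                   # session_id
        p += 2 + struct.unpack_from("!H", payload, p)[0]   # cipher_suites
        p += 1 + payload[p]                   # compression_methods
        end = p + 2 + struct.unpack_from("!H", payload, p)[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", payload, p)
            if ext_type == 0:                 # server_name: list_len(2) type(1) len(2) name
                name_len = struct.unpack_from("!H", payload, p + 7)[0]
                return payload[p + 9:p + 9 + name_len]
            p += 4 + ext_len
    except (IndexError, struct.error):
        pass
    return None

def accept(payload: bytes, secret: bytes = SECRET) -> bool:
    """Verdict for the first data packet of a flow (a bare SYN has no payload to inspect).
    TLS: compare the SNI like haproxy strict-sni; otherwise substring match like iptables -m string."""
    sni = sni_from_client_hello(payload)
    return sni == secret if sni is not None else secret in payload

def build_client_hello(host: bytes) -> bytes:
    """Minimal TLS ClientHello carrying one SNI entry (constructed sample)."""
    name = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", 0, len(name)) + name
    body = (b"\x03\x03" + bytes(32) + b"\x00"                    # version, random, no session id
            + struct.pack("!H", 2) + b"\x13\x01" + b"\x01\x00"   # one suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed traffic: the first three name the secret host and pass, the rest are dropped.
SAMPLES = {
    "sip_invite":  b"INVITE sip:100@" + SECRET + b" SIP/2.0\r\n",
    "http_admin":  b"GET /admin HTTP/1.1\r\nHost: " + SECRET + b"\r\n\r\n",
    "tls_ours":    build_client_hello(SECRET),
    "sip_scanner": b"OPTIONS sip:100@203.0.113.5 SIP/2.0\r\n",
    "tls_other":   build_client_hello(b"mail.example.net"),
    "ssh_banner":  b"SSH-2.0-OpenSSH_9.6\r\n",   # carries no hostname at all
}
```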