[asterisk-biz] Bad routign or hack attempt ?
Elliot Otchet
elliot.otchet at callingcircles.com
Thu May 14 14:40:06 CDT 2009
While I would agree with other comments that guest access can be a bad idea in general, you can certainly mitigate your risk by being proactive in your dialplan. Doing so helps you get at all of the information requested by others in this thread.
The premise of my comments below are based on the fact that you've already decided to let the public access Asterisk via SIP (or IAX, as the case may be).
Configure your guest context to gracefully handle "unknown" extensions in your dialplan (e.g. _X.) and you can do anything you want to with the information (e.g. log it to a database, block it with iptables, etc.). You could even use NoOp to send this back out with the full sip URI(or Channel Name, CallerID, or etc.) to your console.
Being that you're opening a door on the server to let the public come in, you also might want callers sent to an IVR (or operator) that helps them get to where you want them in your business. You could also place these callers into an AGI to check to see if the sip uri has already made X other invalid attempts in the last Y hours/minutes/seconds. If it has, you could have the AGI add an entry to iptables that blocks that host from accessing Asterisk or your network entirely.
While yes, technically, this no longer truly rejects the call - this is a guest context set up specifically to allow calls from unregistered/unidentified callers. Seems to me you get the best of both worlds and can now manage the outcome.
I'd be happy to spend a few minutes discussing this off-line if anyone has questions.
-Elliot
P.S. We still do need a better story for unsuccessful registration attempts (e.g. password cracking), but that's a different topic for another day.
P.S.S. Here's the basic information obtained by a DumpChannel when one of our systems was being hacked in this manner:
Dumping Info For Channel: SIP/93.190.143.10-b40871c0:
================================================================================
Info:
Name= SIP/93.190.143.10-b40871c0
Type= SIP
UniqueID= rhel52-1242266111.23
CallerID= MeucciSolutions
CallerIDName= MeucciSolutions
DNIDDigits= 901034911871524
RDNIS= (N/A)
State= Ring (4)
Rings= 0
NativeFormat= 0x4 (ulaw)
WriteFormat= 0x4 (ulaw)
ReadFormat= 0x4 (ulaw)
1stFileDescriptor= 35
Framesin= 0
Framesout= 0
TimetoHangup= 0
ElapsedTime= 0h0m0s
Context= ext-did
Extension= 901034911871524
Priority= 1
CallGroup=
PickupGroup=
Application= DumpChan
Data= (Empty)
Blocking_in= (Not Blocking)
Variables:
SIPCALLID=5561404f5e98813548578b336c604b5f at 93.190.143.10
SIPUSERAGENT=MeucciSolutions
SIPDOMAIN=X.X.X.X (replaced to protect the innocent)
SIPURI=sip:MeucciSolutions at 93.190.143.10
-----Original Message-----
From: asterisk-biz-bounces at lists.digium.com [mailto:asterisk-biz-bounces at lists.digium.com] On Behalf Of James A. Shigley
Sent: Thursday, May 14, 2009 2:24 PM
To: Commercial and Business-Oriented Asterisk Discussion
Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
Yeah it would be great to have it log a cdr style DB for sip calls with all the usual CDR information along with SIP specific information like IP of the user, codec being used, login, ect ,ect for tracking these type things and also for other reporting I can see doing if I had that data.
James Shigley
Monroe Telephone Answering Service
409-981-9213
Infinity 5.5,UC 4.02.3803, Blink 3.0.104
Ecreator:2.21, eResponse 1.1.7
Webportal,WebApps,
CONFIDENTIALITY NOTICE: This email, including any attachments, contains information which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this email in error, please notify the sender immediately by "reply to sender only" message and destroy all electronic and hard copies of the communication, including attachments.
"Common sense is the collection of prejudices acquired by age eighteen." -- Albert Einstein
"Once you can accept the universe as matter expanding into nothing that is something,wearing stripes with plaid comes easy." -- Albert Einstein
"Theory is when you know something, but it doesn't work. Practice is when
something works, but you don't know why. Programmers combine theory and
practice: Nothing works and they don't know why.-Anonymous Developer"
-----Original Message-----
From: asterisk-biz-bounces at lists.digium.com [mailto:asterisk-biz-bounces at lists.digium.com] On Behalf Of Stephane Bakhos
Sent: Thursday, May 14, 2009 12:46 PM
To: Commercial and Business-Oriented Asterisk Discussion
Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
It would be a good start to get an IP address for everything a SIP client
does that gets logged.
I have a customer who insists on keeping the guest option turned to on and
from time to time there are funny people who try to dial out phone numbers
(and of course get no where), however the message doesn't log the IP
address so I cannot use it with something like fail2ban.
I would like to have it with the peer name, so I always have peer name +
ip address on all logged messages for SIP or IAX
On Thu, 14 May 2009, Ken Rice wrote:
> Date: Thu, 14 May 2009 10:35:06 -0500
> From: Ken Rice <krice at rmktek.com>
> Reply-To: Commercial and Business-Oriented Asterisk Discussion
> <asterisk-biz at lists.digium.com>
> To: Commercial and Business-Oriented Asterisk Discussion
> <asterisk-biz at lists.digium.com>
> Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
>
> He's also using this IP address
> 173.45.67.130
>
>
>
>
>> From: ContactTel Business <lists at contacttel.com>
>> Reply-To: Commercial and Business-Oriented Asterisk Discussion
>> <asterisk-biz at lists.digium.com>
>> Date: Thu, 14 May 2009 10:15:47 -0400
>> To: 'Commercial and Business-Oriented Asterisk Discussion'
>> <asterisk-biz at lists.digium.com>
>> Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
>>
>> Here is the trace.. please DEVs... add a reporting option to sip stack that
>> will report on that ip , or something..
>> This guy has been hacking alot of servers and is currently under FBI
>> investigation
>> You see he's using s=Asterisk PBX 1.6.0.5.
>>
>>
>>
>>
>> U 2009/05/14 06:42:17.973715 93.190.143.10:5060 -> 174.x.x.x:5060
>> INVITE sip:98103619990127 at 174.x.x.xSIP/2.0.
>> Via: SIP/2.0/UDP 93.190.143.10:5060;branch=z9hG4bK3f5cffbb;rport.
>> Max-Forwards: 70.
>> From: "MeucciSolutions" <sip:MeucciSolutions at 93.190.143.10>;tag=as123b6c7b.
>> To: <sip:98103619990127 at 174.x.x.x>.
>> Contact: <sip:MeucciSolutions at 93.190.143.10>.
>> Call-ID: 271aa7a750168cf60a36ad654a713caa at 93.190.143.10.
>> CSeq: 102 INVITE.
>> User-Agent: MeucciSolutions.
>> Date: Thu, 14 May 2009 10:42:25 GMT.
>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY.
>> Supported: replaces, timer.
>> Content-Type: application/sdp.
>> Content-Length: 287.
>> .
>> v=0.
>> o=root 634218215 634218215 IN IP4 93.190.143.10.
>> s=Asterisk PBX 1.6.0.5.
>> c=IN IP4 93.190.143.10.
>> t=0 0.
>> m=audio 10990 RTP/AVP 8 0 101.
>> a=rtpmap:8 PCMA/8000.
>> a=rtpmap:0 PCMU/8000.
>> a=rtpmap:101 telephone-event/8000.
>> a=fmtp:101 0-16.
>> a=silenceSupp:off - - - -.
>> a=ptime:20.
>> a=sendrecv.
>>
>>
>>>> -----Original Message-----
>>>> From: asterisk-biz-bounces at lists.digium.com [mailto:asterisk-biz-
>>>> bounces at lists.digium.com] On Behalf Of Elliot Otchet
>>>> Sent: May-13-09 7:43 PM
>>>> To: 'asterisk-biz at lists.digium.com'
>>>> Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
>>>>
>>>> Agreed. We've seen it too.
>>>>
>>>> Pardon the typos, my Blackberry has small buttons.
>>>> Elliot Otchet
>>>> Calling Circles LLC
>>>>
>>>> ----- Original Message -----
>>>> From: asterisk-biz-bounces at lists.digium.com <asterisk-biz-
>>>> bounces at lists.digium.com>
>>>> To: Commercial and Business-Oriented Asterisk Discussion <asterisk-
>>>> biz at lists.digium.com>
>>>> Sent: Wed May 13 19:27:03 2009
>>>> Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
>>>>
>>>>
>>>> Hack attempt 100%. Ban it.
>>>>
>>>> --- On Wed, 5/13/09, ContactTel Business <lists at contacttel.com> wrote:
>>>>
>>>>> From: ContactTel Business <lists at contacttel.com>
>>>>> Subject: [asterisk-biz] Bad routign or hack attempt ?
>>>>> To: "'Commercial and Business-Oriented Asterisk Discussion'"
>>>> <asterisk-biz at lists.digium.com>
>>>>> Date: Wednesday, May 13, 2009, 7:05 PM
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Seems someone at MeucciSolutions at 93.190.143.10
>>>>> could be trying to break in ..
>>>>>
>>>>>
>>>>>
>>>>> Anyone have heard of any of the 2
>>>>> parts of the uri ?
>>>>>
>>>>>
>>>>>
>>>>> Thanks
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> -----Inline Attachment Follows-----
>>>>>
>>>>> _______________________________________________
>>>>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>>>>
>>>>> asterisk-biz mailing list
>>>>> To UNSUBSCRIBE or update options visit:
>>>>> http://lists.digium.com/mailman/listinfo/asterisk-biz
>>>>
>>>> _______________________________________________
>>>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>>>
>>>> asterisk-biz mailing list
>>>> To UNSUBSCRIBE or update options visit:
>>>> http://lists.digium.com/mailman/listinfo/asterisk-biz
>>>>
>>>> This message is intended only for the use of the individual (s) or
>>>> entity to which it is addressed and may contain information that is
>>>> privileged, confidential, and/or proprietary to Calling Circles LLC and
>>>> its affiliates. If the reader of this message is not the intended
>>>> recipient, you are hereby notified that any dissemination,
>>>> distribution, forwarding or copying of this communication is prohibited
>>>> without the express permission of the sender. If you have received this
>>>> communication in error, please notify the sender immediately and delete
>>>> the original message.
>>>> _______________________________________________
>>>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>>>
>>>> asterisk-biz mailing list
>>>> To UNSUBSCRIBE or update options visit:
>>>> http://lists.digium.com/mailman/listinfo/asterisk-biz
>>
>>
>> _______________________________________________
>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>
>> asterisk-biz mailing list
>> To UNSUBSCRIBE or update options visit:
>> http://lists.digium.com/mailman/listinfo/asterisk-biz
>
>
>
> _______________________________________________
> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>
> asterisk-biz mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-biz
>
_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--
asterisk-biz mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-biz
_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--
asterisk-biz mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-biz
This message is intended only for the use of the individual (s) or entity to which it is addressed and may contain information that is privileged, confidential, and/or proprietary to Calling Circles LLC and its affiliates. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution, forwarding or copying of this communication is prohibited without the express permission of the sender. If you have received this communication in error, please notify the sender immediately and delete the original message.
More information about the asterisk-biz
mailing list