[asterisk-biz] Bad routign or hack attempt ?

Elliot Otchet elliot.otchet at callingcircles.com
Fri May 15 10:14:53 CDT 2009


Stephane,

I realize sometimes things can get lost in language translation and interpretation so to be clear and make sure your customers are protected I wanted you (and anyone else still having issues with this) to understand that what you are trying to accomplish can be done today, without AGI.  AGI can help those who want to do more with the call, but it isn't necessary.

Functions and variables within the dialplanu can get all of the information you need and deal with it (e.g. log it to a file for fail2ban to process).  Below is an example of how you might obtain and log the issue (without going to an AGI):

exten => _X.,1,Set(BADPEER=${SIPCHANINFO(peerip)})
exten => _X.,2,system(/bin/echo "${STRFTIME(${EPOCH},,%Y%m%d-%H%M%S)} - ${CALLERID(name)} - ${EXTEN} - ${BADPEER}" >> /var/log/asterisk/badguestpeers)
exten => _X.,3,Hangup

Now you can take fail2ban, a simple failregex, and point it at your new log file.  You do have the IP address of the offending peer, you probably just didn't realize how to get it logged in a format that you needed.  No modification to Asterisk needed.

Regards,
Elliot Otchet
Calling Circles LLC

-----Original Message-----
From: asterisk-biz-bounces at lists.digium.com [mailto:asterisk-biz-bounces at lists.digium.com] On Behalf Of Stephane Bakhos
Sent: Friday, May 15, 2009 4:38 AM
To: Commercial and Business-Oriented Asterisk Discussion
Subject: Re: [asterisk-biz] Bad routign or hack attempt ?

Of course the guests access don't have free run on the extension and they
are limited.

However running an AGI script just to handle them seems not to be very
efficient, since some of these bots/people tend to do a lot of connections
in a small burst and running a bunch of AGI just to handle them is going
to be really wasteful in terms of resource consumptions.

With fail2ban, I could have it monitor the output of the logs from
asterisk, possibly even on a gateway firewall, and then take appropriate
actions after x denies. However that isn't possible if I don't have the
IP address of the ill manered "guest".

On Thu, 14 May 2009, Elliot Otchet wrote:

> Date: Thu, 14 May 2009 15:40:06 -0400
> From: Elliot Otchet <elliot.otchet at callingcircles.com>
> Reply-To: Commercial and Business-Oriented Asterisk Discussion
>     <asterisk-biz at lists.digium.com>
> To: Commercial and Business-Oriented Asterisk Discussion
>     <asterisk-biz at lists.digium.com>
> Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
>
> While I would agree with other comments that guest access can be a bad
> idea in general, you can certainly mitigate your risk by being proactive
> in your dialplan.  Doing so helps you get at all of the information
> requested by others in this thread.
>
> The premise of my comments below are based on the fact that you've
> already decided to let the public access Asterisk via SIP (or IAX, as
> the case may be).
>
> Configure your guest context to gracefully handle "unknown" extensions
> in your dialplan (e.g. _X.) and you can do anything you want to with the
> information (e.g. log it to a database, block it with iptables, etc.).
> You could even use NoOp to send this back out with the full sip URI(or
> Channel Name, CallerID, or etc.) to your console.
>
> Being that you're opening a door on the server to let the public come
> in, you also might want callers sent to an IVR (or operator) that helps
> them get to where you want them in your business.  You could also place
> these callers into an AGI to check to see if the sip uri has already
> made X other invalid attempts in the last Y hours/minutes/seconds.  If
> it has, you could have the AGI add an entry to iptables that blocks that
> host from accessing Asterisk or your network entirely.
>
> While yes, technically, this no longer truly rejects the call - this is
> a guest context set up specifically to allow calls from
> unregistered/unidentified callers.  Seems to me you get the best of both
> worlds and can now manage the outcome.
>
> I'd be happy to spend a few minutes discussing this off-line if anyone
> has questions.
>
> -Elliot
>
> P.S. We still do need a better story for unsuccessful registration
> attempts (e.g. password cracking), but that's a different topic for
> another day. P.S.S. Here's the basic information obtained by a
> DumpChannel when one of our systems was being hacked in this manner:
>
> Dumping Info For Channel: SIP/93.190.143.10-b40871c0:
> ================================================================================
> Info:
> Name=               SIP/93.190.143.10-b40871c0
> Type=               SIP
> UniqueID=           rhel52-1242266111.23
> CallerID=           MeucciSolutions
> CallerIDName=       MeucciSolutions
> DNIDDigits=         901034911871524
> RDNIS=              (N/A)
> State=              Ring (4)
> Rings=              0
> NativeFormat=       0x4 (ulaw)
> WriteFormat=        0x4 (ulaw)
> ReadFormat=         0x4 (ulaw)
> 1stFileDescriptor=  35
> Framesin=           0
> Framesout=          0
> TimetoHangup=       0
> ElapsedTime=        0h0m0s
> Context=            ext-did
> Extension=          901034911871524
> Priority=           1
> CallGroup=
> PickupGroup=
> Application=        DumpChan
> Data=               (Empty)
> Blocking_in=        (Not Blocking)
>
> Variables:
> SIPCALLID=5561404f5e98813548578b336c604b5f at 93.190.143.10
> SIPUSERAGENT=MeucciSolutions
> SIPDOMAIN=X.X.X.X (replaced to protect the innocent)
> SIPURI=sip:MeucciSolutions at 93.190.143.10
>
> -----Original Message-----
> From: asterisk-biz-bounces at lists.digium.com [mailto:asterisk-biz-bounces at lists.digium.com] On Behalf Of James A. Shigley
> Sent: Thursday, May 14, 2009 2:24 PM
> To: Commercial and Business-Oriented Asterisk Discussion
> Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
>
> Yeah it would be great to have it log a cdr style DB for sip calls with all the usual CDR information along with SIP specific information like IP of the user, codec being used, login, ect ,ect for tracking these type things and also for other reporting I can see doing if I had that data.
>
>
> James Shigley
> Monroe Telephone Answering Service
> 409-981-9213
> Infinity 5.5,UC 4.02.3803, Blink 3.0.104
> Ecreator:2.21, eResponse 1.1.7
> Webportal,WebApps,
>
> CONFIDENTIALITY NOTICE: This email, including any attachments, contains information which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this email in error, please notify the sender immediately by "reply to sender only" message and destroy all electronic and hard copies of the communication, including attachments.
>
> "Common sense is the collection of prejudices acquired by age eighteen." -- Albert Einstein
> "Once you can accept the universe as matter expanding into nothing that is something,wearing stripes with plaid comes easy." -- Albert Einstein
> "Theory is when you know something, but it doesn't work. Practice is when
> something works, but you don't know why. Programmers combine theory and
> practice: Nothing works and they don't know why.-Anonymous Developer"
>
>
> -----Original Message-----
> From: asterisk-biz-bounces at lists.digium.com [mailto:asterisk-biz-bounces at lists.digium.com] On Behalf Of Stephane Bakhos
> Sent: Thursday, May 14, 2009 12:46 PM
> To: Commercial and Business-Oriented Asterisk Discussion
> Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
>
> It would be a good start to get an IP address for everything a SIP client
> does that gets logged.
>
> I have a customer who insists on keeping the guest option turned to on and
> from time to time there are funny people who try to dial out phone numbers
> (and of course get no where), however the message doesn't log the IP
> address so I cannot use it with something like fail2ban.
>
> I would like to have it with the peer name, so I always have peer name +
> ip address on all logged messages for SIP or IAX
>
> On Thu, 14 May 2009, Ken Rice wrote:
>
>> Date: Thu, 14 May 2009 10:35:06 -0500
>> From: Ken Rice <krice at rmktek.com>
>> Reply-To: Commercial and Business-Oriented Asterisk Discussion
>>     <asterisk-biz at lists.digium.com>
>> To: Commercial and Business-Oriented Asterisk Discussion
>>     <asterisk-biz at lists.digium.com>
>> Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
>>
>> He's also using this IP address
>> 173.45.67.130
>>
>>
>>
>>
>>> From: ContactTel Business <lists at contacttel.com>
>>> Reply-To: Commercial and Business-Oriented Asterisk Discussion
>>> <asterisk-biz at lists.digium.com>
>>> Date: Thu, 14 May 2009 10:15:47 -0400
>>> To: 'Commercial and Business-Oriented Asterisk Discussion'
>>> <asterisk-biz at lists.digium.com>
>>> Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
>>>
>>> Here is the trace.. please DEVs... add a reporting option to sip stack that
>>> will report on that ip , or something..
>>> This guy has been hacking alot of servers and is currently under FBI
>>> investigation
>>> You see he's using s=Asterisk PBX 1.6.0.5.
>>>
>>>
>>>
>>>
>>> U 2009/05/14 06:42:17.973715 93.190.143.10:5060 -> 174.x.x.x:5060
>>> INVITE sip:98103619990127 at 174.x.x.xSIP/2.0.
>>> Via: SIP/2.0/UDP 93.190.143.10:5060;branch=z9hG4bK3f5cffbb;rport.
>>> Max-Forwards: 70.
>>> From: "MeucciSolutions" <sip:MeucciSolutions at 93.190.143.10>;tag=as123b6c7b.
>>> To: <sip:98103619990127 at 174.x.x.x>.
>>> Contact: <sip:MeucciSolutions at 93.190.143.10>.
>>> Call-ID: 271aa7a750168cf60a36ad654a713caa at 93.190.143.10.
>>> CSeq: 102 INVITE.
>>> User-Agent: MeucciSolutions.
>>> Date: Thu, 14 May 2009 10:42:25 GMT.
>>> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY.
>>> Supported: replaces, timer.
>>> Content-Type: application/sdp.
>>> Content-Length: 287.
>>> .
>>> v=0.
>>> o=root 634218215 634218215 IN IP4 93.190.143.10.
>>> s=Asterisk PBX 1.6.0.5.
>>> c=IN IP4 93.190.143.10.
>>> t=0 0.
>>> m=audio 10990 RTP/AVP 8 0 101.
>>> a=rtpmap:8 PCMA/8000.
>>> a=rtpmap:0 PCMU/8000.
>>> a=rtpmap:101 telephone-event/8000.
>>> a=fmtp:101 0-16.
>>> a=silenceSupp:off - - - -.
>>> a=ptime:20.
>>> a=sendrecv.
>>>
>>>
>>>>> -----Original Message-----
>>>>> From: asterisk-biz-bounces at lists.digium.com [mailto:asterisk-biz-
>>>>> bounces at lists.digium.com] On Behalf Of Elliot Otchet
>>>>> Sent: May-13-09 7:43 PM
>>>>> To: 'asterisk-biz at lists.digium.com'
>>>>> Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
>>>>>
>>>>> Agreed.  We've seen it too.
>>>>>
>>>>> Pardon the typos, my Blackberry has small buttons.
>>>>> Elliot Otchet
>>>>> Calling Circles LLC
>>>>>
>>>>> ----- Original Message -----
>>>>> From: asterisk-biz-bounces at lists.digium.com <asterisk-biz-
>>>>> bounces at lists.digium.com>
>>>>> To: Commercial and Business-Oriented Asterisk Discussion <asterisk-
>>>>> biz at lists.digium.com>
>>>>> Sent: Wed May 13 19:27:03 2009
>>>>> Subject: Re: [asterisk-biz] Bad routign or hack attempt ?
>>>>>
>>>>>
>>>>> Hack attempt 100%. Ban it.
>>>>>
>>>>> --- On Wed, 5/13/09, ContactTel Business <lists at contacttel.com> wrote:
>>>>>
>>>>>> From: ContactTel Business <lists at contacttel.com>
>>>>>> Subject: [asterisk-biz] Bad routign or hack attempt ?
>>>>>> To: "'Commercial and Business-Oriented Asterisk Discussion'"
>>>>> <asterisk-biz at lists.digium.com>
>>>>>> Date: Wednesday, May 13, 2009, 7:05 PM
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Seems someone at MeucciSolutions at 93.190.143.10
>>>>>> could be trying to break in ..
>>>>>>
>>>>>>
>>>>>>
>>>>>> Anyone have heard of any of the 2
>>>>>> parts of the uri ?
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> -----Inline Attachment Follows-----
>>>>>>
>>>>>> _______________________________________________
>>>>>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>>>>>
>>>>>> asterisk-biz mailing list
>>>>>> To UNSUBSCRIBE or update options visit:
>>>>>>    http://lists.digium.com/mailman/listinfo/asterisk-biz
>>>>>
>>>>> _______________________________________________
>>>>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>>>>
>>>>> asterisk-biz mailing list
>>>>> To UNSUBSCRIBE or update options visit:
>>>>>   http://lists.digium.com/mailman/listinfo/asterisk-biz
>>>>>
>>>>> This message is intended only for the use of the individual (s) or
>>>>> entity to which it is addressed and may contain information that is
>>>>> privileged, confidential, and/or proprietary to Calling Circles LLC and
>>>>> its affiliates. If the reader of this message is not the intended
>>>>> recipient, you are hereby notified that any dissemination,
>>>>> distribution, forwarding or copying of this communication is prohibited
>>>>> without the express permission of the sender. If you have received this
>>>>> communication in error, please notify the sender immediately and delete
>>>>> the original message.
>>>>> _______________________________________________
>>>>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>>>>
>>>>> asterisk-biz mailing list
>>>>> To UNSUBSCRIBE or update options visit:
>>>>>   http://lists.digium.com/mailman/listinfo/asterisk-biz
>>>
>>>
>>> _______________________________________________
>>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>>
>>> asterisk-biz mailing list
>>> To UNSUBSCRIBE or update options visit:
>>>    http://lists.digium.com/mailman/listinfo/asterisk-biz
>>
>>
>>
>> _______________________________________________
>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>
>> asterisk-biz mailing list
>> To UNSUBSCRIBE or update options visit:
>>   http://lists.digium.com/mailman/listinfo/asterisk-biz
>>
>
> _______________________________________________
> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>
> asterisk-biz mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-biz
>
> _______________________________________________
> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>
> asterisk-biz mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-biz
>
> This message is intended only for the use of the individual (s) or entity to which it is addressed and may contain information that is privileged, confidential, and/or proprietary to Calling Circles LLC and its affiliates. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution, forwarding or copying of this communication is prohibited without the express permission of the sender. If you have received this communication in error, please notify the sender immediately and delete the original message.
>
> _______________________________________________
> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>
> asterisk-biz mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-biz
>

_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--

asterisk-biz mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-biz

This message is intended only for the use of the individual (s) or entity to which it is addressed and may contain information that is privileged, confidential, and/or proprietary to Calling Circles LLC and its affiliates. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution, forwarding or copying of this communication is prohibited without the express permission of the sender. If you have received this communication in error, please notify the sender immediately and delete the original message.



More information about the asterisk-biz mailing list