Do you have remote SIP peers that connect to your Asterisk, rather than your Asterisk connecting out to the remote side?<div>If not, drop port 5060 on your external interface via a firewall rule like</div><div><br></div><div>block drop on $ext_if proto { tcp udp } from any to $ext_ip port 5060<br>
<br><div class="gmail_quote">2010/8/30 Frank Griffith <span dir="ltr"><<a href="mailto:glassdude45@yahoo.com">glassdude45@yahoo.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><div style="font-family:times new roman, new york, times, serif;font-size:12pt"><div>Thanks again. I really appreciate any advice that can help me identify how they gained access. I don't think it's a process of them gaining access through my DID. I enabled the full logging in logger.conf and a few things popped up in the full log which show me a few things. I have limited knowledge about all this so I could use more input on what this means. But apparently they did something to gain access by trying to register several IP addresses at once.</div>
<div> </div>
<div>[Aug 29 23:11:51] NOTICE[92568] chan_sip.c: Registration from '"94.23.222.75:5060.....85.31.178.110.....203.174.41.18....190.10.27.80"<<a href="mailto:sip%3A100@98.242.233.74" target="_blank">sip:100@98.242.233.74</a>>' failed for '188.161.221.100' - No matching peer found</div>
<div>[Aug 30 00:37:40] NOTICE[92568] chan_sip.c: Registration from '85.43.196.74 ... 87.236.186.110...202.43.190.195..202.43.190.195..203.215.155.38<<a href="mailto:sip%3A100@98.242.233.74" target="_blank">sip:100@98.242.233.74</a>>' failed for '109.253.85.228' - No matching peer found<br>
[Aug 30 00:37:40] NOTICE[92568] chan_sip.c: Registration from '85.43.196.74 ... 87.236.186.110...202.43.190.195..202.43.190.195..203.215.155.38<<a href="mailto:sip%3A100@98.242.233.74" target="_blank">sip:100@98.242.233.74</a>>' failed for '109.253.85.228' - No matching peer found<br>
</div>
<div><strong><font color="#ff0000">NOTICE HERE THE LOGIN FOR EXT #100 FAILS BECAUSE THERE IS NO EXT #100</font></strong></div>
<div><strong><font color="#ff0000">BUT ONLY 5 SECONDS LATER THEY WERE IN AND DIALING A CALL</font></strong></div>
<div><strong><font color="#ff0000">IP ADDRESS 109.253.85.228 ORIGINATES IN ISRAEL</font></strong></div>
<div> </div>
<div>[Aug 30 00:37:55] VERBOSE[92568] logger.c: -- Executing [011972599544327@default:1] Set("SIP/98.242.233.74-00000004", "CALLERID(all)=xxxxxxxxxxx") in new stack<br>[Aug 30 00:37:55] VERBOSE[92568] logger.c: -- Executing [011972599544327@default:2] Dial("SIP/98.242.233.74-00000004", "SIP/xxx/011972599544327,,wWFotThH") in new stack<br>
[Aug 30 00:37:55] VERBOSE[92568] logger.c: -- Called xxx/011972599544327<br>[Aug 30 00:37:56] VERBOSE[92568] logger.c: -- SIP/xxx-00000005 is making progress passing it to SIP/98.242.233.74-00000004<br>[Aug 30 00:37:58] VERBOSE[92568] logger.c: -- Got SIP response 402 "Zero balance" back from 204.74.213.5<br>
[Aug 30 00:37:58] VERBOSE[92568] logger.c: -- No one is available to answer at this time (1:0/0/0)<br>[Aug 30 00:37:58] VERBOSE[92568] logger.c: --
Executing [011972599544327@default:3] PlayTones("SIP/98.242.233.74-00000004", "congestion") in new stack<br>[Aug 30 00:37:58] VERBOSE[92568] logger.c: -- Executing [011972599544327@default:4] Hangup("SIP/98.242.233.74-00000004", "") in new stack<br>
[Aug 30 00:37:58] VERBOSE[92568] logger.c: == Spawn extension (default, 011972599544327, 4) exited non-zero on 'SIP/98.242.233.74-00000004'<br>[Aug 30 00:38:00] NOTICE[92568] chan_sip.c: Registration from '85.43.196.74 ... 87.236.186.110...202.43.190.195..202.43.190.195..203.215.155.38<<a href="mailto:sip%3A100@98.242.233.74" target="_blank">sip:100@98.242.233.74</a>>' failed for '109.253.85.228' - No matching peer found<br>
</div>
<div style="font-family:times new roman, new york, times, serif;font-size:12pt"><br>
<div style="font-family:arial, helvetica, sans-serif;font-size:13px"><font size="2" face="Tahoma">
<hr size="1">
<b><span style="font-weight:bold">From:</span></b> Vahan Yerkanian <<a href="mailto:vahan@arminco.com" target="_blank">vahan@arminco.com</a>><br><b><span style="font-weight:bold">To:</span></b> Asterisk on BSD discussion <<a href="mailto:asterisk-bsd@lists.digium.com" target="_blank">asterisk-bsd@lists.digium.com</a>><br>
<b><span style="font-weight:bold">Sent:</span></b> Mon, August 30, 2010 9:42:35 AM<br><b><span style="font-weight:bold">Subject:</span></b> Re: [Asterisk-bsd] Securing Asterisk with a DID<br></font><br> On 8/30/10 4:34 PM, Frank Griffith wrote:<br>
> Executing [011972599544327@default:1]<br>This is perhaps one of the worst things you can ever do with Asterisk - <br>putting toll access into the default context. Never put anything you <br>don't want to be accessible to unauthenticated guests there.<br>
<br>Your Asterisk server with that config is an open gateway, and anyone can <br>dial through it if they try to dial SIP/011something@your_ip.<br><br>Solution: move everything out of the default context in extensions.conf <br>
or .ael,
leaving it empty, and place all the extensions instead in a <br>different context.<br><br>Assign your devices and/or DID accounts to that context so the <br>extensions are still available to them, f.e.<br><br>[myDIDprovider]<br>
type=user<br>host=ipaddr_or_hostname<br>context=my_context<br>disallow=all<br>allow=whatever_codec(s)<br>qualify=yes<br><br>[201] ; a sip account<br>type=friend<br>host=dynamic<br>secret=verysecretandlonghash<br>context=my_context<br>
disallow=all<br>allow=whatever_codec(s)<br>qualify=yes<br><br>These are rough examples, but should be enough for the start. Yeah, and <br>make sure you have alwaysauthreject=yes in sip.conf<br><br>Hope this helps,<br>Vahan<br>
<br><br>-- <br>_____________________________________________________________________<br>-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br><br>
Asterisk-BSD mailing list<br>To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-bsd" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-bsd</a><br></div></div></div><br>
</div></blockquote></div><br><br clear="all"><br>-- <br>Giancarlo Rubio<br><br>
</div>
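Detection logic for the two things this thread points at, written here as an added example (not code from the list, from Asterisk, or from any of the posters): it counts rejected REGISTER attempts per source IP from chan_sip NOTICE lines, and flags any Dial() the dialplan executes from the default context, which Vahan identifies as the context reachable by unauthenticated guests. The log lines are constructed to match the format quoted above; the my_context line is invented for contrast.

```python
import re
from collections import Counter

# Constructed sample in the format of the Asterisk "full" log quoted in the
# thread (same hosts as the thread; the my_context line is made up for contrast).
SAMPLE_LOG = """\
[Aug 30 00:37:40] NOTICE[92568] chan_sip.c: Registration from '85.43.196.74 ... 203.215.155.38<sip:100@98.242.233.74>' failed for '109.253.85.228' - No matching peer found
[Aug 30 00:37:40] NOTICE[92568] chan_sip.c: Registration from '85.43.196.74 ... 203.215.155.38<sip:100@98.242.233.74>' failed for '109.253.85.228' - No matching peer found
[Aug 30 00:37:55] VERBOSE[92568] logger.c: -- Executing [011972599544327@default:2] Dial("SIP/98.242.233.74-00000004", "SIP/xxx/011972599544327,,wWFotThH") in new stack
[Aug 30 00:38:01] VERBOSE[92568] logger.c: -- Executing [202@my_context:1] Dial("SIP/201-00000006", "SIP/202,20") in new stack
"""

# The real source is the "failed for '<ip>'" address; the From header before it
# is attacker-controlled and in the thread carries a string of bogus IPs.
REG_FAIL = re.compile(r"Registration from '.*?' failed for '([\d.]+)' - No matching peer found")
# Dialplan execution of Dial(): extension, context and the originating channel.
DIAL = re.compile(r'Executing \[([^@\]]+)@([^:\]]+):\d+\] Dial\("([^"]+)"')


def failed_registrations(log):
    """Count rejected REGISTER attempts per source IP."""
    counts = Counter()
    for line in log.splitlines():
        m = REG_FAIL.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def dials_in_context(log, context="default"):
    """(extension, channel) for each Dial() executed in `context`.
    Anything reachable from 'default' is reachable by unauthenticated guests,
    so a Dial() there is toll-fraud exposure rather than a normal call."""
    return [(m.group(1), m.group(3))
            for m in map(DIAL.search, log.splitlines())
            if m and m.group(2) == context]


def alerts(log, max_failures=1):
    """Findings a defender would act on: noisy registration sources and guest dials."""
    out = []
    for ip, n in failed_registrations(log).items():
        if n > max_failures:
            out.append(f"{n} failed registrations from {ip}: block at the firewall")
    for ext, chan in dials_in_context(log, "default"):
        out.append(f"guest channel {chan} dialled {ext} via [default]: move toll access out of that context")
    return out


if __name__ == "__main__":
    for finding in alerts(SAMPLE_LOG):
        print(finding)
```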