<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt"><DIV>Thanks again. I really appreciate any advice that can help me identify how they gained access. I don't think it's a process of them gaining access through my DID. I enabled the full logging in logger.conf and a few things popped up in the full log which show me a few things. I have limited knowledge about all this so I could use more input on what this means. But apparently they did something to gain access by trying to register several IP address at once.</DIV>
<DIV> </DIV>
<DIV>Aug 29 23:11:51] NOTICE[92568] chan_sip.c: Registration from '"94.23.222.75:5060.....85.31.178.110.....203.174.41.18....190.10.27.80"<sip:100@98.242.233.74>' failed for '188.161.221.100' - No matching peer found</DIV>
<DIV>[Aug 30 00:37:40] NOTICE[92568] chan_sip.c: Registration from '85.43.196.74 ... 87.236.186.110...202.43.190.195..202.43.190.195..203.215.155.38<sip:100@98.242.233.74>' failed for '109.253.85.228' - No matching peer found<BR>[Aug 30 00:37:40] NOTICE[92568] chan_sip.c: Registration from '85.43.196.74 ... 87.236.186.110...202.43.190.195..202.43.190.195..203.215.155.38<sip:100@98.242.233.74>' failed for '109.253.85.228' - No matching peer found<BR></DIV>
<DIV><STRONG><FONT color=#ff0000>NOTICE HERE THE LOGIN FOR EXT #100 FAILS BECUASE THERE IS NO EXT #100</FONT></STRONG></DIV>
<DIV><STRONG><FONT color=#ff0000>BUT ONLY 5 SECONDS LATER THEY WERE IN AND DIALING A CALL</FONT></STRONG></DIV>
<DIV><STRONG><FONT color=#ff0000>IP ADDRESS 109.253.85.228 ORIGINATES IN ISRAEL</FONT></STRONG></DIV>
<DIV> </DIV>
<DIV>[Aug 30 00:37:55] VERBOSE[92568] logger.c: -- Executing [011972599544327@default:1] Set("SIP/98.242.233.74-00000004", "CALLERID(all)=xxxxxxxxxxx") in new stack<BR>[Aug 30 00:37:55] VERBOSE[92568] logger.c: -- Executing [011972599544327@default:2] Dial("SIP/98.242.233.74-00000004", "SIP/xxx/011972599544327,,wWFotThH") in new stack<BR>[Aug 30 00:37:55] VERBOSE[92568] logger.c: -- Called xxx/011972599544327<BR>[Aug 30 00:37:56] VERBOSE[92568] logger.c: -- SIP/xxx-00000005 is making progress passing it to SIP/98.242.233.74-00000004<BR>[Aug 30 00:37:58] VERBOSE[92568] logger.c: -- Got SIP response 402 "Zero balance" back from 204.74.213.5<BR>[Aug 30 00:37:58] VERBOSE[92568] logger.c: -- No one is available to answer at this time (1:0/0/0)<BR>[Aug 30 00:37:58] VERBOSE[92568] logger.c: --
Executing [011972599544327@default:3] PlayTones("SIP/98.242.233.74-00000004", "congestion") in new stack<BR>[Aug 30 00:37:58] VERBOSE[92568] logger.c: -- Executing [011972599544327@default:4] Hangup("SIP/98.242.233.74-00000004", "") in new stack<BR>[Aug 30 00:37:58] VERBOSE[92568] logger.c: == Spawn extension (default, 011972599544327, 4) exited non-zero on 'SIP/98.242.233.74-00000004'<BR>[Aug 30 00:38:00] NOTICE[92568] chan_sip.c: Registration from '85.43.196.74 ... 87.236.186.110...202.43.190.195..202.43.190.195..203.215.155.38<sip:100@98.242.233.74>' failed for '109.253.85.228' - No matching peer found<BR></DIV>
<DIV style="FONT-FAMILY: times new roman, new york, times, serif; FONT-SIZE: 12pt"><BR>
<DIV style="FONT-FAMILY: arial, helvetica, sans-serif; FONT-SIZE: 13px"><FONT size=2 face=Tahoma>
<HR SIZE=1>
<B><SPAN style="FONT-WEIGHT: bold">From:</SPAN></B> Vahan Yerkanian <vahan@arminco.com><BR><B><SPAN style="FONT-WEIGHT: bold">To:</SPAN></B> Asterisk on BSD discussion <asterisk-bsd@lists.digium.com><BR><B><SPAN style="FONT-WEIGHT: bold">Sent:</SPAN></B> Mon, August 30, 2010 9:42:35 AM<BR><B><SPAN style="FONT-WEIGHT: bold">Subject:</SPAN></B> Re: [Asterisk-bsd] Securing Asterisk with a DID<BR></FONT><BR> On 8/30/10 4:34 PM, Frank Griffith wrote:<BR>> Executing [011972599544327@default:1]<BR>This is perhaps one of the worst things you can ever do with Asterisk - <BR>putting toll access into the default context. Never put anything you <BR>don't want to be accessible to unauthenticated guests there.<BR><BR>Your Asterisk server with that config is an open gateway, and anyone can <BR>dial through it if they try to dial SIP/011something@your_ip.<BR><BR>Solution: move everything out of the default context in extensions.conf <BR>or .ael,
leaving it empty, and place all the extensions instead in a <BR>different context.<BR><BR>Assign your devices and/or DID accounts to that context so the <BR>extensions are still available to them, f.e.<BR><BR>[myDIDprovider]<BR>type=user<BR>host=ipaddr_or_hostname<BR>context=my_context<BR>disallow=all<BR>allow=whatever_codec(s)<BR>qualify=yes<BR><BR>[201] ; a sip account<BR>type=friend<BR>host=dynamic<BR>secret=verysecretandlonghash<BR>context=my_context<BR>disallow=all<BR>allow=whatever_codec(s)<BR>qualify=yes<BR><BR>These are rough examples, but should be enough for the start. Yeah, and <BR>make sure you have alwaysauthreject=yes in sip.conf<BR><BR>Hope this helps,<BR>Vahan<BR><BR><BR>-- <BR>_____________________________________________________________________<BR>-- Bandwidth and Colocation Provided by http://www.api-digital.com --<BR><BR>Asterisk-BSD mailing list<BR>To UNSUBSCRIBE or update options visit:<BR>
http://lists.digium.com/mailman/listinfo/asterisk-bsd<BR></DIV></DIV></div><br>
</body></html>