<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt"><DIV>Well obviously there is a remote SIP connecting. But my server is not setup to allow any remote connections. According to the VOIP provider I've been brute force attacked yet Asterisk leaves no log information as to which account was logged into. Thus I'm still stuck trying to figure out what happened.</DIV>
<DIV> </DIV>
<DIV>My server does login to my VOIP provider via sip. So if I understand your question correctly the answer is no. I do not have nor do I allow any remote SIP connections, yet the evidence is there that someone connected remotely and dialed some numbers.</DIV>
<DIV> </DIV>
<DIV>I guess this is showing how security is still a very misunderstood topic.<BR></DIV>
<DIV style="FONT-FAMILY: times new roman, new york, times, serif; FONT-SIZE: 12pt"><BR>
<DIV style="FONT-FAMILY: times new roman, new york, times, serif; FONT-SIZE: 12pt"><FONT size=2 face=Tahoma>
<HR SIZE=1>
<B><SPAN style="FONT-WEIGHT: bold">From:</SPAN></B> Giancarlo Rubio <gianrubio@gmail.com><BR><B><SPAN style="FONT-WEIGHT: bold">To:</SPAN></B> Asterisk on BSD discussion <asterisk-bsd@lists.digium.com><BR><B><SPAN style="FONT-WEIGHT: bold">Sent:</SPAN></B> Mon, August 30, 2010 10:24:22 AM<BR><B><SPAN style="FONT-WEIGHT: bold">Subject:</SPAN></B> Re: [Asterisk-bsd] Securing Asterisk with a DID<BR></FONT><BR>Did you have remote sip that connect in your asterisk, not your asterisk to remote??
<DIV>If no drop port 5060 in your external interface via firewall rule like</DIV>
<DIV><BR></DIV>
<DIV>block drop on $ext_if from any to $ext_ip port 5060<BR><BR>
<DIV class=gmail_quote>2010/8/30 Frank Griffith <SPAN dir=ltr><<A href="mailto:glassdude45@yahoo.com" rel=nofollow target=_blank ymailto="mailto:glassdude45@yahoo.com">glassdude45@yahoo.com</A>></SPAN><BR>
<BLOCKQUOTE style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class=gmail_quote>
<DIV>
<DIV style="FONT-FAMILY: times new roman, new york, times, serif; FONT-SIZE: 12pt">
<DIV>Thanks again. I really appreciate any advice that can help me identify how they gained access. I don't think it's a process of them gaining access through my DID. I enabled the full logging in logger.conf and a few things popped up in the full log which show me a few things. I have limited knowledge about all this so I could use more input on what this means. But apparently they did something to gain access by trying to register several IP address at once.</DIV>
<DIV> </DIV>
<DIV>Aug 29 23:11:51] NOTICE[92568] chan_sip.c: Registration from '"94.23.222.75:5060.....85.31.178.110.....203.174.41.18....190.10.27.80"<<A href="mailto:sip%3A100@98.242.233.74" rel=nofollow target=_blank ymailto="mailto:sip%3A100@98.242.233.74">sip:100@98.242.233.74</A>>' failed for '188.161.221.100' - No matching peer found</DIV>
<DIV>[Aug 30 00:37:40] NOTICE[92568] chan_sip.c: Registration from '85.43.196.74 ... 87.236.186.110...202.43.190.195..202.43.190.195..203.215.155.38<<A href="mailto:sip%3A100@98.242.233.74" rel=nofollow target=_blank ymailto="mailto:sip%3A100@98.242.233.74">sip:100@98.242.233.74</A>>' failed for '109.253.85.228' - No matching peer found<BR>[Aug 30 00:37:40] NOTICE[92568] chan_sip.c: Registration from '85.43.196.74 ... 87.236.186.110...202.43.190.195..202.43.190.195..203.215.155.38<<A href="mailto:sip%3A100@98.242.233.74" rel=nofollow target=_blank ymailto="mailto:sip%3A100@98.242.233.74">sip:100@98.242.233.74</A>>' failed for '109.253.85.228' - No matching peer found<BR></DIV>
<DIV><STRONG><FONT color=#ff0000>NOTICE HERE THE LOGIN FOR EXT #100 FAILS BECUASE THERE IS NO EXT #100</FONT></STRONG></DIV>
<DIV><STRONG><FONT color=#ff0000>BUT ONLY 5 SECONDS LATER THEY WERE IN AND DIALING A CALL</FONT></STRONG></DIV>
<DIV><STRONG><FONT color=#ff0000>IP ADDRESS 109.253.85.228 ORIGINATES IN ISRAEL</FONT></STRONG></DIV>
<DIV> </DIV>
<DIV>[Aug 30 00:37:55] VERBOSE[92568] logger.c: -- Executing [011972599544327@default:1] Set("SIP/98.242.233.74-00000004", "CALLERID(all)=xxxxxxxxxxx") in new stack<BR>[Aug 30 00:37:55] VERBOSE[92568] logger.c: -- Executing [011972599544327@default:2] Dial("SIP/98.242.233.74-00000004", "SIP/xxx/011972599544327,,wWFotThH") in new stack<BR>[Aug 30 00:37:55] VERBOSE[92568] logger.c: -- Called xxx/011972599544327<BR>[Aug 30 00:37:56] VERBOSE[92568] logger.c: -- SIP/xxx-00000005 is making progress passing it to SIP/98.242.233.74-00000004<BR>[Aug 30 00:37:58] VERBOSE[92568] logger.c: -- Got SIP response 402 "Zero balance" back from 204.74.213.5<BR>[Aug 30 00:37:58] VERBOSE[92568] logger.c: -- No one is available to answer at this time (1:0/0/0)<BR>[Aug 30 00:37:58] VERBOSE[92568] logger.c: --
Executing [011972599544327@default:3] PlayTones("SIP/98.242.233.74-00000004", "congestion") in new stack<BR>[Aug 30 00:37:58] VERBOSE[92568] logger.c: -- Executing [011972599544327@default:4] Hangup("SIP/98.242.233.74-00000004", "") in new stack<BR>[Aug 30 00:37:58] VERBOSE[92568] logger.c: == Spawn extension (default, 011972599544327, 4) exited non-zero on 'SIP/98.242.233.74-00000004'<BR>[Aug 30 00:38:00] NOTICE[92568] chan_sip.c: Registration from '85.43.196.74 ... 87.236.186.110...202.43.190.195..202.43.190.195..203.215.155.38<<A href="mailto:sip%3A100@98.242.233.74" rel=nofollow target=_blank ymailto="mailto:sip%3A100@98.242.233.74">sip:100@98.242.233.74</A>>' failed for '109.253.85.228' - No matching peer found<BR></DIV>
<DIV style="FONT-FAMILY: times new roman, new york, times, serif; FONT-SIZE: 12pt"><BR>
<DIV style="FONT-FAMILY: arial, helvetica, sans-serif; FONT-SIZE: 13px"><FONT size=2 face=Tahoma>
<HR SIZE=1>
<B><SPAN style="FONT-WEIGHT: bold">From:</SPAN></B> Vahan Yerkanian <<A href="mailto:vahan@arminco.com" rel=nofollow target=_blank ymailto="mailto:vahan@arminco.com">vahan@arminco.com</A>><BR><B><SPAN style="FONT-WEIGHT: bold">To:</SPAN></B> Asterisk on BSD discussion <<A href="mailto:asterisk-bsd@lists.digium.com" rel=nofollow target=_blank ymailto="mailto:asterisk-bsd@lists.digium.com">asterisk-bsd@lists.digium.com</A>><BR><B><SPAN style="FONT-WEIGHT: bold">Sent:</SPAN></B> Mon, August 30, 2010 9:42:35 AM<BR><B><SPAN style="FONT-WEIGHT: bold">Subject:</SPAN></B> Re: [Asterisk-bsd] Securing Asterisk with a DID<BR></FONT><BR> On 8/30/10 4:34 PM, Frank Griffith wrote:<BR>> Executing [011972599544327@default:1]<BR>This is perhaps one of the worst things you can ever do with Asterisk - <BR>putting toll access into the default context. Never put anything you <BR>don't want to be accessible to unauthenticated guests there.<BR><BR>Your
Asterisk server with that config is an open gateway, and anyone can <BR>dial through it if they try to dial SIP/011something@your_ip.<BR><BR>Solution: move everything out of the default context in extensions.conf <BR>or .ael, leaving it empty, and place all the extensions instead in a <BR>different context.<BR><BR>Assign your devices and/or DID accounts to that context so the <BR>extensions are still available to them, f.e.<BR><BR>[myDIDprovider]<BR>type=user<BR>host=ipaddr_or_hostname<BR>context=my_context<BR>disallow=all<BR>allow=whatever_codec(s)<BR>qualify=yes<BR><BR>[201] ; a sip account<BR>type=friend<BR>host=dynamic<BR>secret=verysecretandlonghash<BR>context=my_context<BR>disallow=all<BR>allow=whatever_codec(s)<BR>qualify=yes<BR><BR>These are rough examples, but should be enough for the start. Yeah, and <BR>make sure you have alwaysauthreject=yes in sip.conf<BR><BR>Hope this helps,<BR>Vahan<BR><BR><BR>--
<BR>_____________________________________________________________________<BR>-- Bandwidth and Colocation Provided by http://www.api-digital.com --<BR><BR>Asterisk-BSD mailing list<BR>To UNSUBSCRIBE or update options visit:<BR> http://lists.digium.com/mailman/listinfo/asterisk-bsd<BR></DIV></DIV></DIV><BR></DIV><BR>--<BR>_____________________________________________________________________<BR>-- Bandwidth and Colocation Provided by <A href="http://www.api-digital.com/" rel=nofollow target=_blank>http://www.api-digital.com</A> --<BR><BR>Asterisk-BSD mailing list<BR>To UNSUBSCRIBE or update options visit:<BR> <A href="http://lists.digium.com/mailman/listinfo/asterisk-bsd" rel=nofollow target=_blank>http://lists.digium.com/mailman/listinfo/asterisk-bsd</A><BR></BLOCKQUOTE></DIV><BR><BR clear=all><BR>-- <BR>Giancarlo Rubio<BR><BR></DIV></DIV></DIV></div><br>
</body></html>