[asterisk-security] Person Trying to Register on my Asterisk multiple times
Johansson Olle E
oej at edvina.net
Fri Jan 23 15:51:46 CST 2009
On 23 Jan 2009 at 22:36, Christopher Gray wrote:
> Hello:
>
> Beginning on January 6, it appears that somebody has been trying to hack into
> my Asterisk. They have tried on the 7th, 9th, and the 20th. The messages file
> in /var/log/asterisk shows entries like this:
>
> [Jan 20 13:39:40] NOTICE[5130] chan_sip.c: Registration from
> '"1072963462"<sip:1072963462@198.144.206.28>' failed for
> '212.174.78.60' - No matching peer found
>
> [Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from
> '"100"<sip:100@198.144.206.28>' failed for '212.174.78.60' - No
> matching peer found
>
> [Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from
> '"101"<sip:101@198.144.206.28>' failed for '212.174.78.60' - No
> matching peer found
>
> [Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from
> '"102"<sip:102@198.144.206.28>' failed for '212.174.78.60' - No
> matching peer found
>
> [Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from
> '"103"<sip:103@198.144.206.28>' failed for '212.174.78.60' - No
> matching peer found
>
> The sip:101, sip:102 and so on goes up until sip:9975. This began at 13:39:40
> and ended at 13:42:51. Entries began at line 970 of the log file and ended at
> 8016, for a total of 7,041 occurrences.
>
> How worried should I be about this, and what should I do to stop further
> attempts?
Attacks are never fun. Use the ACL (permit/deny) in sip.conf to block
this IP or range of IPs at least.

Or use iptables. There are a lot of iptables scripts to prevent this
kind of attack if you look at the solutions for the very common SSH
attacks that keep testing multiple usernames. Maybe someone on the list
has a version for SIP attempts over TCP and/or UDP?

It's always good to have a bit less obvious peer names than the ones
they test. Don't use usernames or extension numbers. Make sure you
separate the namespaces. Kevin usually suggests Ethernet MAC addresses,
which are harder to guess but still relate to something, even though
they do have a well-known pattern.

Finally, it's important to make sure you have good passwords. There's
no reason to have simple passwords in something you only install in
software in devices or applications. There's no user who has to learn
to remember the MD5 auth secrets.

That's my 10 cents. Please, list, fill in and correct me when wrong!
/O
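The reply above recommends spotting this kind of registration scan in the chan_sip log and then blocking the source with a sip.conf ACL or iptables. The following is an added example, not code from this thread or from the Asterisk project, showing how to detect the pattern automatically: it parses the `Registration from ... failed for '<ip>'` NOTICE lines, counts failures per source IP inside a short time window, and prints the corresponding sip.conf `deny=` line and iptables rule. The log lines are constructed after the format quoted in the question; the threshold (5 failures in 60 seconds), the `address/netmask` form of the `deny=` entry and the `iptables ... --dport 5060` rule are assumptions to adjust for your own setup.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the chan_sip registration-failure NOTICE shown in the thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[0-9.]+)' - "
    r"(?P<reason>.+)$"
)
# Pulls the user part out of <sip:user@host>; list archives often render
# the "@" as " at ", so both spellings are accepted.
USER_RE = re.compile(r"<sip:(?P<user>[^@>]+?)(?:@| at )")

# Constructed sample log (format copied from the question, one extra
# single failure from a hypothetical misconfigured phone at 10.0.0.5).
SAMPLE_LOG = """\
[Jan 20 13:39:40] NOTICE[5130] chan_sip.c: Registration from '"1072963462"<sip:1072963462@198.144.206.28>' failed for '212.174.78.60' - No matching peer found
[Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from '"100"<sip:100@198.144.206.28>' failed for '212.174.78.60' - No matching peer found
[Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from '"101"<sip:101@198.144.206.28>' failed for '212.174.78.60' - No matching peer found
[Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from '"102"<sip:102@198.144.206.28>' failed for '212.174.78.60' - No matching peer found
[Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from '"103"<sip:103@198.144.206.28>' failed for '212.174.78.60' - No matching peer found
[Jan 20 14:02:13] NOTICE[5130] chan_sip.c: Registration from '"201"<sip:201@198.144.206.28>' failed for '10.0.0.5' - No matching peer found
""".splitlines()


def parse_line(line):
    """Return a dict for a registration-failure line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The Asterisk log carries no year; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used here.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    um = USER_RE.search(m.group("from"))
    user = um.group("user") if um else m.group("from")
    return {"ts": ts, "ip": m.group("ip"), "user": user, "reason": m.group("reason")}


def find_scanners(lines, threshold=5, window=timedelta(seconds=60)):
    """Map source IP -> summary for every IP with >= threshold failures
    inside any `window`-long span. A single failed phone never qualifies."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["ip"]].append(ev)
    hits = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs) - threshold + 1):
            if evs[i + threshold - 1]["ts"] - evs[i]["ts"] <= window:
                hits[ip] = {
                    "failures": len(evs),
                    "distinct_users": len({e["user"] for e in evs}),
                    "first": evs[0]["ts"],
                    "last": evs[-1]["ts"],
                }
                break
    return hits


def sip_conf_deny(ip):
    """sip.conf ACL entry (assumed host-mask form) for a [general] or peer section."""
    return f"deny={ip}/255.255.255.255"


def iptables_drop(ip, port=5060):
    """Assumed host firewall rule dropping SIP over UDP from the source IP."""
    return f"iptables -A INPUT -s {ip} -p udp --dport {port} -j DROP"


if __name__ == "__main__":
    for ip, info in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, {info['distinct_users']} usernames, "
              f"{info['first'].strftime('%H:%M:%S')}-{info['last'].strftime('%H:%M:%S')}")
        print("  " + sip_conf_deny(ip))
        print("  " + iptables_drop(ip))
```

Run against `/var/log/asterisk/messages` by replacing `SAMPLE_LOG` with the file's lines; the per-IP distinct-username count is the useful signal, since a real phone with a wrong password keeps retrying one name while a scanner like the one in the question walks through thousands.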