[asterisk-users] Asterisk brute force watcher (was FYI)

Thu Apr 26 05:56:02 MST 2007

Steve Totaro wrote:
>> -----Original Message-----
>> From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-
>> bounces at lists.digium.com] On Behalf Of J. Oquendo
>> Sent: Thursday, April 26, 2007 6:47 AM
>> To: Asterisk Users Mailing List - Non-Commercial Discussion
>> Subject: [asterisk-users] Asterisk brute force watcher (was FYI)
>>
>> Steve Totaro wrote:
>>     
>>> I suspect that this will happen more and more.  I also suspect that
>>>       
> many
>   
>>> people who have weak SIP credentials like user=100 secret=100 will
>>>       
> be
>   
>>> the victim of toll fraud and worse, call to 900 and other very high
>>> termination rates.  How does $25 per minute sound?
>>>
>>> Thanks,
>>> Steve Totaro
>>> http://www.asteriskhelpdesk.com
>>> KB3OPB
>>>       
>> Ashtray is an Asterisk brute force watcher. Checks logs from cron and
>> emails admin of potential brute forcers
>> http://www.infiltrated.net/scripts/ashtray
>>
>> Can have it set in .bash_profile so whenever you log on, you'd see
>> anomalies.
>>
>> --
>> ====================================================
>> J. Oquendo
>> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
>> echo infiltrated.net|sed 's/^/sil@/g'
>>
>> "Wise men talk because they have something to say;
>> fools, because they have to say something." -- Plato
>>
>>     
>
> Without looking, can it be configured to blacklist that IP for a given
> amount of time?  My FTP server has that ability.
>
> Thanks,
> Steve Totaro
> http://www.asteriskhelpdesk.com
> KB3OPB
>
> _______________________________________________
> --Bandwidth and Colocation provided by Easynews.com --
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
>
>   
Depends... I myself have an extremely modified IPS like script I chopped 
up for myself. If I posted it, it would look like a horrendous 
shell+ruby+perl +awk+sed nightmare with no comments that most 
programmers would likely roll their eyes at in disgust.

Depending on how you run your Asterisk machine (DB or no DB) it should 
be doable with iptables (--flush), ipf, ipfw, etc. I have one of my 
servers set to do a few things with my script... 1) If a user attempts 
to register and fails more than 5 times ... Email me the username and IP 
address. It doesn't get blocked yet. This way no legitimate remote user 
complains... 2) If a user attempts to register and fails, check the IP 
address and see if they're trying to register using multiple names, if 
they are, then automatically block them via iptables...

I started to tinker with an entire IDS/IPS devoted to Asterisk 
(www.infiltrated.net/scripts/divinityPoC) but haven't had time to finish 
it. Besides, (and I'm sorry to say this)... Asterisk's logging 
mechanisms/errors infuriate me. Sometimes their errors make no sense - 
wth is a doohicky error you guys? So I left it alone. I've butchered it 
for managed PBX's with under 50 users, but for thousands of users, its 
no good.

Right now one of my machines has: 341 sip peers [308 online , 33 
offline] / 45 active channels : 24 active calls ... I don't even count 
how many trunks and attached * machines I have on that server. And this 
is only one of about maybe 15-20 I deal with on a daily basis...

What I had envisioned for divinity was based off of my Asteroid program 
(www.infiltrated.net/asteroid/)... Catch any anomalous SIP messages and 
nip it in the bud. The heuristics behind it though would be a full time 
job in itself so I left it alone. I may or may not continue it, but 
right now I have little incentive to. 1) Too much studying going on for 
me... 2) Work keeps me tied up... 3) Family life... Besides I've 
configured my machines to where I'm comfortable with them which was my 
main goal. Last thing I want to do is release something half done to 
hear the criticism "You're program is half baked!" blah blah...

-- 
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 

"Wise men talk because they have something to say;
fools, because they have to say something." -- Plato

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5157 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.digium.com/pipermail/asterisk-users/attachments/20070426/f372dfdb/smime-0001.bin