[asterisk-users] sip extension compromised, need help blocking brute force attempts

spectro spectro at gmail.com
Mon Jun 30 11:15:24 CDT 2008


Hello, yesterday one of the extensions on my Asterisk server got
compromised by a brute-force attack. The attacker used it to try to pull an
identity theft scam, playing a recording from a bank: "your account has
been blocked due to unusual activity, please call this number..."

The attacker managed to make lots of calls for around 8 hours before I
detected it and changed the password for that extension. As of this
morning it is still attempting to brute-force the password for that
extension again. I need a way to block that IP from connecting to my
Asterisk server; please advise.

--- sip debug ---
Using INVITE request as basis request -
49f272293cd248d6174ceddf3eef1575 at 69.13.xx.xxx
Sending to 74.52.112.162 : 5060 (NAT)
Found user '211'
Reliably Transmitting (NAT) to 74.52.112.162:5060:
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP
74.52.112.162:5060;branch=z9hG4bK3b28fa36;received=74.52.112.162;rport=5060
From: "ASLPLS" <sip:211 at 69.13.xx.xxx>;tag=as130a4d39
To: <sip:19037292454 at 69.13.xx.xxx>;tag=as0c69057b
Call-ID: 49f272293cd248d6174ceddf3eef1575 at 69.13.xx.xxx
CSeq: 103 INVITE
User-Agent: Asterisk PBX
llow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Contact: <sip:19037292454 at 69.13.xx.xxx>
Content-Length: 0
--- sip debug ---

That box is currently running Trixbox 1.2.3. I have iptables disabled.
If anybody can give me a simple ruleset that allows all traffic except
IP 74.52.112.162 to port 5060, I will really appreciate it.

Are there mechanisms in Asterisk to detect and automatically block
these brute force attempts?
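One way to get the automatic detection the post asks about, as an added example that is not from the original thread: a small log watcher that counts failed SIP registrations per source IP and emits a DROP rule for any IP over a threshold. The sample log lines are constructed here, modelled on the chan_sip NOTICE messages Asterisk writes on a wrong password; the threshold of 5 and the choice to only print the iptables commands (rather than execute them) are assumptions.

```python
import re
from collections import defaultdict

# Matches the chan_sip NOTICE written on a failed REGISTER (format assumed from
# Asterisk 1.4-era logs): Registration from '<peer>' failed for '<ip>' - <reason>
FAILED_RE = re.compile(
    r"Registration from '(?P<peer>[^']*)' failed for '(?P<ip>\d+\.\d+\.\d+\.\d+)'"
)

# Constructed sample: six failures from the IP named in the post, one failed
# attempt from a legitimate phone (192.0.2.10), and one unrelated VERBOSE line.
SAMPLE_LOG = [
    "[Jun 30 10:00:0%d] NOTICE[2345] chan_sip.c: Registration from "
    "'\"211\" <sip:211@69.13.xx.xxx>' failed for '74.52.112.162' - Wrong password" % i
    for i in range(6)
] + [
    "[Jun 30 10:00:07] NOTICE[2345] chan_sip.c: Registration from "
    "'\"205\" <sip:205@69.13.xx.xxx>' failed for '192.0.2.10' - Wrong password",
    "[Jun 30 10:00:08] VERBOSE[2345] chan_sip.c: -- Registered SIP '205' "
    "at 192.0.2.10 port 5060",
]


def parse_failures(lines):
    """Return {source_ip: number_of_failed_registrations} for the given log lines."""
    counts = defaultdict(int)
    for line in lines:
        match = FAILED_RE.search(line)
        if match:
            counts[match.group("ip")] += 1
    return dict(counts)


def offenders(counts, threshold):
    """IPs whose failure count reached the threshold, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def iptables_rules(ips, port=5060):
    """Build one INPUT DROP rule per offending IP for UDP SIP signalling."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    # Stand-alone run: prints the rule(s) an operator would apply or feed to a cron job.
    for rule in iptables_rules(offenders(parse_failures(SAMPLE_LOG), threshold=5)):
        print(rule)
```

fail2ban implements the same loop (tail the log, match a failure pattern, ban the source with iptables after N hits in a window) and also expires bans, which this script does not.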
