[asterisk-users] sip extension compromised, need help blocking brute force attempts

David Backeberg dbackeberg at gmail.com
Mon Jun 30 13:31:32 CDT 2008


Do a reverse lookup on your attacker.
Then find their ISP.
Then file an abuse complaint.

On Mon, Jun 30, 2008 at 12:15 PM, spectro <spectro at gmail.com> wrote:
> Hello, yesterday one of the extensions on my asterisk server got
> compromised by a brute-force attack. The attacker used it to try to pull an
> identity theft scam playing a recording from a bank "your account has
> been blocked due to unusual activity, please call this number..."
>
> Attacker managed to make lots of calls for around 8 hours before I
> detected it and changed the password for that extension. As of this
> morning it is still attempting to brute force the password for that
> extension again. I need a way to block that IP from connecting to my
> asterisk server, please advise.
>
> --- sip debug ---
> Using INVITE request as basis request -
> 49f272293cd248d6174ceddf3eef1575 at 69.13.xx.xxx
> Sending to 74.52.112.162 : 5060 (NAT)
> Found user '211'
> Reliably Transmitting (NAT) to 74.52.112.162:5060:
> SIP/2.0 403 Forbidden
> Via: SIP/2.0/UDP
> 74.52.112.162:5060;branch=z9hG4bK3b28fa36;received=74.52.112.162;rport=5060
> From: "ASLPLS" <sip:211 at 69.13.xx.xxx>;tag=as130a4d39
> To: <sip:19037292454 at 69.13.xx.xxx>;tag=as0c69057b
> Call-ID: 49f272293cd248d6174ceddf3eef1575 at 69.13.xx.xxx
> CSeq: 103 INVITE
> User-Agent: Asterisk PBX
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
> Contact: <sip:19037292454 at 69.13.xx.xxx>
> Content-Length: 0
> --- sip debug ---
>
> That box is currently running Trixbox 1.2.3. I have iptables disabled.
> If anybody can give me a simple ruleset that allows all traffic except
> ip 74.52.112.162 to port 5060 I will really appreciate it.
>
> Are there mechanisms in Asterisk to detect and automatically block
> these brute force attempts?
>
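
The automatic detection asked about in the quoted message, as an added example that is not part of the original thread: it counts `403 Forbidden` responses per peer in `sip debug` output and builds an iptables DROP rule for each address over a threshold. The log layout is assumed from the excerpt above; the threshold, the allowlist and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Header printed before an outgoing SIP message (layout assumed from the post's excerpt).
TRANSMIT_RE = re.compile(r"Transmitting \((?:no )?NAT\) to (\d{1,3}(?:\.\d{1,3}){3}):\d+")
STATUS_RE = re.compile(r"^SIP/2\.0 (\d{3}) ")

def count_rejections(lines, status="403"):
    """Count responses carrying `status` that were sent to each peer IP."""
    counts, peer = Counter(), None
    for raw in lines:
        line = raw.strip()
        header = TRANSMIT_RE.search(line)
        if header:
            peer = header.group(1)
            continue
        if peer is not None and line:
            # The status line is the first non-empty line after the header.
            found = STATUS_RE.match(line)
            if found and found.group(1) == status:
                counts[peer] += 1
            peer = None
    return counts

def block_rules(counts, threshold=5, allow=("192.168.0.0/16",)):
    """Return iptables commands for peers at or over `threshold` rejections."""
    allowed = [ipaddress.ip_network(net) for net in allow]
    rules = []
    for ip, hits in sorted(counts.items()):
        try:
            addr = ipaddress.ip_address(ip)  # never paste unvalidated log text into a command
        except ValueError:
            continue
        if hits < threshold or any(addr in net for net in allowed):
            continue  # skip one-off failures and local phones with a mistyped secret
        rules.append(f"iptables -I INPUT -s {addr} -p udp --dport 5060 -j DROP")
    return rules

def _msg(ip, status):
    return [f"Reliably Transmitting (NAT) to {ip}:5060:", f"SIP/2.0 {status}",
            "CSeq: 103 INVITE", ""]

# Constructed sample: the address from the post, one local phone, one single failure.
SAMPLE = (_msg("74.52.112.162", "403 Forbidden") * 6 + _msg("74.52.112.162", "200 OK")
          + _msg("192.168.1.20", "403 Forbidden") * 6 + _msg("203.0.113.9", "403 Forbidden"))

if __name__ == "__main__":
    print("\n".join(block_rules(count_rejections(SAMPLE))))
```

The rules are returned as text so they can be reviewed before being applied.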


