[asterisk-users] sip extension compromised, need help blocking brute force attempts

Mark Hamilton mark.h at cage151.com
Mon Jun 30 14:33:28 CDT 2008


# SIP in the trace below is UDP (Via: SIP/2.0/UDP), so do not limit this to -p tcp
iptables -A INPUT -s 74.52.112.162 -j DROP
Good luck.

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of spectro
Sent: June 30, 2008 12:15 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] sip extension compromised, need help blocking
brute force attempts

Hello, yesterday one of the extensions on my asterisk server got
compromised by brute-force attack. The attacker used it to try to pull an
identity theft scam playing a recording from a bank "your account has
been blocked due to unusual activity, please call this number..."

Attacker managed to make lots of calls for around 8 hours before I
detected it and changed the password for that extension. As of this
morning it is still attempting to brute force the password for that
extension again. I need a way to block that IP from connecting to my
asterisk server, please advise.

--- sip debug ---
Using INVITE request as basis request -
49f272293cd248d6174ceddf3eef1575 at 69.13.xx.xxx
Sending to 74.52.112.162 : 5060 (NAT)
Found user '211'
Reliably Transmitting (NAT) to 74.52.112.162:5060:
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 74.52.112.162:5060;branch=z9hG4bK3b28fa36;received=74.52.112.162;rport=5060
From: "ASLPLS" <sip:211 at 69.13.xx.xxx>;tag=as130a4d39
To: <sip:19037292454 at 69.13.xx.xxx>;tag=as0c69057b
Call-ID: 49f272293cd248d6174ceddf3eef1575 at 69.13.xx.xxx
CSeq: 103 INVITE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Contact: <sip:19037292454 at 69.13.xx.xxx>
Content-Length: 0
--- sip debug ---

That box is currently running Trixbox 1.2.3. I have iptables disabled.
If anybody can give me a simple ruleset that allows all traffic except
ip 74.52.112.162 to port 5060 I will really appreciate it.

Are there mechanisms in Asterisk to detect and automatically block
these brute force attempts?
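Added example (not part of the thread, and not Asterisk or Trixbox code): the Asterisk of that era has no built-in auto-blocking, so the usual answer to the second question is a log-driven blocker of the kind fail2ban automates. The script below does the same thing in plain sh: it counts failed SIP registrations per source address in the chan_sip NOTICE lines, then emits (or with APPLY=1 runs) iptables rules for any address over a threshold. The log format is assumed to be the "Registration from '...' failed for '<ip>' - <reason>" NOTICE lines that chan_sip writes to /var/log/asterisk/full; the sample lines and the 192.168.1.50 address are constructed for the example. Note the rules cover UDP as well as TCP, because the debug trace in the thread shows SIP arriving over UDP.

```shell
#!/bin/sh
# Constructed sample of chan_sip NOTICE lines (assumed format of the
# "Registration from ... failed for '<ip>'" messages in /var/log/asterisk/full).
sample_log() {
cat <<'EOF'
[Jun 30 09:01:02] NOTICE[2105] chan_sip.c: Registration from '"211" <sip:211@69.13.0.1>' failed for '74.52.112.162' - Wrong password
[Jun 30 09:01:03] NOTICE[2105] chan_sip.c: Registration from '"211" <sip:211@69.13.0.1>' failed for '74.52.112.162' - Wrong password
[Jun 30 09:01:03] NOTICE[2105] chan_sip.c: Registration from '"211" <sip:211@69.13.0.1>' failed for '74.52.112.162' - Wrong password
[Jun 30 09:01:04] NOTICE[2105] chan_sip.c: Registration from '"212" <sip:212@69.13.0.1>' failed for '74.52.112.162' - No matching peer found
[Jun 30 09:01:04] NOTICE[2105] chan_sip.c: Registration from '"211" <sip:211@69.13.0.1>' failed for '74.52.112.162' - Wrong password
[Jun 30 09:02:10] NOTICE[2105] chan_sip.c: Registration from '"100" <sip:100@69.13.0.1>' failed for '192.168.1.50' - Wrong password
[Jun 30 09:05:00] NOTICE[2105] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)
EOF
}

# Read a log on stdin and print "count ip" for every source address with at
# least $1 failed registrations (default 5), most active first.
sip_bruteforcers() {
    threshold=${1:-5}
    awk -v t="$threshold" '
        /chan_sip.c: Registration from .* failed for / {
            # the source address is the single-quoted token after "failed for";
            # matching only that part keeps a quote in the display name harmless
            if (match($0, /failed for '\''[0-9.]+'\''/)) {
                ip = substr($0, RSTART + 12, RLENGTH - 13)
                n[ip]++
            }
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

# Print (or, with APPLY=1, execute) the iptables rules that drop SIP from one
# address. -I puts the rule at the top of INPUT so it wins over any ACCEPT
# rule already there; both transports are covered because the trace shows
# the attacker using UDP, which a tcp-only rule would not touch.
block_sip_from() {
    for proto in udp tcp; do
        rule="iptables -I INPUT -p $proto -s $1 --dport 5060 -j DROP"
        if [ "${APPLY:-0}" = 1 ]; then $rule; else echo "$rule"; fi
    done
}

# On the box you would feed the real log instead of the sample:
#   tail -n 5000 /var/log/asterisk/full | sip_bruteforcers 5 | while read -r n ip; do block_sip_from "$ip"; done
main() {
    sample_log | sip_bruteforcers 5 | while read -r count ip; do
        echo "# $count failed attempts from $ip"
        block_sip_from "$ip"
    done
}

main
```

Run it once without APPLY to see which rules it would add, then from cron with APPLY=1; the threshold should be high enough that a user mistyping a password a few times is not locked out, and the generated rules should be saved (iptables-save) so they survive a reboot.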
