[asterisk-users] sip extension compromised, need help blocking brute force attempts

Duncan Turnbull duncan at e-simple.co.nz
Mon Jun 30 16:31:27 CDT 2008


Try some of the shell scripts in the asteriskcookbook recipe heap

http://asteriskcookbook.com/wiki/index.php/RecipeHeap

Specifically
http://asteriskcookbook.com/wiki/index.php/Asterisk_Brute_Force_Prevention

Cheers Duncan

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Mark Hamilton
Sent: Tuesday, 1 July 2008 07:33
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: Re: [asterisk-users] sip extension compromised,need help blocking brute force attempts

iptables -A INPUT -p tcp -s 74.52.112.162 -j DROP
Good luck.

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of spectro
Sent: June 30, 2008 12:15 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] sip extension compromised, need help blocking
brute force attempts

Hello, yesterday one of the extensions on my asterisk server got
compromised by brute-force attack. The attacker used it to try pull an
identity theft scam playing a recording from a bank "your account has
been blocked due to unusual activity, please call this number..."

Attacker managed to make lots of calls for around 8 hours before I
detected it and changed the password for that extension. As of this
morning it is still attempting to brute force the password for that
extension again. I need a way to block that IP from connecting to my
asterisk server, please advice.

--- sip debug ---
Using INVITE request as basis request -
49f272293cd248d6174ceddf3eef1575 at 69.13.xx.xxx
Sending to 74.52.112.162 : 5060 (NAT)
Found user '211'
Reliably Transmitting (NAT) to 74.52.112.162:5060:
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP
74.52.112.162:5060;branch=z9hG4bK3b28fa36;received=74.52.112.162;rport=5060
From: "ASLPLS" <sip:211 at 69.13.xx.xxx>;tag=as130a4d39
To: <sip:19037292454 at 69.13.xx.xxx>;tag=as0c69057b
Call-ID: 49f272293cd248d6174ceddf3eef1575 at 69.13.xx.xxx
CSeq: 103 INVITE
User-Agent: Asterisk PBX
llow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Contact: <sip:19037292454 at 69.13.xx.xxx>
Content-Length: 0
--- sip debug ---

That box is currently running Trixbox 1.2.3. I have iptables disabled.
If anybody can give me a simple ruleset that allows all traffic except
ip 74.52.112.162 to port 5060 I will really appreciate it.

Are there mechanisms in Asterisk to detect and automatically block
these brute force attempts?

_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

AstriCon 2008 - September 22 - 25 Phoenix, Arizona
Register Now: http://www.astricon.net

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

AstriCon 2008 - September 22 - 25 Phoenix, Arizona
Register Now: http://www.astricon.net

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users




More information about the asterisk-users mailing list