[asterisk-users] Hacked

ContactTel Business lists at contacttel.com
Wed Apr 8 17:58:49 CDT 2009


Nice, share the knowledge and send the fail2ban rule ;) I'll post mine.

 

From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Jaswinder
Singh
Sent: April-08-09 5:34 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Hacked

 

Here's what fail2ban service caught

The IP 89.111.184.221 has just been banned by Fail2Ban after
80 attempts against ASTERISK.





On Wed, Apr 8, 2009 at 7:01 PM, Tilghman Lesher
<tilghman at mail.jeffandtilghman.com> wrote:

On Tuesday 07 April 2009 11:28:52 Tilghman Lesher wrote:
> The recent vulnerability had nothing to do with this, but with the ability
> of an attacker to scan a SIP server for legitimate usernames and passwords.
> This, by the way, merely took advantage of the SIP protocol, as written.
> Normally, SIP allows you to differentiate between invalid usernames (404)
> and invalid passwords (403).  What we closed in the recent vulnerability
> patch was to allow administrators to send back 403, regardless of whether
> the username existed or not.

By the way, I am VASTLY oversimplifying the return codes here for the sake of
clarity.  The actual return code is based upon a number of factors, but it is
modeled to return the same responses as would a bad password with a legitimate
user account (thus making it impossible, externally, to tell the difference
between a legitimate user account and a non-existent user account).


--
Tilghman
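
Added example, not part of the original thread and not any poster's fail2ban configuration: a Python version of the per-IP counting a fail2ban-style filter does over Asterisk registration failures, treating "wrong password" and "unknown user" failures alike and also reporting how many distinct usernames each source tried. The chan_sip NOTICE line format is an assumption (the thread quotes no log lines); the log lines, the documentation-range IP addresses and the names `summarize` and `sample_log` are constructed, and the threshold of 80 mirrors the ban notice quoted above.

```python
import re
from collections import defaultdict

# Assumed chan_sip NOTICE format; the thread itself does not quote any log lines.
FAIL_RE = re.compile(
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?'"
    r" - (?P<reason>Wrong password|No matching peer found)"
)
USER_RE = re.compile(r"sips?:([^@>;]+)@")

def summarize(lines, max_retry=80):
    """Return {ip: {"attempts": n, "users": set, "ban": bool}} for failed REGISTERs."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "ban": False})
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue  # not a registration failure
        entry = stats[m.group("ip")]
        entry["attempts"] += 1  # both failure reasons count the same
        u = USER_RE.search(m.group("from"))
        if u:
            entry["users"].add(u.group(1))  # many distinct names suggests username scanning
        entry["ban"] = entry["attempts"] >= max_retry
    return dict(stats)

def sample_log():
    """Constructed log: one source walking extensions, one user mistyping a password."""
    lines = []
    for i in range(80):
        reason = "Wrong password" if i % 10 == 0 else "No matching peer found"
        lines.append(
            f"[2009-04-08 17:00:{i % 60:02d}] NOTICE[2104] chan_sip.c: Registration from "
            f"'\"{100 + i}\" <sip:{100 + i}@203.0.113.10>' failed for '192.0.2.50' - {reason}"
        )
    for _ in range(3):
        lines.append(
            "[2009-04-08 17:05:00] NOTICE[2104] chan_sip.c: Registration from "
            "'<sip:201@203.0.113.10>' failed for '198.51.100.7' - Wrong password"
        )
    lines.append("[2009-04-08 17:06:00] NOTICE[2104] chan_sip.c: Peer '201' is now Reachable. (12ms / 2000ms)")
    return lines

if __name__ == "__main__":
    for ip, s in summarize(sample_log()).items():
        verdict = "BAN" if s["ban"] else "ok"
        print(ip, s["attempts"], "attempts,", len(s["users"]), "usernames,", verdict)
```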
