[asterisk-users] Is there a public blacklist of hackers' IP addresses?

Anthony Plack tony at plack.net
Tue Mar 24 08:24:43 CDT 2009


> On Tue, Mar 24, 2009 at 8:10 AM, Tilghman Lesher
> <tilghman at mail.jeffandtilghman.com> wrote:
>> There are 4 billion possible IP addresses.  To successfully block all possible
>> hackers, you must block 4 billion of them.  Seriously.  Even your own computer
>> is a possible source of hacking to other locations.
>
> In that case, why not just pull the ethernet cable from the router?
> That will block all spam, hacker attempts and viruses for free.
>
> I use spamcop.net for email blocking and it works very well,
> especially if you participate by feeding the list. I've reported over
> 30,000 spam emails. Spamcop processes the headers intelligently and it
> figures out the actual originating IP.  There is no reason why a
> properly formed list couldn't be helpful. It wouldn't put an end to
> problems, but it could be one arm in a defensive system.
>

You are assuming that Asterisk even notifies you of a bad SIP extension.  Currently, I have only seen the 1.4 and earlier branches report if the SIP fails to connect with an established authentication/secret key or, heaven forbid, a registered phone doesn't match the digest (which fails registration only to be successfully registered again... pointless).

If I go after my server with SJPhone on a Direct SIP call and a bogus line, with verbose set to 100, I get this cryptic message.

	[Mar 24 07:43:51] NOTICE[6061]: chan_sip.c:14634 handle_request_invite: Call from '' to extension '34235' rejected because extension not found.   {yes, there is nothing in-between the quotes, I didn't remove it, this is how it is}

and then shortly thereafter

	[Mar 24 07:44:11] WARNING[6061]: chan_sip.c:1976 retrans_pkt: Maximum retries exceeded on transmission 699D070E58644E7CA07285C71673D5100xc0a8a864 for seqno 1 (Critical Response) -- See doc/sip-retransmit.txt.

Needless to say, this is after 7-8 SIP 404 messages have been sent for the same thing, so I have no idea how many attempts are made.  There are many SIP responses I have seen on trace routes that are not even displayed, like 484.  My verbose level may not have been sufficient, I realize, but it is kind of spooky.  Sure, 484 is useful, but hacker friendly.

Any attempt to get Asterisk hacker-proof has to start with notification, otherwise I am fighting ghosts.

So, being a person that seeks solutions and not problems, what about a logging option similar to the CDR or Apache2 logging?

Best case, I provide Asterisk with a list of SIP codes I want to track.  Asterisk then provides me with a log file indicating the details:
Time Date
IP address
From
To
Result
etc.

Something standard so I can get a tool like fail2ban around the issue.
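To make the proposal above concrete, here is an added example (not part of the original post, and not Asterisk or fail2ban code) of the kind of tool that could be put "around the issue" once a structured log exists. The line format it parses (timestamp, source IP, From, To, SIP result code on one line) is an assumption that follows the field list in the post, not any format Asterisk actually emits; the sample log lines are constructed for the demonstration. The detector applies the same maxretry-within-findtime counting that fail2ban uses, so that a source sending a burst of 404/484-producing requests is flagged even though each individual rejection looks harmless.

```python
"""Parse a hypothetical structured SIP rejection log and apply fail2ban-style
thresholding (maxretry within findtime).

Added example only: the log format, field names and sample lines below are
assumptions for illustration, not an Asterisk log format or captured output.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed line format: ISO timestamp, source IP, From, To, 3-digit SIP result.
# From may legitimately be empty, as in the NOTICE quoted in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"from=(?P<frm>\S*) to=(?P<to>\S*) result=(?P<code>\d{3})$"
)

# Constructed sample log (not real traffic): one scanner walking extensions
# from 192.0.2.10, and one legitimate user at 198.51.100.7 mistyping once.
SAMPLE_LOG = """\
2009-03-24T07:43:51 192.0.2.10 from= to=34235 result=404
2009-03-24T07:43:52 192.0.2.10 from= to=34236 result=404
2009-03-24T07:43:53 192.0.2.10 from= to=34237 result=484
2009-03-24T07:43:54 192.0.2.10 from= to=34238 result=404
2009-03-24T07:43:55 192.0.2.10 from= to=34239 result=404
2009-03-24T07:50:00 198.51.100.7 from=1001 to=2002 result=404
2009-03-24T07:55:00 198.51.100.7 from=1001 to=2003 result=200
this line is not in the expected format and must be skipped
"""


def parse_line(line):
    """Return a dict with ts (datetime), ip, frm, to, code (int), or None
    if the line does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    rec["code"] = int(rec["code"])
    return rec


def count_by_ip(log_text, watch_codes=(404, 484)):
    """Total number of watched results per source IP, i.e. the 'how many
    attempts were made' figure the console output does not give."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["code"] in watch_codes:
            counts[rec["ip"]] += 1
    return dict(counts)


def find_offenders(log_text, watch_codes=(404, 484), maxretry=5, findtime=600):
    """Return {ip: timestamp_of_trigger} for every IP that produced at least
    maxretry watched results inside a sliding window of findtime seconds.
    This is the maxretry/findtime rule fail2ban applies per jail."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    offenders = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["code"] not in watch_codes:
            continue
        ip = rec["ip"]
        if ip in offenders:
            continue  # already flagged; a real tool would have banned it
        q = recent[ip]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # drop hits older than findtime
        if len(q) >= maxretry:
            offenders[ip] = rec["ts"]
    return offenders


if __name__ == "__main__":
    print("watched results per IP:", count_by_ip(SAMPLE_LOG))
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"would ban {ip} at {when.isoformat()}")
```

Run against the constructed log, the scanner at 192.0.2.10 is flagged on its fifth rejection while the single 404 from 198.51.100.7 stays below the threshold. The same structure (one regex for the agreed format, a per-source sliding window, a ban action) is what a fail2ban filter and jail would express in configuration once Asterisk writes a line per rejected request with the source IP on it.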
