[asterisk-users] Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny
Gordon Henderson
gordon+asterisk at drogon.net
Mon Aug 30 07:19:15 CDT 2010
On Mon, 30 Aug 2010, Nikhil Nair wrote:
> Hi,
>
> I've recently had a fairly prolonged SIP registration attack, 18 hours in
> this case and often with 200 attempts per second, and suspect I've had a
> number of these in the past.
Almost everyone has - read the fine archives, then google for sipvicious
because that's what they're using.
18 hours, eh? This recent one broke my record - just under 3 days. See
this:
http://unicorn.drogon.net/hack1.png
Green is inbound - all from one site belonging to a Romanian telephone/ISP
- sustained from Thursday evening until Sunday lunchtime.
The real issue here is that most of the hackers I've had attack me and my
clients are using an older version of sipvicious - and the problem with
that is that it will not go away when you firewall it, so using fail2ban,
etc. is a waste of time against it - it might protect your asterisk box,
but it won't protect your network. In the above case I had, I added
firewalling into the router where the blue-line output line went to zero
on Thursday evening (I was playing with it on Friday morning which is why
there's output from it then).
However, because the ISP in this case counts all traffic coming in, it
counted against their monthly allowance - that for me and my clients is
going to be the killer more than anything else - we can firewall against
these things, but sipvicious doesn't care - it just keeps on pumping the
data towards you and your ISP keeps on incrementing the counters and
billing you for it (and I've yet to find a UK ISP who will put in a block
at their border against this sort of thing - actually, I know one, but
they're too expensive for most).
At least the older versions of sipvicious behave this way, but when do
criminals bother to upgrade their software? They don't seem to care -
they've already stolen resources, so it's no big issue to them.
This problem is not going to go away - if anything, I reckon it will get
worse in the near future. Fail2ban, etc. is not going to protect you from
broken versions of sipvicious. Anyone who cannot firewall their inbound
SIP port to a known set of IP addresses is inviting attack, and they will
be attacked. The sipvicious tools make scanning very easy indeed, so you
will have to take additional measures if you want to save your bandwidth
and sanity.
So.. Get a copy of the sipvicious code from http://blog.sipvicious.org/
(or directly from http://code.google.com/p/sipvicious/ ) and learn how to
use svcrash.py as that's the only thing that's going to ultimately stop a
long-term attack on your site. For now, anyway.
Gordon
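An added detection example, not from Gordon's post nor from the Asterisk, fail2ban or sipvicious projects: a Python script that parses constructed Asterisk 1.4-style chan_sip failed-registration lines and reports, per source address, the attempt count, the number of distinct usernames tried and the peak attempts in a single second, which is the enumeration signature a registration scan leaves in the log. The log layout, the thresholds and the sample addresses are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the Asterisk 1.4 chan_sip "Registration from ... failed"
# layout; the exact wording varies by version, so treat the format as an assumption.
SAMPLE_LOG = """\
[Aug 30 07:19:15] NOTICE[2345] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Aug 30 07:19:15] NOTICE[2345] chan_sip.c: Registration from '"1002" <sip:1002@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Aug 30 07:19:15] NOTICE[2345] chan_sip.c: Registration from '"1003" <sip:1003@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Aug 30 07:19:16] NOTICE[2345] chan_sip.c: Registration from '"1004" <sip:1004@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Aug 30 07:19:16] NOTICE[2345] chan_sip.c: Registration from '"1005" <sip:1005@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Aug 30 07:20:02] NOTICE[2345] chan_sip.c: Registration from '"alice" <sip:alice@192.0.2.10>' failed for '203.0.113.5' - Wrong password
"""
# Timestamp to the second, the registering From header, and the source IP.
# Newer Asterisk versions append ':port' after the IP; the optional group absorbs it.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[^':]+)(?::\d+)?'"
)
USER_RE = re.compile(r"sip:([^@>]+)@")

def parse_failures(text):
    """Yield (timestamp, source_ip, username) for each failed-registration line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        u = USER_RE.search(m.group("from"))
        yield m.group("ts"), m.group("ip"), (u.group(1) if u else "?")

def flood_report(text, per_second=3, user_spread=3):
    """Per source: attempts, distinct usernames tried, peak attempts in one second.
    Flag a scan on either threshold: a misconfigured phone retries one username slowly."""
    attempts, users, per_sec = Counter(), defaultdict(set), defaultdict(Counter)
    for ts, ip, user in parse_failures(text):
        attempts[ip] += 1
        users[ip].add(user)
        per_sec[ip][ts] += 1
    report = {}
    for ip, n in attempts.items():
        peak = max(per_sec[ip].values())
        spread = len(users[ip])
        report[ip] = {"attempts": n, "distinct_users": spread, "peak_per_second": peak,
                      "scan": peak >= per_second or spread >= user_spread}
    return report

if __name__ == "__main__":
    for ip, info in sorted(flood_report(SAMPLE_LOG).items()):
        print(ip, info)
```

In fail2ban terms LINE_RE is the failregex with the source IP as `<HOST>`, and the two thresholds play the role of maxretry and findtime; as the post points out, a ban only spares Asterisk the processing, it does not reduce the packets arriving at the line.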