[asterisk-users] Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny

J. Oquendo asterisk at tormenting.net
Mon Aug 30 11:48:54 CDT 2010


Gordon Henderson wrote:

> > So.. Get a copy of the sipvicious code from http://blog.sipvicious.org/
> > (or directly from http://code.google.com/p/sipvicious/ ) and learn how to
> > use svcrash.py as that's the only thing that's going to ultimately stop a
> > long-term attack on your site. For now, anyway.
> >
> > Gordon
You're wrong when you state: "that's the only thing that's going to
ultimately stop." The fact of the matter is, it's quite simple to block
attackers without relying on anything other than good old fashioned
systems/network administration.

From the onset, if possible, "block all" and "allow in whom_I_specify"
should be the Golden Rule in any environment; however, in the real world
there are times when we can't just do something as simple as that. So
what's the next best thing? Good old fashioned administration:

# tail -n 10 /var/log/asterisk/messages
[Aug 29 19:13:36] NOTICE[21056] chan_sip.c: Registration from '"yzlj"<sip:yzlj@208.50.53.107>' failed for '69.72.242.170' - No matching peer found
[Aug 29 19:13:36] NOTICE[21056] chan_sip.c: Registration from '"zdcu"<sip:zdcu@208.50.53.107>' failed for '69.72.242.170' - No matching peer found
[Aug 29 19:13:36] NOTICE[21056] chan_sip.c: Registration from '"zdur"<sip:zdur@208.50.53.107>' failed for '69.72.242.170' - No matching peer found
[Aug 29 19:13:36] NOTICE[21056] chan_sip.c: Registration from '"zmug"<sip:zmug@208.50.53.107>' failed for '69.72.242.170' - No matching peer found
[Aug 29 19:13:36] NOTICE[21056] chan_sip.c: Registration from '"zoej"<sip:zoej@208.50.53.107>' failed for '69.72.242.170' - No matching peer found
[Aug 29 19:13:36] NOTICE[21056] chan_sip.c: Registration from '"zpcp"<sip:zpcp@208.50.53.107>' failed for '69.72.242.170' - No matching peer found
[Aug 29 19:13:36] NOTICE[21056] chan_sip.c: Registration from '"zxnj"<sip:zxnj@208.50.53.107>' failed for '69.72.242.170' - No matching peer found
[Aug 29 19:13:36] NOTICE[21056] chan_sip.c: Registration from '"zygq"<sip:zygq@208.50.53.107>' failed for '69.72.242.170' - No matching peer found
[Aug 29 19:13:36] NOTICE[21056] chan_sip.c: Registration from '"zyjb"<sip:zyjb@208.50.53.107>' failed for '69.72.242.170' - No matching peer found
[Aug 29 19:13:36] NOTICE[21056] chan_sip.c: Registration from '"zynh"<sip:zynh@208.50.53.107>' failed for '69.72.242.170' - No matching peer found

How about a little cron script without having to install anything? You
could run it off the hour:

# Asterisk's default logger dateformat is "%b %e %T", so build the prefix
# the way it appears in the log ("Aug 29 19") and quote it, or grep splits it.
rightnow=`date "+%b %e %H"`

grep "$rightnow" /var/log/asterisk/messages |\
grep 'No matching peer found' |\
sed -n "s/.*failed for '\([0-9.]*\)'.*/\1/p" |\
sort -u | awk '{print "iptables -A INPUT -s "$1" -j DROP"}' | sh

I've done my own IPS/IDS and honeypots on Asterisk, and I can tell you
there are other ways to minimize the attempts and the attacks without
even running ANYTHING against your machine. I can tell you from
EXPERIENCE, and from watching and analyzing about 2-3 years' worth of VoIP
attacks, that you'd be extremely wrong to think that sipvicious is the only
tool in someone's arsenal. Secondly, I've seen patient attackers test
accounts one at a time, so don't think for a moment that by solely running
sipvicious and checking the results you're in the clear.


mysql> use arkeos

Database changed
mysql> select * from bruteforcers where start_date like '%2010-08%';
+------------------------------------------+------------+------------+------------+-----------+-----------------+----------+
| hostid                                   | start_date | start_time | stop_date  | stop_time | attacker        | attempts |
+------------------------------------------+------------+------------+------------+-----------+-----------------+----------+
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-02 | 12:28:22   | 2010-08-02 | 12:58:27  | 88.42.207.98    | 54644    |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-04 | 11:46:29   | 2010-08-04 | 11:48:18  | 93.35.113.170   | 9975     |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-04 | 13:08:48   | 2010-08-04 | 13:09:16  | 210.22.14.113   | 4187     |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-06 | 01:51:15   | 2010-08-06 | 02:26:43  | 187.63.73.3     | 142904   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-08 | 09:15:03   | 2010-08-08 | 09:15:03  | 125.71.212.123  | 1        |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-08 | 15:42:59   | 2010-08-08 | 17:07:54  | 217.174.169.29  | 108120   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-08 | 18:20:40   | 2010-08-08 | 18:53:58  | 61.218.212.75   | 79195    |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-08 | 19:07:25   | 2010-08-08 | 19:39:52  | 72.166.143.8    | 50073    |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-10 | 19:20:27   | 2010-08-10 | 19:21:02  | 61.164.41.144   | 2797     |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-11 | 10:54:14   | 2010-08-11 | 12:24:36  | 222.73.93.143   | 128352   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-11 | 16:07:32   | 2010-08-11 | 16:20:12  | 218.249.33.23   | 2029     |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-14 | 02:42:13   | 2010-08-14 | 02:42:49  | 85.25.20.51     | 3631     |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-15 | 12:50:13   | 2010-08-15 | 12:50:13  | 220.128.103.139 | 1        |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-15 | 15:55:48   | 2010-08-15 | 17:10:28  | 64.15.159.171   | 148217   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-16 | 09:40:00   | 2010-08-16 | 09:53:25  | 91.121.132.176  | 3039     |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-20 | 21:21:48   | 2010-08-20 | 21:30:44  | 115.146.19.233  | 32018    |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-21 | 22:59:17   | 2010-08-21 | 23:56:59  | 66.246.127.233  | 110170   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-22 | 14:35:34   | 2010-08-22 | 14:58:35  | 210.17.189.84   | 83977    |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-22 | 15:06:26   | 2010-08-22 | 16:27:03  | 209.172.57.41   | 144106   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-23 | 01:28:45   | 2010-08-23 | 01:28:45  | 82.201.218.31   | 1        |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-23 | 21:54:40   | 2010-08-23 | 23:14:47  | 64.22.82.135    | 167086   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-24 | 01:23:09   | 2010-08-24 | 01:23:09  | 62.84.34.18     | 1        |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-25 | 07:54:02   | 2010-08-25 | 07:55:54  | 38.99.168.133   | 16022    |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-25 | 17:19:20   | 2010-08-25 | 17:49:20  | 218.18.9.155    | 88302    |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-26 | 18:01:01   | 2010-08-26 | 19:36:12  | 208.86.252.86   | 166780   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-26 | 19:32:37   | 2010-08-26 | 21:08:50  | 86.122.211.134  | 113078   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-26 | 21:02:34   | 2010-08-26 | 21:02:50  | 173.1.78.157    | 2535     |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-26 | 21:33:23   | 2010-08-26 | 23:21:33  | 91.203.134.34   | 167334   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-26 | 22:47:08   | 2010-08-26 | 23:57:03  | 91.202.26.233   | 76167    |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-27 | 09:57:44   | 2010-08-27 | 10:48:07  | 66.197.145.85   | 228134   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-27 | 13:50:45   | 2010-08-27 | 13:50:47  | 119.255.6.100   | 315      |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-27 | 13:56:36   | 2010-08-27 | 14:16:48  | 119.145.9.190   | 96698    |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-27 | 21:23:11   | 2010-08-27 | 23:01:52  | 84.23.73.232    | 105549   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-29 | 06:50:41   | 2010-08-29 | 06:54:53  | 64.199.151.238  | 0        |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-29 | 06:50:41   | 2010-08-29 | 06:54:53  | 64.199.151.238  | 6168     |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-29 | 19:19:22   | 2010-08-29 | 19:36:39  | 69.72.242.170   | 115256   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-29 | 19:19:22   | 2010-08-29 | 19:36:39  | 69.72.242.170   | 6168     |
+------------------------------------------+------------+------------+------------+-----------+-----------------+----------+


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to ruin it.
If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
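Added example, not the cron script from the post above nor anything from the Asterisk project: a Python version of the same log-driven blocking that adds the checks a practitioner would want before piping rules into sh. It parses the "No matching peer found" NOTICE lines in the format the post shows (default Asterisk 1.4 logger dateformat, "%b %e %T", with no year in the log), blocks a source only after a threshold of failures in an hour so one mistyped password does not lock a real user out, skips allowlisted internal networks, and, for the "one account at a time" attackers the post describes, also flags sources that try several distinct peer names over a full day. The sample log lines are constructed; 69.72.242.170 is taken from the post, while 198.51.100.7, 192.0.2.10 and 10.0.0.5 are made-up documentation and private addresses.

```python
"""Threshold-based blocker for Asterisk 1.4 SIP registration failures.
Added example (not the list post's script): parses 'No matching peer
found' NOTICE lines, counts failures per source and emits iptables rules."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Asterisk's default logger dateformat is "%b %e %T"; the year is not logged,
# so the caller supplies it. The display name ("yzlj") is optional in the log.
LOG_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] "
    r"chan_sip\.c: Registration from '(?:\"(?P<user>[^\"]*)\")?<sip:(?P<uri>[^>]*)>' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})' - No matching peer found$"
)

def parse_line(line, year):
    """Return (timestamp, attempted peer name, source ip), or None for other lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    user = m.group("user") or m.group("uri").split("@", 1)[0]
    return ts, user, m.group("ip")

def parse_log(lines, year):
    return [e for e in (parse_line(l, year) for l in lines) if e]

def in_window(events, now, window):
    return [e for e in events if now - window <= e[0] <= now]

def brute_force_sources(events, now, window=timedelta(hours=1), threshold=5):
    """Sources with at least `threshold` failures in the window ending at `now`.
    The post's script blocks after a single failure; a threshold keeps one
    mistyped peer name from cutting off a legitimate phone."""
    counts = defaultdict(int)
    for _ts, _user, ip in in_window(events, now, window):
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def slow_scan_sources(events, now, window=timedelta(days=1), min_users=3):
    """Sources trying several distinct peer names over a long window: the
    patient scanner that never trips an hourly threshold."""
    users = defaultdict(set)
    for _ts, user, ip in in_window(events, now, window):
        users[ip].add(user)
    return {ip: len(u) for ip, u in users.items() if len(u) >= min_users}

def iptables_rules(ips, allowlist=()):
    """DROP rules for every ip not inside an allowlisted network."""
    nets = [ipaddress.ip_network(a) for a in allowlist]
    keep = [ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in nets)]
    return [f"iptables -A INPUT -s {ip} -j DROP"
            for ip in sorted(keep, key=ipaddress.ip_address)]

def _notice(ts, frm, ip):
    """Build one constructed log line in the post's format."""
    return (f"[{ts}] NOTICE[21056] chan_sip.c: Registration from '{frm}' "
            f"failed for '{ip}' - No matching peer found")

# Constructed sample log (year 2010, as in the post).
SAMPLE_LOG = (
    # burst: the post's scanner trying many peer names within one second
    [_notice("Aug 29 19:13:36", f'"{u}"<sip:{u}@208.50.53.107>', "69.72.242.170")
     for u in ("yzlj", "zdcu", "zdur", "zmug", "zoej")]
    # slow scan: one peer name every few hours, never five in one hour
    + [_notice(ts, f'"{u}"<sip:{u}@208.50.53.107>', "198.51.100.7")
       for ts, u in (("Aug 29 02:10:00", "100"), ("Aug 29 09:40:12", "101"))]
    + [_notice("Aug 29 17:05:44", "<sip:102@208.50.53.107>", "198.51.100.7")]
    # internal phone with a wrong peer name retrying every second (allowlisted)
    + [_notice(f"Aug 29 19:20:{s:02d}", '"alice"<sip:alice@208.50.53.107>', "10.0.0.5")
       for s in range(5)]
    # a single typo from a remote user, plus an unrelated log line the parser skips
    + [_notice("Aug 29 19:25:00", '"bob"<sip:bob@208.50.53.107>', "192.0.2.10"),
       "[Aug 29 19:21:00] VERBOSE[21056] logger.c: -- Registered SIP 'bob' at 192.0.2.10 port 5060"]
)
DEFAULT_NOW = datetime(2010, 8, 29, 20, 0, 0)

def run(lines=SAMPLE_LOG, year=2010, now=DEFAULT_NOW):
    """Return the iptables commands for every source flagged by either check."""
    events = parse_log(lines, year)
    flagged = set(brute_force_sources(events, now)) | set(slow_scan_sources(events, now))
    return iptables_rules(flagged, allowlist=("10.0.0.0/8",))

if __name__ == "__main__":
    print("\n".join(run()))
```

Run it from cron the way the post suggests and review the printed rules before piping them to sh. Note that `iptables -A` appends a fresh rule on every run, so a source seen in two consecutive hours ends up with duplicate rules; on a current iptables, check with `iptables -C` first, or keep the blocked set in an ipset.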



