[asterisk-users] Asterisk SIP attacks and sshguard

Gary Kuznitz docfxit at theoffice.la
Thu Dec 9 15:28:25 UTC 2010


I'm not sure if this is the log entry you are looking for.  I had many of these last 
night.

[Dec  9 06:47:51] NOTICE[5630]: chan_sip.c:15593 handle_request_register: Registration from '"106" <sip:106 at MyWanAddress>' failed for '121.11.158.174' - Wrong password

If you need more information from this Asterisk box let me know.  I need to find a 
way to block these also.

Gary

On 9 Dec 2010 at 7:57, Joe (Joe Greco <asterisk-users at lists.digium.com>) commented 
about [asterisk-users] Asterisk SIP attac:

> Hello,
> 
> We had been seeing SIP-guessing attacks on our Asterisk server here.
> 
> While it wasn't that hard to write a once-a-minute cron job to spank
> the lusers, that runs once a minute and creates little spikes in the
> usage and I/O graphs, and is slower to respond than I'd really prefer.
> I felt that it'd be much cooler to get something more comprehensive 
> put together.  We don't use fail2ban because I don't like having to 
> install python.
> 
> sshguard is a high-performance compiled C application that can run
> off a log file or a pipe from syslogd to sshguard, meaning that it
> can respond a lot more quickly than once a minute, and works with
> very modest overhead on the host system.  It also has features such
> as touchiness, so that it can get tougher on a miscreant as time goes
> on; my own shell script is naive in that once it passes a threshold,
> there's just a permanent rule generated.  This worries me if I ever
> have a situation where a legitimate remote client gets messed up and
> tries the wrong password or something like that; sshguard does a much
> nicer job in this regard.
> 
> In any case, my initial attempts to create rules for sshguard didn't
> work right, quite possibly because I don't often work in LEX/YACC.
> I submitted a request to the sshguard guys suggesting new rules.
> 
> http://www.sshguard.net/support/submission/detail/49ce7182028d8b6f3e3d/
> 
> and on their mailing list, a little more:
> 
> http://sourceforge.net/mailarchive/forum.php?thread_name=F4E10075-5D93-43B4-B73A-1FD217BE130D%40sshguard.net&forum_name=sshguard-users
> 
> In particular, they're looking for log examples of some of those 
> messages, but I have no idea how to generate the conditions that would
> cause these messages.  I'm also not sure if there's a way to disable
> color codes in the Asterisk log files; we log indirectly via BSD's
> "logger"
> 
> # asterisk -vvv 2>&1 | logger -t asterisk
> 
> so it may be thinking that the console is color-capable.  We use this
> method because this forces them through the syslog mechanism; we need 
> that for centralized logging, and it's handy for things like sshguard
> too.
> 
> Specifically looking for examples of (or how to generate)
> 
> 1)	.*No registration for peer '.*' (from <HOST>)
> 2)	.*Host <HOST> failed MD5 authentication for '.*' (.*)
> 3)	.*Failed to authenticate user .*@<HOST>.*
> 
> If anyone who is more familiar with the attacks or how to generate
> these messages would give me some assistance, or chime in on the
> sshguard-users list, that'd be most appreciated.
> 
> Thanks.
> 
> ... JG
> -- 
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
> With 24 million small businesses in the US alone, that's way too many apples.
> 
> -- 
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>                http://www.asterisk.org/hello
> 
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
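As an added defender-side example, not part of either message above: a small Python checker that strips Asterisk's console colour codes, matches Gary's "Wrong password" line and the three message forms Joe lists, extracts the remote host, and reports hosts at or above a failure threshold. The regexes, the sample log lines other than Gary's, the 192.0.2.0/24 addresses and the threshold are assumptions, and these are Python patterns rather than sshguard's own rule syntax.

```python
import re
from collections import Counter

# Asterisk writes console colour codes when it thinks the console is
# colour-capable (the "asterisk -vvv | logger" case above); strip them
# before matching so the escapes cannot break the patterns.
ANSI_RE = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")

HOST = r"(?P<host>[0-9a-fA-F.:]+)"  # IPv4 or IPv6 literal
# Gary's "Wrong password" line plus the three messages Joe asks about.
PATTERNS = [re.compile(p) for p in (
    r"Registration from '.*' failed for '" + HOST + r"' - Wrong password",
    r"No registration for peer '.*' \(from " + HOST + r"\)",
    r"Host " + HOST + r" failed MD5 authentication for '.*' \(.*\)",
    r"Failed to authenticate user .*@" + HOST,
)]


def offending_host(line):
    """Return the remote host named in a SIP auth-failure line, else None."""
    clean = ANSI_RE.sub("", line)
    for pat in PATTERNS:
        m = pat.search(clean)
        if m:
            return m.group("host")
    return None


def hosts_over_threshold(lines, threshold):
    """Count failures per host; return hosts with at least `threshold` hits."""
    counts = Counter(h for h in map(offending_host, lines) if h)
    return {h: n for h, n in counts.items() if n >= threshold}


# Constructed sample log: Gary's real line, then made-up lines (192.0.2.0/24
# is a documentation range), one of them wrapped in colour codes.
SAMPLE_LOG = [
    "[Dec  9 06:47:51] NOTICE[5630]: chan_sip.c:15593 handle_request_register: "
    "Registration from '\"106\" <sip:106@MyWanAddress>' failed for "
    "'121.11.158.174' - Wrong password",
    "\x1b[1;33m[Dec  9 06:47:52] NOTICE[5630]: chan_sip.c: "
    "No registration for peer '200' (from 121.11.158.174)\x1b[0m",
    "[Dec  9 06:47:53] NOTICE[5630]: chan_sip.c: Host 121.11.158.174 "
    "failed MD5 authentication for '106' (constructed digest)",
    "[Dec  9 06:47:54] NOTICE[5630]: chan_sip.c: "
    "Failed to authenticate user 201@192.0.2.10",
    "[Dec  9 06:47:55] NOTICE[5630]: chan_sip.c: Peer '100' is now Reachable",
]

if __name__ == "__main__":
    print(hosts_over_threshold(SAMPLE_LOG, 3))  # {'121.11.158.174': 3}
```

Feeding a live log through `offending_host` and acting only once a host passes the threshold mirrors the count-then-block behaviour Joe describes; an unrelated NOTICE line yields no host and is ignored.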
