[asterisk-users] one for your filters
Jeff LaCoursiere
jeff at sunfone.com
Wed Jun 23 13:20:18 CDT 2010
On Wed, 23 Jun 2010, Tarek Sawah wrote:
>
> you can start by simply telling us what the purpose of your server is..
> and does it have long distance or overseas?? do you use numeric
> usernames? simple passwords? passwords the same as your username? this
> way you can offer more info so we can help you. a quick answer will be..
> opening a few and blocking ALL is easier.. as you can have up to 400
> prefixes to block .. unless you call worldwide.. then you will have to
> block the countries you don't call .. another option.. make your
> usernames more complex.. letters and numbers.. an additional option is
> to use fail2ban with Asterisk support.. it will block the IP after the
> number of attempts you set in the configs. a client of mine wanted
> simple usernames and passwords to be set up using the keypad on the
> IP phones.. two months ago they had the same problem you faced.. $400 to
> Zimbabwe .. and later on $1200 to Zimbabwe.. their provider has a
> limit of 30 minutes per call .. so the caller had to redial.. unless
> it's automated. still you can provide us with more info.
> Regards
> -- Tarek Sawah
>
Well we run local dial tone service in the US Virgin Islands. So our
customers are connecting with ATAs, various models of Polycom phones, and
SIP trunks from a custom PBX we sell to hotels and businesses. They
connect from dynamic addresses most of the time, so we cannot apply any IP
based filters to their accounts, though we may be able to restrict them to
certain IP blocks. I'd rather not, since the upkeep would be quite a
hassle, and would remove their ability to take their ATAs traveling.
Our SIP usernames are their seven-digit phone numbers, which may have been
a bad choice, but most of the brute force attacks we have witnessed are
trying combinations of 3-digit extension numbers. I haven't seen anyone
try a brute force attack with 7 digits. The passwords are seven-character
auto-generated alphanumeric "gibberish", and it seems rather unlikely to
me that this account was broken by brute force trial and error. I'm still
investigating other methods... like perhaps they broke into my server
first and found the provisioning files. That would be bad.
All of that aside - I know there are various things I can do to tighten up
our SIP security.
My question was more geared towards what do people do to keep their
customers or employees from dialing toll numbers worldwide? I cannot
restrict my customers to calling a set of countries. But I would feel
justified in blocking toll numbers that I don't have a way of billing
back. I just don't know where to start to build such a filter list.
Surely other ITSPs have had to deal with this issue - fraud situations or
not. The US is easy - all toll numbers start with 1-900 (I think :).
Other countries are not so straightforward I understand.
Has anyone else tackled this problem?
Thanks,
j
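An added example of the kind of prefix filter asked about above; it is not code from this thread or from the Asterisk project. It is an outbound dialplan context that rejects the 1-900 premium range named in the message, passes domestic NANP numbers, and treats international dialing as deny-by-default with an explicit allow list (the "open a few, block all" approach from Tarek's reply). The context name, the trunk name (SIP/trunk) and the one allowed country prefix are assumptions.

```ini
; extensions.conf (added example, assumed names)
[outbound]
; 1. Premium-rate / toll numbers the ITSP cannot bill back.
;    Asterisk picks the most specific pattern, so this literal 1900
;    prefix wins over the generic NANP pattern below. Reject before
;    any Dial() and leave a log line for the fraud trail.
exten => _1900NXXXXXX,1,NoOp(Rejected premium-rate call from ${CALLERID(num)} to ${EXTEN})
exten => _1900NXXXXXX,n,Hangup(21)

; 2. Domestic NANP numbers: 1 + area code + 7 digits.
exten => _1NXXNXXXXXX,1,Dial(SIP/trunk/${EXTEN},60)
exten => _1NXXNXXXXXX,n,Hangup()

; 3. International via 011: only explicitly listed country prefixes.
;    The prefix below is an assumption; add one pair of lines per
;    country you have a billing arrangement for.
exten => _01144.,1,Dial(SIP/trunk/${EXTEN},60)
exten => _01144.,n,Hangup()

; 4. Every other international destination: deny by default.
;    Phones that dial with a leading + would need a matching _+X.
;    pattern as well; it is omitted here.
exten => _011X.,1,NoOp(Denied international call from ${CALLERID(num)} to ${EXTEN})
exten => _011X.,n,Hangup(21)
```

The filter only covers peers whose context= in sip.conf points at this context; a peer left in a catch-all outbound context bypasses it entirely.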