[asterisk-users] Interesting attack tonight & fail2ban them

Bruce B bruceb444 at gmail.com
Thu Dec 29 11:27:56 CST 2011


Maybe your logger is not set up properly? You should get the IP in logs. I
can't think of when you won't get the IP in your logs unless the SIP
packets are manipulated. That IP is from Voxel.net. You don't have a VPS or
service from them, do you?

2011/12/29 Michelle Dupuis <mdupuis at ocg.ca>

>  1. I checked the log and I don't see any registration attempt, so I
> *assume* they simply send an invite, and so they are in the
> external/outside context of my dialplan.  So they are trying to reach
> extensions which don't exist.  If they successfully registered they would be
> on the internal context, and their calls would have succeeded.  (Or am I
> missing something?).  I actually see nothing in the log but the notice (and
> nothing on the CLI but the notice)...so I assume it is only an invite?
>
> 2. I got their IP by turning on SIP DEBUG while they were attacking.
>
> 3. The NOTICE showed a call from '' - what normally goes there?  I can't
> reproduce this NOTICE so I'm not sure what causes it to be recorded.
> Normal calls show "Accepting AUTHENTICATED call from x.x.x.x"
>
> I'm thinking of using SIPCHANINFO and LOG to log the bad attempts, and let
> fail2ban takeover from there.
>
> Thanks
>
>  ------------------------------
> *From:* asterisk-users-bounces at lists.digium.com [
> asterisk-users-bounces at lists.digium.com] On Behalf Of Mikhail Lischuk [
> mlischuk at itx.com.ua]
> *Sent:* Thursday, December 29, 2011 4:14 AM
>
> *To:* Asterisk Users List
> *Subject:* Re: [asterisk-users] Interesting attack tonight & fail2ban them
>
>   Jeroen Eeuwes wrote on 29.12.2011 07:29:
>
> Probably my understanding is limited, but it seems to me that they
> have already 'access' to your Asterisk for them to be able to try to
> make outgoing calls. Wouldn't it be better to make sure they get the
> "usual" errors like "Registration from failed - no matching peer
> found"?
>
> In other words, how did they get this far in the first place?
>
> Best regards,
> Jeroen Eeuwes
>
>
>  Agreed. If you didn't get the "Failed to authenticate on INVITE" (or
> whatever error Asterisk should log for a non-authenticated user trying to
> place a call, I might be wrong here) - your problem is way more serious.
>
> As I can advise you from my vast (despite not always successful)
> intruder-fighting experience - banning by user agent can help. I always
> dreamed of Asterisk implementing that, but until then - if all your users
> are like "Linksys blablabla" or "eyeBeam blablabla" and you see any other
> agent in the Asterisk log - just ban it. Of course, there are 2 limitations:
>
> 1) If he doesn't register, Asterisk won't show his user agent in the log. And as
> for your issue - neither will it show the IP. I think we might ask the devs to
> correct that some day.
>
> 2) If you don't have some standard for user SIP devices and they use
> whatever they want to, it won't help either.
>
> --
> With Best Regards
> Mikhail Lischuk <mlischuk at itx.com.ua>
>
> ITX Ukraine
>
>
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>               http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users
>
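The approach discussed in this thread (log each unauthenticated attempt from the outside context with the source address, then let fail2ban count and ban) is shown below as an added example; it is not code from the thread, from Asterisk or from fail2ban. The log lines are constructed: the "Registration from ... failed for ..." shape follows chan_sip's real message, the "Unauthenticated INVITE" lines are what a hypothetical dialplan entry like `exten => _X.,1,Log(NOTICE,Unauthenticated INVITE from ${SIPCHANINFO(recvip)} to ${EXTEN})` would emit, and the prefix layout should be checked against your own Asterisk version before the patterns are used in a jail. The example also covers two edge cases the thread raises: a NOTICE with no IP at all ("Call from ''") cannot feed a ban, and an attacker-controlled From header can contain fake "failed for" text, so the pattern must take the address Asterisk appended last and anchor on the end of the line.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Asterisk log (not from the original post). 203.0.113.5
# and 198.51.100.7 hammer quickly, 203.0.113.9 probes slowly, 203.0.113.77
# sends a From header that mimics a failure line naming the legitimate
# peer 192.0.2.10, and the final line has no address to ban at all.
SAMPLE_LOG = """\
[2011-12-29 03:14:05] NOTICE[2345] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[2011-12-29 03:14:06] NOTICE[2345] chan_sip.c: Registration from '"101"<sip:101@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[2011-12-29 03:14:07] NOTICE[2345] chan_sip.c: Registration from '"102"<sip:102@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[2011-12-29 03:20:01] NOTICE[2345]: Ext. 0011234567890:1 @ from-external: Unauthenticated INVITE from 198.51.100.7 to 0011234567890
[2011-12-29 03:20:02] NOTICE[2345]: Ext. 0011234567891:1 @ from-external: Unauthenticated INVITE from 198.51.100.7 to 0011234567891
[2011-12-29 03:20:03] NOTICE[2345]: Ext. 0011234567892:1 @ from-external: Unauthenticated INVITE from 198.51.100.7 to 0011234567892
[2011-12-29 03:20:04] NOTICE[2345]: Ext. 0011234567893:1 @ from-external: Unauthenticated INVITE from 198.51.100.7 to 0011234567893
[2011-12-29 03:25:00] NOTICE[2345] chan_sip.c: Accepting AUTHENTICATED call from 192.0.2.10
[2011-12-29 03:30:00] NOTICE[2345] chan_sip.c: Registration from '"103"<sip:103@192.0.2.10>' failed for '203.0.113.9' - No matching peer found
[2011-12-29 04:30:00] NOTICE[2345] chan_sip.c: Registration from '"104"<sip:104@192.0.2.10>' failed for '203.0.113.9' - No matching peer found
[2011-12-29 05:30:00] NOTICE[2345] chan_sip.c: Registration from '"105"<sip:105@192.0.2.10>' failed for '203.0.113.9' - No matching peer found
[2011-12-29 05:40:00] NOTICE[2345] chan_sip.c: Registration from '' failed for '192.0.2.10' - No matching peer found' failed for '203.0.113.77' - No matching peer found
[2011-12-29 05:41:00] NOTICE[2345] chan_sip.c: Call from '' to extension '0011234567894' rejected because extension not found in context 'from-external'.
"""

TS = r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\]"

# Failure patterns. The Registration pattern uses a greedy '.*' and anchors
# on the end of the line on purpose: the From header is attacker-controlled,
# so only the "failed for '<ip>'" that Asterisk itself appends last may be
# trusted. The second pattern matches the hypothetical dialplan Log() line.
FAILREGEX = [
    re.compile(TS + r" chan_sip\.c: Registration from '.*' failed for "
                    r"'(?P<ip>[0-9.]+)' - No matching peer found$"),
    re.compile(TS + r": Ext\. \S+ @ from-external: Unauthenticated INVITE "
                    r"from (?P<ip>[0-9.]+) to \S+$"),
]
# NOTICE lines that report a rejected call but carry no source address.
NO_IP = re.compile(r"Call from '' to extension")


def parse_failures(log_text):
    """Return [(timestamp, ip)] for every line that matches a failure pattern."""
    found = []
    for line in log_text.splitlines():
        for rx in FAILREGEX:
            m = rx.match(line)
            if m:
                ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
                found.append((ts, m.group("ip")))
                break
    return found


def bans(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban-style counting: {ip: time of ban} for hosts that reach
    maxretry failures inside a sliding findtime window."""
    recent = defaultdict(deque)
    banned = {}
    for ts, ip in parse_failures(log_text):
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


def unbannable(log_text):
    """Rejected-call notices with no address: fail2ban has nothing to act on,
    which is the gap the thread describes for unregistered INVITEs."""
    return [line for line in log_text.splitlines() if NO_IP.search(line)]


if __name__ == "__main__":
    for ip, when in bans(SAMPLE_LOG).items():
        print("ban %-15s at %s" % (ip, when))
    for line in unbannable(SAMPLE_LOG):
        print("no address to ban in: %s" % line)
```

In a real fail2ban filter the timestamp prefix is left off (fail2ban consumes it) and `(?P<ip>...)` becomes `<HOST>`; the greedy-plus-end-anchor shape of the Registration pattern should be kept, since it is what stops a spoofed From header from getting a legitimate peer banned.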

