[asterisk-users] Hacking attempt, Asterisk 1.4
binni at binni.eu
Thu Feb 20 05:27:29 CST 2014
We have an Asterisk server thats been running for a few years now without
problems. We have IPTables running, as well as fail2ban and have followed
all the security recommendations we have found.
Every few weeks we get an attack that lasts about a minute or two, resulting
in our AGI script being overloaded.
What happens is that somebody seems to be trying to connect from our server
in my cdrs log I can see that they use a four digit number for source,
destination and caller id, e.g.
xx.xx.xx.xx is our server IP. When one of our registered users makes a call
the channel is SIP/yyyyyyyy-aaaaaaaa where yyyyyyyy is the SIP user ID.
So it looks like a SIP phone trying to call itself, using our Asterisk
server IP as SIP user name.
Within a couple of minutes the attacker seems to go through some 10000
attempts, resulting in our AGI script collapsing from the load. My Asterisk
full log shows something like:
-- Executing [7321 at sip:1] Answer("SIP/xx.xx.xx.xx-b0828f20", "") in new
-- Executing [7321 at sip:2] AGI("SIP/ xx.xx.xx.xx -b0828f20", "agi://
xx.xx.xx.xx ") in new stack
-- Executing [7321 at sip:3] Hangup("SIP/ xx.xx.xx.xx -b6130f70", "") in
== Spawn extension (sip, 7321, 3) exited non-zero on 'SIP/ xx.xx.xx.xx
> cdr_odbc: Query Successful!
-- AGI Script agi:// xx.xx.xx.xx completed, returning 0
Our AGI script refuses to call illegal numbers, while our Asterisk
dialplan is a bit more accommodating, mostly because I have had problems
figuring out the order in which to put the various rules (I might have
another look at that!)
Does anybody know how to stop this from happening I cant find the
attackers IP number in my logs, and these attacks happen infrequently, and
are over quickly, so that I havent had an opportunity to run sip debug
during an attack, and I dont want to have it running all the time.
Tlf. +45 88321688
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the asterisk-users