[asterisk-users] Hacking attempt, Asterisk 1.4

Gareth Blades mailinglist+asterisk at dns99.co.uk
Thu Feb 20 06:28:01 CST 2014

On 20/02/14 11:27, Brynjolfur Thorvardsson wrote:
> Hi all
> We have an Asterisk server that's been running for a few years now 
> without problems. We have IPTables running, as well as fail2ban and 
> have followed all the security recommendations we have found.
> Every few weeks we get an attack that lasts about a minute or two, 
> resulting in our AGI script being overloaded.
> What happens is that somebody seems to be trying to connect from our 
> server -- in my cdrs log I can see that they use a four digit number 
> for source, destination and caller id, e.g.
> clid: 7321
> src: 7321
> dst: 7321
> channel: SIP/xx.xx.xx.xx-aaaaaaaa
> xx.xx.xx.xx is our server IP. When one of our registered users makes a 
> call the channel is SIP/yyyyyyyy-aaaaaaaa where yyyyyyyy is the SIP 
> user ID.
> So it looks like a SIP phone trying to call itself, using our Asterisk 
> server IP as SIP user name.
> Within a couple of minutes the attacker seems to go through some 10000 
> attempts, resulting in our AGI script collapsing from the load. My 
> Asterisk full log shows something like:
>     -- Executing [7321 at sip:1] Answer("SIP/xx.xx.xx.xx-b0828f20", "") 
> in new stack
>     -- Executing [7321 at sip:2] AGI("SIP/ xx.xx.xx.xx -b0828f20", 
> "agi:// xx.xx.xx.xx ") in new stack
>     -- Executing [7321 at sip:3] Hangup("SIP/ xx.xx.xx.xx -b6130f70", "") 
> in new stack
>   == Spawn extension (sip, 7321, 3) exited non-zero on 'SIP/ 
> xx.xx.xx.xx -b6130f70'
> > cdr_odbc: Query Successful!
>     -- AGI Script agi:// xx.xx.xx.xx completed, returning 0
> Our AGI script refuses to call "illegal" numbers, while our Asterisk 
> dialplan is a bit more accommodating, mostly because I have had 
> problems figuring out the order in which to put the various rules (I 
> might have another look at that!)
> Does anybody know how to stop this from happening -- I can't find the 
> attackers IP number in my logs, and these attacks happen infrequently, 
> and are over quickly, so that I haven't had an opportunity to run sip 
> debug during an attack, and I don't want to have it running all the time.
> Best regards
> Binni
> Brynjólfur Þorvarðsson
> IT Consultant
> Tlf. +45 88321688

I have this in my extensions.conf :-

; all unauthenticated connection attempts from the internet come in here.
exten => _[+*#0-9].,1,NoOp(Unauthenticated call attempt - 
exten => _[+*#0-9].,n,Congestion

Then in fail2ban I have the extra line added to the failregex so it is 
now :-

failregex = Registration from .* failed for \'<HOST>\' - Wrong password
             Registration from .* failed for \'<HOST>\' - No matching
             Unauthenticated call attempt .*\@<HOST>\:

That seems to work pretty well for me. Assuming the attacks are 
unauthenticated why are you accepting them and running an AGI script and 
not rejecting them earlier?
If you need to allow anonymous inbound calls (which is required in some 
cases) then I would have the AGI detect them and write an output to 
verbose() with the SIP_HEADER(Contact) or any other header which 
correctly indicated the origin of the packet.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20140220/e2767628/attachment.html>

More information about the asterisk-users mailing list