[asterisk-users] stopping unwanted attempts

John Novack jnovack at stromberg-carlson.org
Sun Jan 19 09:02:30 CST 2014


Changing from 5060 is very effective.
Sure, someone with the knowledge could try all the ports IF they know you are even running SIP, but it certainly will stop most of these idiots.

That, along with fail2ban and not using numbers for device user names, will all help.

Using IAX where possible also can be very effective.

John Novack

Steve Murphy wrote:
>
>
>
> On Sat, Jan 18, 2014 at 3:59 PM, Steve Edwards <asterisk.org at sedwards.com> wrote:
>
>     On Sat, 18 Jan 2014, Jerry Geis wrote:
>
>         I see MANY of these in my log files:
>
>         [Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from '"202" <sip:202 at X:5060>' failed for '37.8.12.147:26832' - Wrong password
>
>         What is the "correct" way to block these idiots so they
>         don't even get this far.
>
>
>     Use iptables to allow packets from your legitimate users, block everybody else.
>
>     If you are dealing with a mobile user base or an extensive geographic area, at least block the countries where you do not expect traffic -- North Korea, China, xxxistan, etc.
>
>     Drop these at the front door (90% of the problem) and use fail2ban to pick off the rest.
>
>
> I see a problem here; firstly that it is no longer so simple to determine
> the IP ranges of countries. Things have been fractured quite a bit; you
> might have to hire out a service to determine true geographic origination.
> Even then, if your service is a little behind, you might occasionally
> feel the displeasure of users unable to talk to your servers. How will you
> handle this, with a white-list? How much effort will you end up committing
> to keeping your whitelist up to date?
>
> Nextly, the well-financed operations running such probes need not use
> machines in their native countries. There are plenty of US-based
> machines that can be (and are) compromised.
>
>
> In other words, don't forget the fail2ban part!
>
> Here's another idea! How about changing your port from 5060 to something
> different, maybe 7067 or some other number that is not popularly being used?
> You'll provision your phones to use this port, and the scanners will not
> find you. Seems a much simpler solution... but there are some drawbacks...
> can anyone think of them? And will these drawbacks matter to you? And, given
> this solution, will the odds that a scanner might find your machine be so low,
> that it is not worth using something like fail2ban to override them? Food
> for thought!
>
> murf
>
> -- 
>
> Steve Murphy
> ParseTree Corporation
> 57 Lane 17
> Cody, WY 82414
> murf at parsetree dot com
> 307-899-5535
>
>
>
>

-- 

Dog is my Co-pilot
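
The per-source counting that the thread relies on fail2ban for, shown as an added example (not part of any post above and not fail2ban's own code): it parses chan_sip failed-registration notices in the format quoted in the thread and flags sources that fail repeatedly inside a time window. The names `max_retry`, `find_time` and `year`, the host `pbx.example`, and the documentation-range addresses in the sample log are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches chan_sip failed-registration notices like the one quoted in the thread.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<who>.*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)

def offenders(lines, max_retry=3, find_time=timedelta(minutes=10), year=2014):
    """Return {ip: time the threshold was crossed} for sources with at least
    max_retry failures inside a sliding find_time window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = {}
    for line in lines:
        m = FAILED_REG.match(line.strip())
        if not m or m["ip"] in banned:
            continue
        # The log timestamp carries no year; supply one (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()      # forget failures older than the window
        if len(window) >= max_retry:
            banned[m["ip"]] = ts
    return banned

# Constructed sample log (documentation-range addresses, not real traffic).
# First source: a scanner walking numeric user names within seconds.
# Second source: a legitimate phone mistyping its password hours apart.
SAMPLE = """\
[Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from '"202" <sip:202@pbx.example:5060>' failed for '203.0.113.7:26832' - Wrong password
[Jan 15 03:06:13] NOTICE[14129] chan_sip.c: Registration from '"203" <sip:203@pbx.example:5060>' failed for '203.0.113.7:26832' - Wrong password
[Jan 15 03:06:15] NOTICE[14129] chan_sip.c: Registration from '"204" <sip:204@pbx.example:5060>' failed for '203.0.113.7:26833' - No matching peer found
[Jan 15 08:30:00] NOTICE[14129] chan_sip.c: Registration from '"alice-desk" <sip:alice-desk@pbx.example:5060>' failed for '198.51.100.20:5060' - Wrong password
[Jan 15 09:45:00] NOTICE[14129] chan_sip.c: Registration from '"alice-desk" <sip:alice-desk@pbx.example:5060>' failed for '198.51.100.20:5060' - Wrong password
[Jan 15 11:00:00] NOTICE[14129] chan_sip.c: Registration from '"alice-desk" <sip:alice-desk@pbx.example:5060>' failed for '198.51.100.20:5060' - Wrong password
""".splitlines()

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE).items():
        print(f"{when:%b %d %H:%M:%S} ban {ip}")
```

The sliding window is what keeps the second source off the list: it also fails three times, but never three times within ten minutes.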
