[asterisk-users] Attack on Sip server.

Michelle Dupuis mdupuis at ocg.ca
Fri Jun 27 10:18:45 CDT 2014


If you have a small Asterisk installation, install the free version of SecAst:

http://www.voip-info.org/wiki/view/SecAst+(Asterisk+Intrusion+Detection+and+Prevention)


For general Asterisk security info check this out:

http://www.voip-info.org/wiki/view/Asterisk+security


-=Michelle=-


All opinions posted are my own, and do not necessarily reflect those of my employer.  As an employee of GenerationD my opinions are seriously biased :)


________________________________
From: asterisk-users-bounces at lists.digium.com <asterisk-users-bounces at lists.digium.com> on behalf of Anurag Rana <anuragrana31189 at gmail.com>
Sent: Friday, June 27, 2014 10:49 AM
To: Prakash N
Cc: Asterisk Users List
Subject: Re: [asterisk-users] Attack on Sip server.

I added both rules, TCP as well as UDP.  Still not working.

How will changing the SIP listen port prevent it? Please explain.

I will try fail2ban.


On Fri, Jun 27, 2014 at 8:16 PM, Prakash N <prakash.n at tevatel.com> wrote:
Hi,

Install fail2ban and change the SIP listen port to avoid the attack

With regards

N.Prakash
________________________________
From: Anurag Rana <anuragrana31189 at gmail.com>
Sent: 27-06-2014 08:07 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users at lists.digium.com>
Subject: [asterisk-users] Attack on Sip server.


Hi All.

Someone is attacking my SIP server.
There are a lot of requests coming in and I am not able to stop them because I am unable to detect the IP address.
I used Wireshark to capture the packets.

Although I am using very strong passwords for my SIP users, is there still any way to drop these packets and stop this attack?

I tried dropping packets after matching a string (most of the packets from the attacker contain the string 'VaxSIPUserAgent/3.1') but it failed. Packets are still flowing in.


iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP

It's something like this

Registration from '"30" <sp:30 at my_public_ip:5060> failed for '192.168.xxx.xxx:6373' - Wrong Password

and there are approx. 10 requests per minute of this type.

Please suggest some way to stop this.







--
Anurag Rana
http://newbie42.blogspot.in/
On the trampoline of life's experiences, Striving towards a saintly life in the midst of these materialistic turbulences.
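
The "Registration from ... failed for 'IP:port'" notice quoted in the original post already names the source address, and counting those notices per source is the kind of check fail2ban automates. The following is an added example, not code from the thread or from fail2ban: the function names are hypothetical, the timestamp prefix on each line is an assumed log format, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failed-registration notice as quoted in the thread. The leading
# "[YYYY-MM-DD HH:MM:SS]" timestamp prefix is an assumption about the log format.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\].*"
    r"Registration from '(?P<who>.*?)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)

def offenders(lines, max_failures=5, window=timedelta(minutes=10)):
    """Map source IP -> peak failure count, for sources with more than
    max_failures failed registrations inside one sliding window.
    Assumes lines are in chronological order (hypothetical helper)."""
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        m = FAILED_REG.match(line.strip())
        if not m:
            continue  # not a failed registration
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # expire attempts older than the window
            q.popleft()
        if len(q) > max_failures:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

def sample_log():
    """Constructed lines using documentation address ranges."""
    fmt = ("[2014-06-27 {t}] NOTICE[2211] chan_sip.c: Registration from "
           "'\"{ext}\" <sip:{ext}@203.0.113.10:5060>' failed for '{src}' - Wrong password")
    # About 10 failures in one minute from one source, the rate reported in the post.
    lines = [fmt.format(t=f"20:07:{i * 6:02d}", ext="30", src="198.51.100.7:6373")
             for i in range(10)]
    # A user who mistyped a password twice, half an hour apart.
    lines += [fmt.format(t=t, ext="101", src="192.0.2.44:5060")
              for t in ("20:08:10", "20:40:00")]
    lines.append("[2014-06-27 20:41:00] VERBOSE[2211] chan_sip.c: Registered SIP '101'")
    return lines

if __name__ == "__main__":
    for ip, count in offenders(sample_log()).items():
        print(f"{ip}: {count} failed registrations within 10 minutes")
```

The addresses returned are candidates for a firewall drop rule; the user with two mistyped passwords stays below the threshold and is not flagged.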

