[asterisk-users] PBX hacked: why hundred of calls to the same number ?

Chris Bagnall asterisk at lists.minotaur.cc
Fri Oct 3 13:11:07 CDT 2014


On 3/10/14 6:52 pm, Rainer Piper wrote:
> the attacking server changed the destination Number  at 18:53  CEST  and
> he is still blocked ... LOL
> 972597438354  <callto:00972597438354>

It's pretty much an everyday occurrence for any internet-connected SIP 
system these days...

> Oct  3 19:46:20 server /sbin/kamailio[3977]: NOTICE: <script>: blocking
> IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=100972597438354

Many of these attacks come from fairly easily recognised user-agent 
strings, so if you fancy doing a bit of packet inspection with your 
firewall, you can block many of these before they get as far as your SIP 
server(s) themselves.

For example, the sipcli scans you listed above can be blocked fairly 
easily with:
iptables -A INPUT -p udp --dport 5060 -m string --algo bm --string "sipcli" -j DROP

(obviously there are overheads to string searching UDP/5060 packets that 
you'll want to consider, and the above won't work if you're using sipcli 
legitimately anywhere on your network)

Kind regards,

Chris
-- 
This email is made from 100% recycled electrons
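
Added example, not part of the original message: a small Python parser that takes log lines in the format of the Kamailio NOTICE quoted above and counts blocked requests per User-Agent product, showing which strings recur often enough to be worth a firewall string-match rule. The sample log lines, the documentation-range addresses, the numbers, the "Example Scanner" agent and the min_hits threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the Kamailio NOTICE quoted above
# (documentation-range addresses, made-up numbers and a made-up second agent).
SAMPLE_LOG = """\
Oct  3 19:46:20 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 192.0.2.10 sipcli/v1.8 rm=INVITE aU=<null> rU=100972000000001
Oct  3 19:46:24 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 192.0.2.10 sipcli/v1.8 rm=INVITE aU=<null> rU=900972000000001
Oct  3 19:47:02 server /sbin/kamailio[3978]: NOTICE: <script>: blocking IP 198.51.100.7 sipcli/v1.9 rm=INVITE aU=<null> rU=00972000000001
Oct  3 19:47:30 server /sbin/kamailio[3978]: NOTICE: <script>: blocking IP 203.0.113.5 Example Scanner 2.0 rm=REGISTER aU=100 rU=100
Oct  3 19:48:00 server sshd[812]: Connection closed by 203.0.113.5
"""

# Assumes one log entry per line: source IP, User-Agent, method, auth user, request user.
BLOCK_RE = re.compile(
    r"blocking IP (?P<ip>\S+) (?P<ua>.+?) rm=(?P<method>\S+) "
    r"aU=(?P<auth_user>\S+) rU=(?P<req_user>\S+)")

def parse_line(line):
    """Return the fields of one 'blocking IP' line, or None for other lines."""
    m = BLOCK_RE.search(line)
    return m.groupdict() if m else None

def summarize(log_text):
    """Group blocked requests by User-Agent product (the text before '/')."""
    stats = defaultdict(lambda: {"hits": 0, "sources": set(), "targets": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a blocking notice (e.g. the sshd line)
        product = rec["ua"].split("/", 1)[0]
        entry = stats[product]
        entry["hits"] += 1
        entry["sources"].add(rec["ip"])
        entry["targets"].add(rec["req_user"])
    return dict(stats)

def rule_candidates(stats, min_hits=3):
    """User-Agent products seen often enough to justify a string-match rule."""
    return sorted(p for p, s in stats.items() if s["hits"] >= min_hits)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for product, s in sorted(summary.items()):
        print(f"{product}: {s['hits']} hits, {len(s['sources'])} sources, "
              f"targets={sorted(s['targets'])}")
    print("candidates:", rule_candidates(summary))
```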


