[asterisk-users] Hack attempt sequential config file read looking for valid files.

Dovid Bender dovid at telecurve.com
Fri Apr 21 11:38:18 CDT 2017


This is old news. They use Shodan and then try to connect. Set up Fail2Ban
so that after 10 404s it bans the IP.


On Fri, Apr 21, 2017 at 12:27 PM, Jerry Geis <jerry.geis at gmail.com> wrote:

> I "just" happened to look at /var/log/messages...
>
> I saw:
> Apr 21 12:18:40 in.tftpd[22719]: RRQ from 69.64.57.18 filename 0004f2034f6b.cfg
> Apr 21 12:18:40 in.tftpd[22719]: Client 69.64.57.18 File not found 0004f2034f6b.cfg
> Apr 21 12:18:40 in.tftpd[22720]: RRQ from 69.64.57.18 filename 0004f2034f6c.cfg
> Apr 21 12:18:40 in.tftpd[22720]: Client 69.64.57.18 File not found 0004f2034f6c.cfg
> Apr 21 12:18:40 in.tftpd[22721]: RRQ from 69.64.57.18 filename 0004f2034f6d.cfg
> Apr 21 12:18:40 in.tftpd[22721]: Client 69.64.57.18 File not found 0004f2034f6d.cfg
> Apr 21 12:18:40 in.tftpd[22722]: RRQ from 69.64.57.18 filename 0004f2034f6e.cfg
>
> So basically a sequential read of Polycom MAC address config files.
> Someone is trying to read to determine if I have any Polycom files, just
> sequential read after read.
> And if so - it would get any extension and password at that time.
> Luckily I have none.
>
> However - how does one block attempts like this?
>
> Thanks!
>
> Jerry
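Added example, not code from either poster: the ban-after-10-misses idea from the reply, applied to the in.tftpd "File not found" lines quoted above, plus a check for MAC-named .cfg requests that step by one. The sample log, its RFC 5737 addresses, the assumed year, the 10-minute window, `min_run` and all function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "File not found" lines quoted above; an optional syslog hostname is tolerated.
MISS = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) .*?in\.tftpd\[\d+\]: "
                  r"Client (\S+) File not found (\S+)")
MAC_CFG = re.compile(r"^([0-9a-fA-F]{12})\.cfg$")  # Polycom-style <MAC>.cfg name

# Constructed sample log (RFC 5737 documentation addresses, made-up PIDs).
SAMPLE_LOG = "\n".join(
    [f"Apr 21 12:18:40 in.tftpd[{22719 + i}]: Client 192.0.2.10 "
     f"File not found {0x0004f2034f6b + i:012x}.cfg" for i in range(12)]
    + ["Apr 21 12:20:01 in.tftpd[22800]: Client 198.51.100.7 "
       "File not found phone-directory.xml"])

def parse_misses(log_text, year=2017):
    """Return {client_ip: [(timestamp, filename), ...]}; syslog has no year, so one is assumed."""
    misses = defaultdict(list)
    for line in log_text.splitlines():
        m = MISS.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            misses[m.group(2)].append((ts, m.group(3)))
    return misses

def over_threshold(events, max_retry=10, find_time=timedelta(minutes=10)):
    """True if at least max_retry misses fall inside one find_time window."""
    times = sorted(ts for ts, _ in events)
    return any(times[i + max_retry - 1] - times[i] <= find_time
               for i in range(len(times) - max_retry + 1))

def longest_mac_run(events):
    """Longest run of <MAC>.cfg requests in which each MAC is the previous one + 1."""
    best, run, prev = 0, 0, None
    for _, name in events:
        m = MAC_CFG.match(name)
        cur = int(m.group(1), 16) if m else None
        run = 0 if cur is None else (run + 1 if prev is not None and cur - 1 == prev else 1)
        best, prev = max(best, run), cur
    return best

def suspects(log_text, max_retry=10, min_run=4):
    """Map each flagged client IP to the reasons it was flagged."""
    out = {}
    for ip, ev in parse_misses(log_text).items():
        checks = (("threshold", over_threshold(ev, max_retry)),
                  ("sequential-mac", longest_mac_run(ev) >= min_run))
        if any(hit for _, hit in checks):
            out[ip] = [name for name, hit in checks if hit]
    return out
```

The sequence check can flag a scan that stops short of the miss threshold, which a plain count-based ban would let through.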