<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none"><!--P{margin-top:0;margin-bottom:0;} .ms-cui-menu {background-color:#ffffff;border:1px rgb(171, 171, 171) solid;font-family:'Segoe UI WPC', 'Segoe UI', Tahoma, 'Microsoft Sans Serif', Verdana, sans-serif;font-size:11pt;color:rgb(51, 51, 51);} .ms-cui-menusection-title {display:none;} .ms-cui-ctl {vertical-align:text-top;text-decoration:none;color:rgb(51, 51, 51);} .ms-cui-ctl-on {background-color:rgb(223, 237, 250);opacity: 0.8;} .ms-cui-img-cont-float {display:inline-block;margin-top:2px} .ms-cui-smenu-inner {padding-top:0px;} .ms-owa-paste-option-icon {margin: 2px 4px 0px 4px;vertical-align:sub;padding-bottom: 2px;display:inline-block;} .ms-rtePasteFlyout-option:hover {background-color:rgb(223, 237, 250) !important;opacity:1 !important;} .ms-rtePasteFlyout-option {padding:8px 4px 8px 4px;outline:none;} .ms-cui-menusection {float:left; width:85px;height:24px;overflow:hidden}--></style>
</head>
<body>
<div style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>There are lots of ways to solve this, and NOT to solve this. Don't start adding lots of rules to iptables (or deep per packet inspection requirements) as this will hurt capacity...and it doesn't really solve the problem<br>
</p>
<p><br>
</p>
<p>Take a look at<br>
</p>
<p><a href="http://www.voip-info.org/wiki/view/Asterisk+security">http://www.voip-info.org/wiki/view/Asterisk+security</a><br>
</p>
<p><br>
</p>
<p>If you are running a small system I recommend trying the free version of SecAst. If you're running a larger PBX, the SecAst GeoIP blocking (deny/allow by country/city/etc) will remove 99% of the attacks.<br>
</p>
<p><br>
</p>
<p>Take a good look at the page above for options...free/paid, software/hardware<br>
</p>
<p><br>
</p>
<p>Michelle<br>
</p>
<p><br>
</p>
<p>*All opinions are my own, and do not represent my employer. Since I'm employed by GenerationD, you can <br>
</p>
<p>bet that my opinions are biased :)<br>
</p>
<p><br>
</p>
<div style="color: #282828;">
<hr tabindex="-1" style="display: inline-block; width: 98%;">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size: 11pt;"><b>From:</b> asterisk-users-bounces@lists.digium.com <asterisk-users-bounces@lists.digium.com> on behalf of Rainer Piper <rainer.piper@soho-piper.de><br>
<b>Sent:</b> Friday, October 3, 2014 2:15 PM<br>
<b>To:</b> Asterisk Users List<br>
<b>Subject:</b> Re: [asterisk-users] PBX hacked: why hundred of calls to the same number ?</font>
<div> </div>
</div>
<div>
<div class="moz-cite-prefix">Hi Chris,<br>
<br>
yes ... it is boring ...<br>
I stop posting ...<br>
;-)<br>
<br>
<br>
Am 03.10.2014 um 20:11 schrieb Chris Bagnall:<br>
</div>
<blockquote type="cite">On 3/10/14 6:52 pm, Rainer Piper wrote: <br>
<blockquote type="cite">the attacking server changed the destination Number at 18:53 CEST and
<br>
he is still blocked ... LOL <br>
972597438354 <a class="moz-txt-link-rfc2396E" href="callto:00972597438354"><callto:00972597438354></a>
<br>
</blockquote>
<br>
It's pretty much an everyday occurrence for any internet-connected SIP system these days...
<br>
<br>
<blockquote type="cite">Oct 3 19:46:20 server /sbin/kamailio[3977]: NOTICE: <script>: blocking
<br>
IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=100972597438354 <br>
</blockquote>
<br>
Many of these attacks come from fairly easily recognised user-agent strings, so if you fancy doing a bit of packet inspection with your firewall, you can block many of these before they get as far as your SIP server(s) themselves.
<br>
<br>
For example, the sipcli scans you listed above can be blocked fairly easily with:
<br>
iptables -A INPUT -p udp --dport 5060 -m string --algo bm --string "sipcli" -j DROP
<br>
<br>
(obviously there are overheads to string searching UDP/5060 packets that you'll want to consider, and the above won't work if you're using sipcli legitimately anywhere on your network)
<br>
<br>
Kind regards, <br>
<br>
Chris <br>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
<b>Rainer Piper</b> <br>
Integration engineer <br>
Koeslinstr. 56 <br>
53123 BONN <br>
GERMANY <br>
Phone: +49 228 97167161 <br>
P2P: <a class="moz-txt-link-freetext" href="sip:rainer@sip.soho-piper.de:5072">sip:rainer@sip.soho-piper.de:5072</a> (pjsip-test)
<br>
XMPP: <a class="moz-txt-link-abbreviated" href="mailto:rainer@xmpp.soho-piper.de">
rainer@xmpp.soho-piper.de</a></div>
</div>
</div>
</div>
</body>
</html>