[asterisk-users] Is there a public blacklist of hackers' IP addresses?

Gordon Henderson gordon+asterisk at drogon.net
Tue Mar 24 08:07:40 CDT 2009


On Tue, 24 Mar 2009, Zeeshan Zakaria wrote:

> I am not really sure, but apparently they guessed a SIP username/password.
> But what I don't understand is that even though I deleted that extension
> altogether, 'sip show peers' still showed that extension. Then I figured out
> an easy-to-guess manager user and password, which I also deleted. I think it
> all started from the manager user/password and they created an extension on
> the server which 'sip show peers' would show as offline but would be making
> calls successfully.
>
> The IPs I had to block so far are:
>
> 213.136.96.104

Africa

> 88.151.100.167

Hungary

> 85.17.141.101

Holland

> 212.34.138.12

Spain.

You can use the 'whois' command to find this out, and use iptables to 
block them - unless you think your customers are actually in those 
countries.

But get your passwords fixed and firewall the manager interface - I don't 
think anyone ought to be accessing it from random remote hosts at all.

The easiest way is to start by blocking everything from everywhere, then 
open up what you need. So leave the manager port blocked, but open SIP and 
RTP ports. (and IAX if you use it). Open SSH only from your own network 
and so on.

And change all your passwords. Now.

If you want a sample set of iptables, then look at:

   http://unicorn.drogon.net/firewall

This is a shell-script. Do not blindly run it without reading and 
understanding it, or you might get cut-off yourself, especially if this is 
a box in a remote data centre! If you do use it, you'll need to create 2 
files /etc/network/blockSites (can be empty), and /etc/network/allowSites. 
Eg. my allowSites file has

81.31.100.104/29

Which is my home/office LAN.

That script, while not perfect in any sense, might make a good starting 
point.

If you are logging stuff too, you might want to run syslog in non-fflush 
mode - else a really determined hacker/port scanner will reduce the 
server to a crawl as it logs each one to disk, line at a time.

Good luck,

Gordon


>
> On Tue, Mar 24, 2009 at 5:55 AM, Gordon Henderson <
> gordon+asterisk at drogon.net <gordon%2Basterisk at drogon.net>> wrote:
>
>> On Mon, 23 Mar 2009, Zeeshan Zakaria wrote:
>>
>>> Hi,
>>>
>>> In last one week I have seen two servers of our organization successfully
>>> hacked and some other under attack from some other IP addresses. We would
>>> block one IP address on our firewall and after a few hours, they would
>> start
>>> getting hits from some another IP address. When I checked them on
>> whois.net,
>>> they all were from Amsterdam. Surprisingly, I once had a similar attack in
>> the
>>> past and it was also from an Amsterdam IP address. And they all belong to
>> one
>>> same organization.
>>>
>>> Seems like somebody in Amsterdam is really active in trying to hack
>> asterisk
>>> servers around the world.
>>
>> Are you willing to share details of the hack? Eg. Did they gain root
>> access to the server? Did they exploit a bug in the web server to run
>> code? Did they guess SIP username/password combinations? Or something
>> else?
>>
>> Gordon
>>
>>
>
>
>
> -- 
> Zeeshan A Zakaria
>
