[asterisk-users] Is there a public blacklist of hackers' IP addresses?

Gordon Henderson gordon+asterisk at drogon.net
Thu Mar 26 04:33:12 CDT 2009


On Wed, 25 Mar 2009, Zeeshan Zakaria wrote:

> Thanks Gordon for your suggestions and advice. I changed the passwords the same
> day, and was monitoring my system very closely. I also use a non standard
> port for SSH, and also plan to move my SIP port to a non standard one too in
> future. At this time things are ok, but I know that this problem is growing
> very fast, and hackers are after VoIP servers because they can do so much
> with them. I had to present a seminar a few weeks ago on VoIP Security
> Threats, and while doing my own research, I was shocked to know how hackers
> are misusing VoIP technology. We definitely need to come up with some really
> good and effective solutions against these threats.

There are other more advanced things you can do with iptables which I've 
been looking at - but the essence is to count/time new connections to a 
particular service from each IP address and if more connections per unit 
of time happen, then apply a temporary block for a bigger period of time.

This works for ssh when you know there are only a small number of people 
who might connect in, but for SIP, you need to check the timings 
carefully, although one thing I've had issues with is Snom phones which 
seem to be overly enthusiastic when the end-user has the wrong password in 
them - they keep trying to register 2 or 3 times a second )-:

Gordon
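The count-and-block scheme described in this reply, written up as an added example (it is not a script from the list thread): a POSIX shell function that generates iptables rules using the "recent" match, so that the third new connection from one source address within a 60 second window puts that address on a list that is REJECTed for 300 seconds, with a whitelist of addresses that are never counted. The port, thresholds and the whitelisted address are assumed values; the first argument is the command that receives each rule, so "echo" gives a dry run and "iptables" (run as root) applies them. Note that netfilter only sees connection attempts, not authentication failures, which is why a phone retrying with a wrong password can trip it.

```shell
#!/bin/sh
# Added example, not from the mailing list: per-source rate limit for new
# connections to a TCP service, modelled on the rules discussed above.
#
# Usage: ssh_ratelimit_rules <runner> <port> <hits> <window> <ban> [whitelist ip ...]
#   runner : "echo" to print the rules, "iptables" to apply them (as root)
#   hits   : the hits-th new connection inside <window> seconds triggers a ban
#   ban    : seconds the source is rejected once banned
ssh_ratelimit_rules() {
    run=$1; port=$2; hits=$3; window=$4; ban=$5
    shift 5
    # Own chains, so the rules can be flushed and reloaded independently.
    "$run" -N SSH_RATE 2>/dev/null || true
    "$run" -N SSH_BAN 2>/dev/null || true
    "$run" -F SSH_RATE
    "$run" -F SSH_BAN
    # Only NEW TCP connections are inspected; established sessions keep
    # working even if their peer is banned later.
    "$run" -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j SSH_RATE
    # Whitelisted management hosts bypass counting and banning entirely.
    for ip in "$@"; do
        "$run" -A SSH_RATE -s "$ip" -j RETURN
    done
    # 1. Already banned? --rcheck does not refresh the timestamp, so the ban
    #    lapses <ban> seconds after it was set.
    "$run" -A SSH_RATE -m recent --name sshban --rcheck --seconds "$ban" \
        -j REJECT --reject-with tcp-reset
    # 2. Record this connection attempt against the source address.
    "$run" -A SSH_RATE -m recent --name sshnew --set
    # 3. <hits> attempts within <window> seconds: hand over to the ban chain.
    "$run" -A SSH_RATE -m recent --name sshnew --update --seconds "$window" \
        --hitcount "$hits" -j SSH_BAN
    "$run" -A SSH_RATE -j RETURN
    # The ban chain stamps the address into the ban list and rejects it.
    "$run" -A SSH_BAN -m recent --name sshban --set -j REJECT --reject-with tcp-reset
}

# Dry run for the assumed setup: SSH on port 22, ban for 300 s after 3 new
# connections in 60 s, one whitelisted host (203.0.113.10 is a constructed
# documentation address). Swap "echo" for "iptables" to install the rules.
ssh_ratelimit_rules echo 22 3 60 300 203.0.113.10
```

For SIP over UDP the same structure applies with `-p udp --dport 5060`, but the window and hit count need loosening, since legitimate phones re-register on their own schedule.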

> -- 
> Zeeshan A Zakaria
>
> On Tue, Mar 24, 2009 at 2:01 PM, Roderick A. Anderson <
> raanders at cyber-office.net> wrote:
>
>>
>>
>> Wilton Helm wrote:
>>> If life were only that simple.  A lot of hacking passes through
>>> unsuspecting intermediary computers, precisely to hide their tracks, not
>>> to mention IP spoofing.  People have offered for sale access to 10,000
>>> computers to use for propagating mischief.  That's a lot of IPs to block!
>>>
>>> I got hacked about six months ago.  They came in through SSH and figured
>>> out root's password, which was a concatenation of two English words.  I
>>> presume they did a dictionary search.
>>
>> I used to get hit very hard with these types of attacks (hundreds to
>> thousands per day) on 25-30 servers until I added some iptables rules to
>> REJECT the offending IP for 5 minutes after three unsuccessful attempts
>> in 60 seconds.  The attacks typically have dropped to less than five per
>> day.
>>
>> This means those that need access don't need to make _odd_ changes to
>> standard programs' settings and the rules do allow a whitelisting of
>> specific IPs.
>>
>>
>> \\||/
>> Rod
>> --
>>> Then they changed the password,
>>> replaced some key files and launched a denial of service attack against
>>> somebody (including compiling the program on my machine)!
>>>
>>> I traced the IP address to a Comcast customer in Indiana or something
>>> and notified Comcast, but haven't heard anything.  Probably their
>>> customer never even knew it happened--it was probably a hijacked
>>> situation.
>>>
>>> Prior to that I had been logging hundreds of robotic attacks a day that
>>> were unsuccessful!
>>>
>>> I re-installed everything and changed my SSH to a non-standard port and
>>> used a more robust password.  I haven't had a single hack attempt the
>>> four months since.  For my purposes, I don't really need SSH on a
>>> standard port.  That made all the difference in the world.
>>>
>>> Two areas that have had large hacker presences in the past:  Russia and
>>> China.  A lot of E-Mail spam originates in those two areas, also.  I've
>>> considered blocking the entire host domain for any provider generating
>>> spam from those regions, as I have no legitimate business need to
>>> correspond with people in those regions in general.  However, I suspect
>>> it might block messages from a few users on this list, and I know it
>>> would block at least one user from another list I am on.
>>>
>>> Wilton
>>>
>>>
>>>
>>> _______________________________________________
>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>
>>> asterisk-users mailing list
>>> To UNSUBSCRIBE or update options visit:
>>>    http://lists.digium.com/mailman/listinfo/asterisk-users