Thanks Gordon for your suggestions and advices. I changed the passwords same day, and was monitoring my system very closely. I also use a non standard port for SSH, and also plan to move my SIP port to a non standard one too in future. At this time things are ok, but I know that this problem is growing very fast, and hackers are after VoIP servers because they can do so much with them. I had to present a seminar few weeks ago on VoIP Security Threats, and while doing my own research, I was shocked to know how hackers are misusing VoIP technology. We definitely need to come up with some really good and effective solutions against these threats.<br>
<br><div class="gmail_quote">-- <br>Zeeshan A Zakaria<br><br>On Tue, Mar 24, 2009 at 2:01 PM, Roderick A. Anderson <span dir="ltr"><<a href="mailto:raanders@cyber-office.net">raanders@cyber-office.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="im"><br>
<br>
Wilton Helm wrote:<br>
> If life were only that simple. A lot of hacking passes through<br>
> unsuspecting intermediary computers, precisely to hide their tracks, not<br>
> to mention IP spoofing. People have offered for sale access to 10,000<br>
> computers to use for propagating mischief. That's a lot of IPs to block!<br>
><br>
> I got hacked about six months ago. They came in through SSH and figured<br>
> out roots password, which was a concatenation of two English words. I<br>
> presume they did a dictionary search.<br>
<br>
</div>I used to get hit very hard with these type of attacks (hundreds to<br>
thousands per day) on 25-30 servers until I added some iptables rules to<br>
REJECT the offending IP for 5 minutes after three unsuccessful attempts<br>
in 60 seconds. The attacks typically have dropped to less than five per<br>
day.<br>
<br>
This means those that need access don't need to make _odd_ changes to<br>
standard programs' setting and the rules do allow a whitelisting of<br>
specific IPs.<br>
<br>
<br>
\\||/<br>
Rod<br>
<font color="#888888">--<br>
</font><div class="im">> Then they changed the password,<br>
> replaced some key files and launched a denial of service attack against<br>
> somebody (including compiling the program on my machine)!<br>
><br>
> I traced the IP address to a Comcast customer in Indiana or something<br>
> and notified Comcast, but haven't heard anything. Probably their<br>
> customer never even knew it happened--it was probably a hijacked situation.<br>
><br>
> Prior to that I had been logging hundreds of robotic attacks a day that<br>
> were unsuccessful!<br>
><br>
> I re-installed everything and changed my SSH to a non-standard port and<br>
> used a more robust password. I haven't had a single hack attempt the<br>
> four months since. For my purposes, I don't really need SSH on a<br>
> standard port. That made all the difference in the world.<br>
><br>
> Two areas that have had large hacker presences in the past: Russia and<br>
> China. A lot of E-Mail spam originates in those two areas, also. I've<br>
> considered blocking the entire host domain for any provider generating<br>
> spam from those regions, as I have no legitimate business need to<br>
> correspond with people in those regions in general. However, I suspect<br>
> it might block messages from a few users on this list, and I know it<br>
> would block at least one user from another list I am on.<br>
><br>
> Wilton<br>
><br>
><br>
><br>
</div>> ------------------------------------------------------------------------<br>
<div><div></div><div class="h5">><br>
> _______________________________________________<br>
> -- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
><br>
> asterisk-users mailing list<br>
> To UNSUBSCRIBE or update options visit:<br>
> <a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br>
<br>
_______________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br>
</div></div></blockquote></div><br>