Here's what fail2ban service caught<br><br>The IP 89.111.184.221 has just been banned by Fail2Ban after<br>
80 attempts against ASTERISK.<br>
<br><br><div class="gmail_quote">On Wed, Apr 8, 2009 at 7:01 PM, Tilghman Lesher <span dir="ltr">&lt;<a href="mailto:tilghman@mail.jeffandtilghman.com">tilghman@mail.jeffandtilghman.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">On Tuesday 07 April 2009 11:28:52 Tilghman Lesher wrote:<br>
> The recent vulnerability had nothing to do with this, but with the ability<br>
> of an attacker to scan a SIP server for legitimate usernames and passwords.<br>
> This, by the way, merely took advantage of the SIP protocol, as written.<br>
> Normally, SIP allows you to differentiate between invalid usernames (404)<br>
> and invalid passwords (403). What we closed in the recent vulnerability<br>
> patch was to allow administrators to send back 403, regardless of whether<br>
> the username existed or not.<br>
<br>
</div>By the way, I am VASTLY oversimplifying the return codes here for the sake of<br>
clarity. The actual return code is based upon a number of factors, but it is<br>
modeled to return the same responses as would a bad password with a legitimate<br>
user account (thus making it impossible, externally, to tell the difference<br>
between a legitimate user account and a non-existent user account).<br>
<div><div></div><div class="h5"><br>
--<br>
Tilghman<br>
<br>
</div></div></blockquote></div><br>
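The kind of ban decision reported at the top of this message, sketched as an added example; it is not code from either poster, from fail2ban or from Asterisk. The log line format (modelled on chan_sip NOTICE lines), the `scan` function and its thresholds are assumptions, and the sample lines are constructed with documentation addresses. Every failed registration counts the same whatever reason is logged, and the distinct usernames tried per source separate a username scan from one misconfigured phone.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format, modelled on chan_sip NOTICE lines; adjust to your own logs.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'[^']*<sip:(?P<user>[^@>]+)@[^>]*>' failed for "
    r"'(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$"
)

# Constructed sample lines (documentation addresses), not taken from the post.
SAMPLE = [
    f"[Apr  8 18:55:{i:02d}] NOTICE[2578] chan_sip.c: Registration from "
    f"'\"{100 + i}\" <sip:{100 + i}@203.0.113.5>' failed for '198.51.100.7' - "
    + ("Wrong password" if i % 2 else "No matching peer found")
    for i in range(6)
] + [
    "[Apr  8 18:56:10] NOTICE[2578] chan_sip.c: Registration from "
    "'\"201\" <sip:201@203.0.113.5>' failed for '192.0.2.44' - Wrong password",
]

def scan(lines, max_retry=5, find_time=timedelta(minutes=10), year=2009):
    """Return {ip: {"banned_at", "attempts", "users"}} for sources to ban.

    A source is banned once it has max_retry failures inside find_time.
    The logged reason is ignored, so the count does not change when the
    server answers unknown users and bad passwords identically.
    """
    window = defaultdict(deque)  # ip -> failure timestamps inside find_time
    stats = defaultdict(lambda: {"banned_at": None, "attempts": 0, "users": set()})
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, s = m["ip"], stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        q = window[ip]
        q.append(ts)
        while ts - q[0] > find_time:  # drop failures older than the window
            q.popleft()
        if s["banned_at"] is None and len(q) >= max_retry:
            s["banned_at"] = ts
    return {ip: s for ip, s in stats.items() if s["banned_at"]}

if __name__ == "__main__":
    print(scan(SAMPLE))
```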