Hi,<br><br>there are several possibilities do to it<br><br>REGISTER Username/Extensions Enumeration<br>INVITE Username/Extensions Enumeration<br>OPTION Username/Extensions Enumeration<br><br>for more information:<br><a href="http://www.hackingvoip.com/presentations/sample_chapter3_hacking_voip.pdf">http://www.hackingvoip.com/presentations/sample_chapter3_hacking_voip.pdf</a><br>
<br>rich...<br><br><br><div class="gmail_quote">On Thu, Nov 19, 2009 at 12:46 AM, Rasmus Männa <span dir="ltr"><<a href="mailto:asterisk@razu.pri.ee">asterisk@razu.pri.ee</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div text="#000000" bgcolor="#ffffff">
Hi All,<br>
<br>
I must say that there are many ways to detect password attack cause
this information actually goes into logs and it's possible to analyze
them. Couple of hours thinking + day or 2 creating gives a really nice
result. Bad thing is that by the time someone will start guessing
password with dictionary attack or brute force (it doesn't matter) he
already knows what is the account name/ID. <br>
<br>
All this leads me to question which is (from my point of view) a bit
more important. Is there any way to detect SIP/IAX account guessing
without actually dumping UDP flow ? I tried some _hacking_ tools and
these create only some logs in debug mode. Using debug is not always an
option cause in some cases it creates ~5MB log in a minute - such flow
is quite impossible to handle.<br>
<br>
Does anyone have any experience catching account guessing attempts
automatically ? Any kind of ideas would be wonderful :)<br>
<br>
thx a lot,<br><font color="#888888">
--<br>
razu</font><div><div></div><div class="h5"><br>
<br>
On 11/18/2009 10:01 PM, Ioan Indreias wrote:
<blockquote type="cite">
<div>Hello Xavier,</div>
<div><br>
</div>
<div>Unfortunately we are not aware of any Asterisk configuration
which will protect against of a brute force attack on SIP. </div>
<div><br>
</div>
We use BFD - <a href="http://www.rfxn.com/projects/brute-force-detection/" target="_blank">http://www.rfxn.com/projects/brute-force-detection/</a> .
<div><br>
</div>
<div>We have found first details here: <a href="http://engineertim.com/?cat=15" target="_blank">http://engineertim.com/?cat=15</a> and
we are currently maintaining 4 rules (SIP and IAX) . All of them could
be downloaded from here: <a href="http://www.modulo.ro/Modulo/downloads/tools/tenora.bfd.tar.gz" target="_blank">http://www.modulo.ro/Modulo/downloads/tools/tenora.bfd.tar.gz</a>
<div><br>
</div>
<div>We have tried to document the installation of BFD on an Asterisk
server here: <a href="http://www.modulo.ro/Modulo/ro/Articole/Securitate_pentru_servere_Asterisk.html" target="_blank">http://www.modulo.ro/Modulo/ro/Articole/Securitate_pentru_servere_Asterisk.html</a> (in
Romanian)</div>
<div><br>
</div>
<div><br>
</div>
<div>HTH,</div>
<div>Ioan (Nini) Indreias</div>
<div><a href="http://www.modulo.ro" target="_blank">www.modulo.ro</a></div>
<div><br>
</div>
<div><br>
<div class="gmail_quote">On Mon, Nov 16, 2009 at 7:24 PM, TDF <span dir="ltr"><<a href="mailto:aja101561@gmail.com" target="_blank">aja101561@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">fail2ban<br>
<br>
<a href="http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk" target="_blank">http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk</a><br>
<br>
<br>
<div class="gmail_quote">2009/11/16 Xavier Mesquida <span dir="ltr"><<a href="mailto:xavimes@yahoo.com" target="_blank">xavimes@yahoo.com</a>></span>
<div><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="font-family: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; font-size: inherit; line-height: inherit; font-size-adjust: inherit; font-stretch: inherit;" valign="top">Has Asterisk any protection against brute force attack
for SIP authentication?<br>
Something like a maximum login attempt limit <br>
Thanks<br>
<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
</div>
</div>
<br>
<br>
_______________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a>
--<br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br>
</blockquote>
</div>
<br>
</div>
</div>
<pre><fieldset></fieldset>
_______________________________________________
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a></pre>
</blockquote>
<br>
</div></div></div>
<br>_______________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br></blockquote></div><br>