<p>I don't know if there is a tool to sniff passwords, but did you check in /var/log/asterisk/full? Maybe wireshark can be used for this purpose, but it won't be that straightforward.</p>
<p>Interestingly, I checked the log of my server and found out that I was also under attack yesterday by an Amazon cloud server, IP 184.73.53.22. Thanks to fail2ban the IP was blocked. But I guess I am now used to these attacks as it is routine now, and so far fail2ban is working fine for me. But my server (and now yours too) is in some hackers' list of "asterisk favourites" and will keep coming under attack.</p>
<p>I'll now send an email to Amazon.<br></p>
<p>Zeeshan A Zakaria</p>
<p>--<br>
Sent from my Android phone with K-9 Mail.</p>
<p><blockquote type="cite">On 2010-04-11 9:42 AM, "Norbert Zawodsky" <<a href="mailto:norbert@zawodsky.at">norbert@zawodsky.at</a>> wrote:<br><br>Hello to everyone!<br>
<br>
Same here (Vienna, Austria).<br>
<br>
I had this attack yesterday 6am (local time) from IP 216.105.128.63<br>
<br>
whois 216.105.128.63 returns:<br>
<br>
OrgName: Globalvision<br>
OrgID: ACSIN-3<br>
Address: 78 Global Drive<br>
Address: Suite 101<br>
City: Greenville<br>
StateProv: SC<br>
PostalCode: 29607<br>
Country: US<br>
<br>
NetRange: 216.105.128.0 - 216.105.159.255<br>
CIDR: <a href="http://216.105.128.0/19" target="_blank">216.105.128.0/19</a><br>
NetName: ACSINC-BLK-1<br>
NetHandle: NET-216-105-128-0-1<br>
Parent: NET-216-0-0-0-0<br>
NetType: Direct Allocation<br>
NameServer: <a href="http://NS1.ACSINC.NET" target="_blank">NS1.ACSINC.NET</a><br>
NameServer: <a href="http://NS2.ACSINC.NET" target="_blank">NS2.ACSINC.NET</a><br>
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE<br>
RegDate: 1998-10-19<br>
Updated: 2004-12-08<br>
<br>
OrgTechHandle: HOSTM560-ARIN<br>
OrgTechName: Hostmaster<br>
OrgTechPhone: +1-864-467-1333<br>
OrgTechEmail: <a href="mailto:hostmaster@acsinc.net">hostmaster@acsinc.net</a><br>
<br>
In my case, the attack started at 05:57:45.<br>
<br>
Asterisk: 1.2.12.1<br>
<br>
They sent 14.288 Register requests trying some "common" users like<br>
"test,admin,sip,user,123,1234," and so on.<br>
Then they started just counting up from user "0"<br>
(0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,.....) and this way, they found<br>
valid users until 05:59:09 which is 1 minute and 24 seconds or 170<br>
Registers/second<br>
<br>
After that, they started to send 66.267 registers until 06:24:08 only<br>
with the "found" users with random password combinations. 66.267 reg /<br>
1.499 seconds = 44 regs/second<br>
<br>
A classic "brute force attack". Interesting that the password attacks<br>
came slower than the userid attacks...<br>
<br>
At 6:24:23 asterisk obviously crashed because there were no more log<br>
entries. I noticed the incident because my office phone number was not<br>
reachable when I tried in the morning.<br>
<br>
My phones (SNOMs) all are on the same LAN within a 192.168.X.X address<br>
range. I wonder if everything would become a little bit more secure if I<br>
define them with "host=192.168.X.X" in sip.conf instead of<br>
"host=dynamic". I tried it as a quick shot but it didn't work as they<br>
still try to register. Does someone know if this is possible and<br>
where/how to configure it on the snom side?<br>
<br>
greetings,<br>
<font color="#888888">Norbert<br>
</font></blockquote></p>
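<p>Both messages above describe the same pattern: a burst of REGISTER attempts from one source, first enumerating usernames ("No matching peer found") and then guessing passwords for the accounts it found ("Wrong password"). The script below is an added example, not code from the thread or from the Asterisk or fail2ban projects, showing how that pattern can be pulled out of <code>/var/log/asterisk/full</code> and how the fail2ban-style <code>maxretry</code>/<code>findtime</code> rule decides which source to block. The log lines are constructed samples in the <code>chan_sip.c</code> NOTICE format used by 1.4/1.6-era Asterisk (the exact wording on a 1.2.12 box may differ, so the regex is an assumption), and 203.0.113.5 is a documentation address standing in for the scanner.</p>

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of /var/log/asterisk/full lines (assumed chan_sip NOTICE
# format). 203.0.113.5 enumerates users, then retries a found user's password;
# 192.168.1.20 is a LAN phone with one mistyped secret.
SAMPLE_LOG = """\
[Apr 11 05:57:45] NOTICE[2041] chan_sip.c: Registration from '"test" <sip:test@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Apr 11 05:57:45] NOTICE[2041] chan_sip.c: Registration from '"admin" <sip:admin@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Apr 11 05:57:45] NOTICE[2041] chan_sip.c: Registration from '"0" <sip:0@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Apr 11 05:57:45] NOTICE[2041] chan_sip.c: Registration from '"1" <sip:1@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Apr 11 05:57:46] NOTICE[2041] chan_sip.c: Registration from '"2" <sip:2@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Apr 11 05:57:46] NOTICE[2041] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Apr 11 05:57:46] NOTICE[2041] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Apr 11 05:58:01] NOTICE[2041] chan_sip.c: Registration from '"phone1" <sip:phone1@192.0.2.10>' failed for '192.168.1.20' - Wrong password
"""

# Matches a failed-registration NOTICE and captures timestamp, user, source IP
# and the failure reason (the same two reasons fail2ban's asterisk filter keys on).
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?:\"(?P<user>[^\"]*)\" )?<sip:[^>]*>' failed for "
    r"'(?P<ip>[\d.]+)' - (?P<reason>.+)$"
)


def parse_failures(log_text):
    """Return one dict per failed-registration line; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            # The log carries no year; strptime defaults to 1900, which is fine
            # because only differences between timestamps are used.
            "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            "user": m.group("user") or "",
            "ip": m.group("ip"),
            "reason": m.group("reason"),
        })
    return events


def summarize_by_ip(events):
    """Per-source counts that separate user enumeration from password guessing."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["ip"]].append(e)
    summary = {}
    for ip, evs in per_ip.items():
        users = {e["user"] for e in evs}
        reasons = Counter(e["reason"] for e in evs)
        per_second = Counter(e["ts"] for e in evs)
        summary[ip] = {
            "total": len(evs),
            "unknown_user": reasons["No matching peer found"],   # enumeration phase
            "wrong_password": reasons["Wrong password"],          # guessing phase
            "distinct_users": len(users),
            "numeric_users": sum(u.isdigit() for u in users),    # "0,1,2,3..." sweep
            "peak_per_second": max(per_second.values()),
        }
    return summary


def find_offenders(events, maxretry=5, findtime=60):
    """Sources with more than `maxretry` failures inside any `findtime`-second
    sliding window; the same rule fail2ban applies before banning an IP."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["ip"]].append(e["ts"])
    offenders = []
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 > maxretry:
                offenders.append(ip)
                break
    return sorted(offenders)


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    for ip, s in summarize_by_ip(evs).items():
        print(ip, s)
    print("would ban:", find_offenders(evs))
```

<p>Run against a real <code>full</code> log (<code>parse_failures(open("/var/log/asterisk/full").read())</code>), the summary reproduces the two phases Norbert counted by hand: a high <code>unknown_user</code> count with mostly numeric usernames is the enumeration sweep, and a following run of <code>wrong_password</code> lines against few distinct users is the guessing phase. A LAN phone with a mistyped secret stays under the threshold and is not flagged, which is why the window rule, rather than a single failure, is the right trigger.</p>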