We took a pretty nasty hit one time; a system administrator didn't listen to us about changing the passwords. Luckily they took part of the blame in that, and we split the $1800 it cost us in half. We could have changed them, and she didn't change them, so we were both at fault. <br>
<br>As said previously, fail2ban is a pretty good start. Weak secrets definitely don't help.<br><br>An interesting project to look into, and one I'm working with right now: I've got a honeypot set up in the wild, but haven't gotten anything really worthwhile yet...<br>
<br><a href="http://www.infiltrated.net/voipabuse/defensive.html">http://www.infiltrated.net/voipabuse/defensive.html</a><br><br>I'd also suggest, if you don't *have* to have international dialing on the trunk, turn it off, put a PIN on it, or just send it to a dummy trunk that doesn't do anything or route anywhere.<br>
<br>I really hope this helps, and best of luck with cleaning up from the aftermath. I know ours was a pretty good wake-up call for us to really start locking things down.<br><br>I know it's lame, but from Network Security Hacks:<br>
<br><h2><font size="2">Security isn't a noun, it's a verb; not a product, but a process</font></h2><br>--Matt<br><br><br><div class="gmail_quote">On Fri, Oct 15, 2010 at 11:50 AM, Jeff LaCoursiere <span dir="ltr"><<a href="mailto:jeff@sunfone.com">jeff@sunfone.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div><div></div><div class="h5">On Fri, 2010-10-15 at 11:20 -0400, Steve Totaro wrote:<br>
<br>
> This is nothing new. Trunk to trunk transfers and other exploits<br>
> could be used on old school phone systems to do the same thing.<br>
><br>
> I would start with getting the current balance, if over $10k call the<br>
> FBI, call them anyways, it couldn't hurt. You want the Feds to check<br>
> things out before local police if possible.<br>
><br>
> Gather as much info as possible, along with police and FBI case<br>
> numbers and then call the carrier and see what can be done.<br>
><br>
> A friend of mine took what was supposed to be my one month rotation to<br>
> Iraq. I had too much going on to be in Iraq for a month and a half<br>
> and had taken the last rotation so it wasn't even my turn.<br>
><br>
> The phone bill came for his cell (company provided on Asia Cell) for<br>
> $4k in just a couple weeks. It turns out that he was not using the<br>
> cell and one of the cleaning people stole his SIM.<br>
><br>
> After contacting Asia Cell a few times about the matter, they credited<br>
> the whole amount back. So you never know.<br>
><br>
> As for security, I assume you need to allow these extensions to<br>
> register from outside the LAN? If not, then only allow them to<br>
> register via a LAN IP, I would do it with iptables, only allow the<br>
> provider IP through.<br>
><br>
> I am curious what your user:pass was? something like 1000:1000, I see<br>
> many systems set up like this and am surprised they haven't been hit<br>
> yet.<br>
><br>
> In the future, you could use a scheme that makes it much more secure<br>
> and also pretty easy to maintain.<br>
><br>
> The username could be the MAC and the pass could be the serial number<br>
> or asset tags if you use them.<br>
><br>
> I know there must be dozens of people reading this that have had the<br>
> same issue but are embarrassed to speak up.<br>
><br>
<br>
</div></div>Thanks Steve - that is the kind of advice I was looking for. I'm<br>
willing to take my lumps for the weak passwords on those accounts, and<br>
the lack of any filtering. I do understand the issues and the steps I<br>
need to take to better secure the switches in service, and just need to<br>
get off my a$$ and do it.<br>
<br>
Mainly I am hoping to hear from someone who has gone through the<br>
aftermath - as you mention above. So far I have had a discussion with<br>
the carrier who is "opening an investigation". I'll contact the FBI<br>
today as well. I'll send an update when this is all over for posterity.<br>
<div class="im"><br>
<br>
> (BTW Sierra Leone is in West Africa, not the Middle East.)<br>
><br>
<br>
</div>True ;) Most of the calls were Iraq, UAE, Lebanon... Found another one<br>
today that was 2.5 DAYS long to Chile. Bizarre.<br>
<div><div></div><div class="h5"><br>
j<br>
</div></div></blockquote></div><br>
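Two of the mitigations discussed in the thread (only letting extensions register from the LAN, and taking international dialing off the default route or behind a PIN) written out as Asterisk chan_sip and dialplan configuration. This is an added example, not configuration from anyone in the thread; the extension number, secret, network range, trunk name and PIN are placeholders you would replace with your own.

```ini
; --- sip.conf (chan_sip) --- added example; all names and addresses are placeholders
[general]
alwaysauthreject=yes      ; same reply for unknown user and wrong password: no user enumeration
allowguest=no             ; unauthenticated INVITEs are dropped, not sent to a context

[1000]
type=friend
secret=CHANGE_ME_long_random_secret   ; not 1000:1000
host=dynamic
context=internal-only     ; this peer cannot reach the international context at all
deny=0.0.0.0/0.0.0.0      ; deny registration from everywhere ...
permit=192.168.1.0/255.255.255.0   ; ... except the office LAN (placeholder range)
call-limit=2              ; a stolen credential cannot open dozens of parallel calls

; --- extensions.conf ---
[internal-only]
; 4-digit local extensions
exten => _XXXX,1,Dial(SIP/${EXTEN},20)
 same => n,Hangup()
; domestic (NANP) numbers go out the trunk
exten => _1NXXNXXXXXX,1,Dial(SIP/trunk-placeholder/${EXTEN})
 same => n,Hangup()
; international (011 prefix): refuse and log, never route
exten => _011.,1,NoOp(Blocked international attempt from ${CALLERID(num)} to ${EXTEN})
 same => n,Playback(ss-noservice)
 same => n,Hangup()
; anything that matched nothing above: hang up instead of falling through to a trunk
exten => _X.,1,Hangup()

[international-pin]
; give this context only to the few peers that really need international dialing;
; the context's own patterns are matched before the include, so _011. wins here
include => internal-only
exten => _011.,1,Authenticate(1234,,4)   ; placeholder PIN; three failures hang up the call
 same => n,Dial(SIP/trunk-placeholder/${EXTEN})
 same => n,Hangup()
```

Pair this with fail2ban watching the Asterisk security log for the repeated registration failures that precede a credential guess, and review CDRs for calls whose duration or destination does not fit normal usage (the 2.5-day call to Chile mentioned above would stand out immediately).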