<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font size="+1">Changing from 5060 is very effective.<br>
Sure, someone with the knowledge could try all the ports IF they
know you are even running SIP, but it certainly will stop most of
these idiots.<br>
<br>
That, along with fail2ban and not using numbers for device user names,
will all help.<br>
<br>
Using IAX where possible also can be very effective.<br>
<br>
John Novack<br>
</font>
<div class="moz-cite-prefix">Steve Murphy wrote:<br>
</div>
<blockquote
cite="mid:CAPPCp8FRV6oe1Nokv-ecT4sYGc9qzh2KkqxAkB_g9b+0iQYPYw@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Sat, Jan 18, 2014 at 3:59 PM,
Steve Edwards <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:asterisk.org@sedwards.com" target="_blank">asterisk.org@sedwards.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On Sat, 18 Jan 2014, Jerry Geis wrote:<br>
<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">
I see MANY of these in my log files:<br>
<br>
[Jan 15 03:06:12] NOTICE[14129] chan_sip.c:
Registration from '"202" <sip:202@X:5060>'
failed for '37.8.12.147:26832' - Wrong password<br>
<br>
</div>
<div class="im">
What is the "correct" way to block these idiots so
they<br>
don't even get this far?<br>
</div>
</blockquote>
<br>
Use iptables to allow packets from your legitimate users,
block everybody else.<br>
<br>
If you are dealing with a mobile user base or an extensive
geographic area, at least block the countries where you do
not expect traffic -- North Korea, China, xxxistan, etc.<br>
<br>
Drop these at the front door (90% of the problem) and use
fail2ban to pick off the rest.<span class="HOEnZb"></span></blockquote>
<div class="gmail_default" style="font-family:courier
new,monospace;display:inline">
<br>
<div class="gmail_default" style="font-family:courier
new,monospace;display:inline">I see a problem here; firstly that it is
no longer so simple to determine the IP ranges of countries. Things have
been fractured quite a bit; you might have to hire out a service to
determine true geographic origination. Even then, if your service is a
little behind, you might occasionally feel the displeasure of users
unable to talk to your servers. How will you handle this, with a
whitelist? How much effort will you end up committing to keeping your
whitelist up to date?<br>
<br>
Nextly, the well-financed operations running such probes need not use
machines in their native countries. There are plenty of US-based
machines that can be (and are) compromised.</div>
<br>
<br>
<div class="gmail_default" style="font-family:courier
new,monospace">In other words, don't forget the
fail2ban part!<br>
<br>
</div>
<div class="gmail_default" style="font-family:courier
new,monospace">Here's another idea! How about changing your port from
5060 to something different, maybe 7067 or some other number that is
not popularly being used? You'll provision your phones to use this
port, and the scanners will not find you. Seems a much simpler
solution... but there are some drawbacks... can anyone think of them?
And will these drawbacks matter to you? And, given this solution, will
the odds that a scanner might find your machine be so low that it is
not worth using something like fail2ban to override them? Food for
thought!<br>
<br>
</div>
<div class="gmail_default" style="font-family:courier
new,monospace">murf<br>
<br>
</div>
</div>
</div>
-- <br>
<div dir="ltr"><br>
Steve Murphy<br>
ParseTree Corporation<br>
57 Lane 17<br>
Cody, WY 82414<br>
✉ murf at parsetree dot com<br>
☎ 307-899-5535<br>
<br>
<br>
</div>
</div>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="10000">--
Dog is my Co-pilot</pre>
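<font size="+1">An added example, not code from this thread and not fail2ban's own code: the kind of detection fail2ban applies to the chan_sip "Registration from ... failed for ... - Wrong password" NOTICE lines quoted above, implemented as a sliding-window count of failures per source address using fail2ban's usual maxretry/findtime thresholds, followed by the DROP rules a ban action would push into iptables. The sample log lines are constructed (RFC 5737 documentation addresses) and modelled on the line in the thread; the chain name asterisk-sip, the thresholds and the year handed to the parser are assumptions, since Asterisk's default log timestamp carries no year.</font><br>

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the chan_sip registration-failure NOTICE lines quoted in the thread.
LOG_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<user>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' - (?P<reason>.+)$"
)

# Constructed sample log: one noisy scanner, one user mistyping a password,
# one slow prober spaced 30 minutes apart, and one unrelated line.
SAMPLE_LOG = """\
[Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from '"202" <sip:202@X:5060>' failed for '192.0.2.10:26832' - Wrong password
[Jan 15 03:06:13] NOTICE[14129] chan_sip.c: Registration from '"203" <sip:203@X:5060>' failed for '192.0.2.10:26832' - Wrong password
[Jan 15 03:06:14] NOTICE[14129] chan_sip.c: Registration from '"204" <sip:204@X:5060>' failed for '192.0.2.10:26832' - No matching peer found
[Jan 15 03:06:15] NOTICE[14129] chan_sip.c: Registration from '"205" <sip:205@X:5060>' failed for '192.0.2.10:26832' - Wrong password
[Jan 15 03:06:16] NOTICE[14129] chan_sip.c: Registration from '"206" <sip:206@X:5060>' failed for '192.0.2.10:26832' - Wrong password
[Jan 15 03:06:17] NOTICE[14129] chan_sip.c: Registration from '"207" <sip:207@X:5060>' failed for '192.0.2.10:26832' - Wrong password
[Jan 15 03:07:00] NOTICE[14129] chan_sip.c: Registration from '"101" <sip:101@X:5060>' failed for '198.51.100.7:5060' - Wrong password
[Jan 15 03:07:05] NOTICE[14129] chan_sip.c: Registration from '"101" <sip:101@X:5060>' failed for '198.51.100.7:5060' - Wrong password
[Jan 15 03:07:09] NOTICE[14129] chan_sip.c: Registration from '"101" <sip:101@X:5060>' failed for '198.51.100.7:5060' - Wrong password
[Jan 15 03:10:00] NOTICE[14129] chan_sip.c: Registration from '"300" <sip:300@X:5060>' failed for '203.0.113.5:5060' - Wrong password
[Jan 15 03:40:00] NOTICE[14129] chan_sip.c: Registration from '"301" <sip:301@X:5060>' failed for '203.0.113.5:5060' - Wrong password
[Jan 15 04:10:00] NOTICE[14129] chan_sip.c: Registration from '"302" <sip:302@X:5060>' failed for '203.0.113.5:5060' - Wrong password
[Jan 15 04:40:00] NOTICE[14129] chan_sip.c: Registration from '"303" <sip:303@X:5060>' failed for '203.0.113.5:5060' - Wrong password
[Jan 15 05:10:00] NOTICE[14129] chan_sip.c: Registration from '"304" <sip:304@X:5060>' failed for '203.0.113.5:5060' - Wrong password
[Jan 15 05:11:00] VERBOSE[14129] chan_sip.c: Registered SIP '101' at 198.51.100.7:5060
"""


def parse_line(line, year=2014):
    """Return a dict for a registration-failure line, or None for any other line.
    The year is an assumption: Asterisk's default timestamp does not include it."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m.group("ip"), "user": m.group("user"), "reason": m.group("reason")}


def find_offenders(lines, maxretry=5, findtime_s=600, year=2014):
    """fail2ban-style sliding window: a source IP is flagged once it accumulates
    maxretry failures inside any findtime_s-second window (lines are assumed to
    be in chronological order, as in a log file).
    Returns {ip: timestamp of the failure that crossed the threshold}."""
    recent = defaultdict(deque)  # per-IP failure timestamps still inside the window
    flagged = {}
    for line in lines:
        ev = parse_line(line, year)
        if ev is None or ev["ip"] in flagged:
            continue
        window = recent[ev["ip"]]
        window.append(ev["ts"])
        # Expire failures older than findtime before counting, so a slow prober
        # spaced wider than the window never reaches the threshold.
        while (ev["ts"] - window[0]).total_seconds() > findtime_s:
            window.popleft()
        if len(window) >= maxretry:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


def iptables_rules(flagged, chain="asterisk-sip"):
    """Render the DROP rules a ban action would apply; the chain name is an assumption."""
    return [f"iptables -I {chain} 1 -s {ip} -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    for rule in iptables_rules(find_offenders(SAMPLE_LOG.splitlines())):
        print(rule)
```

With the defaults only the scanner at 192.0.2.10 is flagged: the mistyped password from 198.51.100.7 stays under maxretry, and the prober at 203.0.113.5 never has more than one failure inside a 600-second window. Lowering maxretry to 3 catches the genuine user as well, which is the trade-off behind tuning these two numbers; the window expiry is also why a probe slowed down below the findtime rate goes unnoticed by this check alone, so the iptables allow-list and the non-default port discussed in the thread remain complementary rather than redundant.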
</body>
</html>