<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <font size="+1">Changing from 5060 is very effective.<br>
      Sure, someone with the knowledge could try all the ports IF they
      know you are even running SIP, but it certainly will stop most of
      these idiots.<br>
      <br>
      That, along with fail2ban and not using numbers for device user names,
      will all help.<br>
      <br>
      Using IAX where possible also can be very effective.<br>
      <br>
      John Novack<br>
    </font>
    <div class="moz-cite-prefix">Steve Murphy wrote:<br>
    </div>
    <blockquote
cite="mid:CAPPCp8FRV6oe1Nokv-ecT4sYGc9qzh2KkqxAkB_g9b+0iQYPYw@mail.gmail.com"
      type="cite">
      <div dir="ltr"><br>
        <div class="gmail_extra"><br>
          <br>
          <div class="gmail_quote">On Sat, Jan 18, 2014 at 3:59 PM,
            Steve Edwards <span dir="ltr">&lt;<a moz-do-not-send="true"
                href="mailto:asterisk.org@sedwards.com" target="_blank">asterisk.org@sedwards.com</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div class="im">On Sat, 18 Jan 2014, Jerry Geis wrote:<br>
                <br>
              </div>
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex">
                <div class="im">
                  I see MANY of these in my log files:<br>
                  <br>
                  [Jan 15 03:06:12] NOTICE[14129] chan_sip.c:
                  Registration from '"202" &lt;sip:202@X:5060&gt;'
                  failed for '<a moz-do-not-send="true"
                    href="http://37.8.12.147:26832" target="_blank">37.8.12.147:26832</a>'
                  - Wrong password<br>
                  <br>
                </div>
                <div class="im">
                  What is the "correct" way to block these idiots so
                  they<br>
                  don't even get this far?<br>
                </div>
              </blockquote>
              <br>
              Use iptables to allow packets from your legitimate users,
              block everybody else.<br>
              <br>
              If you are dealing with a mobile user base or an extensive
              geographic area, at least block the countries where you do
              not expect traffic -- North Korea, China, xxxistan, etc.<br>
              <br>
              Drop these at the front door (90% of the problem) and use
              fail2ban to pick off the rest.</blockquote>
            <div class="gmail_default" style="font-family:courier
              new,monospace;display:inline">
              <br>
              <div class="gmail_default" style="font-family:courier
                new,monospace;display:inline">I see a problem here;
                firstly that it is no longer so simple to determine<br>
              </div>
              <div class="gmail_default" style="font-family:courier
                new,monospace;display:inline">
                the IP ranges of countries. Things have been fractured
                quite a bit; you<br>
              </div>
              <div class="gmail_default" style="font-family:courier
                new,monospace;display:inline">might have to hire out a
                service to determine true geographic origination.<br>
              </div>
              <div class="gmail_default" style="font-family:courier
                new,monospace;display:inline">Even then, if your service
                is a little behind, you might occasionally<br>
              </div>
              <div class="gmail_default" style="font-family:courier
                new,monospace;display:inline">
                feel the displeasure of users unable to talk to your
                servers. How will you<br>
              </div>
              <div class="gmail_default" style="font-family:courier
                new,monospace;display:inline">handle this, with a
                white-list? How much effort will you end up committing<br>
              </div>
              <div class="gmail_default" style="font-family:courier
                new,monospace;display:inline">to keeping your whitelist
                up to date?<br>
              </div>
              <div class="gmail_default" style="font-family:courier
                new,monospace;display:inline">
                <br>
              </div>
              <div class="gmail_default" style="font-family:courier
                new,monospace;display:inline">Nextly, the well-financed
                operations running such probes need not use<br>
              </div>
              <div class="gmail_default" style="font-family:courier
                new,monospace;display:inline">
                machines in their native countries. There are plenty of
                US-based <br>
              </div>
              <div class="gmail_default" style="font-family:courier
                new,monospace;display:inline">machines that can be (and
                are) compromised.</div>
               <br>
              <br>
              <div class="gmail_default" style="font-family:courier
                new,monospace">In other words, don't forget the
                fail2ban part!<br>
                <br>
              </div>
              <div class="gmail_default" style="font-family:courier
                new,monospace">Here's another idea! How about changing
                your port from 5060 to something<br>
              </div>
              <div class="gmail_default" style="font-family:courier
                new,monospace">different, maybe 7067 or some other
                number that is not popularly being used?<br>
              </div>
              <div class="gmail_default" style="font-family:courier
                new,monospace">
                You'll provision your phones to use this port, and the
                scanners will not<br>
              </div>
              <div class="gmail_default" style="font-family:courier
                new,monospace">find you. Seems a much simpler
                solution... but there are some drawbacks...<br>
              </div>
              <div class="gmail_default" style="font-family:courier
                new,monospace">can anyone think of them? And will these
                drawbacks matter to you? And, given<br>
              </div>
              <div class="gmail_default" style="font-family:courier
                new,monospace">
                this solution, will the odds that a scanner might find
                your machine be so low,<br>
                that it is not worth using something like fail2ban to
                override them? Food<br>
                for thought!<br>
              </div>
              <div class="gmail_default" style="font-family:courier
                new,monospace">
                <br>
              </div>
              <div class="gmail_default" style="font-family:courier
                new,monospace">murf<br>
                <br>
              </div>
            </div>
          </div>
          -- <br>
          <div dir="ltr"><br>
            Steve Murphy<br>
            ParseTree Corporation<br>
            57 Lane 17<br>
            Cody, WY 82414<br>
            ✉  murf at parsetree dot com<br>
            ☎ 307-899-5535<br>
            <br>
            <br>
          </div>
        </div>
      </div>
      <br>
      <br>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="10000">-- 

Dog is my Co-pilot</pre>
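    <p>The replies above lean on fail2ban to catch whatever gets past the
      firewall. The sketch below is an added example, not part of any message
      in this thread and not fail2ban's own code: it applies the same
      threshold-in-a-time-window idea to the chan_sip log line quoted by the
      original poster. <code>maxretry</code> and <code>findtime</code> are
      named after the fail2ban settings; the <code>year</code> argument, the
      <code>sample()</code> helper and the documentation-range IP addresses are
      assumptions made for the example.</p>
<pre>
```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Groups: 1 timestamp, 2 From header, 3 source IP, 4 source port, 5 reason.
FAILED_REG = re.compile(
    r"^\[(\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(.*)' failed for '([\d.]+):(\d+)' - (.+)$"
)

def parse(line, year=2014):
    """Return (time, from_header, ip, reason); the log has no year, so it is passed in."""
    m = FAILED_REG.match(line.strip())
    if m is None:
        return None          # not a failed-registration notice
    when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return when, m.group(2), m.group(3), m.group(5)

def offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Map each IP with maxretry failures inside findtime to the time it crossed."""
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    flagged = {}                  # ip -> time the threshold was first reached
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue
        when, _from, ip, _reason = hit
        window = recent[ip]
        window.append(when)
        while when - window[0] > findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            flagged.setdefault(ip, when)
    return flagged

# Constructed sample lines in the format quoted in the thread; \x3c and \x3e
# are the angle brackets around the SIP URI.
def sample(ts, ext, src):
    return (f"[{ts}] NOTICE[14129] chan_sip.c: Registration from '\"{ext}\" "
            f"\x3csip:{ext}@X:5060\x3e' failed for '{src}' - Wrong password")

SAMPLE = [
    sample("Jan 15 03:06:12", "202", "198.51.100.7:26832"),    # scanner walking
    sample("Jan 15 03:06:13", "203", "198.51.100.7:26832"),    # numeric extensions
    sample("Jan 15 03:06:15", "204", "198.51.100.7:26833"),
    sample("Jan 15 03:10:00", "alice-desk", "203.0.113.20:5060"),  # sparse typos
    sample("Jan 15 04:30:00", "alice-desk", "203.0.113.20:5060"),
    sample("Jan 15 05:45:00", "alice-desk", "203.0.113.20:5060"),
]
```
</pre>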
  </body>
</html>