<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
On 20/02/14 11:27, Brynjolfur Thorvardsson wrote:
<blockquote cite="mid:009301cf2e2e$bdd06c00$39714400$@binni.eu"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-GB">Hi all<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">We have an Asterisk
server that’s been running for a few years now without
problems. We have IPTables running, as well as fail2ban and
have followed all the security recommendations we have
found.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Every few weeks we get
an attack that lasts about a minute or two, resulting in our
AGI script being overloaded. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">What happens is that
somebody seems to be trying to connect from our server – in
my cdrs log I can see that they use a four digit number for
source, destination and caller id, e.g.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">clid: 7321<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">src: 7321<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">dst: 7321<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">channel:
SIP/xx.xx.xx.xx-aaaaaaaa<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">xx.xx.xx.xx is our
server IP. When one of our registered users makes a call the
channel is SIP/yyyyyyyy-aaaaaaaa where yyyyyyyy is the SIP
user ID.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">So it looks like a SIP
phone trying to call itself, using our Asterisk server IP as
SIP user name.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Within a couple of
minutes the attacker seems to go through some 10000
attempts, resulting in our AGI script collapsing from the
load. My Asterisk full log shows something like:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> -- Executing
[7321@sip:1] Answer("SIP/xx.xx.xx.xx-b0828f20", "") in new
stack<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> -- Executing
[7321@sip:2] AGI("SIP/ xx.xx.xx.xx -b0828f20", "agi://
xx.xx.xx.xx ") in new stack<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> -- Executing
[7321@sip:3] Hangup("SIP/ xx.xx.xx.xx -b6130f70", "") in new
stack<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> == Spawn extension
(sip, 7321, 3) exited non-zero on 'SIP/ xx.xx.xx.xx
-b6130f70'<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> > cdr_odbc:
Query Successful!<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> -- AGI Script agi://
xx.xx.xx.xx completed, returning 0<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Our AGI script refuses
to call “illegal” numbers, while our Asterisk dialplan is a
bit more accommodating, mostly because I have had problems
figuring out the order in which to put the various rules (I
might have another look at that!)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Does anybody know how to
stop this from happening? I can’t find the attacker’s IP
address in my logs, and these attacks happen infrequently
and are over quickly, so I haven’t had an opportunity
to run sip debug during an attack, and I don’t want to have
it running all the time.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Best regards<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Binni<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:DA"
lang="EN-GB">Brynjólfur Þorvarðsson<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:DA"
lang="EN-GB">IT Consultant<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:DA"
lang="EN-GB">Tlf. +45 88321688<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
I have this in my extensions.conf :-<br>
<br>
[default]<br>
; all unauthenticated connection attempts from the internet come in
here.<br>
exten => _[+*#0-9].,1,NoOp(Unauthenticated call attempt -
${SIP_HEADER(Contact)})<br>
exten => _[+*#0-9].,n,Congestion<br>
<br>
Then in fail2ban I have the extra line added to the failregex so it
is now :-<br>
<br>
failregex = Registration from .* failed for \'&lt;HOST&gt;\' - Wrong password<br>
Registration from .* failed for \'&lt;HOST&gt;\' - No matching<br>
Unauthenticated call attempt .*\@&lt;HOST&gt;\:<br>
<br>
That seems to work pretty well for me. Assuming the attacks are
unauthenticated, why are you accepting them and running an AGI script
rather than rejecting them earlier?<br>
If you need to allow anonymous inbound calls (which is required in
some cases), then I would have the AGI detect them and write an
output to verbose() with the SIP_HEADER(Contact) or any other header
which correctly indicates the origin of the packet.<br>
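<br>
As an added example (not code from either message in this thread, nor from fail2ban or Asterisk), the Python script below shows what fail2ban does with the three failregex lines quoted above: each &lt;HOST&gt; placeholder is expanded into a named group, every log line is tried against the rules, and a host is banned once it collects maxretry hits inside a findtime window. The log lines are constructed for this example (documentation-range addresses, xx.xx.xx.xx standing for the PBX's own address as in the thread); the exact text fail2ban substitutes for &lt;HOST&gt; is an assumption, as is the dialplan context name in the NoOp lines.<br>

```python
"""Fail2ban-style processing of the three failregex lines from the reply,
run over constructed Asterisk log lines. Added example; not thread code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban substitutes a named group for the <HOST> placeholder. This is the
# classic IPv4/hostname expansion (assumed here; the group name 'host' is
# what the rest of the script relies on).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex lines exactly as posted in the reply, with <HOST> expanded.
FAILREGEX = [
    r"Registration from .* failed for \'" + HOST + r"\' - Wrong password",
    r"Registration from .* failed for \'" + HOST + r"\' - No matching",
    r"Unauthenticated call attempt .*\@" + HOST + r"\:",
]

# Variant that also accepts a ':port' after the address in the registration
# lines, for Asterisk releases that log "failed for '1.2.3.4:5060'".
PORT_TOLERANT = [p.replace(r"\' -", r"(?::\d+)?\' -") for p in FAILREGEX]

# Constructed sample of an Asterisk "full" log (not real captured output).
SAMPLE_LOG = """\
[2014-02-20 11:27:01] NOTICE[2012] chan_sip.c: Registration from '<sip:7321@xx.xx.xx.xx>' failed for '203.0.113.45' - Wrong password
[2014-02-20 11:27:02] NOTICE[2012] chan_sip.c: Registration from '<sip:7321@xx.xx.xx.xx>' failed for '203.0.113.45' - No matching peer found
[2014-02-20 11:27:03] VERBOSE[2012] pbx.c:     -- Executing [7321@default:1] NoOp("SIP/xx.xx.xx.xx-b0828f20", "Unauthenticated call attempt - <sip:7321@203.0.113.45:5060>") in new stack
[2014-02-20 11:27:04] VERBOSE[2012] pbx.c:     -- Executing [7321@default:1] NoOp("SIP/xx.xx.xx.xx-b0828f21", "Unauthenticated call attempt - <sip:7321@203.0.113.45:5060>") in new stack
[2014-02-20 11:27:05] VERBOSE[2012] pbx.c:     -- Executing [1000@from-internal:1] Dial("SIP/1000-00000001", "SIP/2000") in new stack
[2014-02-20 11:29:10] NOTICE[2012] chan_sip.c: Registration from '<sip:1000@xx.xx.xx.xx>' failed for '198.51.100.7:5060' - Wrong password
"""


def parse_timestamp(line):
    """Return the datetime from a '[YYYY-mm-dd HH:MM:SS]' log prefix, else None."""
    m = re.match(r"\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]", line)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None


def match_failures(lines, patterns=FAILREGEX):
    """Return (timestamp, host, rule_index) for every line some rule matches.
    As in fail2ban, the first matching rule wins; one hit per line."""
    compiled = [re.compile(p) for p in patterns]
    hits = []
    for line in lines:
        for idx, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                hits.append((parse_timestamp(line), m.group("host"), idx))
                break
    return hits


def hosts_to_ban(hits, maxretry=3, findtime=timedelta(seconds=600)):
    """fail2ban's rule: ban a host once it has maxretry hits inside any
    window no longer than findtime."""
    by_host = defaultdict(list)
    for ts, host, _ in hits:
        by_host[host].append(ts)
    banned = set()
    for host, times in by_host.items():
        times.sort()
        for start in range(len(times) - maxretry + 1):
            if times[start + maxretry - 1] - times[start] <= findtime:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ts, host, idx in match_failures(lines):
        print(ts, host, "matched rule", idx + 1)
    print("ban with rules as posted:", hosts_to_ban(match_failures(lines)))
    print("ban with port-tolerant rules:",
          hosts_to_ban(match_failures(lines, PORT_TOLERANT)))
```

Two things the sample makes visible: the last registration failure carries a port after the address, so the first two rules as posted never count it and only the PORT_TOLERANT variant does; and the third rule ends in a literal colon, so it only fires when the Contact header has an explicit port after the host.<br>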
</body>
</html>