On 20/02/14 11:27, Brynjolfur Thorvardsson wrote:
Hi all
We have an Asterisk server that's been running for a few years now
without problems. We have IPTables running, as well as fail2ban and
have followed all the security recommendations we have found.
Every few weeks we get an attack that lasts about a minute or two,
resulting in our AGI script being overloaded.
What happens is that somebody seems to be trying to connect from our
server -- in my cdrs log I can see that they use a four-digit number
for source, destination and caller id, e.g.
clid: 7321
src: 7321
dst: 7321
channel: SIP/xx.xx.xx.xx-aaaaaaaa
xx.xx.xx.xx is our server IP. When one of our registered users makes a
call the channel is SIP/yyyyyyyy-aaaaaaaa where yyyyyyyy is the SIP
user ID.
So it looks like a SIP phone trying to call itself, using our Asterisk
server IP as SIP user name.
Within a couple of minutes the attacker seems to go through some 10000
attempts, resulting in our AGI script collapsing from the load. My
Asterisk full log shows something like:
-- Executing [7321@sip:1] Answer("SIP/xx.xx.xx.xx-b0828f20", "") in new stack
-- Executing [7321@sip:2] AGI("SIP/xx.xx.xx.xx-b0828f20", "agi://xx.xx.xx.xx") in new stack
-- Executing [7321@sip:3] Hangup("SIP/xx.xx.xx.xx-b6130f70", "") in new stack
== Spawn extension (sip, 7321, 3) exited non-zero on 'SIP/xx.xx.xx.xx-b6130f70'
> cdr_odbc: Query Successful!
-- AGI Script agi://xx.xx.xx.xx completed, returning 0
Our AGI script refuses to call "illegal" numbers, while our Asterisk
dialplan is a bit more accommodating, mostly because I have had
problems figuring out the order in which to put the various rules (I
might have another look at that!)
Does anybody know how to stop this from happening -- I can't find the
attacker's IP number in my logs, and these attacks happen infrequently
and are over quickly, so I haven't had an opportunity to run sip
debug during an attack, and I don't want to have it running all the time.
Best regards
Binni
Brynjólfur Þorvarðsson
IT Consultant
Tlf. +45 88321688
I have this in my extensions.conf :-
[default]
; all unauthenticated connection attempts from the internet come in here.
exten => _[+*#0-9].,1,NoOp(Unauthenticated call attempt - ${SIP_HEADER(Contact)})
exten => _[+*#0-9].,n,Congestion
Then in fail2ban I have the extra line added to the failregex, so it is
now :-
failregex = Registration from .* failed for \'<HOST>\' - Wrong password
            Registration from .* failed for \'<HOST>\' - No matching
            Unauthenticated call attempt .*\@<HOST>\:
That seems to work pretty well for me. Assuming the attacks are
unauthenticated, why are you accepting them and running an AGI script
instead of rejecting them earlier?
If you need to allow anonymous inbound calls (which is required in some
cases), then I would have the AGI detect them and write an output to
verbose() with the SIP_HEADER(Contact) or any other header which
correctly indicates the origin of the packet.
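Added example, not from either poster: a small Python check that applies the three failregex lines above to constructed Asterisk log lines and tallies hits per extracted host, so the filter can be verified before it is handed to fail2ban. The `<HOST>` expansion is a simplified stand-in for fail2ban's own, and the constructed registration lines have no ':port' suffix inside the quotes (some Asterisk releases append one, which these two registration patterns would not match).

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 or
# hostname characters only, stopping before the ':' or quote that follows).
HOST_RE = r"(?P<host>[\w\-.]*\w)"

# The failregex lines exactly as posted in the reply above.
FAILREGEX = [
    r"Registration from .* failed for \'<HOST>\' - Wrong password",
    r"Registration from .* failed for \'<HOST>\' - No matching",
    r"Unauthenticated call attempt .*\@<HOST>\:",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

# Constructed sample log lines; the addresses are documentation ranges.
UNAUTH = ('[Feb 20 11:27:0{n}] VERBOSE[2231] pbx.c:     -- Executing '
          '[7321@default:1] NoOp("SIP/198.51.100.7-0000001{n}", '
          '"Unauthenticated call attempt - <sip:7321@198.51.100.7:5060>") in new stack')
SAMPLE_LINES = [
    "[Feb 20 11:27:03] NOTICE[2231] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.5>' "
    "failed for '203.0.113.5' - Wrong password",
    "[Feb 20 11:27:04] NOTICE[2231] chan_sip.c: Registration from '\"101\" <sip:101@203.0.113.5>' "
    "failed for '203.0.113.5' - No matching peer found",
    # The Congestion step logs no Contact header, so it must not count as a hit.
    '[Feb 20 11:27:05] VERBOSE[2231] pbx.c:     -- Executing [7321@default:2] '
    'Congestion("SIP/198.51.100.7-00000012", "") in new stack',
] + [UNAUTH.format(n=n) for n in range(5)]


def match_host(line):
    """Return the host a failregex line extracts from this log line, or None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def count_hosts(lines):
    """Tally matching log lines per extracted host, as fail2ban would."""
    return Counter(h for h in map(match_host, lines) if h)


def offenders(lines, maxretry=5):
    """Hosts that reached maxretry hits, i.e. would be banned by the jail."""
    return {h: n for h, n in count_hosts(lines).items() if n >= maxretry}


if __name__ == "__main__":
    print(count_hosts(SAMPLE_LINES))        # Counter({'198.51.100.7': 5, '203.0.113.5': 2})
    print(offenders(SAMPLE_LINES, 3))       # {'198.51.100.7': 5}
```

Point the same check at a real `/var/log/asterisk/full` with the dialplan change in place and the tallies show which Contact-header hosts fail2ban would act on.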
--
asterisk-users mailing list