Re: [asterisk-users] Hack attempt sequential config file read looking for valid files.

Exactly. If one's external access control is set correctly, you should basically never see any outside attack traffic at your Asterisk box (you'll see it in the firewall logs instead). Following the concept of "least privileges" is where you should start if you have Asterisk attached to a SIP service you pay for. If you have one SIP provider, the only IP address (or IP pool/range) that should talk to your Asterisk box from outside your firewall is exclusively the servers of your SIP provider. Everything else should be "dropped" (no response at all).

Google "GRC Shields Up" and run that free port scanner to see what you have open, closed or what they call "stealth" (dropped). If a firewall is set up correctly, port 5060 should appear "stealth" from any IP address other than your service provider. You can also Shodan yourself: https://www.shodan.io/host{yourPublicIP} - but Shodan doesn't tell you whether the packets are dropped or rejected. In general you want your public IP to only show services on Shodan that you intend every random request to get access to - for example a public web server on ports 80 and 443.

It's a good idea to review these resources often (once a quarter, once a month, once a week - your choice), especially after any software or hardware changes on your network. You may find something has been misconfigured at installation that you would need to address.

Best
-Tim

--
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
Check out the new Asterisk community forum at: https://community.asterisk.org/
New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started
asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Hack attempt sequential config file read looking for valid files.

Hi David, Tim,

Try to use Fail2Ban as a last resort. Fail2Ban is a reactive approach that permits the traffic AND ONLY BLOCKS it after a certain level is triggered.

Use iptables to block the unused services facing public networks like the Internet. And configure these services properly, so they listen only on selected interfaces and IPs, and not on 0.0.0.0.

--
GnuPG Key ID: 0x39BCA9D8
https://www.github.com/mefhigoseth
...:::[ God Rulz ! ]:::...
Re: [asterisk-users] Hack attempt sequential config file read looking for valid files.

Is that IP in your network or outside (I can ping it so I'm guessing it's outside your network)? Do you have a firewall between your Asterisk box and the internet? Is there a WHITELIST of IP addresses that only allows your provider's limited IP pool to connect to your Asterisk box from outside?

If you are getting TFTP requests hitting your Asterisk box, they are not properly being filtered at your firewall - FTP and TFTP are considered insecure communication methods; that port (69, I think) should be closed on your firewall unless you have a really good reason to have it opened (and unless you run a public FTP site, THERE IS NO GOOD REASON).

Fail2Ban is a BLACKLIST method; blacklists are most effective after good network hygiene is implemented, as you drastically limit the pool of potential bad actors with a whitelist.

Best,

-Tim
Re: [asterisk-users] Hack attempt sequential config file read looking for valid files.

Hi, Jerry,

I don't know what OS you have on the server, but you can check the man page (https://linux.die.net/man/8/in.tftpd) for tftpd and use the option --address, so you can tell tftpd on which interface/port this service listens for requests.

From the IP in your logs (69.64.57.18) the request came from a web hosting provider (http://www.heg.com/). So the request came from the Internet, which means your server listens for TFTP requests from outside, which is bad.

You can use iptables in any Linux distro to block incoming TFTP traffic. TFTP is a UDP protocol on port 69. Example:

/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 69 -j DROP

Change eth0 to the correct name of your public internet-facing interface.

--
GnuPG Key ID: 0x39BCA9D8
https://www.github.com/mefhigoseth
...:::[ God Rulz ! ]:::...
Re: [asterisk-users] Hack attempt sequential config file read looking for valid files.

This is old news. They use Shodan and then try to connect. Set up Fail2Ban so that after 10 404's it bans the IP.
Re: [asterisk-users] Hack attempt sequential config file read looking for valid files.

Jerry,

Can you change to FTP provisioning, or HTTPS etc? At least with FTP you can set a user/pass on your directory with mac.cfg to prevent open access.
[asterisk-users] Hack attempt sequential config file read looking for valid files.

I "justed" happened to look at /var/log/messages...

I saw:

Apr 21 12:18:40 in.tftpd[22719]: RRQ from 69.64.57.18 filename 0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22719]: Client 69.64.57.18 File not found 0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22720]: RRQ from 69.64.57.18 filename 0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22720]: Client 69.64.57.18 File not found 0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22721]: RRQ from 69.64.57.18 filename 0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22721]: Client 69.64.57.18 File not found 0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22722]: RRQ from 69.64.57.18 filename 0004f2034f6e.cfg

So basically a sequential read of Polycom MAC address config files. Someone is trying to read to determine if I have any Polycom files, just sequential read after read. And if so, it would get any extension and password at that time. Luckily I have none.

However - how does one block attempts like this?

Thanks!

Jerry
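Dovid's suggestion of banning after some number of 404s and the log Jerry posted point at a more specific signal than a bare error count: the requested file names are consecutive MAC addresses from one client. The script below is an added example, not code from the thread. It parses the two in.tftpd line shapes shown in Jerry's post ("RRQ from ... filename ..." and "Client ... File not found ..."), counts not-found replies per client, looks for runs of consecutive MACs in the requested names, and reports which clients meet either threshold. The sample log is constructed from the posted lines plus one benign request from a LAN address; the thresholds (a run of 3 consecutive MACs, or 10 not-found replies) are assumptions, not values from the thread.

```python
"""Flag TFTP clients that walk MAC-named config files (added example, not thread code).

Assumes the in.tftpd syslog format shown in the post and the constructed
sample below; thresholds are assumptions, not values from the thread.
"""
import re
import sys
from collections import defaultdict

# Line shapes taken from the posted log: a read request and the not-found reply.
RRQ_RE = re.compile(r"in\.tftpd\[\d+\]: RRQ from (?P<ip>[\d.]+) filename (?P<name>\S+)")
NOT_FOUND_RE = re.compile(r"in\.tftpd\[\d+\]: Client (?P<ip>[\d.]+) File not found")
# Polycom-style per-phone file: 12 hex digits (the MAC) plus .cfg
MAC_CFG_RE = re.compile(r"^(?P<mac>[0-9a-fA-F]{12})\.cfg$")

# Constructed sample: the posted lines plus one unrelated request from a LAN phone.
SAMPLE_LOG = """\
Apr 21 12:18:40 in.tftpd[22719]: RRQ from 69.64.57.18 filename 0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22719]: Client 69.64.57.18 File not found 0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22720]: RRQ from 69.64.57.18 filename 0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22720]: Client 69.64.57.18 File not found 0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22721]: RRQ from 69.64.57.18 filename 0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22721]: Client 69.64.57.18 File not found 0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22722]: RRQ from 69.64.57.18 filename 0004f2034f6e.cfg
Apr 21 12:19:02 in.tftpd[22730]: RRQ from 192.168.1.50 filename 0004f2aabbcc.cfg
"""


def parse(lines):
    """Per client IP: list of requested MACs (as ints) and count of not-found replies."""
    macs = defaultdict(list)
    not_found = defaultdict(int)
    for line in lines:
        m = RRQ_RE.search(line)
        if m:
            mac = MAC_CFG_RE.match(m.group("name"))
            if mac:
                macs[m.group("ip")].append(int(mac.group("mac"), 16))
            continue
        m = NOT_FOUND_RE.search(line)
        if m:
            not_found[m.group("ip")] += 1
    return macs, not_found


def longest_sequential_run(values):
    """Length of the longest run of consecutive integers (duplicates ignored)."""
    vals = sorted(set(values))
    best = run = 1 if vals else 0
    for prev, cur in zip(vals, vals[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def analyze(log_text, run_threshold=3, not_found_threshold=10):
    """Return {ip: {requests, longest_run, not_found, reasons}} for every client seen."""
    macs, not_found = parse(log_text.splitlines())
    report = {}
    for ip in set(macs) | set(not_found):
        run = longest_sequential_run(macs.get(ip, []))
        reasons = []
        if run >= run_threshold:
            reasons.append("sequential MAC enumeration (run of %d)" % run)
        if not_found[ip] >= not_found_threshold:
            reasons.append("%d file-not-found replies" % not_found[ip])
        report[ip] = {"requests": len(macs.get(ip, [])), "longest_run": run,
                      "not_found": not_found[ip], "reasons": reasons}
    return report


def candidates_to_ban(report):
    """IPs with at least one reason: what a ban action (fail2ban, iptables) would be fed."""
    return sorted(ip for ip, r in report.items() if r["reasons"])


if __name__ == "__main__":
    # Reads /var/log/messages from stdin when piped; otherwise runs on the sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    rep = analyze(text)
    for ip, r in sorted(rep.items()):
        print("%-15s requests=%d run=%d notfound=%d %s"
              % (ip, r["requests"], r["longest_run"], r["not_found"],
                 "; ".join(r["reasons"]) or "ok"))
```

On the sample the external client is flagged for the run of four consecutive MACs even though it has only three not-found replies, which is the point: a pure 404 counter with Dovid's threshold of 10 would not have fired on this fragment, while the enumeration pattern is already unambiguous. Blocking port 69 at the firewall, as Victor and Tim advise, still comes first; this only tells you who was knocking.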
Re: [asterisk-users] Hack

Hi John,

do you have a line in your sip.conf saying match_auth_username=yes? It needs to be in the general context or (I think) inside the peer configuration. I need to use this with user-based auth; I don't know if it's mandatory for IP-based auth also.

Greetings,
Max

--
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Hack

Did the IP show under sip show peer xxx? If it's realtime it's possible to set it and need to prune it / sip reload.

Steve
Re: [asterisk-users] Hack

Hi Steve,

Not using real-time.

John
Re: [asterisk-users] Hack

Any chance your sip peer was configured like this?

[accountname]
host=10.9.8.7

Without seeing your settings it's quite difficult to come up with accurate possibilities of what happened. The above example will allow *all* IP addresses with no password! Because there is no permit+deny (you need to use both).
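To make the condition in the message above checkable rather than something you eyeball per peer, here is an added audit script; it is not code from the thread or from Asterisk. It parses a sip.conf-style text (the sample is constructed and puts the [accountname] shape from the message above next to a pinned version) and flags peers with a static host= but no secret and no deny=/permit= pair, type=friend entries with no secret (in chan_sip a friend is also matched by username on inbound requests, which is how a name alone can be enough), dynamic peers without a secret, and insecure=invite. The finding codes are mine, and template expansion handles only the [name](!) and [name](tmpl) forms.

```python
"""Audit sip.conf peers for unpinned address-based trust (added example, not thread or Asterisk code).

Assumes the chan_sip semantics discussed in the thread: a peer with a static host=
and no secret is trusted by address, and only deny=/permit= lines enforce that
address. The sample config below is constructed.
"""
import re
from collections import OrderedDict

# [name], [name](!) for a template, [name](tmpl) to inherit from one
SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\](?:\((?P<opts>[^)]*)\))?$")

SAMPLE_SIP_CONF = """\
[general]
context=incoming
allowguest=no

[trunk-template](!)
type=peer
context=from-trunk

; the shape described above: trusted by address, nothing pins the address
[accountname]
type=friend
host=10.9.8.7
context=from-trunk

; corrected form: still no secret, but the source address is enforced
[accountname-fixed](trunk-template)
host=10.9.8.7
deny=0.0.0.0/0.0.0.0
permit=10.9.8.7/255.255.255.255

; registering phone with a password, but INVITEs are exempted from auth
[1001]
type=friend
host=dynamic
secret=correct-horse-battery
insecure=invite
"""


def parse_sip_conf(text):
    """Map section name -> {key: value}; templates are expanded and not returned."""
    sections, templates = OrderedDict(), {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            values, is_template = {}, False
            for opt in filter(None, (o.strip() for o in (m.group("opts") or "").split(","))):
                if opt == "!":
                    is_template = True
                elif opt in templates:
                    values.update(templates[opt])   # inherit template keys
            (templates if is_template else sections)[m.group("name")] = values
            current = values
            continue
        key, sep, val = line.partition("=")
        if sep and current is not None:
            current[key.strip()] = val.lstrip(">").strip()   # accept "key => value"
    return sections


def audit(sections):
    """Map section name -> list of finding codes; clean sections are omitted."""
    findings = {}
    for name, kv in sections.items():
        if name == "general":
            continue
        kind = kv.get("type", "").lower()
        host = kv.get("host", "").lower()
        has_secret = bool(kv.get("secret"))
        pinned = "deny" in kv and "permit" in kv
        insecure = {p.strip() for p in kv.get("insecure", "").lower().split(",")}
        codes = []
        if not kind:
            codes.append("NO_TYPE")
        if host == "dynamic" and not has_secret:
            codes.append("DYNAMIC_WITHOUT_SECRET")
        if host and host != "dynamic" and not has_secret and not pinned:
            codes.append("UNPINNED_IP_AUTH")       # the [accountname] case above
        if kind == "friend" and not has_secret:
            codes.append("FRIEND_WITHOUT_SECRET")  # name also matches as a user
        if "invite" in insecure:
            codes.append("INSECURE_INVITE")
        if codes:
            findings[name] = codes
    return findings


if __name__ == "__main__":
    for section, codes in audit(parse_sip_conf(SAMPLE_SIP_CONF)).items():
        print("[%s]: %s" % (section, ", ".join(codes)))
```

Point it at a real file with parse_sip_conf(open("/etc/asterisk/sip.conf").read()); #include directives and realtime peers are outside what it sees, so a clean report from the file is not the same as a clean "sip show peers".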
[asterisk-users] Hack

Today I was hacked but caught it very quickly. This is the weird part, they hacked an IP Auth based account by simply knowing the account name. How is this possible? I am running Asterisk 11.5.0. Now it's my fault I used a dictionary based account name but how did they bypass the set IP I had under the account for this host.

This also happened with fail2ban running and I pay for Humbug. Nothing caught it. It's just chance that I happened to be in the CLI and noticed it. In a span of 30 minutes they had made over $200 worth of calls all to the same number. Anyone have any idea on this and any ideas on preventing this?

John Bittner
CTO
380 US Highway 46, Suite 500
Totowa, NJ 07512
Phone: 201.806.2602 x2405
Fax: 201.806.2604
Cell: 973.390.1090
www.xaccel.net
[Asterisk-Users] Hack for Canadian weather

[your-context]
include = app-canadian-weather

[app-canadian-weather]
exten = *55,1,Answer()
exten = *55,2,Playback(pls-wait-connect-call)
exten = *55,3,System(/etc/asterisk/weather.sh | text2wave -o /var/lib/asterisk/sounds/weather.ulaw -otype ulaw -)
exten = *55,4,Playback(weather)

/etc/asterisk/weather.sh:

#!/bin/sh
# Work in /etc/asterisk so the fetched page lands where the rm below expects it.
cd /etc/asterisk || exit 1
# Remove the previous forecast recording and the previously fetched bulletin.
rm -f /var/lib/asterisk/sounds/weather.ulaw
rm -f /etc/asterisk/textforecast_e.html?Bulletin=fcpn16.cwwg
# Fetch the Environment Canada text forecast bulletin.
wget -q "http://weatheroffice.ec.gc.ca/forecast/textforecast_e.html?Bulletin=fcpn16.cwwg"
# Print the City of Edmonton section (five lines after the heading); the dialplan pipes this into text2wave.
grep -A5 "City of Edmonton" "textforecast_e.html?Bulletin=fcpn16.cwwg"

___
--Bandwidth and Colocation sponsored by Easynews.com --
Asterisk-Users mailing list
Asterisk-Users@lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[Asterisk-Users] Hack to make * - (H323) - CCM - IOS GW work

The hack below is for OpenH323, not Asterisk. This is not an Asterisk problem AFAICT. I am posting it here so that any other Asterisk user with a similar problem might benefit from it. I may or may not post it to an OpenH323 list, but since both variants of the H.323 channel in Asterisk use non-current OpenH323 versions, it may not be of any benefit to anyone anytime soon if I went that route! I've not checked newer OpenH323 source to see if the hack below can be shifted into the application either.

I've been messing with the company's CCM PBX, which has an IOS-based gateway box with a PRI behind it, and talking to it from my * box with H.323. For the most part it works. It's in London, UK; I'm (currently) in Boston, MA, USA. It's all VPNed. People being able to call me has made working remotely that much easier.

However, placing outgoing calls that went via the GW had issues - if they weren't answered within a few milliseconds of ringing, then the call would fail - sometimes you'd get one-way audio, sometimes none at all, and the GW or the CCM always sent a RELEASE within a few seconds, even if not answered. If you answered the call quickly, within ms of ringing, the call worked fine. Any other call (i.e., one that didn't use the PSTN gateway for outgoing calls) would work fine too, which was the most baffling. Even incoming calls via the PSTN gateway were fine. The chan_h323 in CVS and chan_oh323 both exhibited the same behaviour.

I'd come across a number of messages in Mantis, this list's archives and by googling in general suggesting that H.323 via CCM, Cisco GWs and other combinations of Cisco and H.323 don't work, have less functionality, need faststart, need faststart disabled, need other things doing to them and generally won't be fixed without money, etc etc.

So I spent some time poring over traces, and noticed one difference between calls that were answered unreasonably quickly and those not. After the call has been set up and the H.323 neighbours have exchanged their capabilities, a few tens of ms pass, and then the CCM sends an openLogicalChannel, so it can pass the audio of the ringing. However, when answered, the CCM/GW doesn't send back any open message indicating its RTP address/port. If you answer it early, the channel messages work as expected in both directions, and thus it works.

So I hunted down an option to make the CCM not do this. And (eventually) came across mediaWaitForConnect in the OpenH323 source. It's not something you can change easily from client applications that I can see, but doing this:

--- h323.cxx.old2004-07-23 16:04:45.109780688 -0400 +++ h323.cxx2004-07-23 16:04:49.577950415 -0400 @@ -2797,6 +2797,8 @@ if (hasVideoOrData) setupPDU.GetQ931().SetBearerCapabilities(Q931::TransferUnrestrictedDigital, 6); + setup.m_mediaWaitForConnect = TRUE; + if (!OnSendSignalSetup(setupPDU)) return EndedByNoAccept;

and rebuilding the OpenH323 libraries made my problem go away. The CCM doesn't insist on trying to send me any audio until the call is answered, and when answered the audio streams in both directions get set up as expected.

Hopefully someone here will point out an easy way to set this option from ast_h323.cpp or something - while my C voodoo is strong, C++ is just foo to me.

YMMV.

Cheers,
Chris.
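Review bot: the inserted `setup.m_mediaWaitForConnect = TRUE;` is placed unconditionally in the library's Setup-sending path, so every application linked against the rebuilt OpenH323 will send mediaWaitForConnect in every Setup, not just calls that route through the CCM/IOS gateway; a reviewer would ask for this to be driven by a connection or endpoint option that defaults to the existing behaviour rather than forced for all callers. Also visible in the same hunk: the field is written immediately before `if (!OnSendSignalSetup(setupPDU))`, and that hook receives the very same setupPDU, so if OnSendSignalSetup is the overridable virtual it appears to be, chan_h323's connection class could set m_mediaWaitForConnect on the PDU inside an OnSendSignalSetup override and get the same effect without patching the library, which would answer the closing question in the message. Finally, the added line carries no comment explaining why the flag is set; a one-line note citing the CCM behaviour described above would save the next reader a trace session.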
Re: [Asterisk-Users] Hack to make * - (H323) - CCM - IOS GW work

Chris Luke wrote:
> The chan_h323 in CVS and chan_oh323 both exhibited the same behaviour.

I have set up chan_h323 to talk to CCM without any trouble, after someone informed me we had to override the External RTP object, which is part of cvs -head now. I highly doubt the obsolete -stable has it. Try again.

Jeremy McNamara
Re: [Asterisk-Users] Hack to make * - (H323) - CCM - IOS GW work

I'm running HEAD, diligently updating at least once a day. It still requires your overridden RTP object since the GW RTP endpoint is on a different address. It works with CCM without my hack, provided I don't try to place a call that routes via the GW behind CCM. It could well be a tweakable on CCM too, but I only have so much access to it and didn't find such a thing.

Basically, without this hack, or if the call is not answered ms after it begins to ring, the CCM never ever sends me an openLogicalChannelAck, which means I never get told to send my RTP to the GW. We send the openLogicalChannel message - it doesn't get answered. And in any case, there's no point in the CCM/GW sending me ringing audio, since rtp.c will ignore it until there's a far-end RTP address to reciprocate to - and which h323 doesn't ask for until after it's answered.

Chris.