Re: [asterisk-users] Interesting attack tonight fail2ban them

2011-12-29 Thread Mikhail Lischuk
 

Jeroen Eeuwes wrote on 29.12.2011 07:29:

 Probably my understanding is limited, but it seems to me that they
 have already 'access' to your Asterisk for them to be able to try to
 make outgoing calls. Wouldn't it be better to make sure they get the
 usual errors like Registration from failed - no matching peer
 found?

 In other words, how did they get this far in the first place?

 Best regards,
 Jeroen Eeuwes

Agreed. If you didn't get the Failed to authenticate on INVITE (or whatever
error Asterisk should log for an unauthenticated user trying to place a call, I
might be wrong here) - your problem is way more serious.

As I can advise you from my vast (despite not always successful) intruder
fighting experience - banning by user agent can help. I always dreamed of
Asterisk implementing that, but until then - if all your users are like
Linksys blablabla or eyeBeam blablabla and you see any other agent in the
Asterisk log - just ban it. Of course, there are 2 limitations:

1) If he doesn't register, Asterisk won't show his user agent in the log. And as
for your issue - neither will it show the IP. I think we might ask the devs to
correct that some day.

2) If you don't have some standard for user SIP devices and they use whatever
they want to, it won't help either.

-- 
With Best Regards
Mikhail Lischuk

ITX Ukraine

 --
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] Interesting attack tonight fail2ban them

2011-12-29 Thread Michelle Dupuis
1. I checked the log and I don't see any registration attempt, so I *assume* 
they simply send an invite, and so they are in the external/outside context of 
my dialplan.  So they are trying to reach extensions which don't exist.  If 
they successfully registered they would be on the internal context, and their 
calls would have succeeded.  (Or am I missing something?).  I actually see 
nothing in the log but the notice (and nothing on the CLI but the notice)...so 
I assume it is only an invite?

2. I got their IP by turning on SIP DEBUG while they were attacking.

3. The NOTICE showed a call from '' - what normally goes there?  I can't 
reproduce this NOTICE so I'm not sure what causes it to be recorded.  Normal 
calls show Accepting AUTHENTICATED call from x.x.x.x

I'm thinking of using SIPCHANINFO and LOG to log the bad attempts, and let 
fail2ban take over from there.

Thanks


From: asterisk-users-boun...@lists.digium.com 
[asterisk-users-boun...@lists.digium.com] On Behalf Of Mikhail Lischuk 
[mlisc...@itx.com.ua]
Sent: Thursday, December 29, 2011 4:14 AM
To: Asterisk Users List
Subject: Re: [asterisk-users] Interesting attack tonight  fail2ban them



Re: [asterisk-users] Interesting attack tonight fail2ban them

2011-12-29 Thread Bruce B
Maybe your logger is not set up properly?! You should get the IP in logs. I
can't think of when you won't get the IP in your logs unless the SIP
packets are manipulated. That IP is from Voxel.net. You don't have a VPS or
service from them do you?

2011/12/29 Michelle Dupuis mdup...@ocg.ca


Re: [asterisk-users] Interesting attack tonight fail2ban them

2011-12-29 Thread Jeroen Eeuwes
Hi Michelle,

 1. I checked the log and I don't see any registration attempt, so I *assume*
 they simply send an invite, and so they are in the external/outside context
 of my dialplan.  So they are trying to reach extensions which don't exist.
 If they successfully registered they would be on the internal context, and
 their calls would have succeeded.  (Or am I missing something?).  I actually
 see nothing in the log but the notice (and nothing on the CLI but the
 notice)...so I assume it is only an invite?

Are you saying that you have an external/outside context in which
you have allowguest=yes?

Which version of Asterisk are you running?

Best regards,
Jeroen Eeuwes



Re: [asterisk-users] Interesting attack tonight fail2ban them

2011-12-28 Thread Michelle Dupuis
I just realized there is no IP (host) in the message line, so no way for 
fail2ban to catch it.

Other suggestions?  Or will I have to code something into my dialplan?


From: asterisk-users-boun...@lists.digium.com 
[asterisk-users-boun...@lists.digium.com] On Behalf Of Andrew Furey 
[andrew.fu...@gmail.com]
Sent: Wednesday, December 28, 2011 11:37 PM
To: Asterisk Users List
Subject: Re: [asterisk-users] Interesting attack tonight  fail2ban them



[asterisk-users] Interesting attack tonight fail2ban them

2011-12-28 Thread Michelle Dupuis
I happened to be in the CLI tonight as someone (208.122.57.58) initiated a simple 
attack - just trying to make long distance calls from the outside context.  
Although harmless, this went on for several minutes as the idiot just used up 
my bandwidth with SIP messages.  Here's an example:

[2011-12-28 22:53:42] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '6442032987219' rejected because extension not found.
[2011-12-28 22:53:44] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '7442032987216' rejected because extension not found.
[2011-12-28 22:53:46] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '8442032987216' rejected because extension not found.
[2011-12-28 22:53:48] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '008442032987215' rejected because extension not found.
[2011-12-28 22:53:50] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '007442032987218' rejected because extension not found.
[2011-12-28 22:53:52] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '006442032987219' rejected because extension not found.
[2011-12-28 22:53:54] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '005442032987216' rejected because extension not found.
[2011-12-28 22:53:56] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '004442032987250' rejected because extension not found.

I thought that it might be worth adding a line to my fail2ban filter, but am 
looking for a hand with the regex.  I have come up with:
NOTICE.* .*: Call from '' to extension '.*' rejected because 
extension not found

but I realize that anyone misdialling a valid extension a few times gets cut 
off. Can someone suggest an improvement?  (How could I limit this to 4 or more 
digits dialled for example?)

Thanks!

Re: [asterisk-users] Interesting attack tonight fail2ban them

2011-12-28 Thread Michelle Dupuis
Yes fail2ban is working fine.  I did NOT have a filter for the rejected 
because extension not found line yet (I'm still working on it).  Hoping for 
input on the regex.

Thanks

From: asterisk-users-boun...@lists.digium.com 
[asterisk-users-boun...@lists.digium.com] On Behalf Of Carlos Rojas 
[crt.ro...@gmail.com]
Sent: Wednesday, December 28, 2011 11:11 PM
To: Asterisk Users List
Subject: Re: [asterisk-users] Interesting attack tonight  fail2ban them


Re: [asterisk-users] Interesting attack tonight fail2ban them

2011-12-28 Thread Andrew Furey
On 29 December 2011 12:07, Michelle Dupuis mdup...@ocg.ca wrote:
 I thought that it might be worth adding a line to my fail2ban filter, but am
 looking for a hand with the regex.  I have come up with:
     NOTICE.* .*: Call from '' to extension '.*' rejected because
 extension not found

 but I realize that anyone misdialling a valid extension a few times gets cut
 off. Can someone suggest an improvement?  (How could I limit this to 4 or
 more digits dialled for example?)

[ Caveat - I have never used fail2ban ]

If it supports Perl-style regexps, you could do:

NOTICE.* .*: Call from '' to extension '[0-9]{4,}' rejected because
extension not found

That will do at least 4 digits.

Or the long way (Bash-style etc):

NOTICE.* .*: Call from '' to extension '[0-9][0-9][0-9][0-9][0-9]*'
rejected because extension not found

HTH,
Andrew

-- 
Linux supports the notion of a command line or a shell for the same
reason that only children read books with only pictures in them.
Language, be it English or something else, is the only tool flexible
enough to accomplish a sufficiently broad range of tasks.
                          -- Bill Garrett



Re: [asterisk-users] Interesting attack tonight fail2ban them

2011-12-28 Thread Carlos Rojas
Hello,

Did you set up your logrotate in /etc/asterisk?
Did you test that your fail2ban works fine?

Regards

On Wed, Dec 28, 2011 at 11:07 PM, Michelle Dupuis mdup...@ocg.ca wrote:


Re: [asterisk-users] Interesting attack tonight fail2ban them

2011-12-28 Thread Jeroen Eeuwes
Hi Michelle,

 I just realized there is no IP (host) in the message line, so no way for 
 fail2ban to catch it.

Probably my understanding is limited, but it seems to me that they
have already 'access' to your Asterisk for them to be able to try to
make outgoing calls. Wouldn't it be better to make sure they get the
usual errors like Registration from failed - no matching peer
found?

In other words, how did they get this far in the first place?

Best regards,
Jeroen Eeuwes



Re: [asterisk-users] Interesting attack tonight fail2ban them

2011-12-28 Thread Bruce B
You mentioned the IP, 208.122.57.58, where did you get that from?

Following are the defaults for Asterisk 1.8 (it would be great to have
others' input on this to strengthen this part of the filter):

failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)


Regards,

On Wed, Dec 28, 2011 at 11:50 PM, Michelle Dupuis mdup...@ocg.ca wrote:

 I just realized there is no IP (host) in the message line, so no way for
 fail2ban to catch it.

 Other suggestions?  Or will I have to code something into my dialplan


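The filter logic this thread circles around, as an added example that is not part of any of the posts: Andrew's at-least-four-digits regex and one of the default `<HOST>` rules Bruce posted, evaluated fail2ban-style (maxretry within findtime) over the NOTICE lines from Michelle's post plus constructed lines. It assumes the `<HOST>` expansion fail2ban 0.8.x used; the address 203.0.113.7, the misdial line and the registration-failure lines are constructed.

```python
import re
from collections import deque
from datetime import datetime

# fail2ban expands the <HOST> tag of a failregex into a named group that
# captures the offending address (the expansion used by fail2ban 0.8.x).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Two filters from the thread: one default "Registration ... failed" rule,
# which carries <HOST>, and Andrew's at-least-four-digits rule for the INVITE
# NOTICE, which cannot carry <HOST> because Asterisk logs no address in it.
FAILREGEXES = [
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found",
    r"NOTICE.* .*: Call from '' to extension '[0-9]{4,}' rejected because extension not found",
]

TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")

# Sample log: the eight INVITE NOTICEs from Michelle's post, followed by
# constructed lines: a three-digit misdial (must not match) and five
# registration failures from a constructed address in the 203.0.113.0/24
# documentation range (the source line number 0 is a placeholder).
INVITE = ("[2011-12-28 22:53:{:02d}] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: "
          "Call from '' to extension '{}' rejected because extension not found.")
REGISTER = ("[2011-12-28 22:54:{:02d}] NOTICE[9635]: chan_sip.c:0 handle_request_register: "
            "Registration from '\"100\" <sip:100@192.0.2.1>' failed for '203.0.113.7:5060'"
            " - No matching peer found")
SAMPLE_LINES = (
    [INVITE.format(42 + 2 * i, ext) for i, ext in enumerate(
        ["6442032987219", "7442032987216", "8442032987216", "008442032987215",
         "007442032987218", "006442032987219", "005442032987216", "004442032987250"])]
    + [INVITE.format(58, "123")]                   # constructed misdial, only 3 digits
    + [REGISTER.format(2 * i) for i in range(5)]   # constructed, 5 failures in 8 s
)


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def match_line(line, compiled):
    """Return (matched, host). host is None when a filter matched but its
    pattern has no <HOST> tag, which is exactly the INVITE NOTICE case."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return True, m.groupdict().get("host")
    return False, None


def scan(lines, maxretry=5, findtime=600):
    """fail2ban-style evaluation: count matches per key inside a sliding
    findtime window. Matches that carry a host are bannable; matches without
    one are pooled under 'no-host' and can only raise an alert, e.g. to turn
    on SIP debug and recover the address from the packets, as Michelle did."""
    compiled = [compile_failregex(p) for p in FAILREGEXES]
    windows, bans, alerts = {}, set(), set()
    for line in lines:                     # lines are assumed chronological
        matched, host = match_line(line, compiled)
        if not matched:
            continue
        ts = datetime.strptime(TS_RE.match(line).group(1), "%Y-%m-%d %H:%M:%S")
        key = host or "no-host"
        window = windows.setdefault(key, deque())
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            (bans if host else alerts).add(key)
    return bans, alerts


if __name__ == "__main__":
    bans, alerts = scan(SAMPLE_LINES)
    print("bannable hosts:", sorted(bans))                    # ['203.0.113.7']
    print("alert only, no host in log line:", sorted(alerts))  # ['no-host']
```

A match without a host is the thread's problem in miniature: the filter fires on the burst and ignores the single misdial, but there is nothing for the ban action to block.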