Re: [asterisk-users] Interesting attack tonight fail2ban them
Jeroen Eeuwes wrote on 29.12.2011 07:29:
> Probably my understanding is limited, but it seems to me that they have already 'access' to your Asterisk for them to be able to try to make outgoing calls. Wouldn't it be better to make sure they get the usual errors like "Registration from failed - no matching peer found"? In other words, how did they get this far in the first place?
>
> Best regards,
> Jeroen Eeuwes

Agreed. If you didn't get the "Failed to authenticate on INVITE" (or whatever error Asterisk should log for a not-authenticated user trying to place a call, I might be wrong here) - your problem is way more serious.

As I can advise you from my vast (despite not always successful) intruder-fighting experience - banning by useragent can help. I always dreamed of Asterisk implementing that, but until then - if all your users are like "Linksys blablabla" or "eyeBeam blablabla" and you see any other agent in the Asterisk log - just ban it. Of course, there are 2 limitations:
1) If he doesn't register, Asterisk won't show his useragent in the log. And as for your issue - neither will it show the IP. I think we might ask the devs to correct that some day.
2) If you don't have some standard for user SIP devices and they use whatever they want to, it won't help either.

--
With Best Regards
Mikhail Lischuk
ITX Ukraine

--
Bandwidth and Colocation Provided by http://www.api-digital.com
New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Interesting attack tonight fail2ban them
1. I checked the log and I don't see any registration attempt, so I *assume* they simply send an INVITE, and so they are in the external/outside context of my dialplan. So they are trying to reach extensions which don't exist. If they successfully registered they would be on the internal context, and their calls would have succeeded. (Or am I missing something?) I actually see nothing in the log but the notice (and nothing on the CLI but the notice)...so I assume it is only an INVITE?

2. I got their IP by turning on SIP DEBUG while they were attacking.

3. The NOTICE showed a call from '' - what normally goes there? I can't reproduce this NOTICE so I'm not sure what causes it to be recorded. Normal calls show "Accepting AUTHENTICATED call from x.x.x.x".

I'm thinking of using SIPCHANINFO and LOG to log the bad attempts, and let fail2ban take over from there.

Thanks

From: asterisk-users-boun...@lists.digium.com [asterisk-users-boun...@lists.digium.com] On Behalf Of Mikhail Lischuk [mlisc...@itx.com.ua]
Sent: Thursday, December 29, 2011 4:14 AM
To: Asterisk Users List
Subject: Re: [asterisk-users] Interesting attack tonight fail2ban them
Re: [asterisk-users] Interesting attack tonight fail2ban them
Maybe your logger is not set up properly?! You should get the IP in logs. I can't think of when you won't get the IP in your logs unless the SIP packets are manipulated.

That IP is from Voxel.net. You don't have a VPS or service from them, do you?

2011/12/29 Michelle Dupuis mdup...@ocg.ca
Re: [asterisk-users] Interesting attack tonight fail2ban them
Hi Michelle,

> 1. I checked the log and I don't see any registration attempt, so I *assume* they simply send an INVITE, and so they are in the external/outside context of my dialplan. So they are trying to reach extensions which don't exist. If they successfully registered they would be on the internal context, and their calls would have succeeded. (Or am I missing something?) I actually see nothing in the log but the notice (and nothing on the CLI but the notice)...so I assume it is only an INVITE?

Are you saying that you have an external/outside context in which you have allowguest=yes? Which version of Asterisk are you running?

Best regards,
Jeroen Eeuwes
Re: [asterisk-users] Interesting attack tonight fail2ban them
I just realized there is no IP (host) in the message line, so no way for fail2ban to catch it. Other suggestions? Or will I have to code something into my dialplan?

From: asterisk-users-boun...@lists.digium.com [asterisk-users-boun...@lists.digium.com] On Behalf Of Andrew Furey [andrew.fu...@gmail.com]
Sent: Wednesday, December 28, 2011 11:37 PM
To: Asterisk Users List
Subject: Re: [asterisk-users] Interesting attack tonight fail2ban them
[asterisk-users] Interesting attack tonight fail2ban them
I happened to be in the CLI tonight as someone (208.122.57.58) initiated a simple attack - just trying to make long distance calls from the outside context. Although harmless, this went on for several minutes as the idiot just used up my bandwidth with SIP messages. Here's an example:

    [2011-12-28 22:53:42] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '6442032987219' rejected because extension not found.
    [2011-12-28 22:53:44] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '7442032987216' rejected because extension not found.
    [2011-12-28 22:53:46] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '8442032987216' rejected because extension not found.
    [2011-12-28 22:53:48] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '008442032987215' rejected because extension not found.
    [2011-12-28 22:53:50] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '007442032987218' rejected because extension not found.
    [2011-12-28 22:53:52] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '006442032987219' rejected because extension not found.
    [2011-12-28 22:53:54] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '005442032987216' rejected because extension not found.
    [2011-12-28 22:53:56] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: Call from '' to extension '004442032987250' rejected because extension not found.

I thought that it might be worth adding a line to my fail2ban filter, but am looking for a hand with the regex. I have come up with:

    NOTICE.* .*: Call from '' to extension '.*' rejected because extension not found

but I realize that anyone misdialling a valid extension a few times gets cut off. Can someone suggest an improvement? (How could I limit this to 4 or more digits dialled, for example?)

Thanks!
Re: [asterisk-users] Interesting attack tonight fail2ban them
Yes, fail2ban is working fine. I did NOT have a filter for the "rejected because extension not found" line yet (I'm still working on it). Hoping for input on the regex.

Thanks

From: asterisk-users-boun...@lists.digium.com [asterisk-users-boun...@lists.digium.com] On Behalf Of Carlos Rojas [crt.ro...@gmail.com]
Sent: Wednesday, December 28, 2011 11:11 PM
To: Asterisk Users List
Subject: Re: [asterisk-users] Interesting attack tonight fail2ban them
Re: [asterisk-users] Interesting attack tonight fail2ban them
On 29 December 2011 12:07, Michelle Dupuis mdup...@ocg.ca wrote:
> I thought that it might be worth adding a line to my fail2ban filter, but am looking for a hand with the regex. I have come up with:
>
>     NOTICE.* .*: Call from '' to extension '.*' rejected because extension not found
>
> but I realize that anyone misdialling a valid extension a few times gets cut off. Can someone suggest an improvement? (How could I limit this to 4 or more digits dialled, for example?)

[ Caveat - I have never used fail2ban ]

If it supports Perl-style regexps, you could do:

    NOTICE.* .*: Call from '' to extension '[0-9]{4,}' rejected because extension not found

That will do at least 4 digits. Or the long way (Bash-style etc):

    NOTICE.* .*: Call from '' to extension '[0-9][0-9][0-9][0-9][0-9]*' rejected because extension not found

HTH,
Andrew

--
Linux supports the notion of a command line or a shell for the same reason that only children read books with only pictures in them. Language, be it English or something else, is the only tool flexible enough to accomplish a sufficiently broad range of tasks. -- Bill Garrett
Re: [asterisk-users] Interesting attack tonight fail2ban them
Hello,

Did you set up your logrotate in /etc/asterisk? Did you test that your fail2ban works fine?

Regards

On Wed, Dec 28, 2011 at 11:07 PM, Michelle Dupuis mdup...@ocg.ca wrote:
Re: [asterisk-users] Interesting attack tonight fail2ban them
Hi Michelle,

> I just realized there is no IP (host) in the message line, so no way for fail2ban to catch it.

Probably my understanding is limited, but it seems to me that they have already 'access' to your Asterisk for them to be able to try to make outgoing calls. Wouldn't it be better to make sure they get the usual errors like "Registration from failed - no matching peer found"? In other words, how did they get this far in the first place?

Best regards,
Jeroen Eeuwes
Re: [asterisk-users] Interesting attack tonight fail2ban them
You mentioned the IP, 208.122.57.58, where did you get that from?

Following are the defaults for Asterisk 1.8 (it would be great to have others' input on this to strengthen this part of the filter):

    failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
                Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
                Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
                Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
                Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
                NOTICE.* <HOST> failed to authenticate as '.*'$
                NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
                NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
                VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)

Regards,

On Wed, Dec 28, 2011 at 11:50 PM, Michelle Dupuis mdup...@ocg.ca wrote:
> I just realized there is no IP (host) in the message line, so no way for fail2ban to catch it. Other suggestions? Or will I have to code something into my dialplan?
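A small Python re-implementation of fail2ban's matching step, added here as an illustration and not code from fail2ban or from anyone in this thread. It expands `<HOST>` into a capture group (assumption: a plain IPv4 pattern stands in for fail2ban's broader host regex), runs three of the Asterisk 1.8 defaults above plus Andrew's `[0-9]{4,}` refinement over two NOTICE lines from the original post and a few constructed registration-failure lines, and shows why the "extension not found" NOTICE can never produce a ban on its own: the pattern matches, but there is no host to count the match against.

```python
import re
from collections import defaultdict

# Stand-in for fail2ban's <HOST> expansion. Assumption: fail2ban substitutes a
# broader host/IPv6/hostname pattern; a plain IPv4 capture is enough here.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Three of the Asterisk 1.8 defaults quoted in the thread, plus Andrew's
# ">= 4 digits" refinement of the 'extension not found' NOTICE. The last one
# has no <HOST>, which is exactly the problem Michelle ran into.
FAILREGEX = [
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: Call from '' to extension '[0-9]{4,}' rejected because extension not found",
]

# First two lines are from the original post; the rest are constructed samples
# using documentation (TEST-NET) addresses, not real log output.
SAMPLE_LOG = [
    "[2011-12-28 22:53:42] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: "
    "Call from '' to extension '6442032987219' rejected because extension not found.",
    "[2011-12-28 22:53:44] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: "
    "Call from '' to extension '7442032987216' rejected because extension not found.",
    "[2011-12-28 22:54:10] NOTICE[9635]: chan_sip.c:14035 handle_request_invite: "
    "Call from '' to extension '123' rejected because extension not found.",  # 3-digit misdial
    "[2011-12-28 22:55:01] NOTICE[9635]: chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.10>'"
    " failed for '203.0.113.5:5060' - Wrong password",
    "[2011-12-28 22:55:03] NOTICE[9635]: chan_sip.c: Registration from '\"101\" <sip:101@203.0.113.10>'"
    " failed for '203.0.113.5' - No matching peer found",
    "[2011-12-28 22:56:10] NOTICE[9635]: chan_sip.c: 198.51.100.7 failed to authenticate as '200'",
]


def compile_failregex(patterns):
    """Expand <HOST> into a named capture group and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_line(line, compiled):
    """Return (matched, host); host is None when the matching pattern has no <HOST>."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return True, m.groupdict().get("host")
    return False, None


def bannable_hosts(lines, patterns, maxretry=3):
    """Count matches per host the way a jail would (findtime window ignored).

    Returns (hosts at or above maxretry, number of matched lines that carried
    no host and therefore can never contribute to a ban)."""
    compiled = compile_failregex(patterns)
    hits = defaultdict(int)
    hostless = 0
    for line in lines:
        matched, host = match_line(line, compiled)
        if matched and host:
            hits[host] += 1
        elif matched:
            hostless += 1
    return {h for h, n in hits.items() if n >= maxretry}, hostless


if __name__ == "__main__":
    banned, hostless = bannable_hosts(SAMPLE_LOG, FAILREGEX, maxretry=2)
    print("would ban:", sorted(banned))         # ['203.0.113.5']
    print("matched but hostless:", hostless)   # 2: the 'Call from' NOTICEs
```

The 3-digit misdial is left alone by Andrew's pattern, while the two 13-digit attempts match but are counted nowhere, so a working filter for that NOTICE needs a log line that carries the source IP.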