[asterisk-users] Asterisk secure fine tune - stop attack
Hi All,

I see this kind of attack on our Asterisk server. Do you know how to block that IP?

[Sep 4 07:41:06] NOTICE[7375]: chan_sip.c:23375 handle_request_invite: Call from '' (213.136.81.166:9306) to extension '34422' rejected because extension not found in context 'default'.

Thanks in advance,
-Motty

--
Bandwidth and Colocation Provided by http://www.api-digital.com
New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Asterisk secure fine tune - stop attack
On 04-09-14 16:44, motty cruz wrote:
> Hi All, I see this kind of attack on our Asterisk Server, do you know how to block that IP?
> [Sep 4 07:41:06] NOTICE[7375]: chan_sip.c:23375 handle_request_invite: Call from '' (213.136.81.166:9306) to extension '34422' rejected because extension not found in context 'default'.

Have a look at Fail2ban: http://www.fail2ban.org/wiki/index.php/Main_Page

HTH,
Patrick
Re: [asterisk-users] Asterisk secure fine tune - stop attack
On 04.09.2014 16:44, motty cruz wrote:
> Hi All, I see this kind of attack on our Asterisk Server, do you know how to block that IP?
> [Sep 4 07:41:06] NOTICE[7375]: chan_sip.c:23375 handle_request_invite: Call from '' (213.136.81.166:9306) to extension '34422' rejected because extension not found in context 'default'.

You should not invest time in blocking single IPs. Take a look at fail2ban.

http://www.fail2ban.org/wiki/index.php/Asterisk

-Thorsten-
Re: [asterisk-users] Asterisk secure fine tune - stop attack
Thanks, looks like fail2ban is the way to go. I would prefer a different alternative if there is one. I tried deny=IP/netmask in sip.conf, but it did not work for me. It seems like fail2ban is what you are all using, so I will give it a try.

Thanks,

On Thu, Sep 4, 2014 at 7:58 AM, Thorsten Göllner <t...@ovm-group.com> wrote:
> You should not invest time in blocking single IPs. Take a look at fail2ban.
> http://www.fail2ban.org/wiki/index.php/Asterisk
Re: [asterisk-users] Asterisk secure fine tune - stop attack
On Thursday 04 Sep 2014, motty cruz wrote:
> Hi All, I see this kind of attack on our Asterisk Server, do you know how to block that IP?

Instead of blocking unwanted IPs, you should be permitting only wanted IPs.

--
AJS

Note: Originating address only accepts e-mail from list! If replying off-list, change address to asterisk1list at earthshod dot co dot uk .
Re: [asterisk-users] Asterisk secure fine tune - stop attack
Hi A J,

Believe me, I wish I could do as you suggested; however, I have a few extensions outside the office with dynamic IPs, so that is not a possibility.

Thanks for your suggestions. I will try fail2ban; I don't know how complicated it is to implement that on a production server.

Thanks,
-Motty

On Thu, Sep 4, 2014 at 8:19 AM, A J Stiles <asterisk_l...@earthshod.co.uk> wrote:
> Instead of blocking unwanted IPs, you should be permitting only wanted IPs.
Re: [asterisk-users] Asterisk secure fine tune - stop attack
Don't forget to put your trusted IPs into the ignoreip list while configuring fail2ban. It's very important when a customer (maybe 100+ extensions) is behind NAT and only presents a single public IP.

Rgds,
Hash

On Thu, 4 Sep 2014 08:42:11 -0700, motty cruz <motty.c...@gmail.com> wrote:
> Thanks for your suggestions, I will try fail2ban. I don't know how complicated is to implement that on production server.
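To make the fail2ban suggestion and the ignoreip caveat concrete, here is an added example (not code from the thread, and not fail2ban's own asterisk filter): a minimal fail2ban-style pass over chan_sip NOTICE lines of the exact form quoted at the top of the thread. It counts INVITEs rejected with "extension not found" per source address and lists the sources that reach a maxretry threshold, skipping anything on an ignore list so a NATed customer site presenting one public IP is never banned. MAXRETRY and IGNOREIP are this script's own variables mirroring the fail2ban settings of the same name; every IP address and log line below is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread: fail2ban-style counting of rejected
# INVITEs per source IP from Asterisk chan_sip log lines, honouring an
# ignore list of trusted addresses/ranges (the NATed-customer case).

MAXRETRY=3                                 # same meaning as fail2ban's maxretry
IGNOREIP="198.51.100.7 203.0.113.0/24"     # constructed trusted addresses/ranges

# Constructed sample log in the format quoted in the thread (RFC 5737 test addresses).
sample_log() {
  cat <<'EOF'
[Sep 4 07:41:06] NOTICE[7375]: chan_sip.c:23375 handle_request_invite: Call from '' (192.0.2.10:9306) to extension '34422' rejected because extension not found in context 'default'.
[Sep 4 07:41:07] NOTICE[7375]: chan_sip.c:23375 handle_request_invite: Call from '' (192.0.2.10:9306) to extension '34423' rejected because extension not found in context 'default'.
[Sep 4 07:41:08] NOTICE[7375]: chan_sip.c:23375 handle_request_invite: Call from '' (192.0.2.10:9306) to extension '34424' rejected because extension not found in context 'default'.
[Sep 4 07:41:09] NOTICE[7375]: chan_sip.c:23375 handle_request_invite: Call from '' (203.0.113.44:5060) to extension '9' rejected because extension not found in context 'default'.
[Sep 4 07:41:10] NOTICE[7375]: chan_sip.c:23375 handle_request_invite: Call from '' (203.0.113.44:5060) to extension '9' rejected because extension not found in context 'default'.
[Sep 4 07:41:11] NOTICE[7375]: chan_sip.c:23375 handle_request_invite: Call from '' (203.0.113.44:5060) to extension '9' rejected because extension not found in context 'default'.
[Sep 4 07:41:12] NOTICE[7375]: chan_sip.c:23375 handle_request_invite: Call from '' (192.0.2.77:1234) to extension '100' rejected because extension not found in context 'default'.
[Sep 4 07:41:13] NOTICE[7375]: chan_sip.c:23375 handle_request_invite: Call from 'bob' (192.0.2.10:9306) to extension '34425' rejected because extension not found in context 'default'.
EOF
}

# Reads log lines on stdin; prints one offending source IP per line, sorted.
find_offenders() {
  awk -v maxretry="$MAXRETRY" -v ignore="$IGNOREIP" '
    # dotted quad -> integer (awk doubles hold 32-bit values exactly)
    function ip2num(ip,  o) { split(ip, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    # true if ip lies inside "a.b.c.d/len"; a bare address means /32.
    # Division by 2^(32-len) replaces a bitwise mask, which POSIX awk lacks.
    function in_cidr(ip, cidr,  p, n, len, shift) {
      n = split(cidr, p, "/"); len = (n == 2) ? p[2] : 32
      shift = 2 ^ (32 - len)
      return int(ip2num(ip) / shift) == int(ip2num(p[1]) / shift)
    }
    function ignored(ip,  i) { for (i = 1; i <= nign; i++) if (in_cidr(ip, ign[i])) return 1; return 0 }
    BEGIN { nign = split(ignore, ign, " ") }
    /handle_request_invite: Call from .* rejected because extension not found/ {
      # the source appears as "(ip:port)"; keep only the ip part
      if (match($0, /\([0-9.]+:[0-9]+\)/)) {
        src = substr($0, RSTART + 1, RLENGTH - 2)
        sub(/:.*/, "", src)
        if (!ignored(src)) hits[src]++
      }
    }
    END { for (s in hits) if (hits[s] >= maxretry) print s }
  ' | sort
}

# Stand-alone run: show which sources a jail with these settings would ban.
sample_log | find_offenders
```

With the constructed sample, 192.0.2.10 is reported (four rejects), 203.0.113.44 is skipped because it falls inside the ignored /24, and 192.0.2.77 stays below the threshold. A real fail2ban jail additionally bounds the count to a findtime window and unbans after bantime; this pass deliberately leaves those out to keep the matching logic visible, and it is the ignoreip check, not the regex, that keeps a whole office from being locked out by one misdialling phone.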
Re: [asterisk-users] Asterisk secure fine tune - stop attack
If we don't need to allow access from outside the USA, we block access from all non-ARIN IP addresses by using iptables. This takes care of at least 80% of attacks.

I enabled guest access and pointed all guest calls to an IVR which auto-disconnects the call after a while (2 min seems good) if there is no response. That took care of most of the remaining attacks. I'm considering enabling auto create peer and routing calls to the same IVR as above.

We also use fail2ban, but mostly for non-SIP attacks.

Before enabling any guest access be ABSOLUTELY SURE you know how to do it without causing security issues.

From: asterisk-users-boun...@lists.digium.com On Behalf Of Hashmat Khan
Sent: Thursday, September 04, 2014 3:45 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Asterisk secure fine tune - stop attack
> dont forgot to put your trusted IPs into ignoreip list while configuring fail2ban its very important when a customer (may be 100+ extns) are behind NAT and only present single public IP
Re: [asterisk-users] Asterisk secure fine tune - stop attack
You can also take a look at SecAst (www.generationd.com). The free version is a drop-in replacement for fail2ban but also adds a lot more intelligence (and no need to update regexes, etc.). There's also geographic IP fencing so you can block attacks by country / region / city etc., only allow access by geography, etc. And a whole lot more (including detection of breached but valid credentials to halt ongoing fraud, etc.).

-=M=-

The opinions above are my own, and don't necessarily represent those of my employer. Since I'm employed by Generation D, however, you can bet that I have a serious bias :)

From: asterisk-users-boun...@lists.digium.com on behalf of Eric Wieling <ewiel...@nyigc.com>
Sent: Thursday, September 4, 2014 11:58 AM
To: Asterisk Users List
Subject: Re: [asterisk-users] Asterisk secure fine tune - stop attack
> If we don't need to allow access from outside the USA we block access from all non-ARIN IP addresses by using iptables. This takes care of at least 80% of attacks.
Re: [asterisk-users] Asterisk secure fine tune - stop attack
Please don't top post.

On Thu, 4 Sep 2014, motty cruz wrote:
> Hi A J, believe me, I wish i do as you suggested, however I have a few extensions outside the office with dynamic IPs, so that is not a possibility.

Do your few extensions travel to China, Russia, Iran, Iraq, North Korea, etc? (Sorry if I stepped on anybody's toes.)

If you configure iptables to drop all and then only allow the few IP address ranges you really need, 90% of the problem is solved. Then use fail2ban to manage the remaining anklebitters.

--
Thanks in advance,
- Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST Newline Fax: +1-760-731-3000
Re: [asterisk-users] Asterisk secure fine tune - stop attack
On Thursday 04 Sep 2014, motty cruz wrote:
> Hi A J, believe me, I wish i do as you suggested, however I have a few extensions outside the office with dynamic IPs, so that is not a possibility.

If you know what ISPs they are using, then you can allow just those ISPs' address ranges. That will slow things down, by requiring an attacker to be using the same ISP as a legitimate user.

> Thanks for your suggestions, I will try fail2ban. I don't know how complicated is to implement that on production server.

It's fairly easy -- but note that physical access to the server's console is highly desirable, lest you accidentally block yourself out from using ssh (not a mistake you want to make too many times).

--
AJS
Re: [asterisk-users] Asterisk secure fine tune - stop attack
On 4/9/14 4:58 pm, Eric Wieling wrote:
> If we don't need to allow access from outside the USA we block access from all non-ARIN IP addresses by using iptables. This takes care of at least 80% of attacks.

Likewise here (though RIPE rather than ARIN, since we're the other side of the pond).

You can also take it a bit further: if, for example, you know what ISP(s) your dynamic clients are using, you can limit connections to the IP ranges those ISP(s) use - look up their ranges on he.net's BGP looking glass if you need to find out what ranges they're using.

Another thing I've been playing with of late is using iptables' string matching functionality to block user agents of known attack vectors: 'sipcli', 'sipvicious', 'friendly-scanner', etc. This seems to work remarkably well, though what impact it has on net performance under load remains to be seen.

Kind regards,
Chris

--
This email is made from 100% recycled electrons
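The two iptables approaches raised in this thread, the drop-all-then-allow-ranges policy Steve and A J describe and the User-Agent string matching Chris mentions, combine into one ruleset for the SIP signalling port. The script below is an added example, not code from any of the posters or from the Asterisk project: it emits an iptables-restore style fragment rather than applying anything, so it can be reviewed before loading. The address ranges are constructed RFC 5737 sample networks standing in for your office and your remote users' ISPs; the string matches use the kernel's xt_string module (`-m string --algo bm`), which the page's own remarks assume is available.

```shell
#!/bin/sh
# Added example, not from the thread: generate an iptables ruleset that
# (1) drops SIP packets carrying a known scanner User-Agent string and
# (2) accepts SIP signalling only from listed ranges, dropping everything else.
# Output is iptables-restore syntax; nothing is applied by this script.

SIP_PORT=5060
ALLOWED_RANGES="203.0.113.0/24 198.51.100.0/22"        # constructed: office + remote users' ISP
SCANNER_AGENTS="friendly-scanner sipvicious sipcli"    # the agent strings named in the thread

gen_sip_rules() {
  printf '%s\n' '*filter'
  printf '%s\n' ':SIP-IN - [0:0]'
  # Route all SIP signalling (UDP and TCP) through the SIP-IN chain.
  printf '%s\n' "-A INPUT -p udp --dport $SIP_PORT -j SIP-IN"
  printf '%s\n' "-A INPUT -p tcp --dport $SIP_PORT -j SIP-IN"
  # Scanner signatures first, so a scanner is dropped even from an allowed range.
  for ua in $SCANNER_AGENTS; do
    printf '%s\n' "-A SIP-IN -m string --string \"$ua\" --algo bm --icase -j DROP"
  done
  # Allow-list: only the listed source ranges reach Asterisk.
  for r in $ALLOWED_RANGES; do
    printf '%s\n' "-A SIP-IN -s $r -j ACCEPT"
  done
  printf '%s\n' '-A SIP-IN -j DROP'
  printf '%s\n' 'COMMIT'
}

# Stand-alone run: print the ruleset for review.
gen_sip_rules
```

To load it without touching the rest of the filter table, pipe the output into `iptables-restore --noflush` (plain `iptables-restore` replaces the whole table, which is exactly how you lock yourself out of ssh, as A J warns). Two caveats a practitioner should keep in mind: this only fences the signalling port, so the RTP port range needs its own policy, and the string match inspects every packet on 5060 with a payload search, which is the load cost Chris says is still unmeasured.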
Re: [asterisk-users] Asterisk secure fine tune - stop attack
Thank you all for your support; your suggestions are welcome.

Thanks,

On Thu, Sep 4, 2014 at 9:26 AM, Chris Bagnall <aster...@lists.minotaur.cc> wrote:
> Another thing I've been playing with of late is using iptables' string matching functionality to block user agents of known attack vectors: 'sipcli', 'sipvicious', 'friendly-scanner', etc.