Thanks for the heads up. I just set up a brand new Asterisk system and we did not put all the security on. After reading this we set our firewall to accept port 5060 only from our DID provider.
Now a question. Do we need to worry about our RTP ports we have open?

Thanks
Brent

Bill Michaelson wrote:
> I confess. They hit me too - yesterday. I had a security hole they
> could drive a truck through, and they apparently used port 5060 to
> fish for a local extension they could masquerade as. Then they
> started calling out with one of my caller IDs. Within minutes I was
> deluged with calls from puzzled people.
>
> After blocking them, I redirected incoming calls to this DID to a
> recorded explanation and apology. Then I sent a broadcast to the 281
> logged out-dial numbers with a similar message.
>
> So, heads up.
>
> FWIW, I was hit by these IPs:
>
> 84.126.205.1
> 78.157.193.103
>
> It would seem that we all might gain from cooperative work here.
> Also, can we share the FBI contact? I was going to call the FBI, but
> figured it would be a waste of time just getting through the
> bureaucracy to the right person.
>
> I didn't capture the audio. Did the verbiage contain a spoken return
> call #? I was getting responses based on caller ID, and I'm wondering
> if the perpetrator expected to take return calls via the bogus SIP
> registration or via another channel.
>
> Matt Gibson wrote:
>> Same here, but about 3 months ago. Luckily I was able to stop it after about
>> 30 minutes, but they still got about 100 calls out, I got a lot of calls
>> back from little old ladies wanting to give me their credit card info, scary
>> stuff.
>>
>>> -----Original Message-----
>>> From: asterisk-biz-boun...@lists.digium.com
>>> [mailto:asterisk-biz-boun...@lists.digium.com] On Behalf Of C. Savinovich
>>> Sent: Friday, February 27, 2009 4:18 PM
>>> To: 'Commercial and Business-Oriented Asterisk Discussion'
>>> Subject: Re: [asterisk-biz] Fraud alert
>>>
>>> It seems to be the same pattern of people who attacked 3 of my servers in
>>> a 3 week period a couple of weeks ago. The calls were made mostly to area
>>> codes 252 and 818 and indeed they showed the caller-id of the phones. My
>>> customer claims he received a call from the FBI saying that the calls were
>>> credit card solicitations. The point is, whoever is doing this, is doing
>>> this massively.
>>>
>>> CS
>>>
>>> -----Original Message-----
>>> From: asterisk-biz-boun...@lists.digium.com
>>> [mailto:asterisk-biz-boun...@lists.digium.com] On Behalf Of
>>> voip-aster...@maximumcrm.com
>>> Sent: Friday, February 27, 2009 4:04 PM
>>> To: Commercial and Business-Oriented Asterisk Discussion
>>> Subject: Re: [asterisk-biz] Fraud alert
>>>
>>>>> I'd suggest to everyone to ban that IP, it's been scanning our networks
>>>>> from time to time, in a sequential manner by IP.
>>>>
>>>> I've had really good luck with this:
>>>>
>>>> http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
>>>>
>>>> Basically, it automatically blackholes via IPtables any host that fails a
>>>> certain number of registration attempts in a given period.
>>>
>>> Yeah we're actually rolling it out on all of our production servers, it's
>>> a great application to run.
>>>
>>> I'm working on some scripts to propagate the bans to the firewall so that
>>> all of the servers get protected as soon as possible.
>>>
>>>> [default]
>>>> ; Send any unauthenticated calls to the local FBI office
>>>> context=local-fbi-office
>>>>
>>>> I've got a honeypot server that pretty much accepts any calls that come
>>>> through, and plays a "Thank you for calling the Telecommunications Fraud
>>>> hotline. Please stay online for the next available representative." If they
>>>> stay online for more than 20 seconds, it connects them to an agent at the
>>>> FBI that we have been working with.
>>>>
>>>> I've been meaning to add some code in that pulls out the originating IP
>>>> address of the call and tells it to the agent when we call. :)
>>>
>>> That would be great to have!
>>>
>>> _______________________________________________
>>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>>
>>> asterisk-biz mailing list
>>> To UNSUBSCRIBE or update options visit:
>>> http://lists.digium.com/mailman/listinfo/asterisk-biz

--
Brent T. Vrieze
CIM Automation
Software Engineer
507-216-0465
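
The ban rule quoted in the thread (block any host that fails a certain number of registration attempts in a given period), as an added example that is not part of the original messages and is not Fail2Ban's own code. The log lines are constructed in the style of Asterisk chan_sip NOTICE messages with documentation-range IPs, and the `max_retry` and `find_time` values are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (assumed chan_sip NOTICE layout); IPs are RFC 5737
# documentation addresses, not the addresses reported in the thread.
SAMPLE_LOG = """\
[2009-02-27 16:00:01] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.23' - No matching peer found
[2009-02-27 16:00:02] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.23' - No matching peer found
[2009-02-27 16:00:03] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.23' - Wrong password
[2009-02-27 16:00:30] NOTICE[2231] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2009-02-27 16:20:00] NOTICE[2231] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2009-02-27 16:40:00] NOTICE[2231] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '203.0.113.7' - Wrong password
"""

# Timestamp, then the source address Asterisk reports for the failed REGISTER.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\][^:]*: "
    r"Registration from '.*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
)

def hosts_to_ban(log_text, max_retry=3, find_time=timedelta(minutes=10)):
    """Map each offending IP to the time it reached max_retry failures within find_time."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if not m or m["ip"] in banned:
            continue
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(when)
        # Drop failures that are older than the look-back period.
        while when - window[0] > find_time:
            window.popleft()
        if len(window) >= max_retry:
            banned[m["ip"]] = when
    return banned

if __name__ == "__main__":
    for ip, when in hosts_to_ban(SAMPLE_LOG).items():
        # A real deployment would hand the IP to a firewall action; this only reports.
        print(f"{when} would ban {ip}")
```

The slow retries from 203.0.113.7 stay under the threshold with a 10-minute window, which shows why the look-back period matters as much as the retry count.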