Hi Chris, I'd restrict access to the Asterisk box using iptables (or similar firewall) and only allow access from trusted client IPs or networks. This only works though if you know the originating IPs (and/or networks) of client connections and that they don't change over time.
Alternately you could require a VPN connection between the network your Asterisk box is on and clients you anticipate connecting to it. This creates some network overhead and could introduce some latency, but is a possibility. Lastly you could block the originating IPs of attacking systems using an ACL or iptables rule, but that can quickly become a losing strategy if the attacker has access to different systems or different networks.

Good luck!

- Chris

---
Chris Brentano
IT Engineer
Jive Software
915 SW Stark St, Suite 400
Portland, Oregon 97205
Email/XMPP: chris.brent...@jivesoftware.com

On 23 Jan, 2009, at 1:36 PM, Christopher Gray wrote:

> Hello:
>
> Beginning on January 6, it appears that somebody has been trying to hack into
> my Asterisk. They have tried on the 7th, 9th, and the 20th. The messages file
> in /var/log/Asterisk shows entries like this:
>
> [Jan 20 13:39:40] NOTICE[5130] chan_sip.c: Registration from '"1072963462"<sip:1072963...@198.144.206.28>' failed for '212.174.78.60' - No matching peer found
>
> [Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from '"100"<sip:1...@198.144.206.28>' failed for '212.174.78.60' - No matching peer found
>
> [Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from '"101"<sip:1...@198.144.206.28>' failed for '212.174.78.60' - No matching peer found
>
> [Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from '"102"<sip:1...@198.144.206.28>' failed for '212.174.78.60' - No matching peer found
>
> [Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from '"103"<sip:1...@198.144.206.28>' failed for '212.174.78.60' - No matching peer found
>
> The sip:101 sip:102 and so on goes up until sip:9975. This began at 13:39:40
> and ended at 13:42:51. Entries began at line 970 of the log file and ended at
> 8016 for a total of 7,041 occurrences.
>
> How worried should I be about this and what should I do to stop further
> attempts?
>
> Thanks for any advice.
>
> Chris
>
> _______________________________________________
> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>
> asterisk-security mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-security
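
Added example, not part of the original messages: a small parser for the `chan_sip.c` failed-registration NOTICE format quoted above that reports source IPs which tried many different extensions, the sweep pattern in the quoted log. The sample lines are constructed with documentation addresses, and the function names and the threshold of 5 distinct extensions are assumptions.

```python
import re
from collections import defaultdict

# Matches the chan_sip NOTICE line format quoted in the message above.
FAILED_REG = re.compile(
    r"chan_sip\.c: Registration from '\"?(?P<user>[^\"'<]*)\"?\s*<sip:[^>]*>' "
    r"failed for '(?P<src>[^']+)' - (?P<reason>.+)$"
)

def failed_registrations(lines):
    """Yield (source_ip, attempted_user, reason) for each failed registration."""
    for line in lines:
        m = FAILED_REG.search(line)
        if m:
            yield m["src"], m["user"], m["reason"].strip()

def enumeration_sources(lines, min_distinct_users=5):
    """Return {source_ip: distinct_user_count} for sources that attempted at
    least min_distinct_users different extensions (threshold is an assumption)."""
    users = defaultdict(set)
    for src, user, _reason in failed_registrations(lines):
        users[src].add(user)
    return {ip: len(u) for ip, u in users.items() if len(u) >= min_distinct_users}

def build_sample_log():
    """Constructed sample lines; all addresses are documentation ranges."""
    tmpl = ("[Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from "
            "'\"{u}\"<sip:{u}@192.0.2.10>' failed for '{ip}' - {why}")
    # One source sweeping extensions 100..119, as in the quoted log.
    sweep = [tmpl.format(u=n, ip="203.0.113.50", why="No matching peer found")
             for n in range(100, 120)]
    # A known phone failing twice on the same extension: not enumeration.
    typo = [tmpl.format(u="2001", ip="198.51.100.7", why="Wrong password")] * 2
    # A line that is not a failed registration and must be ignored.
    noise = ["[Jan 20 13:40:02] VERBOSE[5130] logger.c: unrelated line"]
    return sweep + typo + noise

if __name__ == "__main__":
    for ip, count in sorted(enumeration_sources(build_sample_log()).items()):
        print(f"{ip}: {count} distinct extensions attempted")
```

Counting distinct extensions per source, rather than total failures, keeps a phone with a mistyped password from being flagged alongside a sweep.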