> On Tue, Mar 24, 2009 at 8:10 AM, Tilghman Lesher
> <tilgh...@mail.jeffandtilghman.com> wrote:
>> There are 4 billion possible IP addresses.  To successfully block all 
>> possible
>> hackers, you must block 4 billion of them.  Seriously.  Even your own 
>> computer
>> is a possible source of hacking to other locations.
>
> In that case, why not just pull the ethernet cable from the router?
> That will block all spam, hacker attempts and viruses for free.
>
> I use spamcop.net for email blocking and it works very well,
> especially if you participate by feeding the list. I've reported over
> 30,000 spam emails. Spamcop processes the headers intelligently and it
> figures out the actual originating IP.  There is no reason why a
> properly formed list couldn't be helpful. It wouldn't put an end to
> problems, but it could be one arm in a defensive system.
>

You are assuming that Asterisk even notifies you of a bad SIP extension.  
Currently, I have only seen the 1.4 and earlier branches report if the SIP 
fails to connect with an established authentication/secret key or, heaven 
forbid, a registered phone doesn't match the digest (which fails registration 
only to be successfully registered again... pointless).

If I go after my server with SJPhone on a Direct SIP call and a bogus line, 
with verbose set to 100, I get this cryptic message.

        [Mar 24 07:43:51] NOTICE[6061]: chan_sip.c:14634 handle_request_invite: Call from '' to extension '34235' rejected because extension not found.

(Yes, there is nothing in between the quotes; I didn't remove it, this is how 
it is.)

and then shortly thereafter

        [Mar 24 07:44:11] WARNING[6061]: chan_sip.c:1976 retrans_pkt: Maximum retries exceeded on transmission 699D070E58644E7CA07285C71673D5100xc0a8a864 for seqno 1 (Critical Response) -- See doc/sip-retransmit.txt.

Needless to say, this is after 7-8 SIP 404 messages have been sent for the same 
thing, so I have no idea how many attempts are made.  There are many SIP 
responses I have seen on trace routes that are not even displayed, like 484.  My 
verbose level may not have been sufficient, I realize, but it is kind of 
spooky.  Sure, 484 is useful, but hacker-friendly.

Any attempt to get Asterisk hacker-proof has to start with notification; 
otherwise I am fighting ghosts.

So, being a person who seeks solutions and not problems, what about a logging 
option similar to CDR or Apache2 logging?

Best case, I provide Asterisk with a list of SIP codes I want to track.  
Asterisk then provides me with a log file indicating the details:
        date and time
        IP address
        From
        To
        result
        etc.

Something standard so I can get a tool like fail2ban around the issue.

_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
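An added example, not code from the post above or from the Asterisk project: a small Python parser for the chan_sip "extension not found" NOTICE line quoted in the post. It emits the date/IP/From/To/result record the post proposes and applies a fail2ban-style maxretry/findtime rule to it. The "(ip:port)" field after the From in the constructed sample lines is an assumption made so the example can show what a ban decision needs; the 1.4-style line exactly as quoted carries no address, and the code counts it separately as unattributable instead of silently dropping it. All sample log lines are constructed for this example.

```python
"""Detection over Asterisk chan_sip NOTICE lines (added example, not from the post).

Assumptions, labelled here and in the lead-in:
  * the line shape is the one quoted in the post; an optional "(IP:port)" after
    the From field is ASSUMED so the example can show what a ban needs;
  * the sample log lines below are constructed, not captured.
"""
import re
from collections import defaultdict
from datetime import datetime

NOTICE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\]: "
    r"chan_sip\.c:\d+ handle_request_invite: Call from '(?P<frm>[^']*)'"
    r"(?: \((?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\))?"   # ASSUMED optional source field
    r" to extension '(?P<ext>[^']*)' rejected because extension not found\."
)


def parse_notice(line, year=2009):
    """Return a dict for an 'extension not found' NOTICE, or None for any other line.
    'ip' is None when the line carries no source address (the 1.4-style line in
    the post), which is exactly the case a fail2ban filter cannot act on.
    Asterisk's timestamp has no year, so the caller supplies one."""
    m = NOTICE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "ip": m.group("ip"), "frm": m.group("frm"),
            "ext": m.group("ext"), "result": "404 extension not found"}


def to_record(ev):
    """One line of the structured security log the post asks for:
    date/time, source IP, From, To, result (tab separated, '-' when unknown)."""
    return "\t".join([ev["ts"].strftime("%Y-%m-%d %H:%M:%S"), ev["ip"] or "-",
                      ev["frm"] or "-", ev["ext"] or "-", ev["result"]])


def find_offenders(lines, maxretry=5, findtime=600):
    """fail2ban-style rule: an IP with >= maxretry rejected INVITEs inside any
    findtime-second window is returned with its total hit count. Lines without
    a source IP are counted separately so the blind spot is visible."""
    by_ip = defaultdict(list)
    no_ip = 0
    for line in lines:
        ev = parse_notice(line)
        if ev is None:
            continue
        if ev["ip"] is None:
            no_ip += 1
            continue
        by_ip[ev["ip"]].append(ev["ts"])
    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                offenders[ip] = len(stamps)
                break
    return offenders, no_ip


# Constructed sample log; only the first line is the shape quoted in the post.
SAMPLE_LOG = [
    "[Mar 24 07:43:51] NOTICE[6061]: chan_sip.c:14634 handle_request_invite: "
    "Call from '' to extension '34235' rejected because extension not found.",
    # Constructed lines with the ASSUMED '(ip:port)' field: one host walking extensions.
    *[f"[Mar 24 07:50:{s:02d}] NOTICE[6061]: chan_sip.c:14634 handle_request_invite: "
      f"Call from '100' (203.0.113.7:5060) to extension '{e}' rejected because extension not found."
      for s, e in zip(range(1, 7), ("100", "101", "102", "200", "201", "202"))],
    # A single misdial from another host: below maxretry, so not an offender.
    "[Mar 24 07:51:30] NOTICE[6061]: chan_sip.c:14634 handle_request_invite: "
    "Call from 'alice' (198.51.100.4:5060) to extension '5555' rejected because extension not found.",
    # A different kind of line that the parser must ignore.
    "[Mar 24 07:44:11] WARNING[6061]: chan_sip.c:1976 retrans_pkt: Maximum retries exceeded "
    "on transmission X for seqno 1 (Critical Response) -- See doc/sip-retransmit.txt.",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ev = parse_notice(line)
        if ev:
            print(to_record(ev))
    offenders, unattributable = find_offenders(SAMPLE_LOG)
    print("ban candidates:", offenders, "| lines with no source IP:", unattributable)
```

The point the sample makes is the one the post makes: six rejections in as many seconds from 203.0.113.7 are enough for a maxretry=5 rule, while the line exactly as Asterisk 1.4 prints it, with nothing between the quotes and no address, can only be counted, never acted on.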