Install & Configure Fail2Ban then the host will be blocked from connecting. And no, it's not new.
-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Gordon Henderson
Sent: Saturday, November 26, 2011 6:55 AM
To: Asterisk Users Mailing List Discussion
Subject: [asterisk-users] A new hack? Or just an old one that I've not noticed before...

Seeing lines like this in the logs:

[Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP@85.25.145.176>;tag=E2lb2p9BOJ
[Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP@85.25.145.176>;tag=XMDRarBM2w
[Nov 26 08:47:19] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP@85.25.145.176>;tag=AaTE0L0oRj
[Nov 26 08:47:21] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP@85.25.145.176>;tag=igsN240Wr5
[Nov 26 08:47:23] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP@85.25.145.176>;tag=E8Nkbs0Aye
[Nov 26 08:47:25] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP@85.25.145.176>;tag=LEvpc7tK6B
[Nov 26 08:47:27] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP@85.25.145.176>;tag=WrIoZ92YPz
[Nov 26 08:47:29] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP@85.25.145.176>;tag=kuGTjXr7Pd
[Nov 26 08:47:31] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP@85.25.145.176>;tag=ygQBLSjH1m

etc.

The IP address is presumably the IP address of some compromised host (in Germany in this case, but I've noticed others around the globe so the software doing it would appear to be widespread) - it's not a host that should be connecting in. I suspect that some SIP PBX somewhere is vulnerable to having an account called "VOIP", so this remote attack is trying to compromise that account.

At least it's only once every 2 seconds, so in that respect no worse than the multitude of pop/smtp/imap/ssh type attacks that hackers try... I've seen it on several servers now, always for account VOIP.

I'm presuming the "fake rejection" is the side-effect of using alwaysauthreject in sip.conf. (if so, then it's doing the right thing)

But something to look out for just in case..

Gordon

-- 
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
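The reply recommends fail2ban, which works the way the log lines above invite: it matches each line against a failregex, extracts the source host, and bans the host once it has produced maxretry matches within findtime seconds. The script below is an added example written for this page; it is not code from the thread, from Asterisk, or from the fail2ban project (fail2ban ships its own asterisk filter, whose regex differs from the simplified one here). It takes the nine "fake auth rejection" lines quoted above plus a few constructed ones, applies the same match-and-count logic, and reports which hosts would be banned. The regex, the IPv4 expansion of `<HOST>`, the year used to complete Asterisk's year-less timestamps, and the thresholds are all assumptions made for the example.

```python
"""Added example (not from the thread): fail2ban-style detection of
Asterisk chan_sip "Sending fake auth rejection" NOTICE lines. Asterisk
emits this line when alwaysauthreject=yes is set in sip.conf [general]
and the requested peer does not exist, which is what the poster guessed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Written the way a fail2ban filter.d entry is written: <HOST> is the
# placeholder fail2ban expands to its own host-matching pattern.
# This regex is a simplified one for the example, not fail2ban's stock one.
FAILREGEX = (r'NOTICE\[\d+\] chan_sip\.c: Sending fake auth rejection for user '
             r'"[^"]*" <sip:[^@>]*@<HOST>>;tag=\S+')
# Stand-alone expansion of <HOST>: plain dotted IPv4 only (assumption).
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
FAIL_RE = re.compile(FAILREGEX.replace('<HOST>', HOST_RE))
# Asterisk's default log prefix, e.g. "[Nov 26 08:47:17]", carries no year.
TS_RE = re.compile(r'^\[(\w{3} \d{1,2} \d{2}:\d{2}:\d{2})\]')

# First nine lines are the ones quoted in the thread; the rest are constructed
# for the example (documentation-range address, an unrelated NOTICE line).
SAMPLE_LOG = [
    '[Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP@85.25.145.176>;tag=E2lb2p9BOJ',
    '[Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP@85.25.145.176>;tag=XMDRarBM2w',
    '[Nov 26 08:47:19] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP@85.25.145.176>;tag=AaTE0L0oRj',
    '[Nov 26 08:47:21] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP@85.25.145.176>;tag=igsN240Wr5',
    '[Nov 26 08:47:23] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP@85.25.145.176>;tag=E8Nkbs0Aye',
    '[Nov 26 08:47:25] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP@85.25.145.176>;tag=LEvpc7tK6B',
    '[Nov 26 08:47:27] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP@85.25.145.176>;tag=WrIoZ92YPz',
    '[Nov 26 08:47:29] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP@85.25.145.176>;tag=kuGTjXr7Pd',
    '[Nov 26 08:47:31] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP@85.25.145.176>;tag=ygQBLSjH1m',
    # constructed: a host that fails twice and then stops (stays under maxretry)
    '[Nov 26 08:50:02] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "1001" <sip:1001@203.0.113.7>;tag=abcd1234',
    '[Nov 26 08:50:05] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "1001" <sip:1001@203.0.113.7>;tag=efgh5678',
    # constructed: unrelated NOTICE that the failregex must not match
    '[Nov 26 08:50:09] NOTICE[789] chan_sip.c: Peer "2002" is now Reachable. (12ms / 2000ms)',
]


def parse_line(line, year=2011):
    """Return (timestamp, host) for a fake-auth-rejection line, else None.

    `year` completes the year-less Asterisk timestamp (assumption: 2011,
    the date of the thread)."""
    m_ts = TS_RE.match(line)
    m_fail = FAIL_RE.search(line)
    if not (m_ts and m_fail):
        return None
    ts = datetime.strptime(f"{year} {m_ts.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m_fail.group('host')


def hosts_to_ban(lines, maxretry=5, findtime=600):
    """fail2ban-style rule: a host is banned once it has maxretry matching
    lines inside a sliding window of findtime seconds. Returns the sorted
    list of hosts that crossed the threshold."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(list)   # host -> timestamps still inside the window
    banned = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue            # line did not match the failregex
        ts, host = parsed
        times = hits[host]
        times.append(ts)
        while times and ts - times[0] > window:
            times.pop(0)        # expire hits that fell out of findtime
        if len(times) >= maxretry:
            banned.add(host)
    return sorted(banned)


if __name__ == "__main__":
    for host in hosts_to_ban(SAMPLE_LOG):
        print(f"would ban {host}")
```

With the defaults above the nine quoted lines push 85.25.145.176 over maxretry within 14 seconds, while the constructed 203.0.113.7 host stays under it and the Reachable line is ignored. In a real deployment the equivalent knobs are maxretry, findtime and bantime in the jail definition, the filter points at Asterisk's messages log, and the ban action is an iptables rule rather than a printed line; the point of the script is to make visible what the jail is counting.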