Changing from 5060 is very effective. Sure, someone with the knowledge could try all the ports IF they know you are even running SIP, but it certainly will stop most of these idiots .
That along with fail2ban, not using numbers for device user names all will help. Using IAX where possible also can be very effective John Novack Steve Murphy wrote:
On Sat, Jan 18, 2014 at 3:59 PM, Steve Edwards <asterisk....@sedwards.com <mailto:asterisk....@sedwards.com>> wrote: On Sat, 18 Jan 2014, Jerry Geis wrote: I see MANY of these in my log files: [Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from '"202" <sip:202@X:5060>' failed for '37.8.12.147:26832 <http://37.8.12.147:26832>' - Wrong password What is the "correct" way to block these idiots so they don't even get this far. Use iptables to allow packets from your legitimate users, block everybody else. If you are dealing with a mobile user base or an extensive geographic area, at least block the countries where you do not expect traffic -- North Korea, China, xxxistan, etc. Drop these at the front door (90% of the problem) and use fail2ban to pick off the rest. I see a problem here; firstly that it is no longer so simple to determine the IP ranges of countries. Things have been fractured quite a bit; you might have to hire out a service to determine true geographic origination. Even then, if your service is a little behind, you might occasionally feel the displeasure of users unable to talk to your servers. How will you handle this, with a white-list? How much effort will you end up committing to keeping your whitelist up to date? Nextly, the well-financed operations running such probes need not use machines in their native countries. There are plenty of US-based machines that can be ( and are ) compromised. In other words, don't forget the fail2ban part! Here's another idea! How about changing your port from 5060 to something different, maybe 7067 or some other number that is not popularly being used? You'll provision your phones to use this port, and the scanners will not find you. Seems a much simpler solution... but there are some drawbacks... can anyone think of them? And will these drawbacks matter to you? And, given this solution, will the odds that a scanner might find your machine be so low, that it is not worth using something like fail2ban to override them? Food for thought! murf -- Steve Murphy ParseTree Corporation 57 Lane 17 Cody, WY 82414 ? murf at parsetree dot com ? 307-899-5535
-- Dog is my Co-pilot
-- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
