Couldn't you also use the following for each extension in the the sip.conf
Deny=0.0.0.0/0.0.0.0
Permit=192.168.0.0/255.255.255.0

So that even if they did hit a good extension they would get denied out...

Or you could block all port 5060 traffic in your firewall except that from
your sip trunk providers

-Christopher

-----Original Message-----
From: Michael Keuter [mailto:mkeu...@web.de] 
Sent: Thursday, April 16, 2009 7:50 AM
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] SIP-Hacker

>Hi list,
>
>I have a customer with Astlinux 0.6.4 on a net5501, who was (not
>successfully) tested by a SIP-hacker:
>----------------------------
>Apr 12 14:49:40 asterisk local0.notice asterisk[1832]: NOTICE[1832]:
>chan_sip.c:15839 in handle_request_register: Registration from
>'"1345"<sip:1...@xxx.xxx.xxx.xxx>' failed for '92.243.9.47' - No
>matching peer found
>Apr 12 14:49:40 asterisk local0.notice asterisk[1832]: NOTICE[1832]:
>chan_sip.c:15839 in handle_request_register: Registration from
>'"1346"<sip:1...@xxx.xxx.xxx.xxx>' failed for '92.243.9.47' - No
>matching peer found
>Apr 12 14:49:40 asterisk local0.notice asterisk[1832]: NOTICE[1832]:
>chan_sip.c:15839 in handle_request_register: Registration from
>'"1347"<sip:1...@xxx.xxx.xxx.xxx>' failed for '92.243.9.47' - No
>matching peer found
>Apr 12 14:49:40 asterisk local0.notice asterisk[1832]: NOTICE[1832]:
>chan_sip.c:15839 in handle_request_register: Registration from
>'"1348"<sip:1...@xxx.xxx.xxx.xxx>' failed for '92.243.9.47' - No
>matching peer found
>Apr 12 14:49:41 asterisk local0.notice asterisk[1832]: NOTICE[1832]:
>chan_sip.c:15839 in handle_request_register: Registration from
>'"1349"<sip:1...@xxx.xxx.xxx.xxx>' failed for '92.243.9.47' - No
>matching peer found
>Apr 12 14:49:41 asterisk local0.notice asterisk[1832]: NOTICE[1832]:
>chan_sip.c:15839 in handle_request_register: Registration from
>'"1350"<sip:1...@xxx.xxx.xxx.xxx>' failed for '92.243.9.47' - No
>matching peer found
>----------------------------
>And so on. There are about 65 SIP-checks per second (nice script).
>
>I there anything one could do against this, except secure passwords
>and the blocked-hosts file in Astlinux?
>I know there is a brute-force firewall-plugin for SSH in the 0.6
>branch, but I found nothing for SIP.
>I saw a ids-protection plugin in trunk.
>
>Michael

The second problem is, that "/var/" is full (5 MB) in a short time.

Michael

----------------------------------------------------------------------------
--
Stay on top of everything new and different, both inside and 
around Java (TM) technology - register by April 22, and save
$200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
300 plus technical and hands-on sessions. Register today. 
Use priority code J9JMT32. http://p.sf.net/sfu/p
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to
pay...@krisk.org.


------------------------------------------------------------------------------
Stay on top of everything new and different, both inside and 
around Java (TM) technology - register by April 22, and save
$200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
300 plus technical and hands-on sessions. Register today. 
Use priority code J9JMT32. http://p.sf.net/sfu/p
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to 
pay...@krisk.org.

Reply via email to