Someone has been trying to attack me,  thankfully my security precautions
worked.  From syslog file...

May 23 15:59:39 pbx local0.notice asterisk[3512]: NOTICE[3512]:
chan_sip.c:17021 in handle_request_register: Registration from '<
sip:101@24.000.000.000>' failed for '188.161.222.75' - Device does not match
ACL
May 23 15:59:39 pbx local0.notice asterisk[3512]: NOTICE[3512]:
chan_sip.c:17021 in handle_request_register: Registration from '<
sip:101@24.000.000.000>' failed for '188.161.222.75' - Device does not match
ACL
May 23 15:59:45 pbx local0.notice asterisk[1355]: NOTICE[1355]: Ext.
00972599565696:4 in @ tel-bridge: "tel-bridge Caller ID: 101  Channel: SIP/
24.000.000.000"
May 23 15:59:53 pbx local0.notice asterisk[1366]: NOTICE[1366]: Ext.
9011972599565696:4 in @ tel-bridge: "tel-bridge Caller ID: 101  Channel:
SIP/24.000.000.000"
May 23 16:00:00 pbx local0.notice asterisk[1373]: NOTICE[1373]: Ext.
800972599565696:4 in @ tel-bridge: "tel-bridge Caller ID: 101  Channel: SIP/
24.000.000.000"
May 23 16:00:00 pbx local0.notice asterisk[3512]: NOTICE[3512]:
chan_sip.c:17021 in handle_request_register: Registration from '<
sip:101@24.000.000.000>' failed for '188.161.222.75' - Device does not match
ACL
May 23 16:00:00 pbx local0.notice asterisk[3512]: NOTICE[3512]:
chan_sip.c:17021 in handle_request_register: Registration from '<
sip:101@24.000.000.000>' failed for '188.161.222.75' - Device does not match
ACL
May 23 16:00:06 pbx local0.notice asterisk[1388]: NOTICE[1388]: Ext.
900972599565696:4 in @ tel-bridge: "tel-bridge Caller ID: 101  Channel: SIP/
24.000.000.000"
May 23 16:00:12 pbx local0.notice asterisk[1395]: NOTICE[1395]: Ext.
99011972599565696:4 in @ tel-bridge: "tel-bridge Caller ID: 101  Channel:
SIP/24.000.000.000"
May 23 16:00:18 pbx local0.notice asterisk[1423]: NOTICE[1423]: Ext.
9900972599565696:4 in @ tel-bridge: "tel-bridge Caller ID: 101  Channel:
SIP/24.000.000.000"
May 23 16:00:24 pbx local0.notice asterisk[1431]: NOTICE[1431]: Ext.
9900972599565696:4 in @ tel-bridge: "tel-bridge Caller ID: 101  Channel:
SIP/24.000.000.000"
May 23 16:00:30 pbx local0.notice asterisk[1438]: NOTICE[1438]: Ext.
9009972599565696:4 in @ tel-bridge: "tel-bridge Caller ID: 101  Channel:
SIP/24.000.000.000"
May 23 16:00:36 pbx local0.notice asterisk[1445]: NOTICE[1445]: Ext.
8011972599565696:4 in @ tel-bridge: "tel-bridge Caller ID: 101  Channel:
SIP/24.000.000.000"
May 23 16:00:40 pbx local0.notice asterisk[3512]: NOTICE[3512]:
chan_sip.c:17021 in handle_request_register: Registration from '<
sip:101@24.000.000.000>' failed for '188.161.222.75' - Device does not match
ACL
May 23 16:00:41 pbx local0.notice asterisk[3512]: NOTICE[3512]:
chan_sip.c:17021 in handle_request_register: Registration from '<
sip:101@24.000.000.000>' failed for '188.161.222.75' - Device does not match
ACL
May 23 16:00:42 pbx local0.notice asterisk[1452]: NOTICE[1452]: Ext.
972599565696:4 in @ tel-bridge: "tel-bridge Caller ID: 101  Channel: SIP/
24.000.000.000"
May 23 16:00:48 pbx local0.notice asterisk[1459]: NOTICE[1459]: Ext.
011972599565696:4 in @ tel-bridge: "tel-bridge Caller ID: 101  Channel: SIP/
24.000.000.000"
May 23 16:01:43 pbx user.info firewall: adaptive-ban: Banned IPv4 Host:
188.161.222.75  Filter Type: asterisk

Note that I have changed my real IP address from 24.something in the above
log to 24.000.000.000.

Someone has been trying to call Israel through my Astlinux box.  They
attempted to register with a valid extension (101) spoofing my external IP
address, but that failed because I have...
deny = 0.0.0.0/0.0.0.0
permit = 192.168.1.0/255.255.255.0
in my conf files.

They also attempted to just dial directly, notice how they tried 00, 011 for
international dial codes and 9, 99 and 8 as common methods to get an outside
line.  I do permit direct dialing through my PBX but have a rigorous check
in the dialplan (tel-bridge context) that checks for specific source
callerid (to match one and only one soft phone I use) and their attempts
were blocked by that. I also log the attempts, successful or not, which is
how I have captured the number they attempted to dial in the syslog (it was
also logged in CDR).

Then the adaptive-ban plugin triggered.

So, users beware, you DO need to take all precautions.  And given how close
this attempt came, I am going to disable my path that permits direct dialing
through my PBX, even though my security check worked this time.

And big thanks to the Astlinux team for their firewall plugins (maybe
adaptive-ban should be enabled by default).

David
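As an added example (not part of David's post or of the AstLinux project), a small Python script that parses syslog lines like the ones above: it counts "Device does not match ACL" registration failures per source IP the way an adaptive-ban style filter would, and normalizes the dialled numbers so that the 00/011 and 9/99/8 variants collapse to one destination. The ban threshold and the prefix-stripping rules are assumptions, not AstLinux's actual logic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the post's syslog lines with the mail
# wrapping undone (addresses and dialled numbers copied from the post).
SAMPLE_LOG = """\
May 23 15:59:39 pbx local0.notice asterisk[3512]: NOTICE[3512]: chan_sip.c:17021 in handle_request_register: Registration from '<sip:101@24.000.000.000>' failed for '188.161.222.75' - Device does not match ACL
May 23 15:59:45 pbx local0.notice asterisk[1355]: NOTICE[1355]: Ext. 00972599565696:4 in @ tel-bridge: "tel-bridge Caller ID: 101  Channel: SIP/24.000.000.000"
May 23 15:59:53 pbx local0.notice asterisk[1366]: NOTICE[1366]: Ext. 9011972599565696:4 in @ tel-bridge: "tel-bridge Caller ID: 101  Channel: SIP/24.000.000.000"
May 23 16:00:00 pbx local0.notice asterisk[3512]: NOTICE[3512]: chan_sip.c:17021 in handle_request_register: Registration from '<sip:101@24.000.000.000>' failed for '188.161.222.75' - Device does not match ACL
May 23 16:00:00 pbx local0.notice asterisk[1373]: NOTICE[1373]: Ext. 800972599565696:4 in @ tel-bridge: "tel-bridge Caller ID: 101  Channel: SIP/24.000.000.000"
May 23 16:00:18 pbx local0.notice asterisk[1423]: NOTICE[1423]: Ext. 9900972599565696:4 in @ tel-bridge: "tel-bridge Caller ID: 101  Channel: SIP/24.000.000.000"
May 23 16:00:40 pbx local0.notice asterisk[3512]: NOTICE[3512]: chan_sip.c:17021 in handle_request_register: Registration from '<sip:101@24.000.000.000>' failed for '188.161.222.75' - Device does not match ACL
May 23 16:00:42 pbx local0.notice asterisk[1452]: NOTICE[1452]: Ext. 972599565696:4 in @ tel-bridge: "tel-bridge Caller ID: 101  Channel: SIP/24.000.000.000"
"""

# Registration rejected by the peer's deny/permit ACL (chan_sip).
REG_FAIL = re.compile(
    r"Registration from '<sip:[^@]+@[^>]*>' failed for '(?P<ip>[\d.]+)'")
# Dial attempt logged by the tel-bridge dialplan context.
DIAL = re.compile(
    r'Ext\. (?P<num>\d+):\d+ in @ tel-bridge: "tel-bridge Caller ID: (?P<cid>\d+)')

# Outside-line prefixes and international access codes tried in the post
# (assumed rule set; "" means no outside-line prefix).
OUTSIDE_LINE = ("", "99", "9", "8")
INTL_ACCESS = ("011", "00")

def normalize_dialed(number: str) -> str:
    """Strip one optional outside-line prefix followed by an international
    access code, so 00972..., 9011972..., 800972... all map to 972...
    A bare 972... is left alone: its leading 9 is part of the number."""
    for ol in OUTSIDE_LINE:
        for ia in INTL_ACCESS:
            if number.startswith(ol + ia):
                return number[len(ol + ia):]
    return number

def analyze(log: str, ban_threshold: int = 3) -> dict:
    """Count ACL registration failures per source IP, group dial attempts
    by normalized destination, and list sources at or over the threshold."""
    reg_fail = Counter()
    dial_attempts = defaultdict(list)
    for line in log.splitlines():
        if m := REG_FAIL.search(line):
            reg_fail[m["ip"]] += 1
        elif m := DIAL.search(line):
            dial_attempts[normalize_dialed(m["num"])].append(m["cid"])
    ban = sorted(ip for ip, n in reg_fail.items() if n >= ban_threshold)
    return {"reg_fail": dict(reg_fail), "dial_attempts": dict(dial_attempts), "ban": ban}
```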
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users