Benjamin, Lonnie:

I do have an ISN enabled, which allows unauthenticated SIP calls into my 
AstLinux box. It looks like some sort of “robo-caller” dialled my open 100 
extension and heard the ringtone. Once this was done, they (it) flooded my box 
looking for some way out.

Below is the snippet of my extensions.conf; I’ve now commented out the valid 
100/111 extensions to prevent this in the short-term:
extensions.conf:
[default]
exten => shamus,1,Goto(XXX,s,1)
;exten => 100,1,Goto(XXX,s,1)
;exten => 111,1,Goto(echo_test,111,1)

exten => _X.,1,Set(BANIP=${CHANNEL(recvip)})
  same => n,Log(NOTICE,'${BANIP}' - Dialplan Noted Suspicious IP Address)
  same => n,Hangup(3)

exten => i,1,Set(BANIP=${CHANNEL(recvip)})
  same => n,Log(NOTICE,'${BANIP}' - Dialplan Noted Suspicious IP Address)
  same => n,Hangup(3)

exten => s,1,Set(BANIP=${CHANNEL(recvip)})
  same => n,Log(NOTICE,'${BANIP}' - Dialplan Noted Suspicious IP Address)
  same => n,Hangup(3)

[echo_test]
exten => 111,1,Playback(demo-echotest) ; Let them know what's going on
  same => n,Echo ; Do the echo test
  same => n,Playback(demo-echodone) ; Let them know it's over
  same => n,Hangup


Here are my adaptive ban and IDS files; these are the only two plugins I have 
enabled:
adaptive ban:
ENABLED=1
ADAPTIVE_BAN_FILE="/var/log/messages"
ADAPTIVE_BAN_TIME=120
ADAPTIVE_BAN_COUNT=1
ADAPTIVE_BAN_TYPES="sshd asterisk"
ADAPTIVE_BAN_REJECT=0
ADAPTIVE_BAN_WHITELIST=""

IDS:
ENABLED=1
IDS_INTERFACE=""
IDS_TRUSTED_HOSTS=""
IDS_EXCLUDE_TCP=""
IDS_EXCLUDE_UDP=""
IDS_MAX_RATE1="4"
IDS_MAX_TIME1="60"
IDS_MAX_RATE2="10"
IDS_MAX_TIME2="1800"
IDS_IPV6_ENABLE=1


Is there anything obvious I should change in either of these files?

thanks,
  Shamus
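
As an added illustration (not part of the original message or of AstLinux's own adaptive-ban script), the following Python models what the adaptive-ban thresholds above do against the two log shapes in this thread: chan_sip's "Failed to authenticate device" lines and the NOTICE written by the catch-all dialplan Log() lines. The sample log lines, the placeholder IPs, and the exact layout of the Log() output are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the adaptive-ban config quoted in the message above.
ADAPTIVE_BAN_TIME = 120   # seconds in the sliding window
ADAPTIVE_BAN_COUNT = 1    # hits inside the window before the IP is flagged

# Matchers for chan_sip auth failures and the dialplan's Log() NOTICE. The
# "Ext. s:1 @ default:" prefix of Log() output is an assumption, not AstLinux code.
TIMESTAMP = r"^\[(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\]"
PATTERNS = [
    re.compile(TIMESTAMP + r".*Failed to authenticate device .*@(?P<ip>[0-9.]+)>"),
    re.compile(TIMESTAMP + r".*'(?P<ip>[0-9.]+)' - Dialplan Noted Suspicious IP Address"),
]

# Constructed sample log; the IPs are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
[Jan  4 21:25:49] NOTICE[1344]: chan_sip.c:23337 handle_request_invite: Failed to authenticate device "306"<sip:306@192.0.2.10>;tag=3330360132363436373735323230
[Jan  4 21:25:50] NOTICE[1344]: chan_sip.c:23337 handle_request_invite: Failed to authenticate device "307"<sip:307@192.0.2.10>;tag=33303701323431383731383932
[Jan  4 21:25:50] ERROR[1344]: res_rtp_asterisk.c:570 ast_rtp_new: Oh dear... we couldn't allocate a port for RTP instance '0x8909438'
[Jan  4 21:30:12] NOTICE[1344]: Ext. s:1 @ default: '198.51.100.7' - Dialplan Noted Suspicious IP Address
"""

def parse(line):
    """Return (timestamp, source_ip) for a line we care about, else None."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:  # syslog stamps carry no year; strptime's 1900 default is fine for deltas
            return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")
    return None

def find_bans(lines, window=ADAPTIVE_BAN_TIME, count=ADAPTIVE_BAN_COUNT):
    """Per-IP sliding window: flag an IP the first time it reaches `count` hits within `window` s."""
    hits = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned:
            continue          # already flagged; nothing more to count
        q = hits[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window):
            q.popleft()       # drop hits that fell out of the window
        if len(q) >= count:
            banned[ip] = ts
    return banned
```

With the thread's ADAPTIVE_BAN_COUNT=1 a single failed INVITE is enough to flag the source, which is why the quoted burst would have been stopped after its first line.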


On Sat, 2014-01-04 at 22:44 -0500, Benjamin L. Naber wrote
> you might want to provide the configs you have for adaptive-ban and IDS
> protection
> 
> 
> On Sat, 2014-01-04 at 22:01 -0500, Shamus Rask wrote:
>> I'm running the latest version of AstLinux with adaptive-ban enabled.
>> This works a charm on blocking ssh login attempts. However, I recently
>> came across the following in my Asterisk logs (it appears I'm under
>> some sort of attack):
>> 
>> 
>> [Jan  4 21:25:49] ERROR[1344]: res_rtp_asterisk.c:570 ast_rtp_new: Oh dear... we couldn't allocate a port for RTP instance '0x8909438'
>> [Jan  4 21:25:49] NOTICE[1344]: chan_sip.c:23337 handle_request_invite: Failed to authenticate device "306"<sip:[email protected]>;tag=3330360132363436373735323230
>> [Jan  4 21:25:49] ERROR[1344]: res_rtp_asterisk.c:570 ast_rtp_new: Oh dear... we couldn't allocate a port for RTP instance '0x890ba78'
>> [Jan  4 21:25:49] NOTICE[1344]: chan_sip.c:23337 handle_request_invite: Failed to authenticate device "307"<sip:[email protected]>;tag=33303701323431383731383932
>> [Jan  4 21:25:49] ERROR[1344]: res_rtp_asterisk.c:570 ast_rtp_new: Oh dear... we couldn't allocate a port for RTP instance '0x890dcd8'
>> [Jan  4 21:25:50] NOTICE[1344]: chan_sip.c:23337 handle_request_invite: Failed to authenticate device "308"<sip:[email protected]>;tag=3330380132343836303037313837
>> [Jan  4 21:25:50] ERROR[1344]: res_rtp_asterisk.c:570 ast_rtp_new: Oh dear... we couldn't allocate a port for RTP instance '0x890f528'
>> [Jan  4 21:25:50] NOTICE[1344]: chan_sip.c:23337 handle_request_invite: Failed to authenticate device "309"<sip:[email protected]>;tag=3330390131333738393630373531
>> [Jan  4 21:25:50] ERROR[1344]: res_rtp_asterisk.c:570 ast_rtp_new: Oh dear... we couldn't allocate a port for RTP instance '0x8911790'
>> [Jan  4 21:25:50] NOTICE[1344]: chan_sip.c:23337 handle_request_invite: Failed to authenticate device "310"<sip:[email protected]>;tag=3331300131303735393534373639
>> [Jan  4 21:25:50] ERROR[1344]: res_rtp_asterisk.c:570 ast_rtp_new: Oh dear... we couldn't allocate a port for RTP instance '0x8912fe0'
>> [Jan  4 21:25:50] NOTICE[1344]: chan_sip.c:23337 handle_request_invite: Failed to authenticate device "311"<sip:[email protected]>;tag=3331310132383934373035383636
>> [Jan  4 21:25:50] ERROR[1344]: res_rtp_asterisk.c:570 ast_rtp_new: Oh dear... we couldn't allocate a port for RTP instance '0x8914830'
>> [Jan  4 21:25:50] NOTICE[1344]: chan_sip.c:23337 handle_request_invite: Failed to authenticate device "312"<sip:[email protected]>;tag=33313201313439373439313831
>> [Jan  4 21:25:50] ERROR[1344]: res_rtp_asterisk.c:570 ast_rtp_new: Oh dear... we couldn't allocate a port for RTP instance '0x8916e68'
>> [Jan  4 21:25:50] NOTICE[1344]: chan_sip.c:23337 handle_request_invite: Failed to authenticate device "313"<sip:[email protected]>;tag=3331330133373231383036373539
>> 
>> Is there a way to auto-magically block these attempts?
>> 
>> 
>> many thanks,
>>   Shamus
_______________________________________________
Astlinux-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/astlinux-users
