Re: [asterisk-users] Attack on Sip server.

2014-06-29 Thread Michelle Dupuis
If you have a small Asterisk installation install the free version of SecAst:

http://www.voip-info.org/wiki/view/SecAst+(Asterisk+Intrusion+Detection+and+Prevention)


For general Asterisk security info check this out:

http://www.voip-info.org/wiki/view/Asterisk+security


-=Michelle=-


All opinions posted are my own, and do not necessarily reflect those of my 
employer.  As an employee of GenerationD my opinions are seriously biased :)



From: asterisk-users-boun...@lists.digium.com 
asterisk-users-boun...@lists.digium.com on behalf of Anurag Rana 
anuragrana31...@gmail.com
Sent: Friday, June 27, 2014 10:49 AM
To: Prakash N
Cc: Asterisk Users List
Subject: Re: [asterisk-users] Attack on Sip server.

I added both rules, TCP as well as UDP.  Still not working.

How will changing the SIP listen port prevent it? Please explain.

I will try fail2ban.


On Fri, Jun 27, 2014 at 8:16 PM, Prakash N 
prakas...@tevatel.com wrote:
Hi,

Install fail2ban and change the SIP listen port to avoid the attack

With regards

N.Prakash

From: Anurag Rana anuragrana31...@gmail.com
Sent: 27-06-2014 08:07 PM
To: Asterisk Users Mailing List - Non-Commercial 
Discussion asterisk-users@lists.digium.com
Subject: [asterisk-users] Attack on Sip server.


Hi All.

Someone is attacking my SIP server.
There are a lot of requests coming in and I am not able to stop it because I am 
unable to detect the IP address.
I used wireshark to capture the packets.

Although I am using a very strong password for my SIP users, is there still 
any way to drop these packets and stop this attack?

I tried dropping packets after matching some string (most of the packets from 
the attacker contain the string 'VaxSIPUserAgent/3.1') but it failed. Packets are 
still flowing in.


iptables -I INPUT 1 -p tcp --dport 5060 -m string --string VaxSIPUserAgent 
--algo bm -j DROP

It's something like this

Registration from '30 sp:30@my_public_ip:5060 failed for 
'192.168.xxx.xxx:6373' - Wrong Password

and there are approx 10 requests per minute of this type.

Please suggest some way to stop this.


--
Anurag Rana
http://newbie42.blogspot.in/
On the trampoline of life's experiences, Striving towards a saintly life in the 
midst of these materialistic turbulences.







-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

[asterisk-users] Passing parameters to voiceglue.conf

2014-06-29 Thread Raj Roy Ghandhi
Hi Friends,

I am trying to do the following.

1. Accept the call from the call file.
2. Answer it
3. Extract the dial number and variables from the call file request.
4. Pass those parameters to voiceglue
5. Catch the parameters (dialnumber and cli) in voiceglue.conf
6. Point to the voice.xml file dynamically by matching number

I want to make the line in voiceglue.conf as

DEST_NUMBER  http://127.0.0.1/vxml/FILE.vxml

so that I can catch parameters and call the file dynamically.

Please advise me.

Best Regards,
Roy

Re: [asterisk-users] Attack on Sip server.

2014-06-29 Thread Andres



iptables -I INPUT 1 -p tcp --dport 5060 -m string --string VaxSIPUserAgent 
--algo bm -j DROP

Its something like this

Registration from '30 sp:30@my_public_ip:5060 failed for 
'192.168.xxx.xxx:6373' - Wrong Password


and there are approx 10 request per minute of this type.

Please suggest some way to stop this.

In my experience you need to do 2 things to fix your problem.

#1) Get the real IP address of the attacker.
First you will need to recompile Asterisk to enable the log that shows 
the IP of the attacker.  It apparently is only set for debug so you need 
to edit chan_sip.c


In chan_sip.c

if (!peer) {
        if (debug) {        *** <--- delete this line
                ast_verbose("No matching peer for '%s' from '%s'\n",
                        of, ast_sockaddr_stringify(&p->recv));
        }                   *** <--- delete this line



This will enable logs like:
VERBOSE[24693] chan_sip.c: No matching peer for '1000' from '104.14.190.14:5080'


#2) Now that you have the IP of the attacker, just use fail2ban to block 
him automatically.  Make sure you test out your rules.  For example the 
above log is detected with fail2ban rule:
VERBOSE%(__pid_re)s [^:]+: No matching peer for '[^']*' from '<HOST>(:[0-9]+)?'$















--
Technical Support
http://www.cellroute.net
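
A way to test the fail2ban rule from the message above before deploying it, as an added example that is not part of the original post or of fail2ban itself. The expansions used for %(__pid_re)s and <HOST> are simplified assumptions (IPv4 only), the maxretry value is hypothetical, and the log lines are constructed samples using documentation addresses.

```python
import re
from collections import Counter

# The failregex quoted in the message above, in fail2ban filter syntax.
FAILREGEX = (r"VERBOSE%(__pid_re)s [^:]+: No matching peer for '[^']*' "
             r"from '<HOST>(:[0-9]+)?'$")

# Assumed stand-ins for what fail2ban substitutes itself (IPv4 only here).
PID_RE = r"(?:\[\d+\])"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def compile_failregex(failregex):
    """Expand the fail2ban placeholders into a plain Python regex."""
    expanded = failregex.replace("%(__pid_re)s", PID_RE)
    return re.compile(expanded.replace("<HOST>", HOST_RE))

RULE = compile_failregex(FAILREGEX)

def match_host(line):
    """Return the source address the rule extracts, or None if no match."""
    m = RULE.search(line.rstrip("\n"))
    return m.group("host") if m else None

def offenders(lines, maxretry=3):
    """Hosts with at least maxretry matching lines (hypothetical threshold)."""
    hits = Counter(h for h in map(match_host, lines) if h)
    return {host: n for host, n in hits.items() if n >= maxretry}

# Constructed sample log, shaped like the VERBOSE line shown in the message.
SAMPLE_LOG = [
    "[2014-06-29 10:00:01] VERBOSE[24693] chan_sip.c: No matching peer for '1000' from '203.0.113.7:5080'",
    "[2014-06-29 10:00:07] VERBOSE[24693] chan_sip.c: No matching peer for '1001' from '203.0.113.7:5080'",
    "[2014-06-29 10:00:13] VERBOSE[24693] chan_sip.c: No matching peer for '1002' from '203.0.113.7'",
    "[2014-06-29 10:00:20] VERBOSE[24693] chan_sip.c: No matching peer for '200' from '198.51.100.9:5060'",
    "[2014-06-29 10:00:25] NOTICE[24693] chan_sip.c: some unrelated notice line",
]

# A line missing its closing quote is rejected by the trailing '$ anchor.
TRUNCATED = "VERBOSE[24693] chan_sip.c: No matching peer for '1000' from '203.0.113.7:5080"

if __name__ == "__main__":
    for host, count in offenders(SAMPLE_LOG).items():
        print(f"would ban {host} after {count} matches")
    print("truncated line matches:", match_host(TRUNCATED) is not None)
```
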
