[asterisk-users] Asterisk brute force watcher (was FYI)

2007-04-26 Thread J. Oquendo

Steve Totaro wrote:

I suspect that this will happen more and more.  I also suspect that many
people who have weak SIP credentials like user=100 secret=100 will be
the victim of toll fraud and worse, call to 900 and other very high
termination rates.  How does $25 per minute sound?

Thanks,
Steve Totaro
http://www.asteriskhelpdesk.com
KB3OPB


Ashtray is an Asterisk brute force watcher. Checks logs from cron and 
emails admin of potential brute forcers

http://www.infiltrated.net/scripts/ashtray

Can have it set in .bash_profile so whenever you log on, you'd see 
anomalies.


--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato




smime.p7s
Description: S/MIME Cryptographic Signature
___
--Bandwidth and Colocation provided by Easynews.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] Asterisk brute force watcher (was FYI)

2007-04-26 Thread Steve Kennedy
On Thu, Apr 26, 2007 at 06:46:41AM -0400, J. Oquendo wrote:

 Steve Totaro wrote:
 I suspect that this will happen more and more.  I also suspect that many
 people who have weak SIP credentials like user=100 secret=100 will be
 the victim of toll fraud and worse, call to 900 and other very high
 termination rates.  How does $25 per minute sound?
 Ashtray is an Asterisk brute force watcher. Checks logs from cron and 
 emails admin of potential brute forcers
 http://www.infiltrated.net/scripts/ashtray
 Can have it set in .bash_profile so whenever you log on, you'd see 
 anomalies.

With FC5 had to change to $8 and $11


Steve

-- 
NetTek Ltd  UK mob +44-(0)7775 755503
UK +44-(0)20 79932612 / US +1-(310)8577715 / Fax +44-(0)20 7483 2455
Skype/GoogleTalk/AIM/Gizmo/Mac stevekennedyuk / MSN [EMAIL PROTECTED]
Euro Tech News Blog http://eurotechnews.blogspot.com

Re: [asterisk-users] Asterisk brute force watcher (was FYI)

2007-04-26 Thread J. Oquendo

Steve Kennedy wrote:

 With FC5 had to change to $8 and $11

Weird...

uname -a
Linux linuxbox 2.6.15-1.2054_FC5 #1 Tue Mar 14 15:48:33 EST 2006 i686 
i686 i386 GNU/Linux


I didn't

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato





RE: [asterisk-users] Asterisk brute force watcher (was FYI)

2007-04-26 Thread Steve Totaro

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:asterisk-users-
 [EMAIL PROTECTED] On Behalf Of J. Oquendo
 Sent: Thursday, April 26, 2007 6:47 AM
 To: Asterisk Users Mailing List - Non-Commercial Discussion
 Subject: [asterisk-users] Asterisk brute force watcher (was FYI)
 
 Steve Totaro wrote:
  I suspect that this will happen more and more.  I also suspect that
many
  people who have weak SIP credentials like user=100 secret=100 will
be
  the victim of toll fraud and worse, call to 900 and other very high
  termination rates.  How does $25 per minute sound?
 
  Thanks,
  Steve Totaro
  http://www.asteriskhelpdesk.com
  KB3OPB
 
 Ashtray is an Asterisk brute force watcher. Checks logs from cron and
 emails admin of potential brute forcers
 http://www.infiltrated.net/scripts/ashtray
 
 Can have it set in .bash_profile so whenever you log on, you'd see
 anomalies.
 
 --
 
 J. Oquendo
 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
 echo infiltrated.net|sed 's/^/sil@/g'
 
 Wise men talk because they have something to say;
 fools, because they have to say something. -- Plato
 

Without looking, can it be configured to blacklist that IP for a given
amount of time?  My FTP server has that ability.

Thanks,
Steve Totaro
http://www.asteriskhelpdesk.com
KB3OPB


Re: [asterisk-users] Asterisk brute force watcher (was FYI)

2007-04-26 Thread J. Oquendo

Steve Totaro wrote:

 Without looking, can it be configured to blacklist that IP for a given
 amount of time?  My FTP server has that ability.

Depends... I myself have an extremely modified IPS-like script I chopped 
up for myself. If I posted it, it would look like a horrendous 
shell+ruby+perl+awk+sed nightmare with no comments that most 
programmers would likely roll their eyes at in disgust.


Depending on how you run your Asterisk machine (DB or no DB) it should 
be doable with iptables (--flush), ipf, ipfw, etc. I have one of my 
servers set to do a few things with my script... 1) If a user attempts 
to register and fails more than 5 times ... Email me the username and IP 
address. It doesn't get blocked yet. This way no legitimate remote user 
complains... 2) If a user attempts to register and fails, check the IP 
address and see if they're trying to register using multiple names, if 
they are, then automatically block them via iptables...


I started to tinker with an entire IDS/IPS devoted to Asterisk 
(www.infiltrated.net/scripts/divinityPoC) but haven't had time to finish 
it. Besides, (and I'm sorry to say this)... Asterisk's logging 
mechanisms/errors infuriate me. Sometimes their errors make no sense - 
wth is a "doohicky" error, you guys? So I left it alone. I've butchered it 
for managed PBXs with under 50 users, but for thousands of users, it's 
no good.


Right now one of my machines has: 341 sip peers [308 online , 33 
offline] / 45 active channels : 24 active calls ... I don't even count 
how many trunks and attached * machines I have on that server. And this 
is only one of about maybe 15-20 I deal with on a daily basis...


What I had envisioned for divinity was based off of my Asteroid program 
(www.infiltrated.net/asteroid/)... Catch any anomalous SIP messages and 
nip it in the bud. The heuristics behind it though would be a full-time 
job in itself, so I left it alone. I may or may not continue it, but 
right now I have little incentive to. 1) Too much studying going on for 
me... 2) Work keeps me tied up... 3) Family life... Besides, I've 
configured my machines to where I'm comfortable with them, which was my 
main goal. The last thing I want to do is release something half done to 
hear the criticism "Your program is half baked!" blah blah...




--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 


Wise men talk because they have something to say;
fools, because they have to say something. -- Plato




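The two rules J. Oquendo describes in the message above (alert on one username failing more than 5 times, block an IP that cycles through several usernames), together with the cron-driven log check behind Ashtray in the first message and the awk field problem ($8 versus $11) from Steve Kennedy's reply, as one added example. This is not code from the thread and not Ashtray, divinity or Asteroid; it is written for this page. It assumes the chan_sip NOTICE wording of Asterisk 1.2/1.4 ("Registration from '...' failed for '<ip>' - <reason>") and matches on that text with a regular expression instead of fixed field positions, which is what breaks when the line prefix changes between installs. The log lines are constructed, the addresses come from the RFC 5737 documentation ranges, and the iptables rules are rendered as strings rather than executed.

```python
"""Added example: an Asterisk failed-REGISTER watcher applying the two rules
from the post (alert-only for repeated failures of one user, block for one
source trying several usernames). Not the thread's own scripts."""
import re
from collections import defaultdict

# Assumed log format (Asterisk 1.2/1.4 chan_sip), e.g.
#   [Apr 26 06:40:01] NOTICE[2710] chan_sip.c: Registration from
#   '"100" <sip:100@203.0.113.7>' failed for '203.0.113.7' - Wrong password
# Later builds append ':port' to the source address; the regex accepts both.
# Anchoring on the message text instead of awk's $8/$11 survives prefix changes.
FAIL_RE = re.compile(
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+?)\s*$"
)
USER_RE = re.compile(r"sip:([^@>]+)@")


def parse_failures(lines):
    """Yield (source_ip, username, reason) for every failed registration."""
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue  # successful registrations and other noise are skipped
        u = USER_RE.search(m.group("from"))
        user = u.group(1) if u else m.group("from")
        yield m.group("ip"), user, m.group("reason")


def analyse(lines, alert_threshold=5, allowlist=frozenset()):
    """Apply the two rules from the post.

    Rule 1: one username failing more than alert_threshold times from an IP
            -> alert only, so a remote user with a mistyped secret is not cut off.
    Rule 2: the same IP trying several different usernames -> block; a phone
            never does that, a credential scanner always does.
    Returns (alerts, blocks): alerts maps ip -> (username, failure_count),
    blocks maps ip -> sorted list of usernames tried.
    """
    attempts = defaultdict(list)  # ip -> one username entry per failure
    for ip, user, _reason in parse_failures(lines):
        if ip in allowlist:  # e.g. your own office NAT address
            continue
        attempts[ip].append(user)

    alerts, blocks = {}, {}
    for ip, users in attempts.items():
        names = sorted(set(users))
        if len(names) > 1:
            blocks[ip] = names
        elif len(users) > alert_threshold:
            alerts[ip] = (names[0], len(users))
    return alerts, blocks


def iptables_rules(blocks, chain="INPUT"):
    """Render one DROP rule per blocked IP for SIP signalling on UDP/5060.

    Rules are returned, not executed, so the caller can log them, review them,
    or feed them to a cron job that flushes the chain after a fixed interval.
    """
    return [f"iptables -I {chain} -s {ip} -p udp --dport 5060 -j DROP"
            for ip in sorted(blocks)]


def _notice(ts, user, ip, reason, port=""):
    """Build one constructed log line in the format assumed above."""
    return (f"[Apr 26 {ts}] NOTICE[2710] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@{ip}>' failed for '{ip}{port}' - {reason}")


# Constructed sample log; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = (
    # 203.0.113.7: one username, six wrong passwords -> rule 1, alert only
    [_notice(f"06:40:{s:02d}", "100", "203.0.113.7", "Wrong password") for s in range(1, 7)]
    # 198.51.100.9: three different usernames -> rule 2, block
    + [_notice("06:41:10", "1000", "198.51.100.9", "No matching peer found"),
       _notice("06:41:11", "1001", "198.51.100.9", "No matching peer found"),
       _notice("06:41:12", "admin", "198.51.100.9", "No matching peer found", ":5060")]
    # 192.0.2.50: two typos from a legitimate phone, then success -> nothing
    + [_notice("06:45:00", "200", "192.0.2.50", "Wrong password"),
       _notice("06:45:03", "200", "192.0.2.50", "Wrong password"),
       "[Apr 26 06:45:09] VERBOSE[2710] logger.c:     -- Registered SIP '200' at 192.0.2.50 port 5060"]
)

if __name__ == "__main__":
    alerts, blocks = analyse(SAMPLE_LOG)
    for ip, (user, n) in alerts.items():
        print(f"ALERT  {ip}: {n} failed registrations as '{user}'")
    for rule in iptables_rules(blocks):
        print("BLOCK ", rule)
```

Run from cron against /var/log/asterisk/messages (or from .bash_profile, as the first message suggests) and mail the ALERT lines; only the BLOCK rules need root. iptables has no built-in expiry, so the time-limited blacklist Steve Totaro asks about is done the way the post hints: a second cron entry that flushes the chain the rules were inserted into after the chosen interval. Rule 2 will lock out every phone behind a shared NAT address if one of them is misconfigured, which is what the allowlist is for.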