Re: [asterisk-users] Brute force attacks
On Friday 02 Jul 2010, Tim Nelson wrote:
> - "A J Stiles" wrote:
> > On Friday 02 Jul 2010, Ira wrote:
> > > At 11:14 PM 7/1/2010, you wrote:
> > > > Same activity from these IPs:
> > > > 174.129.137.135
> > >
> > > Given that my Asterisk box is used for nothing but Asterisk and I
> > > know the small number of IPs that need to have access is there an
> > > easy way to use iptables to block everything but those 6 IPs and
> > > provider addresses?
> >
> > Yes, dead easy! Just configure iptables to accept IAX traffic (TCP
> > and UDP port 4569) only from trusted IP addresses, and drop it from
> > anywhere else.
> > [ stuff omitted ]
>
> IAX is UDP only, not TCP. Also, what if he's using SIP (UDP/5060) for
> connectivity to the outside world? He'll need rules for this, in
> addition to RTP media (typically UDP/1-2)...

OK, so you might not need the lines with -p tcp in them; I was just being efficient (i.e., cribbing from an old config file that has worked for me since forever).

All the setups on which I've worked have used SIP on the inside, and IAX on the outside. That way, you don't need so many ports open -- and you avoid the 'mare that is funnelling telephony through NAT. (See also FTP and fax.)

If you need other ports open, the same general principles apply. Read the iptables man page, look at other people's firewall scripts; and most importantly of all, make sure you have a keyboard and monitor plugged into the machine; because one day, you *will* accidentally block port 22 from 0.0.0.0/0.

--
AJS

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Brute force attacks
- "A J Stiles" wrote:
> On Friday 02 Jul 2010, Ira wrote:
> > At 11:14 PM 7/1/2010, you wrote:
> > > Same activity from these IPs:
> > > 174.129.137.135
> >
> > Given that my Asterisk box is used for nothing but Asterisk and I
> > know the small number of IPs that need to have access is there an
> > easy way to use iptables to block everything but those 6 IPs and
> > provider addresses?
>
> Yes, dead easy! Just configure iptables to accept IAX traffic (TCP and UDP
> port 4569) only from trusted IP addresses, and drop it from anywhere else.
> Here I am assuming eth0 is the "outside" connection, and the permitted IP
> addresses are 10.11.12.13 and 10.11.12.14.
>
> # accept IAX traffic (port 4569) from 10.11.12.13
> iptables -A FORWARD -s 10.11.12.13/32 -i eth0 -p tcp -m tcp --dport 4569 -j ACCEPT
> iptables -A FORWARD -s 10.11.12.13/32 -i eth0 -p udp -m udp --dport 4569 -j ACCEPT
> # accept IAX traffic (port 4569) from 10.11.12.14
> iptables -A FORWARD -s 10.11.12.14/32 -i eth0 -p tcp -m tcp --dport 4569 -j ACCEPT
> iptables -A FORWARD -s 10.11.12.14/32 -i eth0 -p udp -m udp --dport 4569 -j ACCEPT
> # drop all other IAX traffic
> iptables -A FORWARD -i eth0 -p udp -m udp --dport 4569 -j DROP
> iptables -A FORWARD -i eth0 -p tcp -m tcp --dport 4569 -j DROP
>
> Obviously if the "permitted" connection addresses fall neatly into a block,
> you can use fewer rules :) If there are a few addresses in the block that
> shouldn't be permitted, put one or more DROP rules first for those addresses,
> then an ACCEPT rule for (the rest of) the block, then another DROP rule.

IAX is UDP only, not TCP. Also, what if he's using SIP (UDP/5060) for connectivity to the outside world? He'll need rules for this, in addition to RTP media (typically UDP/1-2)...

--Tim
Re: [asterisk-users] Brute force attacks
On Friday 02 Jul 2010, Ira wrote:
> At 11:14 PM 7/1/2010, you wrote:
> > Same activity from these IPs:
> > 174.129.137.135
>
> Given that my Asterisk box is used for nothing but Asterisk and I
> know the small number of IPs that need to have access is there an
> easy way to use iptables to block everything but those 6 IPs and
> provider addresses?

Yes, dead easy! Just configure iptables to accept IAX traffic (TCP and UDP port 4569) only from trusted IP addresses, and drop it from anywhere else. Here I am assuming eth0 is the "outside" connection, and the permitted IP addresses are 10.11.12.13 and 10.11.12.14.

# accept IAX traffic (port 4569) from 10.11.12.13
iptables -A FORWARD -s 10.11.12.13/32 -i eth0 -p tcp -m tcp --dport 4569 -j ACCEPT
iptables -A FORWARD -s 10.11.12.13/32 -i eth0 -p udp -m udp --dport 4569 -j ACCEPT
# accept IAX traffic (port 4569) from 10.11.12.14
iptables -A FORWARD -s 10.11.12.14/32 -i eth0 -p tcp -m tcp --dport 4569 -j ACCEPT
iptables -A FORWARD -s 10.11.12.14/32 -i eth0 -p udp -m udp --dport 4569 -j ACCEPT
# drop all other IAX traffic
iptables -A FORWARD -i eth0 -p udp -m udp --dport 4569 -j DROP
iptables -A FORWARD -i eth0 -p tcp -m tcp --dport 4569 -j DROP

Obviously if the "permitted" connection addresses fall neatly into a block, you can use fewer rules :) If there are a few addresses in the block that shouldn't be permitted, put one or more DROP rules first for those addresses, then an ACCEPT rule for (the rest of) the block, then another DROP rule.

--
AJS
Re: [asterisk-users] Brute force attacks
Hi Matt,

What exactly do you mean by Fail2ban crapping out? I never had any problem with it, and for me it is not only protecting asterisk, but also multiple websites for wrong login attempts, spams and SQL injections. Based on your experience I would like to see if I need to be careful with its settings, just in case it could fail at any wrong time.

Zeeshan A Zakaria
--
www.ilovetovoip.com

On 2010-07-02 12:29 PM, "Matt Desbiens" wrote:
> I've noticed from time to time, that fail2ban just craps out, so, this
> might be of interest to the community
>
> assuming you use 192.168.100.0/24 on your network
>
> iptables -A INPUT -s 192.168.100.0/24 -j ACCEPT
> iptables -A INPUT -s carrierip.x.x.x -j ACCEPT
> iptables -A INPUT -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -p udp -m udp -s carrierip.x.x.x --destination-port 5060 -j ACCEPT
> iptables -A INPUT -p udp -m udp -s carrierip.x.x.x --destination-port 1:2 -j ACCEPT
> iptables -A INPUT -p udp -m udp --destination-port 5060 -j DROP
> iptables -A INPUT -p udp -m udp --destination-port 1:2 -j DROP
> iptables -A INPUT -p udp -m udp --destination-port 4000:4999 -j DROP
> iptables -A INPUT -p udp -m udp --destination-port 4569 -j DROP
> iptables -A INPUT -p tcp -m tcp --destination-port 5038 -j DROP
> iptables -A INPUT -p tcp -m tcp --destination-port 22 -j DROP
> iptables -A INPUT -p udp -m udp --destination-port 22 -j DROP
> iptables -A OUTPUT -o eth0 -p all -j ACCEPT
> iptables -A OUTPUT -o eth1 -p all -j ACCEPT
> iptables -A INPUT -i eth0 -p all -j ACCEPT
> iptables -A INPUT -i eth1 -p all -j ACCEPT
> iptables -P INPUT DROP
>
> 2010/7/2 Jonathan González
> > Same activity from these IPs:
> > 174.129.137.135
> > 89.35.123.12
> > 209.20.66.234
> > 184.73.30.42
> > ...
>
> --
> Matthew Desbiens
> //* EOF *//
Re: [asterisk-users] Brute force attacks
I've noticed from time to time, that fail2ban just craps out, so, this might be of interest to the community

assuming you use 192.168.100.0/24 on your network

iptables -A INPUT -s 192.168.100.0/24 -j ACCEPT
iptables -A INPUT -s carrierip.x.x.x -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p udp -m udp -s carrierip.x.x.x --destination-port 5060 -j ACCEPT
iptables -A INPUT -p udp -m udp -s carrierip.x.x.x --destination-port 1:2 -j ACCEPT
iptables -A INPUT -p udp -m udp --destination-port 5060 -j DROP
iptables -A INPUT -p udp -m udp --destination-port 1:2 -j DROP
iptables -A INPUT -p udp -m udp --destination-port 4000:4999 -j DROP
iptables -A INPUT -p udp -m udp --destination-port 4569 -j DROP
iptables -A INPUT -p tcp -m tcp --destination-port 5038 -j DROP
iptables -A INPUT -p tcp -m tcp --destination-port 22 -j DROP
iptables -A INPUT -p udp -m udp --destination-port 22 -j DROP
iptables -A OUTPUT -o eth0 -p all -j ACCEPT
iptables -A OUTPUT -o eth1 -p all -j ACCEPT
iptables -A INPUT -i eth0 -p all -j ACCEPT
iptables -A INPUT -i eth1 -p all -j ACCEPT
iptables -P INPUT DROP

2010/7/2 Jonathan González
> Same activity from these IPs:
> 174.129.137.135
> 89.35.123.12
> 209.20.66.234
> 184.73.30.42
> 184.73.44.61
> 87.106.187.137
> 194.44.244.187
> 203.55.198.100
> 209.76.47.11
> 94.74.229.229
> 93.184.79.59
> 209.62.53.242
>
> On Thu, Jul 1, 2010 at 10:56 PM, Jamie A. Stapleton <jstaple...@computer-business.com> wrote:
> > The IP 69.175.35.186 has just been banned by Fail2Ban after 293 attempts
> > against our server.
> >
> > From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of John Timms
> > Sent: Thursday, July 01, 2010 11:32 AM
> > To: Asterisk Users Mailing List - Non-Commercial Discussion
> > Subject: Re: [asterisk-users] Brute force attacks
> >
> > On Thu, Jul 1, 2010 at 9:16 AM, Ishfaq Malik wrote:
> > > Hi
> > >
> > > We've just noticed attempts (close to 20 attempts, sequential peer
> > > numbers) at guessing peers on 2 of our servers and thought I'd share the
> > > originating IPs with the list in case anyone wants to firewall them as we
> > > have done
> > >
> > > 109.170.106.59
> > > 112.142.55.18
> > > 124.157.161.67
> > >
> > > Ish
> > > --
> > > Ishfaq Malik
> > > Software Developer
> > > PackNet Ltd
> > >
> > > Office: 0161 660 3062
> >
> > We have noticed the same sort of activity on our server.
> > The originating IP addresses attempting access were:
> >
> > 204.9.204.145 (hosted at U.S. Colo, I believe)
> > 91.203.132.149 (Nephax)
> > 130.70.157.186 (University of Louisiana)
> > 61.160.121.46 (Chinanet)
> > 109.170.0.10 (ReasonUP Ltd)
> >
> > --
> > John Timms
> > IT Department - Gnoso Inc.
> > j...@gnoso.com

--
Matthew Desbiens
//* EOF *//
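A J Stiles's FORWARD-chain IAX rules and Matt Desbiens's INPUT ruleset above both hand-write one line per peer and port, which is where a typo slips in. The script below is an added example, not code from the thread, that generates the same kind of allow-list from a list of trusted addresses so the rules can be read before they are applied. It uses the INPUT chain, because the Asterisk box in the thread is itself the endpoint (FORWARD only sees traffic the box routes on behalf of others), and all of its values are assumptions: outside interface eth0, management network 192.168.100.0/24, SIP on UDP/5060, IAX2 on UDP/4569 (UDP only, as Tim Nelson points out), and an RTP range of UDP 10000-20000 matching rtp.conf. gen_rules only prints text and needs no root; apply_rules pipes that text into sh.

```shell
#!/bin/sh
# Added example, not from the thread: build an allow-list INPUT ruleset for an
# Asterisk host from a list of trusted peers, printing it for review first.
# Every address, interface and port range below is an assumed value.

IAX_PORT=4569            # IAX2 is UDP only
SIP_PORT=5060            # SIP signalling over UDP
RTP_RANGE=10000:20000    # must match rtpstart/rtpend in rtp.conf (assumed)
SSH_PORT=22

# gen_rules WAN_IF MGMT_NET PEER [PEER ...]
# Prints iptables commands on stdout; nothing is applied.
gen_rules() {
    wan_if=$1
    mgmt_net=$2
    shift 2
    # Start permissive, rebuild, and set the DROP policy last, so an
    # SSH session that is running this reload survives it.
    echo "iptables -P INPUT ACCEPT"
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to the box's own outbound REGISTERs and calls.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Management access only from the trusted LAN, never from 0.0.0.0/0.
    echo "iptables -A INPUT -s $mgmt_net -p tcp --dport $SSH_PORT -j ACCEPT"
    # Signalling and media from each trusted peer on the outside interface.
    for peer in "$@"; do
        echo "iptables -A INPUT -i $wan_if -s $peer -p udp --dport $IAX_PORT -j ACCEPT"
        echo "iptables -A INPUT -i $wan_if -s $peer -p udp --dport $SIP_PORT -j ACCEPT"
        echo "iptables -A INPUT -i $wan_if -s $peer -p udp --dport $RTP_RANGE -j ACCEPT"
    done
    # Keep a rate-limited record of scanners, then default-drop everything else.
    echo "iptables -A INPUT -i $wan_if -m limit --limit 5/min -j LOG --log-prefix 'ast-fw-drop: '"
    echo "iptables -P INPUT DROP"
}

# count_accepts WAN_IF MGMT_NET PEER ...
# Number of ACCEPT rules generated; a quick sanity check before applying.
count_accepts() {
    gen_rules "$@" | grep -c -- '-j ACCEPT'
}

# apply_rules WAN_IF MGMT_NET PEER ...
# Runs the generated commands; root only. Keep a console attached the
# first time, as the thread advises.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    gen_rules "$@" | sh -e
}

# Review run with the thread's sample addresses (all assumed values).
gen_rules eth0 192.168.100.0/24 10.11.12.13 10.11.12.14
```

Two caveats before copying this onto a real box. With a SIP carrier, media often arrives from gateways whose addresses differ from the signalling proxy, so either add those addresses as peers or accept the RTP range from the carrier's whole block. And the conntrack rule is what lets a phone or trunk that the box registers *to* answer back; without it, outbound-only setups break the moment the DROP policy lands.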
Re: [asterisk-users] Brute force attacks
At 11:14 PM 7/1/2010, you wrote:
> Same activity from these IPs:
> 174.129.137.135

Given that my Asterisk box is used for nothing but Asterisk and I know the small number of IPs that need to have access is there an easy way to use iptables to block everything but those 6 IPs and provider addresses?

Ira
Re: [asterisk-users] Brute force attacks
Same activity from these IPs:
174.129.137.135
89.35.123.12
209.20.66.234
184.73.30.42
184.73.44.61
87.106.187.137
194.44.244.187
203.55.198.100
209.76.47.11
94.74.229.229
93.184.79.59
209.62.53.242

On Thu, Jul 1, 2010 at 10:56 PM, Jamie A. Stapleton <jstaple...@computer-business.com> wrote:
> The IP 69.175.35.186 has just been banned by Fail2Ban after 293 attempts
> against our server.
>
> From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of John Timms
> Sent: Thursday, July 01, 2010 11:32 AM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] Brute force attacks
>
> On Thu, Jul 1, 2010 at 9:16 AM, Ishfaq Malik wrote:
> > Hi
> >
> > We've just noticed attempts (close to 20 attempts, sequential peer
> > numbers) at guessing peers on 2 of our servers and thought I'd share the
> > originating IPs with the list in case anyone wants to firewall them as we
> > have done
> >
> > 109.170.106.59
> > 112.142.55.18
> > 124.157.161.67
> >
> > Ish
> > --
> > Ishfaq Malik
> > Software Developer
> > PackNet Ltd
> >
> > Office: 0161 660 3062
>
> We have noticed the same sort of activity on our server. The originating IP
> addresses attempting access were:
>
> 204.9.204.145 (hosted at U.S. Colo, I believe)
> 91.203.132.149 (Nephax)
> 130.70.157.186 (University of Louisiana)
> 61.160.121.46 (Chinanet)
> 109.170.0.10 (ReasonUP Ltd)
>
> --
> John Timms
> IT Department - Gnoso Inc.
> j...@gnoso.com
Re: [asterisk-users] Brute force attacks
The IP 69.175.35.186 has just been banned by Fail2Ban after 293 attempts against our server.

From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of John Timms
Sent: Thursday, July 01, 2010 11:32 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Brute force attacks

> On Thu, Jul 1, 2010 at 9:16 AM, Ishfaq Malik <i...@pack-net.co.uk> wrote:
> > Hi
> >
> > We've just noticed attempts (close to 20 attempts, sequential peer
> > numbers) at guessing peers on 2 of our servers and thought I'd share the
> > originating IPs with the list in case anyone wants to firewall them as we
> > have done
> >
> > 109.170.106.59
> > 112.142.55.18
> > 124.157.161.67
> >
> > Ish
> > --
> > Ishfaq Malik
> > Software Developer
> > PackNet Ltd
> >
> > Office: 0161 660 3062
>
> We have noticed the same sort of activity on our server. The originating IP
> addresses attempting access were:
>
> 204.9.204.145 (hosted at U.S. Colo, I believe)
> 91.203.132.149 (Nephax)
> 130.70.157.186 (University of Louisiana)
> 61.160.121.46 (Chinanet)
> 109.170.0.10 (ReasonUP Ltd)
>
> --
> John Timms
> IT Department - Gnoso Inc.
> j...@gnoso.com
Re: [asterisk-users] Brute force attacks
On Thu, Jul 1, 2010 at 9:16 AM, Ishfaq Malik wrote:
> Hi
>
> We've just noticed attempts (close to 20 attempts, sequential peer
> numbers) at guessing peers on 2 of our servers and thought I'd share the
> originating IPs with the list in case anyone wants to firewall them as we
> have done
>
> 109.170.106.59
> 112.142.55.18
> 124.157.161.67
>
> Ish
> --
> Ishfaq Malik
> Software Developer
> PackNet Ltd
>
> Office: 0161 660 3062

We have noticed the same sort of activity on our server. The originating IP addresses attempting access were:

204.9.204.145 (hosted at U.S. Colo, I believe)
91.203.132.149 (Nephax)
130.70.157.186 (University of Louisiana)
61.160.121.46 (Chinanet)
109.170.0.10 (ReasonUP Ltd)

--
John Timms
IT Department - Gnoso Inc.
j...@gnoso.com
[asterisk-users] Brute force attacks
Hi

We've just noticed attempts (close to 20 attempts, sequential peer numbers) at guessing peers on 2 of our servers and thought I'd share the originating IPs with the list in case anyone wants to firewall them as we have done

109.170.106.59
112.142.55.18
124.157.161.67

Ish
--
Ishfaq Malik
Software Developer
PackNet Ltd

Office: 0161 660 3062
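The posts in this thread react to what Fail2Ban or a look at the Asterisk log turned up: one source walking sequential peer names until something registers. As an added example, not code from the thread or from Fail2Ban, the script below does the core of what Fail2Ban's asterisk jail does by hand: it counts failed registrations per source address in an Asterisk log and turns every source over a threshold into an iptables DROP rule. The log lines are constructed (TEST-NET addresses, invented peer names) in the chan_sip "Registration from ... failed for ..." format of Asterisk 1.4/1.6; Asterisk 1.8 appends ":port" to the address, which the pattern also accepts. The threshold is an assumption, and the address is taken from the "failed for" field, not from the attacker-controlled From header.

```shell
#!/bin/sh
# Added example, not from the thread: count failed SIP registrations per
# source address in an Asterisk log and emit a DROP rule for every address
# that crosses a threshold. Sample data and threshold are assumed values.

# Constructed sample of /var/log/asterisk/messages: one host walking
# sequential peer names (the pattern the original post describes), one
# legitimate user who mistyped a password, one unrelated NOTICE line.
sample_log() {
    cat <<'EOF'
[Jul  1 09:16:01] NOTICE[2214] chan_sip.c: Registration from '"1001" <sip:1001@203.0.113.10>' failed for '203.0.113.10' - No matching peer found
[Jul  1 09:16:01] NOTICE[2214] chan_sip.c: Registration from '"1002" <sip:1002@203.0.113.10>' failed for '203.0.113.10' - No matching peer found
[Jul  1 09:16:02] NOTICE[2214] chan_sip.c: Registration from '"1003" <sip:1003@203.0.113.10>' failed for '203.0.113.10' - No matching peer found
[Jul  1 09:16:02] NOTICE[2214] chan_sip.c: Registration from '"1004" <sip:1004@203.0.113.10>' failed for '203.0.113.10:5060' - Wrong password
[Jul  1 09:20:44] NOTICE[2214] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '198.51.100.7' - Wrong password
[Jul  1 09:21:10] NOTICE[2214] chan_sip.c: Peer '201' is now Reachable. (12ms / 2000ms)
EOF
}

# failed_registrations THRESHOLD   (log on stdin)
# Prints "<count> <ip>" for each source with at least THRESHOLD failures.
# Both "No matching peer found" and "Wrong password" lines carry the
# source address after "failed for", with or without a ":port" suffix.
failed_registrations() {
    threshold=${1:-5}
    sed -n "s/.*Registration from .* failed for '\([0-9.]*\)\(:[0-9]*\)\{0,1\}'.*/\1/p" \
        | sort | uniq -c \
        | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# ban_commands THRESHOLD   (log on stdin)
# One iptables DROP per offender; -I inserts it ahead of any ACCEPT rule,
# which is what Fail2Ban's iptables action does as well.
ban_commands() {
    failed_registrations "$1" | awk '{ printf "iptables -I INPUT -s %s -j DROP\n", $2 }'
}

# Demo over the constructed log with a threshold of 3 failures.
sample_log | ban_commands 3
```

On a live box this would read `/var/log/asterisk/messages` (or `full`) instead of sample_log, and a cron job or a `tail -F` loop would feed it; the point of keeping failed_registrations separate from ban_commands is that the counting can be checked against the log by eye before anything is blocked.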