Re: [asterisk-users] Sip Registration Hijacking
On Thu, 26 Jan 2012, eherr wrote:

> It is accessible from HTTP. However, the access list only allows access from my home and the password is strong.

Can you configure it to 'syslog' accesses where you can monitor it? Maybe your access lists are invalid, misunderstood or not being honored.

--
Thanks in advance,
Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000

--
Bandwidth and Colocation Provided by http://www.api-digital.com
New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Sip Registration Hijacking
It is accessible from HTTP. However, the access list only allows access from my home and the password is strong.

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Paul Hayes
Sent: Thursday, January 26, 2012 10:30 AM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] Sip Registration Hijacking

On 20/01/12 01:36, eherr wrote:
> It is also registered on an AudioCodes MP-118.
> Thanks,
>
> -E

Is the Audiocodes gateway accessible online? Have you set a strong password for its web interface (and cli if it has one)? It is possible someone is breaking into that and getting the SIP password out of it.

cheers,
Paul.
Re: [asterisk-users] Sip Registration Hijacking
On 20/01/12 01:36, eherr wrote:
> It is also registered on an AudioCodes MP-118.
> Thanks,
>
> -E

Is the Audiocodes gateway accessible online? Have you set a strong password for its web interface (and cli if it has one)? It is possible someone is breaking into that and getting the SIP password out of it.

cheers,
Paul.
Re: [asterisk-users] Sip Registration Hijacking
I appreciate your 2-cents worth. However, I do not believe they have access to the machine. If so, they are clever to create three failures in the logs for my benefit before entering the correct one for hijacking. Additionally, I have a lot of sip extensions to hijack and he keeps going for the same one. I was hoping this was something with the MP-118 and someone experienced the same thing with that device.

Either way, I posed two questions which are still unanswered and probably I will never get answered:

1 - is this a vulnerability in the MP-118
2 - what method could they possibly be using to hijack a number-alpha extension which is creative to begin with ie) 203-Joes_Insurance_Service with an openssl generated password of 12 characters.

Thanks,
--E

From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Larry Moore
Sent: Saturday, January 21, 2012 1:34 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Sip Registration Hijacking

On 20/01/2012 9:36 AM, eherr wrote:
> I have a honey pot box with extensions that are not just numbers ie )
> 100-MySipUserName
> And the passwords are from an openssl generated password ie)
> Gq5VNIjDFWIQoUT6

Is the password stored in sip.conf in plain text or as an MD5? If it is stored in plain text then it may suggest the hijacker has greater access to your system than you realise.

My 2-cents worth.
Re: [asterisk-users] Sip Registration Hijacking
This is actually an interesting concept however I do think I want to restrict dialing during a specific time period. If someone is in the office, I would have to reprogram the route so allow dialing which adds overhead. Again, I do like the concept though.

Thanks,
--E

From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Mikhail Lischuk
Sent: Friday, January 20, 2012 7:42 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Sip Registration Hijacking

Alejandro Imass wrote 20.01.2012 18:09:
> I would like to know how to block this MF because he makes calls at 1-2 AM

I use this construction on my servers

[users]
exten => _XXX,1,GotoIfTime(1:00-2:00,*,*,*?block,1,1)

[block]
exten => _X.,1,HangUp(1)

--
With Best Regards
Mikhail Lischuk <mailto:mlisc...@itx.com.ua>
Re: [asterisk-users] Sip Registration Hijacking
Can you please elaborate on rate limiting. Not how to implement it but rather how implementation is beneficial. Reading up on it, it appears that it just checks the tcp connections and denies connection if limit is passed. In my thoughts, this is essentially a live fail2ban monitor in respects to attempted authentications.

Thanks,
--E

From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Jim DeVito
Sent: Saturday, January 21, 2012 12:02 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Sip Registration Hijacking

Rate limiting (google) via iptables FTW!

Good luck!

----- Original message -----
> Alejandro Imass wrote 20.01.2012 18:09:
>
> > I would like to know how to block this MF because he makes calls at 1-2 AM
>
> I use this construction on my servers
>
> [users]
> exten => _XXX,1,GotoIfTime(1:00-2:00,*,*,*?block,1,1)
>
> [block]
> exten => _X.,1,HangUp(1)
>
> --
> With Best Regards
> Mikhail Lischuk
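To illustrate the difference asked about in the message above, an added simulation (not code from the thread) compares a per-source packet limit with a log-driven ban. The limiter is a generic sliding window rather than a specific iptables module, and the thresholds, ban latency, addresses and traffic are all constructed assumptions.

```python
from collections import defaultdict, deque

SCANNER, GUESSER = "203.0.113.99", "203.0.113.7"   # constructed source addresses
# Constructed traffic as (second, source ip, outcome): a scanner sending 20
# REGISTERs per second for 10 s, and a slow source with three failures and a success.
EVENTS = sorted(
    [(i // 20, SCANNER, "fail") for i in range(200)]
    + [(0, GUESSER, "fail"), (20, GUESSER, "fail"), (40, GUESSER, "fail"), (60, GUESSER, "ok")]
)


def rate_limit(events, limit=10, window=60):
    """Packet-level limit: every packet counts, before any authentication."""
    seen = defaultdict(deque)          # source ip -> times of recent packets
    passed = []
    for t, ip, outcome in events:
        recent = seen[ip]
        while recent and t - recent[0] >= window:
            recent.popleft()
        if len(recent) < limit:
            passed.append((t, ip, outcome))
        recent.append(t)               # dropped packets keep the window full
    return passed


def fail2ban(events, maxretry=5, findtime=600, latency=2):
    """Log-driven ban: only logged failures count, and the ban starts
    `latency` seconds after the maxretry-th failure is written."""
    fails = defaultdict(deque)         # source ip -> times of logged failures
    ban_from = {}                      # source ip -> second the ban takes effect
    passed = []
    for t, ip, outcome in events:
        if ip in ban_from and t >= ban_from[ip]:
            continue
        passed.append((t, ip, outcome))
        if outcome == "fail":
            recent = fails[ip]
            recent.append(t)
            while t - recent[0] > findtime:
                recent.popleft()
            if len(recent) >= maxretry:
                ban_from.setdefault(ip, t + latency)
    return passed


def reached_asterisk(passed, ip):
    """Number of packets from one source that got through a control."""
    return sum(1 for _, source, _ in passed if source == ip)
```

Under these assumptions the scanner gets 10 packets through the rate limit and 40 past the log-driven ban, while the slow source with three failures and one success passes both controls untouched.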
Re: [asterisk-users] Sip Registration Hijacking
On 20/01/2012 9:36 AM, eherr wrote:
> I have a honey pot box with extensions that are not just numbers ie )
> 100-MySipUserName
> And the passwords are from an openssl generated password ie)
> Gq5VNIjDFWIQoUT6

Is the password stored in sip.conf in plain text or as an MD5? If it is stored in plain text then it may suggest the hijacker has greater access to your system than you realise.

My 2-cents worth.
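For reference on the plain-text versus MD5 question above, an added example (not from the thread, and not Asterisk's own code) of the RFC 2617 digest arithmetic behind the `md5secret` form of a sip.conf credential. The realm "asterisk", the URI and the nonce are assumptions; the user name and password are the examples quoted in the thread.

```python
import hashlib
import hmac
import re


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def md5secret(username, realm, password):
    """HA1 of RFC 2617 digest auth: MD5 of "username:realm:password"."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def client_authorization(username, realm, password, uri, nonce):
    """Authorization header a phone that knows the password sends in REGISTER."""
    response = digest_response(md5secret(username, realm, password), "REGISTER", uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}", algorithm=MD5')


def verify_register(authorization, stored_ha1):
    """Server-side check that needs only the stored hash, never the plaintext."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', authorization))
    expected = digest_response(stored_ha1, "REGISTER", fields["uri"], fields["nonce"])
    return hmac.compare_digest(expected, fields.get("response", ""))


# Constructed values; user name and password are the examples quoted in the thread.
USER, REALM, URI = "100-MySipUserName", "asterisk", "sip:198.51.100.10"
NONCE = "4f2a9c1e"                      # constructed server nonce
PASSWORD = "Gq5VNIjDFWIQoUT6"
STORED = md5secret(USER, REALM, PASSWORD)

if __name__ == "__main__":
    print("md5secret =", STORED)
    print(verify_register(client_authorization(USER, REALM, PASSWORD, URI, NONCE), STORED))
    print(verify_register(client_authorization(USER, REALM, "wrong-guess", URI, NONCE), STORED))
```

The stored hash hides the plaintext password but is itself what the response is computed from, so sip.conf needs restrictive file permissions in either form.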
Re: [asterisk-users] Sip Registration Hijacking
Rate limiting (google) via iptables FTW!

Good luck!

----- Original message -----
> Alejandro Imass wrote 20.01.2012 18:09:
>
> > I would like to know how to block this MF because he makes calls at 1-2 AM
>
> I use this construction on my servers
>
> [users]
> exten => _XXX,1,GotoIfTime(1:00-2:00,*,*,*?block,1,1)
>
> [block]
> exten => _X.,1,HangUp(1)
>
> --
> With Best Regards
> Mikhail Lischuk
Re: [asterisk-users] Sip Registration Hijacking
Alejandro Imass wrote 20.01.2012 18:09:
> I would like to know how to block this MF because he makes calls at 1-2 AM

I use this construction on my servers

[users]
exten => _XXX,1,GotoIfTime(1:00-2:00,*,*,*?block,1,1)

[block]
exten => _X.,1,HangUp(1)

--
With Best Regards
Mikhail Lischuk
Re: [asterisk-users] Sip Registration Hijacking
On Fri, Jan 20, 2012 at 11:17 AM, eherr wrote:
> I always thought Sip Vicious only does numbers ( 0 - 100 ) not
> Numeric-Alpha ( 100-MySipUserName ).
>
> To make my situation more interesting is that I also have fail2ban installed
> banning after 5 failed attempts.

I too have fail2ban and running a relatively updated version of FreeBSD. BTW my install is plain Asterisk

--
Alejandro Imass
Re: [asterisk-users] Sip Registration Hijacking
I always thought Sip Vicious only does numbers ( 0 - 100 ) not Numeric-Alpha ( 100-MySipUserName ).

To make my situation more interesting is that I also have fail2ban installed banning after 5 failed attempts. This hijack is only happening to an extension on the honeypot audiocodes with the sip reg authenticating back to my honey pot asterisk which is why I thought it might be a vulnerability in the audiocodes. However, the hijacker manages to make it past the fail2ban and gets the sip reg.

I see sipvicious attempts all the time where they run checks against extensions 0 - . Sometimes I see alpha extension name attempts but I do not know how that's done.

--E

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Alejandro Imass
Sent: Friday, January 20, 2012 11:10 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Sip Registration Hijacking

On Thu, Jan 19, 2012 at 8:36 PM, eherr wrote:
> I have a honey pot box with extensions that are not just numbers ie )
>
> 100-MySipUserName

I have the same problem and I use contactpermit with specific ip blocks! I know for a fact I'm getting hijacked by sip vicious on extension 100 but I can't understand how because I don't even have an extension 100 declared anywhere.

I would like to know how to block this MF because he makes calls at 1-2 AM

--
Alejandro Imass
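The pattern described in this thread (a few failed registrations, then a success that moves the peer to a different IP address, all below the fail2ban threshold of 5) can be picked out of the log directly. The following is an added detection sketch, not code from the thread; the log lines are constructed in the style of chan_sip messages and their exact format is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of chan_sip log messages (assumed format).
SAMPLE_LOG = """\
[2012-01-19 00:10:00] VERBOSE[2001] chan_sip.c: -- Registered SIP '203-Joes_Insurance_Service' at 192.0.2.20 port 5060
[2012-01-19 01:02:03] NOTICE[2001] chan_sip.c: Registration from '<sip:203-Joes_Insurance_Service@198.51.100.10>' failed for '203.0.113.7' - Wrong password
[2012-01-19 01:02:05] NOTICE[2001] chan_sip.c: Registration from '<sip:203-Joes_Insurance_Service@198.51.100.10>' failed for '203.0.113.7' - Wrong password
[2012-01-19 01:02:07] NOTICE[2001] chan_sip.c: Registration from '<sip:203-Joes_Insurance_Service@198.51.100.10>' failed for '203.0.113.7' - Wrong password
[2012-01-19 01:02:09] VERBOSE[2001] chan_sip.c: -- Registered SIP '203-Joes_Insurance_Service' at 203.0.113.7 port 5060
[2012-01-19 01:05:00] NOTICE[2001] chan_sip.c: Registration from '<sip:100@198.51.100.10>' failed for '203.0.113.99' - No matching peer found
"""

FAILED = re.compile(r"Registration from '.*?<sip:([^@>]+)@[^>]*>' failed for '([\d.]+)(?::\d+)?'")
REGISTERED = re.compile(r"Registered SIP '([^']+)' at ([\d.]+)")


def find_suspect_registrations(log_text, maxretry=5):
    """Flag successful registrations that follow failures from the same source
    or that move a peer to a new IP address."""
    failures = defaultdict(int)   # (peer, source ip) -> failed attempts so far
    last_ip = {}                  # peer -> IP of its previous registration
    alerts = []
    for line in log_text.splitlines():
        failed = FAILED.search(line)
        if failed:
            failures[failed.groups()] += 1
            continue
        ok = REGISTERED.search(line)
        if not ok:
            continue
        peer, ip = ok.groups()
        prior = failures.pop((peer, ip), 0)
        previous = last_ip.get(peer)
        if prior or (previous and previous != ip):
            alerts.append({
                "peer": peer, "ip": ip, "previous_ip": previous,
                "failures_before_success": prior,
                # True when a failure-count ban (fail2ban) would not have fired.
                "below_ban_threshold": prior < maxretry,
            })
        last_ip[peer] = ip
    return alerts


if __name__ == "__main__":
    for alert in find_suspect_registrations(SAMPLE_LOG):
        print(alert)
```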
Re: [asterisk-users] Sip Registration Hijacking
On Thu, Jan 19, 2012 at 8:36 PM, eherr wrote:
> I have a honey pot box with extensions that are not just numbers ie )
>
> 100-MySipUserName

I have the same problem and I use contactpermit with specific ip blocks! I know for a fact I'm getting hijacked by sip vicious on extension 100 but I can't understand how because I don't even have an extension 100 declared anywhere.

I would like to know how to block this MF because he makes calls at 1-2 AM

--
Alejandro Imass
[asterisk-users] Sip Registration Hijacking
I have a honey pot box with extensions that are not just numbers ie )

100-MySipUserName

And the passwords are from an openssl generated password ie)

Gq5VNIjDFWIQoUT6

However, this one extension keeps getting hacked and showing up on a different IP address.

It is also registered on an AudioCodes MP-118.

I wanted to know if anyone else ran into this and if it's a vulnerability on the MP-118 or with Asterisk.

Thanks,

-E