Re: [asterisk-users] stopping unwanted attempts
I see MANY of these in my log files: [Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from '202 sip:202@X:5060' failed for '37.8.12.147:26832' - Wrong password [Jan 15 03:06:19] NOTICE[14129] chan_sip.c: Registration from '5001 sip:5001@X:5060' failed for '37.8.12.147:21268' - Wrong password [Jan 15 03:06:23] NOTICE[14129] chan_sip.c: Registration from '30 sip:30@X:5060' failed for '37.8.12.147:21270' - Wrong password [Jan 15 03:06:48] NOTICE[14129] chan_sip.c: Registration from '70 sip:70@X:5060' failed for '37.8.12.147:21328' - Wrong password [Jan 15 03:06:50] NOTICE[14129][C-0085] chan_sip.c: Call from '' ( 8.33.7.110:5103) to extension '889011972592735467' rejected because extension not found in context 'default'. [Jan 15 03:06:56] NOTICE[14129] chan_sip.c: Registration from '4 sip:4@X:5060' failed for '37.8.12.147:21272' - Wrong password [Jan 15 03:07:11] NOTICE[14129] chan_sip.c: Registration from '12001 sip:12001@X:5060' failed for '37.8.12.147:5060' - Wrong password [Jan 15 03:34:02] NOTICE[14129][C-0086] chan_sip.c: Call from '' ( 172.246.236.90:5078) to extension '8889011972595301123' rejected because extension not found in context 'default'. What is the correct way to block these idiots so they don't even get this far. Thanks, Jerry At this past year's AstriCon there was a series of security talks that covered fail2ban and best practices. You can view the playlist of videos on YouTube. The content should be helpful for you: https://www.youtube.com/playlist?list=PLighc-2vlRgT3DhE9DkIgSmpUX6v2AtYo Links to the playlists are also on asterisk.org: http://www.asterisk.org/community/astricon-user-conference/video-archive Cheers, Billy Chia -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] stopping unwanted attempts
On 01/19/2014 08:40 AM, Steve Murphy wrote: Here's another idea! How about changing your port from 5060 to something different, maybe 7067 or some other number that is not popularly being used? You'll provision your phones to use this port, and the scanners will not find you. Seems a much simpler solution... but there are some drawbacks... can anyone think of them? And will these drawbacks matter to you? And, given this solution, will the odds that a scanner might find your machine be so low, that it is not worth using something like fail2ban to override them? Food for thought! murf We use this tactic. I never seen scanners in my logs anymore. Haven't had any issues with it to date... we use Linksys, Polycom, Yealink, Grandstream, and Audiocodes products. All have the ability to specify the registration port. Cheers, j -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] stopping unwanted attempts
On Sat, Jan 18, 2014 at 3:59 PM, Steve Edwards asterisk@sedwards.comwrote: On Sat, 18 Jan 2014, Jerry Geis wrote: I see MANY of these in my log files: [Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from '202 sip:202@X:5060' failed for '37.8.12.147:26832' - Wrong password What is the correct way to block these idiots so they don't even get this far. Use iptables to allow packets from your legitimate users, block everybody else. If you are dealing with a mobile user base or an extensive geographic area, at least block the countries where you do not expect traffic -- North Korea, China, xxxistan, etc. Drop these at the front door (90% of the problem) and use fail2ban to pick off the rest. I see a problem here; firstly that it is no longer so simple to determine the IP ranges of countries. Things have been fractured quite a bit; you might have to hire out a service to determine true geographic origination. Even then, if your service is a little behind, you might occasionally feel the displeasure of users unable to talk to your servers. How will you handle this, with a white-list? How much effort will you end up committing to keeping your whitelist up to date? Nextly, the well-financed operations running such probes need not use machines in their native countries. There are plenty of US-based machines that can be ( and are ) compromised. In other words, don't forget the fail2ban part! Here's another idea! How about changing your port from 5060 to something different, maybe 7067 or some other number that is not popularly being used? You'll provision your phones to use this port, and the scanners will not find you. Seems a much simpler solution... but there are some drawbacks... can anyone think of them? And will these drawbacks matter to you? And, given this solution, will the odds that a scanner might find your machine be so low, that it is not worth using something like fail2ban to override them? Food for thought! murf -- Steve Murphy ParseTree Corporation 57 Lane 17 Cody, WY 82414 ✉ murf at parsetree dot com ☎ 307-899-5535 -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] stopping unwanted attempts
fail2ban is so easy to set up, there is no reason not to set it up. The geography problems are not so bad unless you have phones all over the world or people travelling with softphones to countries that you want to block. It does not block incoming calls only people who want to mimic your own legitimate phones. Ron On 19/01/2014 9:40 AM, Steve Murphy wrote: On Sat, Jan 18, 2014 at 3:59 PM, Steve Edwards asterisk@sedwards.com mailto:asterisk@sedwards.com wrote: On Sat, 18 Jan 2014, Jerry Geis wrote: I see MANY of these in my log files: [Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from '202 sip:202@X:5060' failed for '37.8.12.147:26832 http://37.8.12.147:26832' - Wrong password What is the correct way to block these idiots so they don't even get this far. Use iptables to allow packets from your legitimate users, block everybody else. If you are dealing with a mobile user base or an extensive geographic area, at least block the countries where you do not expect traffic -- North Korea, China, xxxistan, etc. Drop these at the front door (90% of the problem) and use fail2ban to pick off the rest. I see a problem here; firstly that it is no longer so simple to determine the IP ranges of countries. Things have been fractured quite a bit; you might have to hire out a service to determine true geographic origination. Even then, if your service is a little behind, you might occasionally feel the displeasure of users unable to talk to your servers. How will you handle this, with a white-list? How much effort will you end up committing to keeping your whitelist up to date? Nextly, the well-financed operations running such probes need not use machines in their native countries. There are plenty of US-based machines that can be ( and are ) compromised. In other words, don't forget the fail2ban part! Here's another idea! How about changing your port from 5060 to something different, maybe 7067 or some other number that is not popularly being used? You'll provision your phones to use this port, and the scanners will not find you. Seems a much simpler solution... but there are some drawbacks... can anyone think of them? And will these drawbacks matter to you? And, given this solution, will the odds that a scanner might find your machine be so low, that it is not worth using something like fail2ban to override them? Food for thought! murf -- Steve Murphy ParseTree Corporation 57 Lane 17 Cody, WY 82414 ? murf at parsetree dot com ? 307-899-5535 -- Ron Wheeler President Artifact Software Inc email: rwhee...@artifact-software.com skype: ronaldmwheeler phone: 866-970-2435, ext 102 -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] stopping unwanted attempts
Changing from 5060 is very effective. Sure, someone with the knowledge could try all the ports IF they know you are even running SIP, but it certainly will stop most of these idiots . That along with fail2ban, not using numbers for device user names all will help. Using IAX where possible also can be very effective John Novack Steve Murphy wrote: On Sat, Jan 18, 2014 at 3:59 PM, Steve Edwards asterisk@sedwards.com mailto:asterisk@sedwards.com wrote: On Sat, 18 Jan 2014, Jerry Geis wrote: I see MANY of these in my log files: [Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from '202 sip:202@X:5060' failed for '37.8.12.147:26832 http://37.8.12.147:26832' - Wrong password What is the correct way to block these idiots so they don't even get this far. Use iptables to allow packets from your legitimate users, block everybody else. If you are dealing with a mobile user base or an extensive geographic area, at least block the countries where you do not expect traffic -- North Korea, China, xxxistan, etc. Drop these at the front door (90% of the problem) and use fail2ban to pick off the rest. I see a problem here; firstly that it is no longer so simple to determine the IP ranges of countries. Things have been fractured quite a bit; you might have to hire out a service to determine true geographic origination. Even then, if your service is a little behind, you might occasionally feel the displeasure of users unable to talk to your servers. How will you handle this, with a white-list? How much effort will you end up committing to keeping your whitelist up to date? Nextly, the well-financed operations running such probes need not use machines in their native countries. There are plenty of US-based machines that can be ( and are ) compromised. In other words, don't forget the fail2ban part! Here's another idea! How about changing your port from 5060 to something different, maybe 7067 or some other number that is not popularly being used? You'll provision your phones to use this port, and the scanners will not find you. Seems a much simpler solution... but there are some drawbacks... can anyone think of them? And will these drawbacks matter to you? And, given this solution, will the odds that a scanner might find your machine be so low, that it is not worth using something like fail2ban to override them? Food for thought! murf -- Steve Murphy ParseTree Corporation 57 Lane 17 Cody, WY 82414 ? murf at parsetree dot com ? 307-899-5535 -- Dog is my Co-pilot -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] stopping unwanted attempts
On 19/1/14 2:57 pm, Ron Wheeler wrote: fail2ban is so easy to set up, there is no reason not to set it up. One of the dangers with fail2ban - at least in its default configuration - is that a legitimate SIP phone with an incorrect password can quite easily send dozens of registration attempts in a couple of minutes, thus blocking that IP. If your end users configure their own phones, you will have to factor in the increased support burden when users complain that their phones 'can't connect' and you need to manually unblock those IPs. This can be at least partially mitigated using fail2ban's 'ignoreip' directive for IPs you know only your users will be connecting from. If you've a large number of users, it might be worth splitting them across a pair of servers - one for 'trusted' users, i.e. where each SIP endpoint is locked down to a specific IP (or at least a range), and you can configure your firewall to block SIP connection attempts from anything apart from that list; and one for 'untrusted' users, i.e. travelling users, home workers without static IPs, etc. on which you run fail2ban with a fairly ruthless set of rules/limits. Unless you know that none of your users travel internationally, I'd be wary of imposing countrywide IP blocks, especially in this era of IP shortage where IP space is being traded on the open market and GeoIP databases may not always keep up to date. Kind regards, Chris -- This email is made from 100% recycled electrons -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] stopping unwanted attempts
It is far worse when you have multiple phones behind the same public address (i.e. NAT).If any one of the phones has a bad password and the IP gets blocked by fail2ban, then all phones at that site would be blocked. -Original Message- From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Chris Bagnall Sent: Sunday, January 19, 2014 10:40 AM To: asterisk-users@lists.digium.com Subject: Re: [asterisk-users] stopping unwanted attempts On 19/1/14 2:57 pm, Ron Wheeler wrote: fail2ban is so easy to set up, there is no reason not to set it up. One of the dangers with fail2ban - at least in its default configuration - is that a legitimate SIP phone with an incorrect password can quite easily send dozens of registration attempts in a couple of minutes, thus blocking that IP. -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] stopping unwanted attempts
Geoip works well to block all countries except your own Regards Andrew Colin-mobile Vsave(PTY)Ltd Original message From: Eric Wieling ewiel...@nyigc.com Date:19/01/2014 8:40 PM (GMT+02:00) To: Asterisk Users Mailing List - Non-Commercial Discussion asterisk-users@lists.digium.com Subject: Re: [asterisk-users] stopping unwanted attempts It is far worse when you have multiple phones behind the same public address (i.e. NAT). If any one of the phones has a bad password and the IP gets blocked by fail2ban, then all phones at that site would be blocked. -Original Message- From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Chris Bagnall Sent: Sunday, January 19, 2014 10:40 AM To: asterisk-users@lists.digium.com Subject: Re: [asterisk-users] stopping unwanted attempts On 19/1/14 2:57 pm, Ron Wheeler wrote: fail2ban is so easy to set up, there is no reason not to set it up. One of the dangers with fail2ban - at least in its default configuration - is that a legitimate SIP phone with an incorrect password can quite easily send dozens of registration attempts in a couple of minutes, thus blocking that IP. -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] stopping unwanted attempts
We don't do residential service and require the few off-net customers to have a static IP. This makes using whitelists practical.That won't work for most people though. -Original Message- From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Andrew Colin Sent: Sunday, January 19, 2014 2:39 PM To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: Re: [asterisk-users] stopping unwanted attempts Geoip works well to block all countries except your own Regards Andrew Colin-mobile Vsave(PTY)Ltd Original message From: Eric Wieling Date:19/01/2014 8:40 PM (GMT+02:00) To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: Re: [asterisk-users] stopping unwanted attempts It is far worse when you have multiple phones behind the same public address (i.e. NAT).If any one of the phones has a bad password and the IP gets blocked by fail2ban, then all phones at that site would be blocked. -Original Message- From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Chris Bagnall Sent: Sunday, January 19, 2014 10:40 AM To: asterisk-users@lists.digium.com Subject: Re: [asterisk-users] stopping unwanted attempts On 19/1/14 2:57 pm, Ron Wheeler wrote: fail2ban is so easy to set up, there is no reason not to set it up. One of the dangers with fail2ban - at least in its default configuration - is that a legitimate SIP phone with an incorrect password can quite easily send dozens of registration attempts in a couple of minutes, thus blocking that IP. -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[asterisk-users] stopping unwanted attempts
I see MANY of these in my log files: [Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from '202 sip:202@X:5060' failed for '37.8.12.147:26832' - Wrong password [Jan 15 03:06:19] NOTICE[14129] chan_sip.c: Registration from '5001 sip:5001@X:5060' failed for '37.8.12.147:21268' - Wrong password [Jan 15 03:06:23] NOTICE[14129] chan_sip.c: Registration from '30 sip:30@X:5060' failed for '37.8.12.147:21270' - Wrong password [Jan 15 03:06:48] NOTICE[14129] chan_sip.c: Registration from '70 sip:70@X:5060' failed for '37.8.12.147:21328' - Wrong password [Jan 15 03:06:50] NOTICE[14129][C-0085] chan_sip.c: Call from '' ( 8.33.7.110:5103) to extension '889011972592735467' rejected because extension not found in context 'default'. [Jan 15 03:06:56] NOTICE[14129] chan_sip.c: Registration from '4 sip:4@X:5060' failed for '37.8.12.147:21272' - Wrong password [Jan 15 03:07:11] NOTICE[14129] chan_sip.c: Registration from '12001 sip:12001@X:5060' failed for '37.8.12.147:5060' - Wrong password [Jan 15 03:34:02] NOTICE[14129][C-0086] chan_sip.c: Call from '' ( 172.246.236.90:5078) to extension '8889011972595301123' rejected because extension not found in context 'default'. What is the correct way to block these idiots so they don't even get this far. Thanks, Jerry -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] stopping unwanted attempts
Fail2ban works well otherwise you can write your own script im bash or perl to block them in iptables Regards Andrew Colin-mobile Vsave(PTY)Ltd Original message From: Jerry Geis ge...@pagestation.com Date:18/01/2014 10:59 PM (GMT+02:00) To: asterisk-users@lists.digium.com Subject: [asterisk-users] stopping unwanted attempts I see MANY of these in my log files: [Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from '202 sip:202@X:5060' failed for '37.8.12.147:26832' - Wrong password [Jan 15 03:06:19] NOTICE[14129] chan_sip.c: Registration from '5001 sip:5001@X:5060' failed for '37.8.12.147:21268' - Wrong password [Jan 15 03:06:23] NOTICE[14129] chan_sip.c: Registration from '30 sip:30@X:5060' failed for '37.8.12.147:21270' - Wrong password [Jan 15 03:06:48] NOTICE[14129] chan_sip.c: Registration from '70 sip:70@X:5060' failed for '37.8.12.147:21328' - Wrong password [Jan 15 03:06:50] NOTICE[14129][C-0085] chan_sip.c: Call from '' (8.33.7.110:5103) to extension '889011972592735467' rejected because extension not found in context 'default'. [Jan 15 03:06:56] NOTICE[14129] chan_sip.c: Registration from '4 sip:4@X:5060' failed for '37.8.12.147:21272' - Wrong password [Jan 15 03:07:11] NOTICE[14129] chan_sip.c: Registration from '12001 sip:12001@X:5060' failed for '37.8.12.147:5060' - Wrong password [Jan 15 03:34:02] NOTICE[14129][C-0086] chan_sip.c: Call from '' (172.246.236.90:5078) to extension '8889011972595301123' rejected because extension not found in context 'default'. What is the correct way to block these idiots so they don't even get this far. Thanks, Jerry -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] stopping unwanted attempts
On Sat, 18 Jan 2014, Jerry Geis wrote: I see MANY of these in my log files: [Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from '202 sip:202@X:5060' failed for '37.8.12.147:26832' - Wrong password What is the correct way to block these idiots so they don't even get this far. Use iptables to allow packets from your legitimate users, block everybody else. If you are dealing with a mobile user base or an extensive geographic area, at least block the countries where you do not expect traffic -- North Korea, China, xxxistan, etc. Drop these at the front door (90% of the problem) and use fail2ban to pick off the rest. -- Thanks in advance, - Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST Newline Fax: +1-760-731-3000 -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users