Re: [Astlinux-users] First I've seen of this...
Tod Fitch wrote:
> On Mar 24, 2009, at 9:18 AM, Philip A. Prindeville wrote:
>
>> Yeah, I've seen them before.
>>
>> Turn off "allowguest" in /etc/asterisk/sip.conf
>>
>> -Philip
>
> Hummm. Wouldn't that block incoming calls from legitimate sources that
> are using my e164.org entry to call me? Any such calls are routed to a
> dial plan that only allows calls to internal extensions so I am not
> too worried about toll billing fraud.
>
> And they weren't trying to make calls, they were trying to register
> (i.e. become something other than a guest/anonymous caller).
>
> --Tod

What I've seen in the past is that a successful registration is the first step in trying to exploit your service...

-Philip

--
Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are powering Web 2.0 with engaging, cross-platform capabilities. Quickly and easily build your RIAs with Flex Builder, the Eclipse(TM)-based development software that enables intelligent coding and step-through debugging. Download the free 60 day trial.
http://p.sf.net/sfu/www-adobe-com
___
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
Re: [Astlinux-users] First I've seen of this...
On Mar 24, 2009, at 1:04 PM, Kristian Kielhofner wrote:

> On Tue, Mar 24, 2009 at 12:44 PM, Tod Fitch wrote:
>> On Mar 24, 2009, at 9:18 AM, Philip A. Prindeville wrote:
>>
>>> Yeah, I've seen them before.
>>>
>>> Turn off "allowguest" in /etc/asterisk/sip.conf
>>>
>>> -Philip
>>
>> Hummm. Wouldn't that block incoming calls from legitimate sources that
>> are using my e164.org entry to call me? Any such calls are routed to a
>> dial plan that only allows calls to internal extensions so I am not
>> too worried about toll billing fraud.
>>
>> And they weren't trying to make calls, they were trying to register
>> (i.e. become something other than a guest/anonymous caller).
>>
>> --Tod
>
> Yes. The concern is not so much people placing calls into the context
> you have defined in [general] with allowguest=yes but more so with
> people brute forcing your extensions and placing calls to the PSTN...
> Several people have been bit by that. There are various solutions in
> Asterisk being considered but the most effective at this point seems
> to be filtering and/or strong passwords. Obviously, if you are using
> e.164, filtering is not an option for you and strong passwords are
> your only defense (as of now).
>
> --
> Kristian Kielhofner
> http://blog.krisk.org
> http://www.submityoursip.com
> http://www.astlinux.org
> http://www.star2star.com

My passwords are all long alpha-numeric strings, unique to each peer, and all are generated by a program I wrote that uses a cryptographically nice pseudo-random number generator. So they ought to be relatively secure.

It does seem that Asterisk does not use any scheme to throttle responses to bad requests (i.e. increasingly delayed responses for each unsuccessful login attempt from an IP address). So an attacker could run through a lot of passwords (or peer IDs) per second and eat up a lot of your bandwidth when they are doing it.

--Tod
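Tod describes generating long, per-peer, alphanumeric secrets with a cryptographically strong generator. The block below is an added example of that idea in Python; it is not Tod's program and not part of AstLinux or Asterisk. It sizes each secret for a target entropy, draws it from the OS CSPRNG through the `secrets` module, and writes a sip.conf with `allowguest=no` in `[general]` and a distinct `secret=` for every peer. The peer names (`kitchen`, `office`) and the `internal` dialplan context are assumed placeholders.

```python
import math
import secrets
import string

# Letters and digits only (62 symbols): survives every phone provisioning UI and
# the sip.conf parser without quoting, and still gives ~5.95 bits per symbol.
ALPHABET = string.ascii_letters + string.digits


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random string of `length` symbols from `alphabet`."""
    return length * math.log2(len(alphabet))


def min_length_for(bits, alphabet=ALPHABET):
    """Shortest string over `alphabet` that carries at least `bits` of entropy."""
    return math.ceil(bits / math.log2(len(alphabet)))


def make_secret(bits=128, alphabet=ALPHABET):
    """Draw a secret from the OS CSPRNG (the secrets module), sized for `bits`."""
    return "".join(secrets.choice(alphabet) for _ in range(min_length_for(bits, alphabet)))


def render_sip_conf(peers, context="internal", bits=128):
    """Render a sip.conf that refuses guests and gives every peer its own fresh
    secret. `peers` are peer names and `context` the dialplan context they land
    in; both are placeholders here. Returns (config_text, {peer: secret}) so the
    secrets can be handed to the phones out of band."""
    issued = {}
    lines = ["[general]", "allowguest=no", ""]
    for name in peers:
        issued[name] = make_secret(bits)
        lines += [f"[{name}]", "type=friend", "host=dynamic",
                  f"context={context}", f"secret={issued[name]}", ""]
    return "\n".join(lines), issued


if __name__ == "__main__":
    print(f"4 digits: {entropy_bits(4, string.digits):.1f} bits; "
          f"{min_length_for(128)} alphanumerics: {entropy_bits(min_length_for(128)):.1f} bits")
    text, issued = render_sip_conf(["kitchen", "office"])
    print(text)
```

The arithmetic is the point: a 4-digit numeric secret is about 13 bits, a 10,000-candidate space that a scanner exhausts in seconds at the rate Tod mentions, while 22 random alphanumerics are about 131 bits. The same arithmetic applies to the peer name the scanner has to guess first, which is why the 4-digit walk in the log never landed on Tod's longer alphanumeric extensions.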
Re: [Astlinux-users] First I've seen of this...
On Tue, Mar 24, 2009 at 12:44 PM, Tod Fitch wrote:
> On Mar 24, 2009, at 9:18 AM, Philip A. Prindeville wrote:
>
>> Yeah, I've seen them before.
>>
>> Turn off "allowguest" in /etc/asterisk/sip.conf
>>
>> -Philip
>
> Hummm. Wouldn't that block incoming calls from legitimate sources that are
> using my e164.org entry to call me? Any such calls are routed to a dial plan
> that only allows calls to internal extensions so I am not too worried about
> toll billing fraud.
>
> And they weren't trying to make calls, they were trying to register (i.e.
> become something other than a guest/anonymous caller).
>
> --Tod

Yes. The concern is not so much people placing calls into the context you have defined in [general] with allowguest=yes but more so with people brute forcing your extensions and placing calls to the PSTN... Several people have been bit by that. There are various solutions in Asterisk being considered but the most effective at this point seems to be filtering and/or strong passwords. Obviously, if you are using e.164, filtering is not an option for you and strong passwords are your only defense (as of now).

--
Kristian Kielhofner
http://blog.krisk.org
http://www.submityoursip.com
http://www.astlinux.org
http://www.star2star.com
Re: [Astlinux-users] First I've seen of this...
On Mar 24, 2009, at 9:18 AM, Philip A. Prindeville wrote:
> Yeah, I've seen them before.
>
> Turn off "allowguest" in /etc/asterisk/sip.conf
>
> -Philip

Hummm. Wouldn't that block incoming calls from legitimate sources that are using my e164.org entry to call me? Any such calls are routed to a dial plan that only allows calls to internal extensions so I am not too worried about toll billing fraud.

And they weren't trying to make calls, they were trying to register (i.e. become something other than a guest/anonymous caller).

--Tod
Re: [Astlinux-users] First I've seen of this...
Tod Fitch wrote:
> Probably not the correct mailing list but this might be of interest
> anyway. This morning in my Astlinux logs I found a bunch of messages I'd
> not seen before. Here are the last 3:
>
> 05:04:06 pbx local0.notice asterisk[12679]: NOTICE[12679]: chan_sip.c:15236 in handle_request_register: Registration from '"9997"' failed for '174.137.49.78' - No matching peer found
> Mar 24 05:04:06 pbx local0.notice asterisk[12679]: NOTICE[12679]: chan_sip.c:15236 in handle_request_register: Registration from '"9998"' failed for '174.137.49.78' - No matching peer found
> Mar 24 05:04:06 pbx local0.notice asterisk[12679]: NOTICE[12679]: chan_sip.c:15236 in handle_request_register: Registration from '""' failed for '174.137.49.78' - No matching peer found
>
> So 174.137.49.78 (78.49.137.174.in-addr.arpa. 86400 IN PTR
> unknown.caratnetworks.com.) was attempting to register with my
> Astlinux box on all possible 4 digit extensions. Fortunately for me my
> extensions are all alpha-numeric and all longer than 4 characters. I
> just checked and none of them look like a dictionary attack would work
> either.
>
> Anyway, I don't know how common this is. But it is the first time I
> have noticed malicious SIP registration attempts. I do get a huge
> number of that type of thing on my firewall for things like ssh. I
> just hadn't seen it before for SIP.
>
> Cheers,
> Tod

Yeah, I've seen them before.

Turn off "allowguest" in /etc/asterisk/sip.conf

-Philip
[Astlinux-users] First I've seen of this...
Probably not the correct mailing list but this might be of interest anyway. This morning in my Astlinux logs I found a bunch of messages I'd not seen before. Here are the last 3:

05:04:06 pbx local0.notice asterisk[12679]: NOTICE[12679]: chan_sip.c:15236 in handle_request_register: Registration from '"9997"' failed for '174.137.49.78' - No matching peer found
Mar 24 05:04:06 pbx local0.notice asterisk[12679]: NOTICE[12679]: chan_sip.c:15236 in handle_request_register: Registration from '"9998"' failed for '174.137.49.78' - No matching peer found
Mar 24 05:04:06 pbx local0.notice asterisk[12679]: NOTICE[12679]: chan_sip.c:15236 in handle_request_register: Registration from '""' failed for '174.137.49.78' - No matching peer found

So 174.137.49.78 (78.49.137.174.in-addr.arpa. 86400 IN PTR unknown.caratnetworks.com.) was attempting to register with my Astlinux box on all possible 4 digit extensions. Fortunately for me my extensions are all alpha-numeric and all longer than 4 characters. I just checked and none of them look like a dictionary attack would work either.

Anyway, I don't know how common this is. But it is the first time I have noticed malicious SIP registration attempts. I do get a huge number of that type of thing on my firewall for things like ssh. I just hadn't seen it before for SIP.

Cheers,
Tod
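The NOTICE lines above are exactly what a log watcher needs, and Tod's later observation that Asterisk applies no back-off to failed registrations is why one is worth running. The block below is an added example, not part of the original thread and not AstLinux or Asterisk code: it parses `handle_request_register` failures in the format shown, keeps a sliding-window count per source IP, and flags a source once it crosses a threshold, distinguishing an extension walk (many different user parts, as in the post) from password guessing against a known peer. The sample log is constructed to match the quoted format; the 192.0.2.10 address, the `kitchen` peer, the `Wrong password` lines and the noise line are assumptions for the demonstration, and the year is supplied because syslog stamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in the format of the NOTICE lines quoted in the post
# (not captured traffic). The 174.137.49.78 lines mimic the 4-digit extension
# walk Tod saw; 192.0.2.10 (a documentation address) stands in for a legitimate
# phone with a mistyped secret; the 05:04:10 line is noise the parser must skip.
SAMPLE_LOG = """\
Mar 24 05:04:05 pbx local0.notice asterisk[12679]: NOTICE[12679]: chan_sip.c:15236 in handle_request_register: Registration from '"9995"' failed for '174.137.49.78' - No matching peer found
Mar 24 05:04:05 pbx local0.notice asterisk[12679]: NOTICE[12679]: chan_sip.c:15236 in handle_request_register: Registration from '"9996"' failed for '174.137.49.78' - No matching peer found
Mar 24 05:04:06 pbx local0.notice asterisk[12679]: NOTICE[12679]: chan_sip.c:15236 in handle_request_register: Registration from '"9997"' failed for '174.137.49.78' - No matching peer found
Mar 24 05:04:06 pbx local0.notice asterisk[12679]: NOTICE[12679]: chan_sip.c:15236 in handle_request_register: Registration from '"9998"' failed for '174.137.49.78' - No matching peer found
Mar 24 05:04:06 pbx local0.notice asterisk[12679]: NOTICE[12679]: chan_sip.c:15236 in handle_request_register: Registration from '""' failed for '174.137.49.78' - No matching peer found
Mar 24 05:04:09 pbx local0.notice asterisk[12679]: NOTICE[12679]: chan_sip.c:15236 in handle_request_register: Registration from '"kitchen"' failed for '192.0.2.10' - Wrong password
Mar 24 05:04:10 pbx local0.notice asterisk[12679]: NOTICE[12679]: chan_sip.c:1 in some_other_handler: constructed noise line, not a REGISTER failure
Mar 24 05:09:00 pbx local0.notice asterisk[12679]: NOTICE[12679]: chan_sip.c:15236 in handle_request_register: Registration from '"kitchen"' failed for '192.0.2.10' - Wrong password
"""

FAILED_REGISTER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s.*?"
    r"handle_request_register: Registration from '(?P<user>.*?)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})' - (?P<reason>.+)$"
)


def parse_failure(line, year=2009):
    """Return (timestamp, source_ip, user_part, reason) for a failed-REGISTER
    notice, or None for any other line. Syslog stamps carry no year, so one
    is supplied."""
    m = FAILED_REGISTER.match(line)
    if m is None:
        return None
    stamp = " ".join(m["ts"].split())          # collapse the padding before 1-digit days
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    # chan_sip logs the From display name in double quotes; strip them to get
    # the user part the client actually tried ('' for the empty one in the post).
    return ts, m["ip"], m["user"].strip('"'), m["reason"]


def find_bruteforcers(lines, threshold=5, window=timedelta(seconds=60), year=2009):
    """Sliding-window failure counter per source IP over chronologically ordered
    log lines. An IP is flagged the first time it reaches `threshold` failures
    inside `window`, and labelled "extension-scan" when those failures are spread
    over many different user parts (the 4-digit walk), or "password-guess" when
    they hammer one or a few user parts."""
    recent = defaultdict(deque)    # ip -> timestamps of failures still inside the window
    tried = defaultdict(set)       # ip -> every user part that IP has tried
    flagged = {}
    for line in lines:
        rec = parse_failure(line, year)
        if rec is None:
            continue
        ts, ip, user, _reason = rec
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        tried[ip].add(user)
        if ip not in flagged and len(q) >= threshold:
            kind = "extension-scan" if len(tried[ip]) > len(q) // 2 else "password-guess"
            flagged[ip] = {"at": ts, "count": len(q), "users": sorted(tried[ip]), "kind": kind}
    return flagged


def block_rules(flagged, port=5060):
    """One iptables DROP per flagged source, i.e. the kind of action a log
    watcher would fire, since Asterisk itself applies no back-off to repeated
    failed registrations."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = find_bruteforcers(SAMPLE_LOG.splitlines())
    for ip, info in hits.items():
        print(f"{ip}: {info['kind']}, {info['count']} failures by {info['at']:%H:%M:%S}, tried {info['users']}")
    for rule in block_rules(hits):
        print(rule)
```

Run against the sample, the scanner is flagged on its fifth failure within one second while the phone that mistyped its secret twice, five minutes apart, is not, because its first failure has already left the window. Lines without a full date stamp (like the truncated first line in the post) are skipped rather than guessed at. One caveat the log itself shows: "No matching peer found" tells the scanner which user parts do not exist, so once it finds one that answers differently it knows it has a real peer name to attack; chan_sip's `alwaysauthreject=yes` in `[general]` makes unknown and known peers answer alike, which is worth setting alongside a strong secret.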