Re: [Astlinux-users] SIP-Hacker
Hello Michael,

I hope the following link will be useful for you: http://blog.krisk.org/2008/07/sip-dosddos-mitigation.html

Also I read somewhere about keeping a tail on the asterisk log and using iptables rules to block specific IPs. Never used on our Asterisk boxes - but maybe it will help you.

Best regards,
Ioan

On 16-Apr-09 1:45 PM, Michael Keuter wrote:

> Hi list,
>
> I have a customer with Astlinux 0.6.4 on a net5501, who was (not successfully) tested by a SIP-hacker:
>
> Apr 12 14:49:40 asterisk local0.notice asterisk[1832]: NOTICE[1832]: chan_sip.c:15839 in handle_request_register: Registration from '1345sip:1...@xxx.xxx.xxx.xxx' failed for '92.243.9.47' - No matching peer found
> Apr 12 14:49:40 asterisk local0.notice asterisk[1832]: NOTICE[1832]: chan_sip.c:15839 in handle_request_register: Registration from '1346sip:1...@xxx.xxx.xxx.xxx' failed for '92.243.9.47' - No matching peer found
> Apr 12 14:49:40 asterisk local0.notice asterisk[1832]: NOTICE[1832]: chan_sip.c:15839 in handle_request_register: Registration from '1347sip:1...@xxx.xxx.xxx.xxx' failed for '92.243.9.47' - No matching peer found
> Apr 12 14:49:40 asterisk local0.notice asterisk[1832]: NOTICE[1832]: chan_sip.c:15839 in handle_request_register: Registration from '1348sip:1...@xxx.xxx.xxx.xxx' failed for '92.243.9.47' - No matching peer found
> Apr 12 14:49:41 asterisk local0.notice asterisk[1832]: NOTICE[1832]: chan_sip.c:15839 in handle_request_register: Registration from '1349sip:1...@xxx.xxx.xxx.xxx' failed for '92.243.9.47' - No matching peer found
> Apr 12 14:49:41 asterisk local0.notice asterisk[1832]: NOTICE[1832]: chan_sip.c:15839 in handle_request_register: Registration from '1350sip:1...@xxx.xxx.xxx.xxx' failed for '92.243.9.47' - No matching peer found
>
> And so on. There are about 65 SIP-checks per second (nice script).
>
> Is there anything one could do against this, except secure passwords and the blocked-hosts file in Astlinux? I know there is a brute-force firewall-plugin for SSH in the 0.6 branch, but I found nothing for SIP. I saw an ids-protection plugin in trunk.
>
> Michael

___
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
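The log-tailing idea mentioned in this reply, as an added example (not code from the thread or from AstLinux): it counts failed REGISTERs per source address in a sliding window over the log format quoted above and prints iptables DROP rules for the offenders. The thresholds, function names, allow-list parameter and the 192.0.2.10 sample line are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# chan_sip NOTICE format as quoted in the thread. The From value is chosen by the
# remote side, so the pattern is anchored at the end and reads the last field only.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) .*Registration from '.*' failed for "
    r"'(?P<ip>[0-9.]+)' - [^']+$")

def find_offenders(lines, max_failures=5, window_s=10, allow=(), year=2009):
    """IPs with >= max_failures failed REGISTERs inside window_s seconds.
    Syslog timestamps carry no year, so the caller supplies it."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    recent, offenders = defaultdict(deque), []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:      # not a valid address: never pass it to iptables
            continue
        if any(ip in net for net in allowed):
            continue            # never block the LAN or the SIP trunk provider
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window_s:
            hits.popleft()      # forget failures that fell out of the window
        if len(hits) >= max_failures and str(ip) not in offenders:
            offenders.append(str(ip))
    return offenders

def drop_rules(ips):
    """iptables commands that drop SIP signalling (UDP 5060) from each IP."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP" for ip in ips]

# Constructed sample: six lines shaped like the thread's log, plus one isolated
# failure from a documentation address that must not trigger a block.
LINE = ("Apr 12 14:49:{s} asterisk local0.notice asterisk[1832]: NOTICE[1832]: "
        "chan_sip.c:15839 in handle_request_register: Registration from "
        "'{u}sip:1...@xxx.xxx.xxx.xxx' failed for '{ip}' - {why}")
SAMPLE = [LINE.format(s=40 + i // 4, u=1345 + i, ip="92.243.9.47",
                      why="No matching peer found") for i in range(6)]
SAMPLE.append(LINE.format(s=42, u=200, ip="192.0.2.10", why="Wrong password"))

if __name__ == "__main__":
    print("\n".join(drop_rules(find_offenders(SAMPLE, allow=["192.168.0.0/24"]))))
```

Feeding it from a tail of the Asterisk log and rotating or rate-limiting that log also addresses the /var/ filling up that is reported later in the thread.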
Re: [Astlinux-users] SIP-Hacker
> Hi list,
>
> I have a customer with Astlinux 0.6.4 on a net5501, who was (not successfully) tested by a SIP-hacker:
>
> Apr 12 14:49:40 asterisk local0.notice asterisk[1832]: NOTICE[1832]: chan_sip.c:15839 in handle_request_register: Registration from '1345sip:1...@xxx.xxx.xxx.xxx' failed for '92.243.9.47' - No matching peer found
> Apr 12 14:49:40 asterisk local0.notice asterisk[1832]: NOTICE[1832]: chan_sip.c:15839 in handle_request_register: Registration from '1346sip:1...@xxx.xxx.xxx.xxx' failed for '92.243.9.47' - No matching peer found
> Apr 12 14:49:40 asterisk local0.notice asterisk[1832]: NOTICE[1832]: chan_sip.c:15839 in handle_request_register: Registration from '1347sip:1...@xxx.xxx.xxx.xxx' failed for '92.243.9.47' - No matching peer found
> Apr 12 14:49:40 asterisk local0.notice asterisk[1832]: NOTICE[1832]: chan_sip.c:15839 in handle_request_register: Registration from '1348sip:1...@xxx.xxx.xxx.xxx' failed for '92.243.9.47' - No matching peer found
> Apr 12 14:49:41 asterisk local0.notice asterisk[1832]: NOTICE[1832]: chan_sip.c:15839 in handle_request_register: Registration from '1349sip:1...@xxx.xxx.xxx.xxx' failed for '92.243.9.47' - No matching peer found
> Apr 12 14:49:41 asterisk local0.notice asterisk[1832]: NOTICE[1832]: chan_sip.c:15839 in handle_request_register: Registration from '1350sip:1...@xxx.xxx.xxx.xxx' failed for '92.243.9.47' - No matching peer found
>
> And so on. There are about 65 SIP-checks per second (nice script).
>
> Is there anything one could do against this, except secure passwords and the blocked-hosts file in Astlinux? I know there is a brute-force firewall-plugin for SSH in the 0.6 branch, but I found nothing for SIP. I saw an ids-protection plugin in trunk.
>
> Michael

The second problem is, that /var/ is full (5 MB) in a short time.

Michael
Re: [Astlinux-users] SIP-Hacker
Couldn't you also use the following for each extension in the sip.conf:

Deny=0.0.0.0/0.0.0.0
Permit=192.168.0.0/255.255.255.0

So that even if they did hit a good extension they would get denied out...

Or you could block all port 5060 traffic in your firewall except that from your sip trunk providers

-Christopher

-----Original Message-----
From: Michael Keuter [mailto:mkeu...@web.de]
Sent: Thursday, April 16, 2009 7:50 AM
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] SIP-Hacker

> Hi list,
>
> I have a customer with Astlinux 0.6.4 on a net5501, who was (not successfully) tested by a SIP-hacker:
>
> Apr 12 14:49:40 asterisk local0.notice asterisk[1832]: NOTICE[1832]: chan_sip.c:15839 in handle_request_register: Registration from '1345sip:1...@xxx.xxx.xxx.xxx' failed for '92.243.9.47' - No matching peer found
> Apr 12 14:49:40 asterisk local0.notice asterisk[1832]: NOTICE[1832]: chan_sip.c:15839 in handle_request_register: Registration from '1346sip:1...@xxx.xxx.xxx.xxx' failed for '92.243.9.47' - No matching peer found
> Apr 12 14:49:40 asterisk local0.notice asterisk[1832]: NOTICE[1832]: chan_sip.c:15839 in handle_request_register: Registration from '1347sip:1...@xxx.xxx.xxx.xxx' failed for '92.243.9.47' - No matching peer found
> Apr 12 14:49:40 asterisk local0.notice asterisk[1832]: NOTICE[1832]: chan_sip.c:15839 in handle_request_register: Registration from '1348sip:1...@xxx.xxx.xxx.xxx' failed for '92.243.9.47' - No matching peer found
> Apr 12 14:49:41 asterisk local0.notice asterisk[1832]: NOTICE[1832]: chan_sip.c:15839 in handle_request_register: Registration from '1349sip:1...@xxx.xxx.xxx.xxx' failed for '92.243.9.47' - No matching peer found
> Apr 12 14:49:41 asterisk local0.notice asterisk[1832]: NOTICE[1832]: chan_sip.c:15839 in handle_request_register: Registration from '1350sip:1...@xxx.xxx.xxx.xxx' failed for '92.243.9.47' - No matching peer found
>
> And so on. There are about 65 SIP-checks per second (nice script).
>
> Is there anything one could do against this, except secure passwords and the blocked-hosts file in Astlinux? I know there is a brute-force firewall-plugin for SSH in the 0.6 branch, but I found nothing for SIP. I saw an ids-protection plugin in trunk.
>
> Michael

The second problem is, that /var/ is full (5 MB) in a short time.

Michael
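How the Deny/Permit pair suggested in this reply is evaluated, as an added example (a small model written for this page, not Asterisk's own code): rules are applied in file order, each matching rule overrides the previous verdict, and an address that matches nothing is allowed. The function names and the reversed-order variant are assumptions added to show why the order matters.

```python
import ipaddress

def parse_acl(text):
    """Parse sip.conf-style deny=/permit= lines into (sense, network) rules, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment in Asterisk config files
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in ("deny", "permit"):  # keys are matched case-insensitively here
            # address/netmask notation, exactly as written in the reply above
            rules.append((key.lower(), ipaddress.ip_network(value, strict=False)))
    return rules

def allowed(rules, addr):
    """Last matching rule wins; with no matching rule the address is allowed."""
    ip = ipaddress.ip_address(addr)
    verdict = True
    for sense, net in rules:
        if ip in net:
            verdict = (sense == "permit")
    return verdict

# The two lines from the reply, in the order given there.
PEER_ACL = """
Deny=0.0.0.0/0.0.0.0
Permit=192.168.0.0/255.255.255.0
"""
# Constructed variant with the order swapped: the final deny-all overrides the permit.
REVERSED = "Permit=192.168.0.0/255.255.255.0\nDeny=0.0.0.0/0.0.0.0"

if __name__ == "__main__":
    for name, acl in (("as posted", PEER_ACL), ("reversed", REVERSED)):
        rules = parse_acl(acl)
        for addr in ("192.168.0.25", "92.243.9.47"):
            print(f"{name:10} {addr:15} {'permit' if allowed(rules, addr) else 'deny'}")
```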