Hi guys,
I've seen this too, nagios woke me up because it was an extremely high
volume of tries.
I took a peek into the logs and saw that the attacker's script was
trying extensions from 1 to and then random names. I can see the
log in the messages file that several attempts failed becau
I just wanted to add my voice to this "attack". I saw this morning that I had
200+ distinct IPs since the weekend. I used a small Perl script that blocks
failed usernames and passwords at iptables level I found this morning:
http://www.teamforrest.com/blog/171/asterisk-no-matching-peer-found-blo
On 10/31/2010 11:26 AM, Joel Maslak wrote:
> I suspect even munin would provide you such options. Not to mention any
> more capable monitor.
>
>
> I already have a monitor (tied into nagios, which pages me if my fraud
> thresholds are exceeded), but I feel that is probably beyo
Unsuccessful attempts are recorded, however SIP-s is not easily doable on
Asterisk 1.4. I tried once without any success. Maybe somebody who has
successfully implemented it can write a little how-to on it.
Zeeshan A Zakaria
--
www.ilovetovoip.com
www.pbxforall.com (beta)
On 2010-11-01 4:48 AM, "
On Sun, 2010-10-31 at 11:39 -0600, Joel Maslak wrote:
> To guess an 8 character (which is short) password that consists of random
> upper case, lower case, numbers, and 10 symbols (there are more you can use
> if you want), the average number of passwords that you would have to try to
> get in i
On Sun, Oct 31, 2010 at 3:45 PM, Niles Ingalls wrote:
>
> On Oct 30, 2010, at 2:28 PM, Zeeshan Zakaria wrote:
>
> > My main asterisk server is under unusual heavy attack, and so far
> > Fail2Ban has blocked about 30 IPs, from various different countries.
> > At this time it is blocking about 1 IP
On Oct 30, 2010, at 2:28 PM, Zeeshan Zakaria wrote:
> My main asterisk server is under unusual heavy attack, and so far
> Fail2Ban has blocked about 30 IPs, from various different countries.
> At this time it is blocking about 1 IP address every few minutes.
>
> Just wondering if anybody else
On 10/31/2010 12:58 PM, Joel Maslak wrote:
> On Oct 31, 2010, at 9:40 AM, jon pounder wrote:
>
>
>> what are you using that is tied to nagios ?
>>
> I'll package it up next week and make it available.
>
> Basically, I use nrpe to call a shell script that looks at the last five
> minutes
On Sun, Oct 31, 2010 at 1:39 PM, Joel Maslak wrote:
> To guess an 8 character (which is short) password that consists of random
> upper case, lower case, numbers, and 10 symbols (there are more you can use
> if you want), the average number of passwords that you would have to try to
> get in is
To guess an 8 character (which is short) password that consists of random upper
case, lower case, numbers, and 10 symbols (there are more you can use if you
want), the average number of passwords that you would have to try to get in is:
(72^8) / 2 = 361,102,068,154,368 guesses
Over a 10 mb/s et
On Sun, Oct 31, 2010 at 12:45 PM, Joel Maslak wrote:
> On Oct 31, 2010, at 9:57 AM, Jeff LaCoursiere wrote:
>
>> This only tells you after it is way too late that you now have upstream
>> bills to wrangle with your carriers about, or (like in my case) that your
>> balance is now depleted, if it
On Oct 31, 2010, at 9:40 AM, jon pounder wrote:
> what are you using that is tied to nagios ?
I'll package it up next week and make it available.
Basically, I use nrpe to call a shell script that looks at the last five
minutes, 60 minutes, and 1440 minutes of a "asterisk -rx 'core show channel
Like I said before RUBBISH.
One should just ban/block IPs that are attacking you and not let them
connect at all. Not just protect against them with fancy passwords.
BTW, even your fancy passwords are breakable, can't wait for the day
that you'll wake up and smell the coffee.
On Sun, Oct 31, 2010
On Oct 31, 2010, at 9:39 AM, Mark Deneen wrote:
> On Sun, Oct 31, 2010 at 11:26 AM, Joel Maslak wrote:
>> If these are mobile users, I hope they never use any public networks
>> (hotels, starbucks) where other subscribers can do things like ARP attacks
>> to do MITM (and steal your calls; it mig
On Oct 31, 2010, at 9:57 AM, Jeff LaCoursiere wrote:
> This only tells you after it is way too late that you now have upstream
> bills to wrangle with your carriers about, or (like in my case) that your
> balance is now depleted, if it trips anything at all.
>
> In my very recent case only FI
On 10/31/2010 11:39 AM, Mark Deneen wrote:
> On Sun, Oct 31, 2010 at 11:26 AM, Joel Maslak wrote:
>
>> If these are mobile users, I hope they never use any public networks
>> (hotels, starbucks) where other subscribers can do things like ARP attacks
>> to do MITM (and steal your calls; it migh
On Sat, 30 Oct 2010, Joel Maslak wrote:
>
> For me, monitoring outbound call volume makes a lot more sense. I would
> love to see an easy to use, out of the box method to alert me if more
> than "x" number of erlangs* are exceeded within a five minute, sixty
> minute, and one day time period
On Sun, Oct 31, 2010 at 11:26 AM, Joel Maslak wrote:
> If these are mobile users, I hope they never use any public networks
> (hotels, starbucks) where other subscribers can do things like ARP attacks
> to do MITM (and steal your calls; it might not be happening today, but it
> will be happening s
> I already have a monitor (tied into nagios, which pages me if my fraud
> thresholds are exceeded), but I feel that is probably beyond the
> abilities of most of the people experiencing call fraud. The people
> who know what they are doing with Unix and Asterisk are generally not
> the victi
On Sun, Oct 31, 2010 at 2:40 AM, Tzafrir Cohen wrote:
> On Sat, Oct 30, 2010 at 07:33:23PM -0600, Joel Maslak wrote:
>
> > The CPU usage is trivial to deny them. As is the bandwidth usage, if
> > you are not sitting on a slowish broadband connection.
>
> s/slow/asymmetric/
>
A 1mb/s uplink is s
On Sun, 31 Oct 2010, Tzafrir Cohen wrote:
> On Sat, Oct 30, 2010 at 01:43:49PM -0600, Joel Maslak wrote:
>> Is there really any benefit to blocking these, if you use good passwords?
>
> Regardless of any threat from those attacks succeeding, they completely
> saturated the uplink in our ADSL-conne
On 30 October 2010 19:28, Zeeshan Zakaria wrote:
> My main asterisk server is under unusual heavy attack, and so far Fail2Ban
> has blocked about 30 IPs, from various different countries. At this time it
> is blocking about 1 IP address every few minutes.
>
> Just wondering if anybody else is als
On Sat, Oct 30, 2010 at 07:33:23PM -0600, Joel Maslak wrote:
> The CPU usage is trivial to deny them. As is the bandwidth usage, if
> you are not sitting on a slowish broadband connection.
s/slow/asymmetric/
>
> Sure blocking doesn't hurt, but does the help it provides exceed the
> downsides (
One word: Rubbish
On Sat, Oct 30, 2010 at 9:33 PM, Joel Maslak wrote:
> No. It seems that opening up some sort of automatic blocking could cause an
> attacker forging packets to block legitimate endpoints. It also seems like
> they won't get in with good passwords, so it isn't actually accompl
On 10/30/2010 08:25 PM, Warren Selby wrote:
> To me it seems the real question is "What is going on today?". I
> normally get eight to ten asterisk-related fail2ban alerts a day
> between a few client sites - today I've received at least 10 times
> t
tober 30, 2010 11:29 AM
*To:* Asterisk Users Mailing List - Non-Commercial Discussion
*Subject:* [asterisk-users] Under heavy attack
My main asterisk server is under unusual heavy attack, and so far
Fail2Ban has blocked about 30 IPs, from various different countries.
At this time it is blocking
On 10/30/2010 11:25 PM, Warren Selby wrote:
> To me it seems the real question is "What is going on today?". I normally get
> eight to ten asterisk-related fail2ban alerts a day between a few client
> sites - today I've received at least 10 times that many attacks on just one
> site. These are a
To me it seems the real question is "What is going on today?". I normally get
eight to ten asterisk-related fail2ban alerts a day between a few client sites
- today I've received at least 10 times that many attacks on just one site.
These are all coming in from different ip addresses, a new one
They have agreements for termination to locations with high rates.
These types of attacks happen on servers that fit a digital signature.
With certain ports or certain versions of software on those ports.
Yes the Art of War is required reading for today's systems
administration professionals... Ch
On Sun, Oct 31, 2010 at 03:23:52AM +0200, Tzafrir Cohen wrote:
> On Sat, Oct 30, 2010 at 01:43:49PM -0600, Joel Maslak wrote:
> > Is there really any benefit to blocking these, if you use good passwords?
>
> Regardless of any threat from those attacks succeeding, they completely
> saturated the up
My count has reached 100 for the day. The server doesn't serve
international calls anyways, I wonder how it would benefit any hacker in any
way.
--
Zeeshan
Sat, Oct 30, 2010 at 9:33 PM, Joel Maslak wrote:
> No. It seems that opening up some sort of automatic blocking could cause
> an a
Ah, that makes sense - I probably would restrict to only known endpoints by IP
address if I had only DSL bandwidth. But blocking attackers makes sense if
that isn't an option.
Yes, they are after cheap calls.
On Oct 30, 2010, at 7:23 PM, Tzafrir Cohen wrote:
> On Sat, Oct 30, 2010 at 01:43:4
No. It seems that opening up some sort of automatic blocking could cause an
attacker forging packets to block legitimate endpoints. It also seems like they
won't get in with good passwords, so it isn't actually accomplishing something
to worry about the script kiddies if you have good passwords
On Sat, Oct 30, 2010 at 01:43:49PM -0600, Joel Maslak wrote:
> Is there really any benefit to blocking these, if you use good passwords?
Regardless of any threat from those attacks succeeding, they completely
saturated the uplink in our ADSL-connected office.
What are they after, anyway? Merely c
You kidding?
On Sat, Oct 30, 2010 at 3:43 PM, Joel Maslak wrote:
> Is there really any benefit to blocking these, if you use good passwords?
>
> On Sat, Oct 30, 2010 at 1:20 PM, Warren Selby wrote:
>>
>> I'm experiencing this on one of my client's servers. The attack is
>> ongoing.
>>
>> Thanks,
ess.
Cary Fitch
-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Hans Witvliet
Sent: Saturday, October 30, 2010 6:11 PM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] Under heavy attack
On Sat, 201
On Sat, 2010-10-30 at 14:28 -0400, Zeeshan Zakaria wrote:
> My main asterisk server is under unusual heavy attack, and so far
> Fail2Ban has blocked about 30 IPs, from various different countries.
> At this time it is blocking about 1 IP address every few minutes.
>
> Just wondering if anybody els
On 10/30/2010 04:07 PM, Stuart Sheldon wrote:
any registry of abusers like for spam ?
any list of complete ip ranges for countries where abuse is rampant to
block ?
I am getting sick of the one offs and ready to start blocking big chunks
of address space.
We are also seeing an increase in attacks. And yes, there is a benefit
to blocking them. They tend to go away if you have them restricted,
where if you let them go at it, they will sit on your host for sometimes
hours.
Stu
On 10/30/2010 12:43 PM,
Is there really any benefit to blocking these, if you use good passwords?
On Sat, Oct 30, 2010 at 1:20 PM, Warren Selby wrote:
> I'm experiencing this on one of my client's servers. The attack is ongoing.
>
> Thanks,
> --Warren Selby
>
> On Oct 30, 2010, at 2:28 PM, Zeeshan Zakaria wrote:
>
> My
I'm experiencing this on one of my client's servers. The attack is ongoing.
Thanks,
--Warren Selby
On Oct 30, 2010, at 2:28 PM, Zeeshan Zakaria wrote:
> My main asterisk server is under unusual heavy attack, and so far Fail2Ban
> has blocked about 30 IPs, from various different countries. At t
Me too.
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Zeeshan Zakaria
Sent: Saturday, October 30, 2010 11:29 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] Under heavy attack
My main
My main asterisk server is under unusual heavy attack, and so far Fail2Ban
has blocked about 30 IPs, from various different countries. At this time it
is blocking about 1 IP address every few minutes.
Just wondering if anybody else is also experiencing unusually increased hack
attempts today?
Zee