Asterisk Intruders - Break in attempts

I have been looking over my asterisk messages files and some a**holes out there are apparently using a brute force utility to try and break in. My asterisk server is behind a firewall+natd router and so far none of them have gained access.

They seem to try all 3 and 4 digit combinations of extensions. What’s especially troubling is that there is a pattern that shows somehow they zero in on authentic user account extensions. The only thing that keeps them out is they don’t guess the passwords. I use very cryptic passwords for this very reason. Still it bothers me that asterisk somehow seems to be giving up some signal to these a**holes as to which accounts are viable and then they start focusing on these.

Is asterisk giving up some information that lets these crooks zero in on the real accounts?

Is asterisk really that insecure?

I don’t know how secure or insecure asterisk is, but I would suggest tightening up your firewall rules. We don’t allow SIP traffic (or any other traffic for that matter) from an IP address that is not associated with a known phone.

maxfiles,
it is easy to scan an IP block and see what is running on it.
A big hint is the OS and services running on the box.

and if you have your box exposed to the net then it is just a matter of time before they find a hole and get in.

Will a port scan detect a machine that is behind the firewall? My asterisk server is not connected directly to the Internet. I am assuming, and I may be wrong, that the little kiddies in the asterisk chat room are somehow behind this. And determining that someone is running asterisk is very easy to do once you participate in chat.

For now, no one has actually gained access. But the fact that they are trying is a real PITA. Like I said, there are so many more constructive things to do with your computer. And I guess I just don’t understand the criminal mind.

I doubt it is anyone in the asterisk chat room. We’re an ISP and we see port scans going on 24/7 on every IP address in our blocks. This is what people do. You have a firewall, use it to block everything except SIP and RTP from all IP addresses except the ones that you need to get through. Anything less is asking for trouble. Period.

I was going to post something about this a few days ago. It appears the sip scans are increasing. A few servers I control have been scanned recently from multiple IP addresses. The automated ones I’ve seen are using sipvicious, judging from the user agent of “Friendly Scanner” (Sipvicious).

Basically what they are doing is scanning netblocks for sip servers (Using svmap), then initiating extension probes against those servers (Using svwar). Once they have a listing of extensions they can connect to, they try to brute force some of them until they get a successful connection (Using svcrack). They use those registrations to generate automated calls asking people to enter their credit card number for validation purposes or something similar for some sort of scam. So there is a huge monetary incentive for these people to exploit it.


How do you stop it?

1. Scan yourself with the tools they use and see if you have a weakness or an extension set up incorrectly.
2. If you can, stop accepting SIP incoming from anything other than your providers/phones. This may not be possible if you have roaming extensions with softphones etc. Possibly change the default SIP port to something else.
3. Make sure your sip secrets are strong. Do not have the extension/password be the same, do not have them be simple short numeric-only passwords. The longer the password the better. Choose the passwords as you would choose shell passwords.
4. Implement log monitoring to catch/ban them in the process. One of my clients wrote up a quick how-to in the voip-info wiki here: voip-info.org/wiki/view/Fail … 2BAsterisk
5. Set up an Intrusion Detection System (IDS) to detect the scans and act on them. Snort is a good option here.

Few other notes… If you use Polycom phones and have the ftp server exposed to the internet for configuration, do not, I repeat do not, keep the default ftp password. Not only does it give them free access to your sip authentication, it may, if that account also allows shell access, give them the ability to use that machine to send spam.
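As an added defender’s example (not code from anyone in this thread), here is the kind of log-monitoring pass step 4 describes: it parses constructed Asterisk-style registration-failure lines (the log format is assumed, not quoted from the thread), lists the sources a fail2ban-style jail would ban, and separately flags sources that received both “No matching peer found” and “Wrong password”, since two different answers are exactly how a scanner tells real extensions from guesses.

```python
import re
from collections import defaultdict

# Constructed sample log in the shape of Asterisk 1.x chan_sip registration
# failures (assumed format, not quoted from the thread). 203.0.113.9 plays the
# scanner; 198.51.100.20 is a legitimate phone that mistyped its secret once.
SAMPLE_LOG = """\
[Mar 10 02:11:03] NOTICE[2210] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '203.0.113.9' - No matching peer found
[Mar 10 02:11:03] NOTICE[2210] chan_sip.c: Registration from '"101" <sip:101@198.51.100.7>' failed for '203.0.113.9' - No matching peer found
[Mar 10 02:11:04] NOTICE[2210] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '203.0.113.9' - Wrong password
[Mar 10 02:11:04] NOTICE[2210] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '203.0.113.9' - Wrong password
[Mar 10 02:11:05] NOTICE[2210] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '203.0.113.9' - Wrong password
[Mar 10 08:30:12] NOTICE[2210] chan_sip.c: Registration from '"200" <sip:200@198.51.100.20>' failed for '198.51.100.20' - Wrong password
"""

FAIL_RE = re.compile(
    r"Registration from '\"?(?P<ext>[^\"'<]*)\"?\s*<[^>]*>' failed for "
    r"'(?P<src>[0-9a-fA-F.:]+)' - (?P<reason>.+)$"
)

def parse_failures(text):
    """Yield (source_ip, extension, reason) for every failed registration."""
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            yield m["src"], m["ext"].strip(), m["reason"].strip()

def summarize(text):
    """Per source IP: distinct extensions tried and a count per failure reason."""
    stats = defaultdict(lambda: {"extensions": set(), "reasons": defaultdict(int)})
    for src, ext, reason in parse_failures(text):
        stats[src]["extensions"].add(ext)
        stats[src]["reasons"][reason] += 1
    return stats

def ban_candidates(text, max_failures=3):
    """Sources whose failures reach max_failures: what a fail2ban-style jail
    would hand to the firewall as a block rule."""
    return sorted(src for src, s in summarize(text).items()
                  if sum(s["reasons"].values()) >= max_failures)

def enumerating_sources(text):
    """Sources that collected both 'No matching peer found' and 'Wrong password':
    the two answers differ, so the sender now knows which extensions exist."""
    return sorted(src for src, s in summarize(text).items()
                  if {"No matching peer found", "Wrong password"} <= set(s["reasons"]))
```

Run against a real messages file, only the scanner crosses the threshold while the phone with one typo does not; the threshold and the regex are the two knobs to tune for your own log format and tolerance.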

I am not an expert on this, but it does appear that somehow they get enough information from one’s asterisk server to know that when a certain extension was tried, the password for this account was incorrect. This is how I’m assuming they zero in on the valid extensions. So asterisk is basically giving up half the equation for the break-in for these crooks. I would hope that the developers would change this so that when any extension is tried with the wrong password * doesn’t give up half the goods. Meaning there should be no clue to these crooks that they at least guessed the extension right. I say if the password and username don’t match, then don’t say anything…

Loose lips sink ships.

The response to invalid authentication will be specified in the SIP RFCs.

I take issue with your words about doubting that this traffic is coming from the asterisk chatroom. While I’m sure there are plenty of good folks in this group, it only takes one or a few to wreck things.

What I’ve noticed is a pattern to the break-in attempts. They almost always occur either while I’m in the #asterisk chatroom or soon after I have had a session therein. It’s not hard to put the pieces of the puzzle together. I just wish these losers would comprehend the consequences of their actions. At the very least, their intrusions soak up bandwidth that I’m paying for and at the worst, they could gain access and use up minutes with the providers that I also pay for. Either way these a**holes are nothing but cheap crooks.

Hi

Ok, you have their IP address and the time; you just contact their ISP and inform them. They will (should) take action. Or if you find it’s from a company/institution, contact them with the details.

Ian

A noble goal but not practical. If I took the time to do what you suggest, it would be a full time job. We see port scans going on 24/7 over the entire range of our address space.

I have found that reporting abuse is a waste of time. You never hear anything back from these people. It could be that they are too busy, but I think it has more to do with legal issues. The less they say, the less can be used against them if any legal action is ever taken.

I used to have a script that reported abuse and break-in attempts, but after months of dropping e-mail off into a black hole I gave up trying to get any results.

It may be they catch one of these clowns from time to time, but I’ll wager the IP addresses you report are of no use to the ISP because they don’t really know who was using the computer on that IP address, only that the attempted break in came from there. And again, I think they are too afraid of ticking off their paying customers to try and do anything.

Intruders suck big time. There is so much more to this than trying to figure out how to crack someone’s personal server.

Any competent ISP will be able to identify their customer given the IP address and an accurate UTC time. That’s unless they are dialing in anonymously, under a revenue sharing arrangement with the phone company, but most ISPs would insist on having caller ID in that case.

Logging this sort of information is tending to become a legal requirement these days.

The problems you will get is that there are a small number of ISPs who deliberately market to less reputable users (although they would always deny this), and that most ISPs start off with the attitude that they are businessmen, not policemen, and therefore should not be expected to pay for policing their users.

Most ISPs in the latter category are eventually forced to take on the policing role, or risk losing real or effective connectivity.

I have found that servers based in reputable datacenters or ISPs will and do shut them down. You just have to provide the evidence and they are only too happy to shut it down.

Some datacentres will monitor for this traffic and shut down the offending server automatically.

Most datacenters do not want to have their IP blocks associated with spam or hacking attempts.

Ian