I was going to post something about this a few days ago. It appears the SIP scans are increasing. A few servers I control have been scanned recently from multiple IP addresses. The automated ones I’ve seen are using SIPVicious, judging from the user agent of “Friendly Scanner” (SIPVicious).
Basically what they are doing is scanning netblocks for SIP servers (using svmap), then initiating extension probes against those servers (using svwar). Once they have a listing of extensions they can connect to, they try to brute force some of them until they get a successful connection (using svcrack). They use those registrations to generate automated calls asking people to enter their credit card number for validation purposes, or something similar, as part of some sort of scam. So there is a huge monetary incentive for these people to exploit it.
How do you stop it?
[ul]
1. Scan yourself with the tools they use and see if you have a weakness or an extension set up incorrectly.
2. If you can, stop accepting incoming SIP from anything other than your providers/phones. This may not be possible if you have roaming extensions with softphones etc. Possibly change the default SIP port to something else.
3. Make sure your SIP secrets are strong. Do not have the extension and password be the same, and do not use simple, short, numeric-only passwords. The longer the password the better. Choose the passwords as you would choose shell passwords.
4. Implement log monitoring to catch/ban them in the process. One of my clients wrote up a quick how-to in the voip-info wiki here: voip-info.org/wiki/view/Fail … 2BAsterisk
5. Set up an Intrusion Detection System (IDS) to detect the scans and act on them. Snort is a good option here.
[/ul]
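As an added illustration of item 4 (not code from the original post or from the linked wiki how-to), here is a small log monitor that counts failed SIP registrations per source address in Asterisk's chan_sip NOTICE lines and reports sources that exceed a threshold inside a sliding window. The log lines, addresses and the allowlist of provider/phone addresses are constructed for the example; the threshold and window are assumptions you would tune for your own site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the chan_sip "Registration from ... failed for ..." NOTICE lines.
# Newer Asterisk versions append ':port' to the source address; both forms are accepted.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.*)$"
)

def parse_failure(line):
    """Return (timestamp, source_ip, reason) for a failed-registration line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("ip"), m.group("reason")

def find_offenders(lines, max_failures=5, window=timedelta(minutes=10), allowlist=()):
    """Return {ip: failure_count} for sources with >= max_failures failures inside the window.
    Addresses in allowlist (your providers and known phones) are never flagged."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip, _reason = parsed
        if ip in allowlist:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged[ip] = len(q)
    return flagged

# Constructed sample log (not real traffic): one host probing extension after extension,
# one legitimate phone with a single typo, and a provider address that must never be banned.
SAMPLE_LOG = [
    "[2011-03-10 12:00:%02d] NOTICE[1234] chan_sip.c: Registration from '\"%d\"<sip:%d@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found" % (i, 100 + i, 100 + i)
    for i in range(6)
] + [
    "[2011-03-10 12:00:30] NOTICE[1234] chan_sip.c: Registration from '\"201\"<sip:201@192.0.2.10>' failed for '203.0.113.5' - Wrong password",
] + [
    "[2011-03-10 12:00:31] NOTICE[1234] chan_sip.c: Registration from '\"trunk\"<sip:trunk@192.0.2.10>' failed for '192.0.2.50' - Wrong password",
] * 6

if __name__ == "__main__":
    for ip, n in find_offenders(SAMPLE_LOG, allowlist={"192.0.2.50"}).items():
        print("ban candidate: %s (%d failures)" % (ip, n))
```

Feed the output to your firewall or fail2ban action; the allowlist is what keeps a misconfigured provider trunk or office phone from locking you out of your own system.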
A few other notes… If you use Polycom phones and have the FTP server exposed to the internet for configuration, do not, I repeat, do not keep the default FTP password. Not only does it give them free access to your SIP authentication, it may, if that account also allows shell access, give them the ability to use that machine to send spam.