Asterisk under attack?

Hi,

I see constant register requests in my console log:

[May 10 17:50:57] NOTICE[3502]: chan_sip.c:23522 handle_response_peerpoke: Peer 'GUS_iphone' is now Reachable. (830ms / 2000ms)
[May 10 17:51:37] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '"gren" <sip:gren@62.141.36.61:5060>' failed for '37.8.16.215:5060' - Wrong password
[May 10 17:53:07] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '"charleen" <sip:charleen@62.141.36.61:5060>' failed for '37.8.16.215:10003' - Wrong password
[May 10 17:54:01] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '<sip:SCHWEIZ_FRITZ@s1.grefrath-strategen.de>' failed for '92.50.92.73:5060' - Wrong password
[May 10 17:54:01] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '<sip:SCHWEIZ_FRITZ@s1.grefrath-strategen.de>' failed for '92.50.92.73:5060' - Wrong password
[May 10 17:54:01] NOTICE[2971]: chan_sip.c:27783 handle_request_subscribe: Received SIP subscribe for peer without mailbox: GUS_FRITZ
[May 10 17:54:11] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '<sip:SCHWEIZ_FRITZ@s1.grefrath-strategen.de>' failed for '92.50.92.73:5060' - Wrong password
[May 10 17:54:11] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '<sip:SCHWEIZ_FRITZ@s1.grefrath-strategen.de>' failed for '92.50.92.73:5060' - Wrong password
[May 10 17:54:31] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '<sip:SCHWEIZ_FRITZ@s1.grefrath-strategen.de>' failed for '92.50.92.73:5060' - Wrong password
[May 10 17:54:31] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '<sip:SCHWEIZ_FRITZ@s1.grefrath-strategen.de>' failed for '92.50.92.73:5060' - Wrong password
[May 10 17:54:38] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '"nitto(r)" <sip:nitto(r)@62.141.36.61:5060>' failed for '37.8.16.215:10040' - Wrong password
[May 10 17:54:47] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '"lifttube" <sip:lifttube@62.141.36.61:5060>' failed for '37.8.16.215:10004' - Wrong password
[May 10 17:54:48] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '"bela" <sip:bela@62.141.36.61:5060>' failed for '37.8.16.215:10013' - Wrong password
[May 10 17:54:49] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '"nova" <sip:nova@62.141.36.61:5060>' failed for '37.8.16.215:10003' - Wrong password
[May 10 17:54:59] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '"cush" <sip:cush@62.141.36.61:5060>' failed for '37.8.16.215:10009' - Wrong password
[May 10 17:55:10] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '"berg" <sip:berg@62.141.36.61:5060>' failed for '37.8.16.215:10014' - Wrong password
[May 10 17:55:10] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '"transits" <sip:transits@62.141.36.61:5060>' failed for '37.8.16.215:10018' - Wrong password
[May 10 17:55:11] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '<sip:SCHWEIZ_FRITZ@s1.grefrath-strategen.de>' failed for '92.50.92.73:5060' - Wrong password
[May 10 17:55:11] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '<sip:SCHWEIZ_FRITZ@s1.grefrath-strategen.de>' failed for '92.50.92.73:5060' - Wrong password
[May 10 17:55:28] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '"vagi" <sip:vagi@62.141.36.61:5060>' failed for '37.8.16.215:10020' - Wrong password
[May 10 17:55:35] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '"sunbake" <sip:sunbake@62.141.36.61:5060>' failed for '37.8.16.215:10036' - Wrong password

What does that mean, and how can I avoid it?

What do you think it means? Nearly all the messages are quite clear. Actually, the range of user names used looks more like user errors than an attack.

Do not let port 5060 reach Asterisk from the internet if you don’t want to be attacked.

What is a bit worrying is the message about voice mail. That suggests a registration was successful. If these are not misconfigured local users, you may have a weak password.

iptables, strong passwords, and read svn.digium.com/svn/asterisk/bran … ctices.txt

Hi, I had this problem some months ago. I had to install and run Fail2Ban to block the IPs that try to get access to my Asterisk. This is a brute-force attack based on a username/password dictionary.

Fail2Ban helps us see these attacks and inserts automated firewall rules to block them.

Yes, this kind of approach does not solve the problem; it is just a countermeasure to block the attacking IPs.

The attacker scans the network to find ports to attack, like 22, 5060, 443, etc. When the attacker sees the IP and the open ports, they start the attack based on the service port. The problem is not only SIP ports but all well-known service ports.

In my installation, to prevent and solve the problem, I had to change the SIP port from 5060 to another port number (e.g. 10567). This approach solved my problem because I can change the SIP configuration files on my clients, and the attacker cannot see the “known” open service port. This is not the best approach, but it solved my problem.

I also set two other countermeasures to help improve the security of my installation. These are done in the sip.conf file.

A) Set permit= and deny= to restrict the IP ranges that can gain access to my Asterisk.

B) Set alwaysauthreject=yes. This option will reject bad authentication requests on valid usernames with the same rejection information as for invalid usernames, denying remote attackers the ability to detect existing extensions with brute-force guessing attacks, as mentioned above.

Regards

Gerald
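As an added example (not code from this thread or from the Fail2Ban or Asterisk projects), here is the fail2ban-style check the replies above describe, run over constructed sample lines in the same format as the console log: it parses the chan_sip registration-failure NOTICEs, counts them per source address inside a time window, and also reports how many distinct usernames were tried, which separates a dictionary run across many names from a single misconfigured client retrying its own account (the distinction the first reply raises). The function names, documentation-range IPs and account names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the chan_sip "Registration from ... failed for ... - Wrong password" NOTICE lines.
FAIL_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\]: chan_sip\.c:\d+ handle_request_register: "
    r"Registration from '(?:\"[^\"]*\" )?<sip:(?P<user>[^@>]+)@[^>]*>' failed for '(?P<ip>[\d.]+):\d+' - .+$"
)

# Constructed sample in the format of the post's console log (documentation IPs, made-up names).
SAMPLE_LOG = """\
[May 10 17:50:57] NOTICE[3502]: chan_sip.c:23522 handle_response_peerpoke: Peer 'desk1' is now Reachable. (30ms / 2000ms)
[May 10 17:51:37] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '"gren" <sip:gren@203.0.113.9:5060>' failed for '198.51.100.7:5060' - Wrong password
[May 10 17:51:39] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '"bela" <sip:bela@203.0.113.9:5060>' failed for '198.51.100.7:10013' - Wrong password
[May 10 17:51:41] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '"nova" <sip:nova@203.0.113.9:5060>' failed for '198.51.100.7:10003' - Wrong password
[May 10 17:51:44] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '"cush" <sip:cush@203.0.113.9:5060>' failed for '198.51.100.7:10009' - Wrong password
[May 10 17:51:50] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '"berg" <sip:berg@203.0.113.9:5060>' failed for '198.51.100.7:10014' - Wrong password
[May 10 17:54:01] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '<sip:BRANCH_FRITZ@pbx.example.net>' failed for '192.0.2.44:5060' - Wrong password
[May 10 17:54:11] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '<sip:BRANCH_FRITZ@pbx.example.net>' failed for '192.0.2.44:5060' - Wrong password
[May 10 17:54:21] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '<sip:BRANCH_FRITZ@pbx.example.net>' failed for '192.0.2.44:5060' - Wrong password
[May 10 17:54:31] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '<sip:BRANCH_FRITZ@pbx.example.net>' failed for '192.0.2.44:5060' - Wrong password
[May 10 17:54:41] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '<sip:BRANCH_FRITZ@pbx.example.net>' failed for '192.0.2.44:5060' - Wrong password
[May 10 17:55:03] NOTICE[2971]: chan_sip.c:28003 handle_request_register: Registration from '"ann" <sip:ann@203.0.113.9:5060>' failed for '192.0.2.200:5060' - Wrong password
"""

def parse_failures(text):
    """Yield (timestamp, source_ip, username) per failed REGISTER; other NOTICE lines are skipped."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:  # the console timestamp carries no year; strptime's default year is fine for deltas
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"], m["user"]

def assess(text, maxretry=5, findtime=600):
    """fail2ban-style check: an IP is banned when >= maxretry failures fall within findtime seconds.
    'users' is the number of distinct usernames tried from that IP: many names point to a
    dictionary run, one name to a client hammering its own (misconfigured) account."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(text):
        by_ip[ip].append((ts, user))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        window = timedelta(seconds=findtime)
        burst = max(sum(1 for t, _ in events if start <= t <= start + window) for start, _ in events)
        report[ip] = {"ban": burst >= maxretry, "burst": burst, "users": len({u for _, u in events})}
    return report
```

Call `assess(SAMPLE_LOG)` to get one verdict per source address; the defaults mirror fail2ban's usual maxretry=5 and findtime=600.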