Defending from an attack

I have noticed that someone tried to call a long distance number. I have turned off allowguest. Does the log, below, suggest the attacker successfully registered as user 1001?

[Jul 9 19:56:16] NOTICE[27785][C-00000031] chan_sip.c: Call from ‘1001’ (88.150.240.85:5070) to extension ‘011441204894589’ rejected because extension not found in context ‘ld2-users’.
[Jul 9 19:56:22] WARNING[27785] chan_sip.c: Retransmission timeout reached on transmission 71673ef1bc9058e0933f20e48435093c for seqno 1 (Critical Response) – See wiki.asterisk.org/wiki/display/ … nsmissions
Packet timed out after 6400ms with no response
[Jul 9 19:56:30] NOTICE[27785][C-00000032] chan_sip.c: Call from ‘1001’ (88.150.240.85:5070) to extension ‘9011441204894589’ rejected because extension not found in context ‘ld2-users’.
[Jul 9 19:56:36] WARNING[27785] chan_sip.c: Retransmission timeout reached on transmission 8085339b528605d2052068ad84c8a1a4 for seqno 1 (Critical Response) – See wiki.asterisk.org/wiki/display/ … nsmissions
Packet timed out after 6399ms with no response
[Jul 9 19:56:44] NOTICE[27785][C-00000033] chan_sip.c: Call from ‘1001’ (88.150.240.85:5070) to extension ‘8011441204894589’ rejected because extension not found in context ‘ld2-users’.
[Jul 9 19:56:51] WARNING[27785] chan_sip.c: Retransmission timeout reached on transmission f1b9cc40cef08014bdb5e6a1b2f959c4 for seqno 1 (Critical Response) – See wiki.asterisk.org/wiki/display/ … nsmissions
Packet timed out after 6399ms with no response
[Jul 9 20:26:24] NOTICE[27785][C-000000b0] chan_sip.c: Call from ‘1001’ (88.150.240.85:5071) to extension ‘011441204894589’ rejected because extension not found in context ‘ld2-users’.
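An added example (not part of the original post or of Asterisk) of the check a fail2ban-style jail performs on lines like the ones above: parse the chan_sip "extension not found" NOTICE lines, group the rejections by source address, and flag any address that produces several of them inside a short window. The log sample is constructed for the example (documentation-range addresses, same dialing pattern as the post); the threshold and window values are assumptions you would tune for your own call volume.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in Asterisk "full" log format. The first four NOTICE lines
# mirror the probing pattern in the post: one remote host dialing the same number
# with different trunk prefixes (011..., 9011..., 8011...). The last line is an
# ordinary misdial from a second host, which should not be flagged.
SAMPLE_LOG = """\
[Jul 9 19:56:16] NOTICE[27785][C-00000031] chan_sip.c: Call from '1001' (203.0.113.5:5070) to extension '011441204894589' rejected because extension not found in context 'ld2-users'.
[Jul 9 19:56:22] WARNING[27785] chan_sip.c: Retransmission timeout reached on transmission 71673ef1bc9058e0933f20e48435093c for seqno 1 (Critical Response)
[Jul 9 19:56:30] NOTICE[27785][C-00000032] chan_sip.c: Call from '1001' (203.0.113.5:5070) to extension '9011441204894589' rejected because extension not found in context 'ld2-users'.
[Jul 9 19:56:44] NOTICE[27785][C-00000033] chan_sip.c: Call from '1001' (203.0.113.5:5070) to extension '8011441204894589' rejected because extension not found in context 'ld2-users'.
[Jul 9 20:26:24] NOTICE[27785][C-000000b0] chan_sip.c: Call from '1001' (203.0.113.5:5071) to extension '011441204894589' rejected because extension not found in context 'ld2-users'.
[Jul 9 20:31:02] NOTICE[27785][C-000000b4] chan_sip.c: Call from '2004' (192.0.2.10:5060) to extension '20055' rejected because extension not found in context 'office-users'.
"""

# Matches the chan_sip NOTICE quoted in the post. Straight and curly quotes are both
# accepted because logs pasted into web pages (like the one in the thread) often
# arrive with curly ones.
REJECT_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\](?:\[C-[0-9a-f]+\])? chan_sip\.c: "
    r"Call from ['‘](?P<user>[^'’]*)['’] \((?P<ip>[\d.]+):(?P<port>\d+)\) "
    r"to extension ['‘](?P<ext>[^'’]*)['’] rejected because extension not found "
    r"in context ['‘](?P<ctx>[^'’]*)['’]"
)


def parse_rejections(log_text):
    """Return one dict per 'extension not found' rejection, in log order."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue  # retransmission warnings and other noise are skipped
        # The log carries no year; strptime fills in 1900, which is fine for deltas.
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        events.append({"time": ts, "user": m.group("user"), "ip": m.group("ip"),
                       "port": int(m.group("port")), "ext": m.group("ext"),
                       "context": m.group("ctx")})
    return events


def find_offenders(log_text, threshold=3, window_seconds=600):
    """Flag source IPs with at least `threshold` rejections inside any span of
    `window_seconds`. This is the rule a fail2ban jail applies before it inserts
    an iptables rule for the address (which is why fail2ban is not an alternative
    to iptables: it drives it)."""
    by_ip = defaultdict(list)
    for ev in parse_rejections(log_text):
        by_ip[ev["ip"]].append(ev)
    offenders = {}
    for ip, evs in by_ip.items():
        times = sorted(e["time"] for e in evs)
        # Sliding window over sorted timestamps: event i against event i+threshold-1.
        burst = any((times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds
                    for i in range(len(times) - threshold + 1))
        if burst:
            offenders[ip] = {
                "rejections": len(evs),
                "users_claimed": sorted({e["user"] for e in evs}),
                "numbers_tried": sorted({e["ext"] for e in evs}),
                "first_seen": times[0].strftime("%b %d %H:%M:%S"),
                "last_seen": times[-1].strftime("%b %d %H:%M:%S"),
            }
    return offenders


if __name__ == "__main__":
    for ip, info in find_offenders(SAMPLE_LOG).items():
        print(ip, info)
```

Run it against a copy of /var/log/asterisk/full (or feed it the output of `tail -f`) to see which addresses are hammering the dialplan. The "numbers_tried" list is useful on its own: several variants of one international number from one address is prefix probing rather than a user misdialing.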

You should disallow guest calls in your sip.conf file.

I did.

Put alwaysauthreject=yes in sip.conf.

And change your SIP passwords (alphanumeric, non-dictionary words)
to avoid this attack.

There are a lot of ways to protect the Asterisk SIP server:

  1. proper firewall
  2. fail2ban
  3. Linux iptables

fail2ban works by manipulating iptables, so it is not an alternative.

If possible, restrict the IP address ranges from which SIP clients are allowed to connect. If this is deployed in an office, restrict connections to port 5060 to IP addresses within the location(s) where the phones are located. If you must accept connections from Internet addresses not within your control, consider blocking country-specific IP address ranges.

Do not use the SIP extension number as the username. If your SIP clients support it, give them all names instead.

Set strong passwords for all SIP extensions. This should be obvious, but isn’t always so.

From reading the logs attached to your previous question, I was able to determine that you had a SIP extension defined with the username 1, with a secret so easy to guess that the attacker got it correct on the first attempt. The extension probably had no secret defined at all.

Use alwaysauthreject=yes in sip.conf. This prevents attackers from being able to determine if a SIP extension exists via brute force.

Use allowguest=no in sip.conf. This prevents unauthenticated clients from making calls.
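An added example (not part of the thread, and not an Asterisk tool) that turns the advice in this answer into a check you can run over a sip.conf: it parses the file's INI-style sections and reports peers named after their extension number, missing or weak secrets, peers with no permit/deny address restriction, and a [general] section that does not set allowguest=no and alwaysauthreject=yes. The two config fragments are constructed for the example; the weak one shows the habits the answer warns against and the hardened one applies the advice. The password rule (at least 8 characters, letters and digits) is an assumption standing in for a real policy, and no dictionary check is attempted.

```python
import re

# Constructed sip.conf fragments (not from the thread). WEAK shows the habits the
# replies warn against; HARDENED applies the advice given in this answer.
WEAK_SIP_CONF = """\
[general]
context=default
allowguest=yes
; alwaysauthreject not set here, so whatever the build's default is applies

[1001]
type=friend
secret=1001
host=dynamic
context=ld2-users
"""

HARDENED_SIP_CONF = """\
[general]
context=default
allowguest=no
alwaysauthreject=yes

[alice-desk]
type=friend
secret=Xq7vBn92kLp4
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.0.2.0/255.255.255.0
context=ld2-users
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]")


def parse_sip_conf(text):
    """Minimal parser for Asterisk's INI-like config: each section maps to a list of
    (key, value) pairs. Duplicates are kept because keys such as permit/deny repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            # lstrip(">") also accepts Asterisk's "key => value" spelling
            sections[current].append((key.strip().lower(), value.lstrip(">").strip()))
    return sections


def _values(pairs, key):
    return [v for k, v in pairs if k == key]


def _secret_is_weak(secret):
    # Assumed policy: at least 8 characters, mixing letters and digits.
    has_alpha = any(c.isalpha() for c in secret)
    has_digit = any(c.isdigit() for c in secret)
    return len(secret) < 8 or not (has_alpha and has_digit)


def audit_sip_conf(text):
    """Return (section, finding) tuples for the weaknesses discussed in the thread."""
    conf = parse_sip_conf(text)
    findings = []
    general = conf.get("general", [])
    if (_values(general, "allowguest") or [""])[-1].lower() != "no":
        findings.append(("general", "allowguest is not set to 'no': unauthenticated callers can place calls"))
    if (_values(general, "alwaysauthreject") or [""])[-1].lower() != "yes":
        findings.append(("general", "alwaysauthreject is not set to 'yes': failed auth reveals which peers exist"))
    for name, pairs in conf.items():
        if name == "general" or not _values(pairs, "type"):
            continue   # only sections with type=peer/user/friend are accounts
        if name.isdigit():
            findings.append((name, "peer name is a bare extension number: trivially guessable"))
        secrets = _values(pairs, "secret")
        if not secrets:
            findings.append((name, "no secret defined"))
        elif _secret_is_weak(secrets[-1]):
            findings.append((name, "secret is short or not mixed alphanumeric"))
        if not _values(pairs, "permit") and not _values(pairs, "deny"):
            findings.append((name, "no permit/deny: registrations accepted from any address"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_sip_conf(WEAK_SIP_CONF):
        print(f"[{section}] {finding}")
    print("hardened config findings:", audit_sip_conf(HARDENED_SIP_CONF))
```

Point it at your own file with `audit_sip_conf(open("/etc/asterisk/sip.conf").read())`. It deliberately ignores `#include` lines and templates, so run it over each included file separately if your peers live in more than one.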