IP addresses known hacking and phone numbers

Hello,
I want to ask if the internet addresses that are trying to hack services on SIP VoIP, Asterisk, are publicly available. I need a file that describes the phones and internet addresses that are trying to hack a particular Asterisk, PBX phone central.

Or if I want to have up to these internet addresses and phones I have to snap up to provide me with the file?

10x

If you are asking if there is a built in mechanism to store the IP addresses and other information for what is trying to use your Asterisk, there isn’t one out of the box. All of the information is there but you would have to write something to extract and store it.

I know that in Asterisk there is no such option,
my question was whether someone had collected such IP addresses that are trying to hack the PBX,
also fake phone numbers?

10х

I give an example with several IP addresses

I hope I have not violated the forum’s rights.

Do you actually require a black list? Many systems only really need a small white list.

I think the only static blocks people would normally put on would be basically countrywide, e.g. Palestine, and, at a guess, North Korea, although there are other countries where telephone fraud is common.

I want this blacklist to get it into the database and cannot connect these URLs to port 5060/5061
I want to block the internet addresses that are trying to break through the PBX, to make a blacklist

After blocking known problem countries, most people would use fail2ban to dynamically block new source addresses.

It depends. I prefer to allow VoIP connections only for the service provider. Even if they do not publish a list of their IPs, it doesn’t take too much time to guess what they have. Additionally I maintain a list of frequent attackers (usually about 100 entries adding up to perhaps 10.000 IPs), such that they do not show up in my “default deny log” any more, i.e. it is easier to detect new ones.

Of course, if “guests” are allowed, it is getting more difficult. I neither like Fail2Ban nor geo filtering.

BTW, if you get attacked by NK the IP can usually be located in India…
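
The replies above say that Asterisk already logs what is needed but that something has to be written to extract and store it, and that a provider allowlist keeps a locally maintained list short. The following is an added example, not code from any poster or from the Asterisk project: it assumes the chan_sip "Registration ... failed for" notice wording, and the table name, the threshold and the sample addresses are hypothetical.

```python
import ipaddress
import re
import sqlite3
from collections import Counter

# chan_sip failed-registration notice; the source address is the quoted host[:port].
FAILED = re.compile(r"Registration from '.*' failed for '(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?'")

# Constructed sample lines using documentation address ranges, not real attackers.
SAMPLE_LOG = """\
[2019-03-01 10:00:01] NOTICE[1201] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.7:5060' - Wrong password
[2019-03-01 10:00:02] NOTICE[1201] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.7:5060' - Wrong password
[2019-03-01 10:00:03] NOTICE[1201] chan_sip.c: Registration from '"admin" <sip:admin@192.0.2.10>' failed for '203.0.113.7:5071' - No matching peer found
[2019-03-01 10:05:00] NOTICE[1201] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.20:5060' - Wrong password
[2019-03-01 10:06:00] NOTICE[1201] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '192.0.2.50:5060' - Wrong password
[2019-03-01 10:06:01] NOTICE[1201] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '192.0.2.50:5060' - Wrong password
[2019-03-01 10:06:02] NOTICE[1201] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '192.0.2.50:5060' - Wrong password
[2019-03-01 10:07:00] VERBOSE[1201] chan_sip.c: Reloading SIP
"""

def count_failures(lines, allow=()):
    """Count failed registrations per source IP, skipping allowlisted networks."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    hits = Counter()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # e.g. an octet above 255
            continue
        if not any(ip in net for net in allowed):
            hits[str(ip)] += 1
    return hits

def offenders(hits, threshold=3):
    """Sources with at least `threshold` failures (threshold is an assumed value)."""
    return {ip: n for ip, n in hits.items() if n >= threshold}

def store(conn, found):
    """Write the offenders to a SQLite table (hypothetical schema)."""
    conn.execute("CREATE TABLE IF NOT EXISTS sip_blacklist "
                 "(ip TEXT PRIMARY KEY, failures INTEGER NOT NULL)")
    conn.executemany("INSERT OR REPLACE INTO sip_blacklist VALUES (?, ?)", found.items())
    conn.commit()
```

Listing the service provider's network in `allow` keeps a misconfigured trunk from ending up in the table, and the threshold keeps a single mistyped password from counting as an attack.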
