Security Attack Attempt

Hi All,

Sorry for the title, couldn’t think what else to call it, but I was checking our logs, and noticed about 1000+ attempts of someone trying to log onto our asterisk box using a SIP account. The log file shows the following (a short snippet!!!):

[Aug 11 20:23:35] NOTICE[1699] chan_sip.c: Registration from '"9841"<sip:9841@<<ipaddressremoved>>>' failed for '188.165.219.123' - No matching peer found
[Aug 11 20:23:35] NOTICE[1699] chan_sip.c: Registration from '"9842"<sip:9842@<<ipaddressremoved>>>' failed for '188.165.219.123' - No matching peer found
[Aug 11 20:23:35] NOTICE[1699] chan_sip.c: Registration from '"9843"<sip:9843@<<ipaddressremoved>>>' failed for '188.165.219.123' - No matching peer found
[Aug 11 20:23:35] NOTICE[1699] chan_sip.c: Registration from '"9844"<sip:9844@<<ipaddressremoved>>>' failed for '188.165.219.123' - No matching peer found
[Aug 11 20:23:35] NOTICE[1699] chan_sip.c: Registration from '"9845"<sip:9845@<<ipaddressremoved>>>' failed for '188.165.219.123' - No matching peer found
[Aug 11 20:24:37] NOTICE[1699] chan_sip.c: Registration from '"218" <sip:218@<<ipaddressremoved>>>' failed for '188.165.219.123' - Wrong password
[Aug 11 20:24:37] NOTICE[1699] chan_sip.c: Registration from '"218" <sip:218@<<ipaddressremoved>>>' failed for '188.165.219.123' - Wrong password
[Aug 11 20:24:37] NOTICE[1699] chan_sip.c: Registration from '"218" <sip:218@<<ipaddressremoved>>>' failed for '188.165.219.123' - Wrong password
[Aug 11 20:24:37] NOTICE[1699] chan_sip.c: Registration from '"218" <sip:218@<<ipaddressremoved>>>' failed for '188.165.219.123' - Wrong password

Luckily, I’m fairly certain they didn’t manage to log on, but I’m not a bit concerned about someone managing to break the passwords on our asterisk box, and thus make calls outbound. Can anyone recommend any action to take to stop any future attempts? We need to keep the port open to the internet, as a couple of users access from various places, depending on where they are, so closing it is a no go. Just wondered if there was anything in asterisk that could pick up on security breach attempts, and block that user?

Many thanks
Nunners

Hi

Have you followed the security tips that Digium provide and that are posted on the forum EVERY time someone says they have been hacked?

Here are a few entries for your firewall:
-A INPUT -p udp -m udp -s 82.77.0.0/16 --dport 5060 -j DROP
-A INPUT -p udp -m udp -s 89.114.153.0/24 --dport 5060 -j DROP
-A INPUT -p udp -m udp -s 109.253.228.0/24 --dport 5060 -j DROP
-A INPUT -p udp -m udp -s 85.91.4.0/24 --dport 5060 -j DROP
-A INPUT -p udp -m udp -s 67.202.34.0/24 --dport 5060 -j DROP
-A INPUT -p udp -m udp -s 184.73.3.0/24 --dport 5060 -j DROP
-A INPUT -p udp -m udp -s 79.117.27.0/24 --dport 5060 -j DROP
-A INPUT -p udp -m udp -s 184.154.1.0/24 --dport 5060 -j DROP
-A INPUT -p udp -m udp -s 87.106.249.0/24 --dport 5060 -j DROP
-A INPUT -p udp -m udp -s 109.253.151.0/24 --dport 5060 -j DROP
-A INPUT -p udp -m udp -s 109.123.0.0/16 --dport 5060 -j DROP
-A INPUT -p udp -m udp -s 188.161.0.0/16 --dport 5060 -j DROP
-A INPUT -p udp -m udp -s 195.178.182.0/24 --dport 5060 -j DROP
-A INPUT -p udp -m udp -s 77.68.57.0/24 --dport 5060 -j DROP
-A INPUT -p udp -m udp -s 85.18.119.0/24 --dport 5060 -j DROP
-A INPUT -p udp -m udp -s 78.39.175.0/24 --dport 5060 -j DROP
-A INPUT -p udp -m udp -s 66.79.180.0/24 --dport 5060 -j DROP
-A INPUT -p udp -m udp -s 212.143.0.0/16 --dport 5060 -j DROP

Unless you are expecting connections from the 188. range, it might be worth dropping the whole range now, as we are seeing more and more attacks from Palestine.

If you had 1000+ attempts, then your sip.conf is not configured correctly and you need to add

alwaysauthreject=yes

This post (sysadminman.net/blog/2009/hackin … server-592) will explain what they were doing and why you need to set alwaysauthreject=yes.

Ian
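Nunners asked whether anything can pick up on registration-failure floods like the one in the snippet and block the source, and Ian answered with hand-written iptables DROP rules. The script below is an added example, not code from the thread or from Asterisk: it parses chan_sip "Registration from ... failed for ..." NOTICE lines, counts failures per source address, flags any address that exceeds an assumed threshold inside an assumed time window, and prints a DROP rule in the same `-A INPUT -p udp -m udp -s ... --dport 5060 -j DROP` form Ian posted. The sample log lines are constructed to match the snippet's format (host names and the second source address are made up); the threshold and window are assumptions, and a production setup would normally hand this job to fail2ban rather than a one-off script. It also reports when an address gets a mix of "No matching peer found" and "Wrong password" replies, since that difference is exactly what lets a scanner tell which extensions exist, and what `alwaysauthreject=yes` hides.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the format of the thread's snippet (not a real capture).
SAMPLE_LOG = """\
[Aug 11 20:23:35] NOTICE[1699] chan_sip.c: Registration from '"9841"<sip:9841@pbx.example>' failed for '188.165.219.123' - No matching peer found
[Aug 11 20:23:35] NOTICE[1699] chan_sip.c: Registration from '"9842"<sip:9842@pbx.example>' failed for '188.165.219.123' - No matching peer found
[Aug 11 20:23:35] NOTICE[1699] chan_sip.c: Registration from '"9843"<sip:9843@pbx.example>' failed for '188.165.219.123' - No matching peer found
[Aug 11 20:24:37] NOTICE[1699] chan_sip.c: Registration from '"218" <sip:218@pbx.example>' failed for '188.165.219.123' - Wrong password
[Aug 11 20:24:37] NOTICE[1699] chan_sip.c: Registration from '"218" <sip:218@pbx.example>' failed for '188.165.219.123' - Wrong password
[Aug 11 20:30:01] NOTICE[1699] chan_sip.c: Registration from '"101" <sip:101@pbx.example>' failed for '203.0.113.7' - Wrong password
[Aug 11 20:30:05] NOTICE[1699] chan_sip.c: Registration from '"101" <sip:101@pbx.example>' failed for '203.0.113.7' - Wrong password
"""

# One chan_sip registration-failure NOTICE, as shown in the thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[0-9.]+)' - (?P<reason>.+)$"
)
USER_RE = re.compile(r"sip:([^@>]+)@")


def parse_line(line):
    """Return {ts, ip, user, reason} for a registration-failure line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    user = USER_RE.search(m.group("from"))
    return {
        # No year in the log timestamp; strptime defaults it, which is fine for deltas.
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "ip": m.group("ip"),
        "user": user.group(1) if user else m.group("from"),
        "reason": m.group("reason").strip(),
    }


def summarise(log_text):
    """Aggregate failures per source IP: count, timestamps, extensions tried, reasons."""
    per_ip = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated log line
        s = per_ip.setdefault(ev["ip"], {"count": 0, "times": [], "users": set(), "reasons": Counter()})
        s["count"] += 1
        s["times"].append(ev["ts"])
        s["users"].add(ev["user"])
        s["reasons"][ev["reason"]] += 1
    return per_ip


def exceeds_rate(times, threshold, window_seconds):
    """True if any `threshold` consecutive events fall inside `window_seconds` (sliding window)."""
    ts = sorted(times)
    for i in range(len(ts) - threshold + 1):
        if (ts[i + threshold - 1] - ts[i]).total_seconds() <= window_seconds:
            return True
    return False


def offenders(per_ip, threshold=5, window_seconds=600):
    """Source IPs that exceeded the (assumed) failure rate, sorted for stable output."""
    return sorted(ip for ip, s in per_ip.items() if exceeds_rate(s["times"], threshold, window_seconds))


def iptables_rule(ip):
    """DROP rule in the same form as the firewall entries posted in the thread."""
    return f"-A INPUT -p udp -m udp -s {ip}/32 --dport 5060 -j DROP"


def enumeration_suspected(summary):
    """Mixed reply reasons show the server told the scanner which accounts exist."""
    return "No matching peer found" in summary["reasons"] and len(summary["reasons"]) > 1


if __name__ == "__main__":
    per_ip = summarise(SAMPLE_LOG)
    for ip in offenders(per_ip):
        s = per_ip[ip]
        print(f"# {ip}: {s['count']} failures, {len(s['users'])} extensions, reasons={dict(s['reasons'])}")
        if enumeration_suspected(s):
            print("# distinct failure reasons leaked account existence; set alwaysauthreject=yes in sip.conf")
        print(iptables_rule(ip))
```

Run it against `/var/log/asterisk/messages` by replacing `SAMPLE_LOG` with the file contents; the printed rules can be reviewed and then appended to the firewall. Whitelist the addresses your roaming users actually register from before automating the DROP, since the same log pattern is produced by a user who simply mistyped a password.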