Security - Blocking IPs of SIP hackers!

Hi All,
This is a security-related post regarding SIP hackers' IP addresses.

I don’t know if the community has a facility where admins can report IPs that were trying to SIP hack their systems or not(??) but if not I do recommend creating one.

I have been operating a couple of Asterisk systems in the past few years with more or less no big security incidents, but in the past year or so there has been an increase in the number of SIP hacking attacks. These are mostly in the form of incoming anonymous/unknown SIP connections, which can often be defeated by a (security-wise) properly configured Asterisk (read more on the net if you are new).

These attacks are often logged as: "… Warning, Rejecting unknown SIP Connection From xxx.xxx.xxx.xxx …" in the Asterisk logs.

_How to check:_
cd /var/log/asterisk
grep "Rejecting unknown SIP Connection From" full > Rejected_IPs.txt

I have made a list of my own and blocked them by firewall, but like I said, it would be very beneficial for all admins to share and report such IP addresses so others can block them too.

IP addresses which tried to hack my system since mid-2015:
23.92.94.65
62.210.245.3
79.143.80.218
23.239.78.146
188.138.33.150
37.8.7.136
23.92.80.23
192.187.122.122
212.129.39.50
192.187.124.147
107.155.137.66
85.25.201.206
23.239.65.188
10.1.2.108
23.239.89.140
89.163.242.120
188.165.195.17
89.163.146.184
46.20.46.45
89.163.146.68
209.126.116.144
188.138.1.17
185.40.4.67
204.12.240.58
172.86.180.98
195.154.181.16
89.163.222.80
89.163.148.106
85.195.95.242
89.163.146.93
138.68.58.126
89.163.242.73
89.163.148.171
23.239.86.243
91.121.156.215
192.162.101.50
5.39.85.24
46.20.46.8
89.163.146.164
89.163.242.222
89.163.242.84
89.163.144.254
37.8.50.28
195.154.22.192
213.202.233.72
52.204.200.107
188.138.75.199
185.40.4.204
45.55.219.114
209.126.122.86
45.32.52.194
209.222.30.160
207.166.133.143
194.63.142.71
115.160.226.18
207.166.132.73
202.177.240.134
91.239.156.55
85.195.95.247
82.205.1.133
78.31.67.19
89.163.148.238
89.163.146.32
95.141.35.15
93.104.214.200
185.20.99.2
213.202.233.47
89.163.242.242
62.141.35.212
89.163.242.106
37.187.164.39
62.210.177.9
89.163.242.243
146.0.32.171
89.163.222.79
193.111.141.200
199.48.164.135
78.31.67.203
188.165.208.166
185.40.4.119
162.252.190.101
89.163.146.171

P.S. If you are using CentOS 7 you can use the firewalld command to permanently drop the packets from these IPs.
i.e.:
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="xxx.xxx.xxx.xxx" reject'
and at the end restart the firewall service:
systemctl restart firewalld

Hope it helps,
Cheers,
Seyed
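The grep and firewall-cmd steps above can be wrapped into a small script that counts the rejections per source address, skips private (RFC 1918 and loopback) addresses so an internal host is never blocked at the perimeter by mistake, and prints the matching firewalld rich rules for review before they are applied. This is an added example, not code from the original post; the log lines it uses are constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: summarise "Rejecting unknown SIP connection" warnings from an
# Asterisk "full" log and print matching firewalld rich rules.
# The log lines below are constructed for this example.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[2016-03-01 10:12:01] WARNING[1234] chan_sip.c: Rejecting unknown SIP connection from 203.0.113.5:5060
[2016-03-01 10:12:02] WARNING[1234] chan_sip.c: Rejecting unknown SIP connection from 203.0.113.5:5060
[2016-03-01 10:13:44] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.1>' failed for '198.51.100.9:5060' - Wrong password
[2016-03-01 10:15:09] WARNING[1234] chan_sip.c: Rejecting unknown SIP connection from 198.51.100.7:5062
[2016-03-01 10:16:30] WARNING[1234] chan_sip.c: Rejecting unknown SIP connection from 10.1.2.108:5060
EOF

# RFC 1918 and loopback addresses belong to your own network; a perimeter
# block for them is never what you want, so they are filtered out.
is_private() {
  printf '%s\n' "$1" | grep -qE '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)'
}

# Pull the source address (without port) out of each rejection line.
rejected_sources() {
  grep -i 'Rejecting unknown SIP connection from' "$1" |
    sed 's/.*[Ff]rom \([0-9][0-9.]*\).*/\1/'
}

# Unique public source IPs, one per line.
extract_rejected_ips() {
  rejected_sources "$1" | sort -u | while read -r ip; do
    is_private "$ip" || printf '%s\n' "$ip"
  done
}

# Rejections per public IP, busiest first, as "count ip".
count_hits() {
  rejected_sources "$1" | sort | uniq -c | sort -rn | while read -r count ip; do
    is_private "$ip" || printf '%s %s\n' "$count" "$ip"
  done
}

# One firewalld rich rule per public IP, printed for review rather than run.
rich_rules() {
  extract_rejected_ips "$1" | while read -r ip; do
    printf "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" reject'\n" "$ip"
  done
}

count_hits "$SAMPLE_LOG"
rich_rules "$SAMPLE_LOG"
```

Run it against the real log by replacing `$SAMPLE_LOG` with `/var/log/asterisk/full`; the printed commands can be reviewed and then executed, followed by `firewall-cmd --reload`, as the post describes.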

Hi
After I block an IP, I am getting calls from that IP.

Please post more info: config files, console output, etc.

Hi, I will post it. Before that I'd like to know:
after making a rule in the firewall, will Asterisk override the rule because of any of its config?

No, if configured correctly. Did you reload iptables? Is fail2ban set up properly? You might try adding GeoIP/Fail2Ban.

Yes, I configured it correctly and reloaded it as well. The same rule works for TCP connections such as SSH!
What is needed to do that? I will look into it :slight_smile:

If you have any reference, please share.

Thank you.
