VoIP Mailing List Archives
Mailing list archives for the VoIP community |
|
| View previous topic :: View next topic |
| Author |
Message |
binni at binni.eu
Guest
|
 Posted: Thu Feb 20, 2014 6:28 am Post subject: [asterisk-users] Hacking attempt, Asterisk 1.4 |
 |
|
Hi all
We have an Asterisk server that’s been running for a few years now without problems. We have IPTables running, as well as fail2ban and have followed all the security recommendations we have found.
Every few weeks we get an attack that lasts about a minute or two, resulting in our AGI script being overloaded.
What happens is that somebody seems to be trying to connect from our server – in my cdrs log I can see that they use a four digit number for source, destination and caller id, e.g.
clid: 7321
src: 7321
dst: 7321
channel: SIP/xx.xx.xx.xx-aaaaaaaa
xx.xx.xx.xx is our server IP. When one of our registered users makes a call the channel is SIP/yyyyyyyy-aaaaaaaa where yyyyyyyy is the SIP user ID.
So it looks like a SIP phone trying to call itself, using our Asterisk server IP as SIP user name.
Within a couple of minutes the attacker seems to go through some 10000 attempts, resulting in our AGI script collapsing from the load. My Asterisk full log shows something like:
-- Executing [7321@sip:1] Answer("SIP/xx.xx.xx.xx-b0828f20", "") in new stack
-- Executing [7321@sip:2] AGI("SIP/ xx.xx.xx.xx -b0828f20", "agi:// xx.xx.xx.xx ") in new stack
-- Executing [7321@sip:3] Hangup("SIP/ xx.xx.xx.xx -b6130f70", "") in new stack
== Spawn extension (sip, 7321, 3) exited non-zero on 'SIP/ xx.xx.xx.xx -b6130f70'
| Quote: | cdr_odbc: Query Successful!
|
-- AGI Script agi:// xx.xx.xx.xx completed, returning 0
Our AGI script refuses to call “illegal” numbers, while our Asterisk dialplan is a bit more accommodating, mostly because I have had problems figuring out the order in which to put the various rules (I might have another look at that!)
Does anybody know how to stop this from happening – I can’t find the attackers IP number in my logs, and these attacks happen infrequently, and are over quickly, so that I haven’t had an opportunity to run sip debug during an attack, and I don’t want to have it running all the time.
Best regards
Binni
Brynjólfur Þorvarðsson
IT Consultant
Tlf. +45 88321688 |
|
| Back to top |
|
 |
asterisk_list at earth...
Guest
|
| Posted: Thu Feb 20, 2014 7:07 am Post subject: [asterisk-users] Hacking attempt, Asterisk 1.4 |
|
|
On Thursday 20 Feb 2014, Brynjolfur Thorvardsson wrote:
| Quote: | Every few weeks we get an attack that lasts about a minute or two,
resulting in our AGI script being overloaded.
What happens is that somebody seems to be trying to connect from our server
– in my cdrs log I can see that they use a four digit number for source,
destination and caller id, e.g.
clid: 7321
src: 7321
dst: 7321
channel: SIP/xx.xx.xx.xx-aaaaaaaa
|
Assuming that it's the AGI script that is the bottleneck, how about simply
checking in the dialplan that the ${CALLERID(num)} is different from ${EXTEN}
before executing the AGI script?
--
AJS
Answers come *after* questions.
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users |
|
| Back to top |
|
|
mailinglist+asterisk a...
Guest
|
| Posted: Thu Feb 20, 2014 7:28 am Post subject: [asterisk-users] Hacking attempt, Asterisk 1.4 |
|
|
On 20/02/14 11:27, Brynjolfur Thorvardsson wrote: | Quote: | <![endif]--> <![endif]-->
Hi all
We have an Asterisk server that’s been running for a few years now without problems. We have IPTables running, as well as fail2ban and have followed all the security recommendations we have found.
Every few weeks we get an attack that lasts about a minute or two, resulting in our AGI script being overloaded.
What happens is that somebody seems to be trying to connect from our server – in my cdrs log I can see that they use a four digit number for source, destination and caller id, e.g.
clid: 7321
src: 7321
dst: 7321
channel: SIP/xx.xx.xx.xx-aaaaaaaa
xx.xx.xx.xx is our server IP. When one of our registered users makes a call the channel is SIP/yyyyyyyy-aaaaaaaa where yyyyyyyy is the SIP user ID.
So it looks like a SIP phone trying to call itself, using our Asterisk server IP as SIP user name.
Within a couple of minutes the attacker seems to go through some 10000 attempts, resulting in our AGI script collapsing from the load. My Asterisk full log shows something like:
-- Executing [7321@[url=sip:1]sip:1[/url]] Answer("SIP/xx.xx.xx.xx-b0828f20", "") in new stack
-- Executing [7321@[url=sip:2]sip:2[/url]] AGI("SIP/ xx.xx.xx.xx -b0828f20", "agi:// xx.xx.xx.xx ") in new stack
-- Executing [7321@[url=sip:3]sip:3[/url]] Hangup("SIP/ xx.xx.xx.xx -b6130f70", "") in new stack
== Spawn extension (sip, 7321, 3) exited non-zero on 'SIP/ xx.xx.xx.xx -b6130f70'
| Quote: | cdr_odbc: Query Successful!
|
-- AGI Script agi:// xx.xx.xx.xx completed, returning 0
Our AGI script refuses to call “illegal” numbers, while our Asterisk dialplan is a bit more accommodating, mostly because I have had problems figuring out the order in which to put the various rules (I might have another look at that!)
Does anybody know how to stop this from happening – I can’t find the attackers IP number in my logs, and these attacks happen infrequently, and are over quickly, so that I haven’t had an opportunity to run sip debug during an attack, and I don’t want to have it running all the time.
Best regards
Binni
Brynjólfur Þorvarðsson
IT Consultant
Tlf. +45 88321688
|
I have this in my extensions.conf :-
[default]
; all unauthenticated connection attempts from the internet come in here.
exten => _[+*#0-9].,1,NoOp(Unauthenticated call attempt - ${SIP_HEADER(Contact)})
exten => _[+*#0-9].,n,Congestion
Then in fail2ban I have the extra line added to the failregex so it is now :-
failregex = Registration from .* failed for \'<HOST>\' - Wrong password
Registration from .* failed for \'<HOST>\' - No matching
Unauthenticated call attempt .*\@<HOST>\:
That seems to work pretty well for me. Assuming the attacks are unauthenticated why are you accepting them and running an AGI script and not rejecting them earlier?
If you need to allow anonymous inbound calls (which is required in some cases) then I would have the AGI detect them and write an output to verbose() with the SIP_HEADER(Contact) or any other header which correctly indicated the origin of the packet. |
|
| Back to top |
|
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
Powered by phpBB © 2001, 2005 phpBB Group
|
Search
