VoIP Mailing List Archives

[motty.cruz at gmail.com]

Hello All, my asterisk server is constantly under attack
[Apr  4 06:56:00] NOTICE[21745]: chan_sip.c:25673 handle_request_register: Registration from '"4941" <sip:4941@public_ip>' failed for '194.100.46.132[img]resource://skype_ff_extension-at-jetpack/skype_ff_extension/data/call_skype_logo.png[/img]194.100.46.132:56714' - Wrong password
[Apr  4 06:56:00] NOTICE[21745]: chan_sip.c:25673 handle_request_register: Registration from '"4941" <sip:4941@public_ip>' failed for '194.100.46.132[img]resource://skype_ff_extension-at-jetpack/skype_ff_extension/data/call_skype_logo.png[/img]194.100.46.132:56714' - Wrong password
[Apr  4 06:56:00] NOTICE[21745]: chan_sip.c:25673 handle_request_register: Registration from '"4941" <sip:4941@public_ip>' failed for '194.100.46.132[img]resource://skype_ff_extension-at-jetpack/skype_ff_extension/data/call_skype_logo.png[/img]194.100.46.132:56714' - Wrong password
[Apr  4 06:56:00] NOTICE[21745]: chan_sip.c:25673 handle_request_register: Registration from '"4941" <sip:4941@public_ip>' failed for '194.100.46.132[img]resource://skype_ff_extension-at-jetpack/skype_ff_extension/data/call_skype_logo.png[/img]194.100.46.132:56714' - Wrong password
[Apr  4 06:56:00] NOTICE[21745]: chan_sip.c:25673 handle_request_register: Registration from '"4941" <sip:4941@public_ip>' failed for '194.100.46.132[img]resource://skype_ff_extension-at-jetpack/skype_ff_extension/data/call_skype_logo.png[/img]194.100.46.132:56714' - Wrong password


is there a way to reject their registration after a three consecutive tries?



Thanks,

Call
Send SMS
Add to Skype
You'll need Skype CreditFree via Skype

[dtaylor at vocalabs.com]

I don't know what platform you are on, but if you are on Linux (and possibly BSD) you could use "fail2ban" to block them at the network interface.

On 04/04/2014 09:00 AM, motty cruz wrote:

[barryf-lists at flanag...]

On 4 April 2014 15:00, motty cruz <motty.cruz@gmail.com (motty.cruz@gmail.com)> wrote:

[raubvogel at gmail.com]

On Fri, Apr 4, 2014 at 10:05 AM, Daniel Taylor <dtaylor@vocalabs.com (dtaylor@vocalabs.com)> wrote:

[motty.cruz at gmail.com]

thank you all for your support. I am using Linux, I only have about 7 users outside our home network. I will learn fail2ban and will use it accordingly. 

again Thanks for your support. 



On Fri, Apr 4, 2014 at 7:09 AM, Mauricio Tavares <raubvogel@gmail.com (raubvogel@gmail.com)> wrote:

[mdupuis at ocg.ca]

Take a look a SecAst from www.generationd.com



It does everything fail2ban does and more, including blocking users by geography (we exclude all of Asia and Africa), detection of break-in patterns (even if someone guessed your un/pw), detect changes in dial rates, etc.



Grab the free version - its a BIG step up from fail2ban.



-=Michelle=-​

All opions posted are my person ones. And personnally I like generationd products because I work for them


From: asterisk-users-bounces@lists.digium.com <asterisk-users-bounces@lists.digium.com> on behalf of motty cruz <motty.cruz@gmail.com>
Sent: Friday, April 4, 2014 10:00 AM
To: Asterisk Users List
Subject: [asterisk-users] Asterisk 1.6

Hello All, my asterisk server is constantly under attack
[Apr 4 06:56:00] NOTICE[21745]: chan_sip.c:25673 handle_request_register: Registration from '"4941" <sip:4941@public_ip>' failed for '194.100.46.132[img]/owa/[/img]194.100.46.132:56714' - Wrong password
[Apr 4 06:56:00] NOTICE[21745]: chan_sip.c:25673 handle_request_register: Registration from '"4941" <sip:4941@public_ip>' failed for '194.100.46.132[img]/owa/[/img]194.100.46.132:56714' - Wrong password
[Apr 4 06:56:00] NOTICE[21745]: chan_sip.c:25673 handle_request_register: Registration from '"4941" <sip:4941@public_ip>' failed for '194.100.46.132[img]/owa/[/img]194.100.46.132:56714' - Wrong password
[Apr 4 06:56:00] NOTICE[21745]: chan_sip.c:25673 handle_request_register: Registration from '"4941" <sip:4941@public_ip>' failed for '194.100.46.132[img]/owa/[/img]194.100.46.132:56714' - Wrong password
[Apr 4 06:56:00] NOTICE[21745]: chan_sip.c:25673 handle_request_register: Registration from '"4941" <sip:4941@public_ip>' failed for '194.100.46.132[img]/owa/[/img]194.100.46.132:56714' - Wrong password


is there a way to reject their registration after a three consecutive tries?



Thanks,

Call
Send SMS
Add to Skype
You'll need Skype CreditFree via Skype

[asterisk_list at earth...]

On Friday 04 Apr 2014, Michelle Dupuis wrote:

[mdupuis at ocg.ca]

What you are saying is only open source software is safe? You have just excluded most software in use in the business world.

We have installed Norton antivirus on all of our workstation; I don't think Symantec will ever release the source code (since that would also show attackers how to get around it). Using the same logic releasing SecAst source would also seem foolish (and make it impossible for any commercial enterprise to sell software).

I understand your point of view, and if your preference is to only use open source software that's great. However, that doesn't mean precompiled software is inherently dangerous or malevolent.

-=Michelle=-
________________________________________
From: asterisk-users-bounces@lists.digium.com <asterisk-users-bounces@lists.digium.com> on behalf of A J Stiles <asterisk_list@earthshod.co.uk>
Sent: Friday, April 4, 2014 10:38 AM
To: Asterisk Users List
Subject: Re: [asterisk-users] Asterisk 1.6

On Friday 04 Apr 2014, Michelle Dupuis wrote:

[motty.cruz at gmail.com]

absolutely right A J, thanks for the heads up. I do not intent to implement that solution in production server, I hope to learn it first, build a test server and monitor for a few days or weeks. 


Thanks again, 



On Fri, Apr 4, 2014 at 7:38 AM, A J Stiles <asterisk_list@earthshod.co.uk (asterisk_list@earthshod.co.uk)> wrote:

[ish at pack-net.co.uk]

On 4 April 2014 15:22, motty cruz <motty.cruz@gmail.com (motty.cruz@gmail.com)> wrote:

[motty.cruz at gmail.com]

Hello Ishfaq, outside users usually travel around the country and connect from different network, so it won't be possible to lock it down to specific IP. 

Thanks for your support. 



On Fri, Apr 4, 2014 at 8:03 AM, Ishfaq Malik <ish@pack-net.co.uk (ish@pack-net.co.uk)> wrote:

[ish at pack-net.co.uk]

Well in that case fail2ban gets my vote.


On 4 April 2014 16:15, motty cruz <motty.cruz@gmail.com (motty.cruz@gmail.com)> wrote:

[mdupuis at ocg.ca]

If you know your users are all from with your country, or state, or even city, you could restrict geographic access in your secast.conf file like this:



ruledefault=deny
ruleexceptions=NA:CA:Ontario:|NA:US:Michigan:Detroit|::Ohio:|NA


The above would:
- By default deny all source IP's anywhere in the world
- Let in only source IP's from:
1. North America (continent), Canada (country), Ontario (region)
2. North America (continent), USA (country), Michigan (region), Detroit (city)
3. Any region called 'Ohio' anywhere in the world (not sure why you would do that but fun example)
4. Anywhere in North America


So you can open up your system based solely on where you know your real users are located.



-=Michelle=-


From: asterisk-users-bounces@lists.digium.com <asterisk-users-bounces@lists.digium.com> on behalf of motty cruz <motty.cruz@gmail.com>
Sent: Friday, April 4, 2014 11:15 AM
To: Asterisk Users List
Subject: Re: [asterisk-users] Asterisk 1.6

Hello Ishfaq, outside users usually travel around the country and connect from different network, so it won't be possible to lock it down to specific IP.

Thanks for your support.



On Fri, Apr 4, 2014 at 8:03 AM, Ishfaq Malik <ish@pack-net.co.uk (ish@pack-net.co.uk)> wrote:

[millennium.bug at gmai...]

Use allowguest=no
And define ACLs for every SIP account.
And obviously, fail2ban for blocking suspicious IPs.

[motty.cruz at gmail.com]

that sounds feasible, Thanks Michelle, 






On Fri, Apr 4, 2014 at 8:25 AM, Michelle Dupuis <mdupuis@ocg.ca (mdupuis@ocg.ca)> wrote: