
VoIP Mailing List Archives
Mailing list archives for the VoIP community

[asterisk-users] Attack on Sip server.

anuragrana31189 at gma...
Posted: Fri Jun 27, 2014 12:15 pm    Post subject: [asterisk-users] Attack on Sip server.

Can't use anything which blocks IP addresses because my system is behind a gateway and the attacker gets the address of that gateway. In this way I will end up blocking myself.


Please suggest something else.



On Fri, Jun 27, 2014 at 10:24 PM, Anurag Rana <anuragrana31189@gmail.com (anuragrana31189@gmail.com)> wrote:
Quote:
Right Mitul. System is behind some gateway.



On Fri, Jun 27, 2014 at 10:06 PM, Mitul Limbani <mitul@enterux.in (mitul@enterux.in)> wrote:


Quote:

I think your Asterisk server is behind a firewall or some sort of NAT where the out-to-in packets are getting masqueraded with the local or DMZ IP of your firewall / gateway box.
Fix this first to get fail2ban to detect the correct public IP.
Otherwise fail2ban will ban your local GW IP, due to which you won't be able to access the box even from your local network for SSH.
Hope you know how to fix the firewall SNAT.
Mitul

On 27-Jun-2014 9:51 PM, "Jai Rangi" <jprangi@didforsale.com> wrote:

Quote:
Anurag,


Here is a small script that will check your logs and block the IPs.

http://www.didforsale.com/blog/is-your-asterisk-system-under-heavy-attack


This is good if you don't expect any registrations. If you do have some valid registrations, you might want to add a counter to see how many times an IP needs to fail, or how many different users an IP is trying to register as, before blocking the IP.


Jai Rangi

www.didforslae.com






On Fri, Jun 27, 2014 at 7:37 AM, Anurag Rana <anuragrana31189@gmail.com (anuragrana31189@gmail.com)> wrote:
Quote:

Hi All.


Someone is attacking my SIP server.
There are a lot of requests coming in and I am not able to stop it because I am unable to detect the IP address.
I used Wireshark to capture the packets.


Although I am using very strong passwords for my SIP users, is there still any way to drop these packets and stop this attack?


I tried dropping packets after matching a string (most of the packets from the attacker contain the string 'VaxSIPUserAgent/3.1') but it failed. Packets are still flowing in.


Quote:
iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP

It's something like this:

Registration from '"30" <sp:30@my_public_ip:5060> failed for '192.168.xxx.xxx:6373' - Wrong Password

and there are approx. 10 requests per minute of this type.

Please suggest some way to stop this.




--
Anurag Rana
http://newbie42.blogspot.in/
On the trampoline of life's experiences, Striving towards a saintly life in the midst of these materialistic turbulences.






--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
               http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
mitul at enterux.in
Posted: Fri Jun 27, 2014 12:35 pm    Post subject: [asterisk-users] Attack on Sip server.

No way out. Fix your gateway, which is masquerading out-to-in traffic.
And do some research, as others mentioned, instead of expecting a quick fix.
Mitul

On 27-Jun-2014 10:45 PM, "Anurag Rana" <anuragrana31189@gmail.com> wrote:
Quote:
Can't use anything which blocks IP addresses because my system is behind a gateway and the attacker gets the address of that gateway. In this way I will end up blocking myself.

Please suggest something else.
anuragrana31189 at gma...
Posted: Fri Jun 27, 2014 12:44 pm    Post subject: [asterisk-users] Attack on Sip server.

Ok. Thanks. :)



asterisk.org at sedwar...
Posted: Fri Jun 27, 2014 1:22 pm    Post subject: [asterisk-users] Attack on Sip server.

Please don't top-post.

Please trim posts to the specific post you are replying to.

On Fri, 27 Jun 2014, Anurag Rana wrote:

Quote:
Can't use anything which blocks IP addresses because my system is behind
a gateway and the attacker gets the address of that gateway. In this way I
will end up blocking myself.

Please suggest something else.

The most effective approach would be to configure your gateway to block
all IP addresses and white-list the ones you really need.

If you are in control of the endpoints, moving to a non-standard SIP port
as previously suggested should be pretty effective. Most script-kiddies
won't bother to 'port-scan' to identify the new port number.

--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards sedwards@sedwards.com Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
mdupuis at ocg.ca
Posted: Sun Jun 29, 2014 9:16 am    Post subject: [asterisk-users] Attack on Sip server.

If you have a small Asterisk installation, install the free version of SecAst:

http://www.voip-info.org/wiki/view/SecAst+(Asterisk+Intrusion+Detection+and+Prevention)



For general Asterisk security info check this out:

http://www.voip-info.org/wiki/view/Asterisk+security



-=Michelle=-


All opinions posted are my own, and do not necessarily reflect those of my employer. As an employee of GenerationD my opinions are seriously biased :)


From: asterisk-users-bounces@lists.digium.com <asterisk-users-bounces@lists.digium.com> on behalf of Anurag Rana <anuragrana31189@gmail.com>
Sent: Friday, June 27, 2014 10:49 AM
To: Prakash N
Cc: Asterisk Users List
Subject: Re: [asterisk-users] Attack on Sip server.

I added both rules, TCP as well as UDP. Still not working.


How will changing the SIP listen port prevent it? Please explain.


I will try fail2ban.



On Fri, Jun 27, 2014 at 8:16 PM, Prakash N <prakash.n@tevatel.com (prakash.n@tevatel.com)> wrote:
Quote:
Hi,

Install fail2ban and change the SIP listen port to avoid the attack.

With regards

N.Prakash

andres at telesip.net
Posted: Sun Jun 29, 2014 7:09 pm    Post subject: [asterisk-users] Attack on Sip server.

Quote:
iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP

It's something like this:

Registration from '"30" <sp:30@my_public_ip:5060> failed for '192.168.xxx.xxx:6373' - Wrong Password

and there are approx. 10 requests per minute of this type.

Please suggest some way to stop this.

In my experience you need to do 2 things to fix your problem.

#1) Get the real IP address of the attacker.
First you will need to recompile Asterisk to enable the log that shows the IP of the attacker. It apparently is only set for debug, so you need to edit chan_sip.c.

In chan_sip.c:

    if (!peer) {
        if (debug) {                 /* <--- delete this line ... */
            ast_verbose("No matching peer for '%s' from '%s'\n",
                of, ast_sockaddr_stringify(&p->recv));
        }                            /* <--- ... and this closing brace (the brace closing "if (!peer)" stays) */


This will enable logs like:
VERBOSE[24693] chan_sip.c: No matching peer for '1000' from '104.14.190.14:5080'

#2) Now that you have the IP of the attacker, just use fail2ban to block him automatically. Make sure you test out your rules. For example, the above log is detected with this fail2ban rule:
VERBOSE%(__pid_re)s [^:]+: No matching peer for '[^']*' from '<HOST>(:[0-9]+)?'$



--
Technical Support
http://www.cellroute.net
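Added example (not code from this thread, from Asterisk or from fail2ban): the detection logic the last three replies describe, run over a constructed log. It applies two failregex shapes, the 'No matching peer' verbose line that the chan_sip.c edit above un-hides and the 'Registration from ... failed for ...' notice quoted in the original post (which already carries a source address, the NAT-masqueraded 192.168.x.x one), counts failures per source plus the number of distinct accounts each source tries (the counter Jai Rangi suggested), and refuses to ban anything in an ignore list of private ranges so the gateway Mitul warned about is reported instead of banned. PID_RE and HOST_RE are simplified IPv4-only stand-ins for fail2ban's %(__pid_re)s and <HOST>; the log lines, addresses and thresholds are constructed, and the DROP rules are printed, not executed.

```python
"""Fail2ban-style scan of Asterisk chan_sip failure lines (added example)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Simplified stand-ins for fail2ban's %(__pid_re)s and <HOST> (assumption: IPv4 only).
PID_RE = r"(?:\[\d+\])"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

FAILREGEXES = [
    # the 'No matching peer' verbose line the chan_sip.c edit un-hides
    re.compile(r"VERBOSE" + PID_RE + r" [^:]+: No matching peer for '(?P<user>[^']*)' from '"
               + HOST_RE + r"(?::\d+)?'$"),
    # the registration-failure NOTICE from the original post; it already carries the
    # source address, which for a NAT'd server is the gateway's private address
    re.compile(r"Registration from '(?P<user>[^']*)' failed for '" + HOST_RE
               + r"(?::\d+)?' - (?P<reason>.+)$"),
]

# Constructed sample log (RFC 5737 documentation addresses), not a real capture.
SAMPLE_LOG = """\
[2014-06-27 22:10:01] VERBOSE[24693] chan_sip.c: No matching peer for '1000' from '203.0.113.7:5080'
[2014-06-27 22:10:02] VERBOSE[24693] chan_sip.c: No matching peer for '1001' from '203.0.113.7:5080'
[2014-06-27 22:10:03] VERBOSE[24693] chan_sip.c: No matching peer for '1002' from '203.0.113.7:5080'
[2014-06-27 22:10:10] NOTICE[24693] chan_sip.c: Registration from '"30" <sip:30@198.51.100.10:5060>' failed for '192.168.1.1:6373' - Wrong Password
[2014-06-27 22:10:16] NOTICE[24693] chan_sip.c: Registration from '"30" <sip:30@198.51.100.10:5060>' failed for '192.168.1.1:6373' - Wrong Password
[2014-06-27 22:10:22] NOTICE[24693] chan_sip.c: Registration from '"30" <sip:30@198.51.100.10:5060>' failed for '192.168.1.1:6373' - Wrong Password
[2014-06-27 22:10:28] NOTICE[24693] chan_sip.c: Registration from '"30" <sip:30@198.51.100.10:5060>' failed for '192.168.1.1:6373' - Wrong Password
[2014-06-27 22:10:34] NOTICE[24693] chan_sip.c: Registration from '"30" <sip:30@198.51.100.10:5060>' failed for '192.168.1.1:6373' - Wrong Password
[2014-06-27 22:11:01] NOTICE[24693] chan_sip.c: Registration from '"31" <sip:31@198.51.100.10:5060>' failed for '198.51.100.77:5060' - Wrong Password
[2014-06-27 22:11:40] NOTICE[24693] chan_sip.c: Registration from '"31" <sip:31@198.51.100.10:5060>' failed for '198.51.100.77:5060' - Wrong Password
[2014-06-27 22:11:41] VERBOSE[24693] chan_sip.c: Registered SIP '31' at 198.51.100.77:5060
"""

# Never ban these: with SNAT on the gateway, every attacker shows up as one of them.
PRIVATE_NETS = ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def account_name(raw_user):
    """Reduce a From header such as '"30" <sip:30@host:5060>' to the account name."""
    m = re.search(r"sip:([^@>]+)@", raw_user)
    return m.group(1) if m else raw_user


def scan(lines, ignore=PRIVATE_NETS, maxretry=5, maxusers=3):
    """Return hosts to ban, hosts over threshold but ignored, and the raw counts."""
    nets = [ip_network(n) for n in ignore]
    fails = defaultdict(int)
    users = defaultdict(set)
    for line in lines:
        for rx in FAILREGEXES:
            m = rx.search(line)
            if m:
                fails[m.group("host")] += 1
                users[m.group("host")].add(account_name(m.group("user")))
                break
    ban, ignored = [], []
    for host, n in fails.items():
        # ban on too many failures OR on one source rotating through accounts
        if n < maxretry and len(users[host]) < maxusers:
            continue
        if any(ip_address(host) in net for net in nets):
            ignored.append(host)   # banning this would cut off everything behind the gateway
        else:
            ban.append(host)
    return {
        "ban": sorted(ban),
        "ignored": sorted(ignored),
        "fails": dict(fails),
        "users": {h: sorted(u) for h, u in users.items()},
    }


def iptables_rules(hosts):
    """The per-host DROP rules a fail2ban action would install (returned, not executed)."""
    return [f"iptables -I INPUT -s {h} -j DROP" for h in hosts]


if __name__ == "__main__":
    report = scan(SAMPLE_LOG.splitlines())
    for host, n in sorted(report["fails"].items()):
        print(f"{host}: {n} failures, accounts tried: {', '.join(report['users'][host])}")
    for host in report["ignored"]:
        print(f"{host}: over threshold but on the ignore list; fix the gateway's SNAT before banning")
    for rule in iptables_rules(report["ban"]):
        print(rule)
```

Run it directly to see the per-host report. 203.0.113.7 is banned after only three failures because it cycled through three different accounts, while 192.168.1.1 reproduces the symptom from the original post: it crosses the failure threshold, but the address is the gateway's, so the script flags it and the fix is the SNAT on the gateway (or fail2ban's ignoreip), not a ban.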
asterisk at a-domani.nl
Posted: Tue Jul 01, 2014 4:53 pm    Post subject: [asterisk-users] Attack on Sip server.

On Fri, 2014-06-27 at 22:24 +0530, Anurag Rana wrote:

Quote:

iptables -I INPUT 1 -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm -j DROP


You make a fundamental mistake here.
Firewalls (both inline and hostbased) should drop everything by default.
And you should specifically accept what you are expecting and capable of
handling. Not the other way round.

The above rule is something like:
the front door is locked between 9:30 AM and 10:15 AM, as you expect
burglars to come to your house.


All times are GMT - 5 Hours
Page 2 of 2