VoIP Mailing List Archives

[motty.cruz at gmail.com]

Hi All, 
I see this kind of attack on our Asterisk Server, do you know how to block that IP? 


[Sep  4 07:41:06] NOTICE[7375]: chan_sip.c:23375 handle_request_invite: Call from '' (213.136.81.166:9306) to extension '34422' rejected because extension not found in context 'default'.


Thanks in advance, 
-Motty

[patrick at laimbock.com]

On 04-09-14 16:44, motty cruz wrote:

[tg at ovm-group.com]

Am 04.09.2014 16:44, schrieb motty cruz:

[motty.cruz at gmail.com]

Thanks, looks like fail2ban is the way to go, I would prefer a different alternatives if there is one. I tried deny=IP/netmask but did not work for me, in sip.conf. seems like fail2ban is what you all are using, so I will give it a try. 

Thanks, 




On Thu, Sep 4, 2014 at 7:58 AM, Thorsten Göllner <tg@ovm-group.com (tg@ovm-group.com)> wrote:

[asterisk_list at earth...]

On Thursday 04 Sep 2014, motty cruz wrote:

[motty.cruz at gmail.com]

Hi A J, believe me, I wish i do as you suggested, however I have a few extensions outside the office with dynamic IPs, so that is not a possibility. Thanks for your suggestions, I will try fail2ban. I don't know how complicated is to implement that on production server. 


Thanks, 
-Motty



On Thu, Sep 4, 2014 at 8:19 AM, A J Stiles <asterisk_list@earthshod.co.uk (asterisk_list@earthshod.co.uk)> wrote:

[hykhan at hotmail.com]

dont forgot to put your "trusted IPs" into "ignoreip" list while configuring fail2ban

its very important when a customer (may be 100+ extns) are behind NAT and only present single public IP


Rgds
Hash

Date: Thu, 4 Sep 2014 08:42:11 -0700
From: motty.cruz@gmail.com
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] Asterisk secure fine tune - stop attack

Hi A J, believe me, I wish i do as you suggested, however I have a few extensions outside the office with dynamic IPs, so that is not a possibility. Thanks for your suggestions, I will try fail2ban. I don't know how complicated is to implement that on production server.


Thanks,
-Motty



On Thu, Sep 4, 2014 at 8:19 AM, A J Stiles <asterisk_list@earthshod.co.uk (asterisk_list@earthshod.co.uk)> wrote:

[EWieling at nyigc.com]

If we don’t need to allow access from outside the USA we block access from all non-ARIN IP addresses by using iptables. This takes care of at least 80% of attacks.

I enabled guest access and pointed all guest calls to an IVR which auto disconnects the call after a while (2 min seems good) if there is no response. That took care of most of the remaining attacks.

I’m considering enabling auto create peer and routing calls to the same IVR as above.

We also use fail2ban, but mostly for non-SIP attacks.

Before enabling any guest access be ABSOLUTELY SURE you know how to do it without causing security issues.

From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Hashmat Khan
Sent: Thursday, September 04, 2014 3:45 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Asterisk secure fine tune - stop attack



dont forgot to put your "trusted IPs" into "ignoreip" list while configuring fail2ban


its very important when a customer (may be 100+ extns) are behind NAT and only present single public IP



Rgds

Hash

Date: Thu, 4 Sep 2014 08:42:11 -0700
From: motty.cruz@gmail.com (motty.cruz@gmail.com)
To: asterisk-users@lists.digium.com (asterisk-users@lists.digium.com)
Subject: Re: [asterisk-users] Asterisk secure fine tune - stop attack
Hi A J,
believe me, I wish i do as you suggested, however I have a few extensions outside the office with dynamic IPs, so that is not a possibility. Thanks for your suggestions, I will try fail2ban. I don't know how complicated is to implement that on production server.



Thanks,
-Motty



On Thu, Sep 4, 2014 at 8:19 AM, A J Stiles <asterisk_list@earthshod.co.uk (asterisk_list@earthshod.co.uk)> wrote:
On Thursday 04 Sep 2014, motty cruz wrote:

[asterisk.org at sedwar...]

Please don't top post.

On Thu, 4 Sep 2014, motty cruz wrote:

[mdupuis at ocg.ca]

You can also take a look at SecAst (www.generationd.com). The free version is a drop-in replacement for fail2ban but also add a lot more intelligence (and no need to update regex's etc). There's also geographic IP fencing so you can block attacks by country / region / city etc., only allow access by geography, etc. And a whole lot more (including detection of breached but valid credentials to halt ongoing fraud, etc)



-=M=-



The opinions above are my own, and don't necessarily represent those of my employer. Since I'm employed by Generation D however you can bet that I have a serious bias


From: asterisk-users-bounces@lists.digium.com <asterisk-users-bounces@lists.digium.com> on behalf of Eric Wieling <EWieling@nyigc.com>
Sent: Thursday, September 4, 2014 11:58 AM
To: Asterisk Users List
Subject: Re: [asterisk-users] Asterisk secure fine tune - stop attack


If we don’t need to allow access from outside the USA we block access from all non-ARIN IP addresses by using iptables. This takes care of at least 80% of attacks.

I enabled guest access and pointed all guest calls to an IVR which auto disconnects the call after a while (2 min seems good) if there is no response. That took care of most of the remaining attacks.

I’m considering enabling auto create peer and routing calls to the same IVR as above.

We also use fail2ban, but mostly for non-SIP attacks.

Before enabling any guest access be ABSOLUTELY SURE you know how to do it without causing security issues.

From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Hashmat Khan
Sent: Thursday, September 04, 2014 3:45 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Asterisk secure fine tune - stop attack



dont forgot to put your "trusted IPs" into "ignoreip" list while configuring fail2ban


its very important when a customer (may be 100+ extns) are behind NAT and only present single public IP



Rgds

Hash

Date: Thu, 4 Sep 2014 08:42:11 -0700
From: motty.cruz@gmail.com (motty.cruz@gmail.com)
To: asterisk-users@lists.digium.com (asterisk-users@lists.digium.com)
Subject: Re: [asterisk-users] Asterisk secure fine tune - stop attack
Hi A J,
believe me, I wish i do as you suggested, however I have a few extensions outside the office with dynamic IPs, so that is not a possibility. Thanks for your suggestions, I will try fail2ban. I don't know how complicated is to implement that on production server.



Thanks,
-Motty



On Thu, Sep 4, 2014 at 8:19 AM, A J Stiles <asterisk_list@earthshod.co.uk (asterisk_list@earthshod.co.uk)> wrote:
On Thursday 04 Sep 2014, motty cruz wrote:

[asterisk_list at earth...]

On Thursday 04 Sep 2014, motty cruz wrote:

[asterisk at lists.mino...]

On 4/9/14 4:58 pm, Eric Wieling wrote:

[motty.cruz at gmail.com]

Thank you all for your support, your suggestions are welcome. Thanks, 



On Thu, Sep 4, 2014 at 9:26 AM, Chris Bagnall <asterisk@lists.minotaur.cc (asterisk@lists.minotaur.cc)> wrote: