VoIP Mailing List Archives
Mailing list archives for the VoIP community

[asterisk-users] PBX hacked: why hundred of calls to the same number ?

mdupuis at ocg.ca
Posted: Fri Oct 03, 2014 1:44 pm    Post subject: [asterisk-users] PBX hacked: why hundred of calls to the sam

There are lots of ways to solve this, and NOT to solve this. Don't start adding lots of rules to iptables (or deep per packet inspection requirements) as this will hurt capacity...and it doesn't really solve the problem.



Take a look at

http://www.voip-info.org/wiki/view/Asterisk+security



If you are running a small system I recommend trying the free version of SecAst. If you're running a larger PBX, the SecAst GeoIP blocking (deny/allow by country/city/etc) will remove 99% of the attacks.



Take a good look at the page above for options...free/paid, software/hardware



Michelle



*All opinions are my own, and do not represent my employer. Since I'm employed by GenerationD, you can bet that my opinions are biased :)


From: asterisk-users-bounces@lists.digium.com <asterisk-users-bounces@lists.digium.com> on behalf of Rainer Piper <rainer.piper@soho-piper.de>
Sent: Friday, October 3, 2014 2:15 PM
To: Asterisk Users List
Subject: Re: [asterisk-users] PBX hacked: why hundred of calls to the same number ?

Hi Chris,

yes ... it is boring ...
I stop posting ...
;)


On 03.10.2014 at 20:11, Chris Bagnall wrote:

Quote:
On 3/10/14 6:52 pm, Rainer Piper wrote:
Quote:
the attacking server changed the destination Number at 18:53 CEST and
he is still blocked ... LOL
972597438354 <callto:00972597438354>

It's pretty much an everyday occurrence for any internet-connected SIP system these days...

Quote:
Oct 3 19:46:20 server /sbin/kamailio[3977]: NOTICE: <script>: blocking
IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=100972597438354

Many of these attacks come from fairly easily recognised user-agent strings, so if you fancy doing a bit of packet inspection with your firewall, you can block many of these before they get as far as your SIP server(s) themselves.

For example, the sipcli scans you listed above can be blocked fairly easily with:
iptables -A INPUT -p udp --dport 5060 -m string --algo bm --string "sipcli" -j DROP

(obviously there are overheads to string searching UDP/5060 packets that you'll want to consider, and the above won't work if you're using sipcli legitimately anywhere on your network)

Kind regards,

Chris


--
Rainer Piper
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer@sip.soho-piper.de:5072 (pjsip-test)
XMPP: rainer@xmpp.soho-piper.de
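Added example, not part of any post in this thread: a small triage script that reads Kamailio "blocking IP" lines in the format quoted above, rejoins entries wrapped by a mail client, and counts blocked requests per source and User-Agent and per dialed number, so one rule decision can be based on measured volume. Assumptions: the log format is the poster's own script output exactly as quoted, prefix variants of one number are grouped by their last 12 digits (a heuristic, `suffix_len`), and every sample line except the first entry is constructed.

```python
import re
from collections import Counter, defaultdict

# Assumed format: the site-specific Kamailio script line quoted in the thread.
LINE_RE = re.compile(
    r"kamailio\[\d+\]: NOTICE: <script>: blocking IP (?P<ip>\S+) "
    r"(?P<ua>.*?) rm=(?P<method>\S+) aU=(?P<au>\S+) rU=(?P<ru>\S+)"
)
TS_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")

def unwrap(lines):
    """Rejoin wrapped entries: a non-empty line without a leading syslog
    timestamp is treated as the continuation of the previous entry."""
    entry = None
    for raw in lines:
        line = raw.strip()
        if TS_RE.match(line):
            if entry:
                yield entry
            entry = line
        elif entry and line:
            entry += " " + line
    if entry:
        yield entry

def summarize(lines, suffix_len=12):
    """Map (source IP, User-Agent) -> Counter of dialed-number suffixes."""
    stats = defaultdict(Counter)
    for entry in unwrap(lines):
        m = LINE_RE.search(entry)
        if m:
            digits = re.sub(r"\D", "", m["ru"])
            # Heuristic (assumption): dial-prefix variants share a suffix.
            stats[(m["ip"], m["ua"])][digits[-suffix_len:] or "<none>"] += 1
    return stats

# First entry is the line quoted in the thread (wrapped as posted);
# the other two entries are constructed for this example.
SAMPLE = """\
Oct 3 19:46:20 server /sbin/kamailio[3977]: NOTICE: <script>: blocking
IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=100972597438354
Oct 3 19:46:21 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 62.210.149.136 sipcli/v1.8 rm=INVITE aU=<null> rU=00972597438354
Oct 3 19:46:25 server /sbin/kamailio[3977]: NOTICE: <script>: blocking IP 192.0.2.10 example-ua/0.1 rm=REGISTER aU=100 rU=<null>
""".splitlines()

if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE).items(), key=lambda kv: -sum(kv[1].values()))
    for (ip, ua), targets in ranked:
        print(ip, ua, sum(targets.values()), dict(targets))
```

Run against the real log, the ranking shows whether a single User-Agent accounts for enough traffic to justify the string-match overhead Chris mentions, or whether blocking belongs at the SIP layer as Michelle argues.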
All times are GMT - 5 Hours