
VoIP Mailing List Archives
Mailing list archives for the VoIP community

[asterisk-users] stopping unwanted attempts


 
geisj at pagestation.com
Posted: Sat Jan 18, 2014 3:59 pm    Post subject: [asterisk-users] stopping unwanted attempts

I see MANY of these in my log files:



[Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from '"202" <sip:202@X:5060>' failed for '37.8.12.147:26832' - Wrong password
[Jan 15 03:06:19] NOTICE[14129] chan_sip.c: Registration from '"5001" <sip:5001@X:5060>' failed for '37.8.12.147:21268' - Wrong password
[Jan 15 03:06:23] NOTICE[14129] chan_sip.c: Registration from '"30" <sip:30@X:5060>' failed for '37.8.12.147:21270' - Wrong password
[Jan 15 03:06:48] NOTICE[14129] chan_sip.c: Registration from '"70" <sip:70@X:5060>' failed for '37.8.12.147:21328' - Wrong password
[Jan 15 03:06:50] NOTICE[14129][C-00000085] chan_sip.c: Call from '' (8.33.7.110:5103) to extension '889011972592735467' rejected because extension not found in context 'default'.
[Jan 15 03:06:56] NOTICE[14129] chan_sip.c: Registration from '"4" <sip:4@X:5060>' failed for '37.8.12.147:21272' - Wrong password
[Jan 15 03:07:11] NOTICE[14129] chan_sip.c: Registration from '"12001" <sip:12001@X:5060>' failed for '37.8.12.147:5060' - Wrong password
[Jan 15 03:34:02] NOTICE[14129][C-00000086] chan_sip.c: Call from '' (172.246.236.90:5078) to extension '8889011972595301123' rejected because extension not found in context 'default'.



What is the "correct" way to block these idiots so they
don't even get this far.


Thanks,


Jerry

andrew at vsave.co.za
Posted: Sat Jan 18, 2014 4:09 pm    Post subject: [asterisk-users] stopping unwanted attempts

Fail2ban works well; otherwise you can write your own script in bash or Perl to block them in iptables.




Regards
Andrew Colin-mobile
Vsave(PTY)Ltd










asterisk.org at sedwar...
Posted: Sat Jan 18, 2014 5:59 pm    Post subject: [asterisk-users] stopping unwanted attempts

On Sat, 18 Jan 2014, Jerry Geis wrote:

Quote:
I see MANY of these in my log files:

[Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from '"202" <sip:202@X:5060>' failed for '37.8.12.147:26832' - Wrong password

What is the "correct" way to block these idiots so they
don't even get this far.

Use iptables to allow packets from your legitimate users, block everybody
else.

If you are dealing with a mobile user base or an extensive geographic
area, at least block the countries where you do not expect traffic --
North Korea, China, xxxistan, etc.

Drop these at the front door (90% of the problem) and use fail2ban to pick
off the rest.

--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards sedwards@sedwards.com Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users

murf at parsetree.com
Posted: Sun Jan 19, 2014 9:40 am    Post subject: [asterisk-users] stopping unwanted attempts

On Sat, Jan 18, 2014 at 3:59 PM, Steve Edwards <asterisk.org@sedwards.com> wrote:
Quote:
On Sat, 18 Jan 2014, Jerry Geis wrote:


Quote:
I see MANY of these in my log files:

[Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from '"202" <sip:202@X:5060>' failed for '37.8.12.147:26832' - Wrong password


What is the "correct" way to block these idiots so they
don't even get this far.


Use iptables to allow packets from your legitimate users, block everybody else.

If you are dealing with a mobile user base or an extensive geographic area, at least block the countries where you do not expect traffic -- North Korea, China, xxxistan, etc.

Drop these at the front door (90% of the problem) and use fail2ban to pick off the rest.

I see a problem here; firstly that it is no longer so simple to determine
the IP ranges of countries. Things have been fractured quite a bit; you
might have to hire out a service to determine true geographic origination.
Even then, if your service is a little behind, you might occasionally
feel the displeasure of users unable to talk to your servers. How will you
handle this, with a white-list? How much effort will you end up committing
to keeping your whitelist up to date?

Nextly, the well-financed operations running such probes need not use
machines in their native countries. There are plenty of US-based
machines that can be (and are) compromised.

In other words, don't forget the fail2ban part!

Here's another idea! How about changing your port from 5060 to something
different, maybe 7067 or some other number that is not popularly being used?
You'll provision your phones to use this port, and the scanners will not
find you. Seems a much simpler solution... but there are some drawbacks...
can anyone think of them? And will these drawbacks matter to you? And, given
this solution, will the odds that a scanner might find your machine be so low,
that it is not worth using something like fail2ban to override them? Food
for thought!



murf




--

Steve Murphy
ParseTree Corporation
57 Lane 17
Cody, WY 82414
✉  murf at parsetree dot com
☎ 307-899-5535

rwheeler at artifact-s...
Posted: Sun Jan 19, 2014 9:57 am    Post subject: [asterisk-users] stopping unwanted attempts

fail2ban is so easy to set up, there is no reason not to set it up.

The geography problems are not so bad unless you have phones all over the world or people travelling with softphones to countries that you want to block.

It does not block incoming calls, only people who want to mimic your own legitimate phones.


Ron


--
Ron Wheeler
President
Artifact Software Inc
email: rwheeler@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102

jnovack at stromberg-c...
Posted: Sun Jan 19, 2014 10:04 am    Post subject: [asterisk-users] stopping unwanted attempts

Changing from 5060 is very effective.
Sure, someone with the knowledge could try all the ports IF they know you are even running SIP, but it certainly will stop most of these idiots.

That along with fail2ban, not using numbers for device user names all will help.

Using IAX where possible also can be very effective.

John Novack
--

Dog is my Co-pilot

asterisk at lists.mino...
Posted: Sun Jan 19, 2014 10:39 am    Post subject: [asterisk-users] stopping unwanted attempts

On 19/1/14 2:57 pm, Ron Wheeler wrote:
Quote:
fail2ban is so easy to set up, there is no reason not to set it up.

One of the dangers with fail2ban - at least in its default configuration
- is that a legitimate SIP phone with an incorrect password can quite
easily send dozens of registration attempts in a couple of minutes, thus
blocking that IP.

If your end users configure their own phones, you will have to factor in
the increased support burden when users complain that their phones
'can't connect' and you need to manually unblock those IPs. This can be
at least partially mitigated using fail2ban's 'ignoreip' directive for
IPs you know only your users will be connecting from.

If you've a large number of users, it might be worth splitting them
across a pair of servers - one for 'trusted' users, i.e. where each SIP
endpoint is locked down to a specific IP (or at least a range), and you
can configure your firewall to block SIP connection attempts from
anything apart from that list; and one for 'untrusted' users, i.e.
travelling users, home workers without static IPs, etc. on which you run
fail2ban with a fairly ruthless set of rules/limits.

Unless you know that none of your users travel internationally, I'd be
wary of imposing countrywide IP blocks, especially in this era of IP
shortage where IP space is being traded on the open market and GeoIP
databases may not always keep up to date.

Kind regards,

Chris
--
This email is made from 100% recycled electrons
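
The lock-out described above, and the effect of an ignore list, can be reproduced offline. This is an added example, not part of the original post and not fail2ban's own code: a simplified sliding-window counter whose parameter names follow fail2ban's maxretry, findtime and ignoreip options. The log lines, the addresses (RFC 5737 documentation ranges), the thresholds, the assumed year and the function name find_offenders are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example: simplified model of threshold banning, not fail2ban's code.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\](?:\[[^\]]*\])? "
    r"chan_sip\.c: (?P<msg>.*)$")
IP = r"(?P<ip>\d+\.\d+\.\d+\.\d+)"
# The registration pattern is anchored with $ so the source address is read
# from the end of the line, after the caller-supplied From value.
FAILURE_PATTERNS = [
    re.compile(r"^Registration from '.*' failed for '" + IP + r":\d+' - Wrong password$"),
    re.compile(r"^Call from '.*' \(" + IP + r":\d+\) to extension '.*' rejected "
               r"because extension not found in context"),
]


def _reg(ts, user, ip):
    # Build one constructed 'Wrong password' line in the format seen in the thread.
    return (f"[Jan 15 {ts}] NOTICE[14129] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@X:5060>' failed for '{ip}:5060' - Wrong password")


# Constructed sample log. Addresses are RFC 5737 documentation addresses.
SAMPLE_LOG = "\n".join(
    # A scanner walking through extension numbers within one minute.
    [_reg(ts, user, "198.51.100.7") for ts, user in [
        ("03:06:12", "202"), ("03:06:19", "5001"), ("03:06:23", "30"),
        ("03:06:48", "70"), ("03:06:56", "4"), ("03:07:11", "12001")]]
    # A single rejected call attempt from another host.
    + ["[Jan 15 03:06:50] NOTICE[14129][C-00000085] chan_sip.c: Call from '' "
       "(203.0.113.50:5103) to extension '0000000000' rejected because "
       "extension not found in context 'default'."]
    # A legitimate phone behind an office NAT, retrying with a mistyped password.
    + [_reg(ts, "reception", "192.0.2.10") for ts in [
        "09:00:05", "09:00:35", "09:01:05", "09:01:35", "09:02:05"]]
)


def find_offenders(log_text, maxretry=5, findtime=600, ignoreip=(), year=2014):
    """Return {ip: time the threshold was reached} for hosts that would be banned.
    The log carries no year, so one is assumed; ignoreip networks are never counted."""
    ignored = [ipaddress.ip_network(net) for net in ignoreip]
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        hit = next((h for h in (p.search(msg) for p in FAILURE_PATTERNS) if h), None)
        if not hit:
            continue
        ip = ipaddress.ip_address(hit.group("ip"))
        if any(ip in net for net in ignored):
            continue
        when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        window = recent[ip]
        window.append(when)
        while when - window[0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry:
            banned.setdefault(str(ip), when)
    return banned


if __name__ == "__main__":
    print("no ignore list:", sorted(find_offenders(SAMPLE_LOG)))
    print("office ignored:", sorted(find_offenders(SAMPLE_LOG, ignoreip=["192.0.2.0/28"])))
```

Without the ignore list, the one mistyped password blocks the office's shared public address along with the scanner; with the office range ignored, only the scanner is reported.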


EWieling at nyigc.com
Posted: Sun Jan 19, 2014 1:40 pm    Post subject: [asterisk-users] stopping unwanted attempts

It is far worse when you have multiple phones behind the same public address (i.e. NAT). If any one of the phones has a bad password and the IP gets blocked by fail2ban, then all phones at that site would be blocked.


andrew at vsave.co.za
Posted: Sun Jan 19, 2014 2:41 pm    Post subject: [asterisk-users] stopping unwanted attempts

Geoip works well to block all countries except your own




Regards
Andrew Colin-mobile
Vsave(PTY)Ltd










EWieling at nyigc.com
Posted: Sun Jan 19, 2014 3:00 pm    Post subject: [asterisk-users] stopping unwanted attempts

We don't do residential service and require the few off-net customers to have a static IP. This makes using whitelists practical. That won't work for most people though.


bchia at digium.com
Posted: Mon Jan 20, 2014 10:22 am    Post subject: [asterisk-users] stopping unwanted attempts

Quote:

I see MANY of these in my log files:


[Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from '"202" <sip:202@X:5060>' failed for '37.8.12.147:26832' - Wrong password
[Jan 15 03:06:19] NOTICE[14129] chan_sip.c: Registration from '"5001" <sip:5001@X:5060>' failed for '37.8.12.147:21268' - Wrong password
[Jan 15 03:06:23] NOTICE[14129] chan_sip.c: Registration from '"30" <sip:30@X:5060>' failed for '37.8.12.147:21270' - Wrong password
[Jan 15 03:06:48] NOTICE[14129] chan_sip.c: Registration from '"70" <sip:70@X:5060>' failed for '37.8.12.147:21328' - Wrong password
[Jan 15 03:06:50] NOTICE[14129][C-00000085] chan_sip.c: Call from '' (8.33.7.110:5103) to extension '889011972592735467' rejected because extension not found in context 'default'.
[Jan 15 03:06:56] NOTICE[14129] chan_sip.c: Registration from '"4" <sip:4@X:5060>' failed for '37.8.12.147:21272' - Wrong password
[Jan 15 03:07:11] NOTICE[14129] chan_sip.c: Registration from '"12001" <sip:12001@X:5060>' failed for '37.8.12.147:5060' - Wrong password
[Jan 15 03:34:02] NOTICE[14129][C-00000086] chan_sip.c: Call from '' (172.246.236.90:5078) to extension '8889011972595301123' rejected because extension not found in context 'default'.

What is the "correct" way to block these idiots so they
don't even get this far.

Thanks,

Jerry


At this past year's AstriCon there was a series of security talks that covered fail2ban and best practices. You can view the playlist of videos on YouTube. The content should be helpful for you:


https://www.youtube.com/playlist?list=PLighc-2vlRgT3DhE9DkIgSmpUX6v2AtYo



Links to the playlists are also on asterisk.org:
http://www.asterisk.org/community/astricon-user-conference/video-archive



Cheers,
Billy Chia

jeff at jeff.net
Posted: Mon Jan 20, 2014 10:27 am    Post subject: [asterisk-users] stopping unwanted attempts

On 01/19/2014 08:40 AM, Steve Murphy wrote:

Quote:

Here's another idea! How about changing your port from 5060 to something
different, maybe 7067 or some other number that is not popularly being used?
You'll provision your phones to use this port, and the scanners will not
find you. Seems a much simpler solution... but there are some drawbacks...
can anyone think of them? And will these drawbacks matter to you? And, given
this solution, will the odds that a scanner might find your machine be so low,
that it is not worth using something like fail2ban to override them? Food
for thought!

murf

We use this tactic. I never see scanners in my logs anymore. Haven't had any issues with it to date... we use Linksys, Polycom, Yealink, Grandstream, and Audiocodes products. All have the ability to specify the registration port.

Cheers,

j

All times are GMT - 5 Hours