iptables -A INPUT -p tcp -s 74.52.112.162 -j DROP

Good luck.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of spectro
Sent: June 30, 2008 12:15 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] sip extension compromised, need help blocking brute force attempts

Hello,

Yesterday one of the extensions on my asterisk server got compromised by a brute-force attack. The attacker used it to try to pull an identity theft scam, playing a recording from a bank: "your account has been blocked due to unusual activity, please call this number..."

The attacker managed to make lots of calls for around 8 hours before I detected it and changed the password for that extension. As of this morning it is still attempting to brute force the password for that extension again.

I need a way to block that IP from connecting to my asterisk server, please advise.

--- sip debug ---
Using INVITE request as basis request - [EMAIL PROTECTED]
Sending to 74.52.112.162 : 5060 (NAT)
Found user '211'
Reliably Transmitting (NAT) to 74.52.112.162:5060:
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 74.52.112.162:5060;branch=z9hG4bK3b28fa36;received=74.52.112.162;rport=5060
From: "ASLPLS" <sip:[EMAIL PROTECTED]>;tag=as130a4d39
To: <sip:[EMAIL PROTECTED]>;tag=as0c69057b
Call-ID: [EMAIL PROTECTED]
CSeq: 103 INVITE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Contact: <sip:[EMAIL PROTECTED]>
Content-Length: 0
--- sip debug ---

That box is currently running Trixbox 1.2.3. I have iptables disabled. If anybody can give me a simple ruleset that allows all traffic except IP 74.52.112.162 to port 5060 I will really appreciate it.

Are there mechanisms in Asterisk to detect and automatically block these brute force attempts?
_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

AstriCon 2008 - September 22 - 25 Phoenix, Arizona
Register Now: http://www.astricon.net

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
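
Added example, not part of the original thread: the closing question asks how such attempts could be detected and blocked automatically, and this shell sketch counts "403 Forbidden" replies per peer in sip debug output of the layout quoted above, then prints a DROP rule for each peer at or over a threshold. The function names, the threshold and the sample text (including the 192.0.2.10 and 198.51.100.7 addresses) are constructed for illustration; the rules match UDP port 5060 because the quoted Via header shows SIP/2.0/UDP.

```shell
# Added example (not from the original thread): find peers that draw repeated
# "403 Forbidden" replies in Asterisk "sip debug" output and print DROP rules.

# Constructed sample in the layout of the sip debug excerpt quoted above.
SAMPLE_DEBUG='Reliably Transmitting (NAT) to 74.52.112.162:5060:
SIP/2.0 403 Forbidden
CSeq: 103 INVITE
Reliably Transmitting (NAT) to 74.52.112.162:5060:
SIP/2.0 403 Forbidden
Reliably Transmitting (NAT) to 192.0.2.10:5060:
SIP/2.0 200 OK
Reliably Transmitting (NAT) to 74.52.112.162:5060:
SIP/2.0 403 Forbidden
Reliably Transmitting (no NAT) to 198.51.100.7:5060:
SIP/2.0 403 Forbidden'

# sip_403_offenders THRESHOLD: read sip debug text on stdin, print "IP COUNT"
# for each peer that was sent at least THRESHOLD 403 responses.
sip_403_offenders() {
    awk -v min="$1" '
        # Remember the peer address of the response about to be printed.
        /Transmitting .* to [0-9.]+:[0-9]+:/ {
            peer = $0
            sub(/.* to /, "", peer)      # drop everything before the address
            sub(/:[0-9]+:.*/, "", peer)  # drop ":port:" and anything after
            next
        }
        # Status line of the response: count only 403s, then forget the peer.
        /^SIP\/2\.0 [0-9]+/ {
            if ($2 == "403" && peer != "") hits[peer]++
            peer = ""
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip, hits[ip] }
    ' | sort
}

# block_rules: turn "IP COUNT" lines into iptables commands (printed, not run).
# UDP is matched because the Via header in the excerpt shows SIP/2.0/UDP.
block_rules() {
    while read -r ip count; do
        echo "iptables -I INPUT -p udp -s $ip --dport 5060 -j DROP"
    done
}

printf '%s\n' "$SAMPLE_DEBUG" | sip_403_offenders 3 | block_rules
```

The rules are only printed, so they can be reviewed before anything is applied to the firewall.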