Hi Chris,

I'd restrict access to the Asterisk box using iptables (or similar  
firewall) and only allow access from trusted client IPs or networks.  
This only works though if you know the originating IPs (and/or  
networks) of client connections and that they don't change over time.

Alternately you could require a VPN connection between the network  
your Asterisk box is on and clients you anticipate connecting to it.  
This creates some network overhead and could introduce some latency,  
but is a possibility.

Lastly you could block the originating IPs of attacking systems using
an ACL or iptables rule, but that can quickly become a losing
strategy if the attacker has access to different systems or different
networks.

Good luck!

- Chris

---
Chris Brentano
IT Engineer
Jive Software
915 SW Stark St, Suite 400
Portland, Oregon 97205
Email/XMPP: chris.brent...@jivesoftware.com


On 23 Jan, 2009, at 1:36 PM, Christopher Gray wrote:

> Hello:
>
> Beginning on January 6, it appears that somebody has been trying to hack into
> my Asterisk.  They have tried on the 7th, 9th, and the 20th.  The messages file
> in /var/log/Asterisk shows entries like this:
>
> [Jan 20 13:39:40] NOTICE[5130] chan_sip.c: Registration from '"1072963462"<sip:1072963...@198.144.206.28>' failed for '212.174.78.60' - No matching peer found
>
> [Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from '"100"<sip:1...@198.144.206.28>' failed for '212.174.78.60' - No matching peer found
>
> [Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from '"101"<sip:1...@198.144.206.28>' failed for '212.174.78.60' - No matching peer found
>
> [Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from '"102"<sip:1...@198.144.206.28>' failed for '212.174.78.60' - No matching peer found
>
> [Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from '"103"<sip:1...@198.144.206.28>' failed for '212.174.78.60' - No matching peer found
>
> The sip:101 sip:102 and so on goes up until sip:9975.  This began at 13:39:40
> and ended at 13:42:51.  Entries began at line 970 of the log file and ended at
> 8016 for a total of 7,041 occurrences.
>
> How worried should I be about this and what should I do to stop further
> attempts?
>
> Thanks for any advice.
>
> Chris
>
>
>
> _______________________________________________
> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>
> asterisk-security mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-security
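
Added example (not part of the original thread, and not Asterisk project code): a short Python script that reads chan_sip NOTICE lines in the format quoted above and reports source IPs that tried many different SIP users within a short window, which separates an extension scan like the one described from a single phone retrying a bad password. The sample log, the thresholds and the assumed year are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# chan_sip failed-registration notice, in the format quoted in the message.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?:\"[^\"]*\")? ?<sip:(?P<user>[^@>]+)@[^>]+>' "
    r"failed for '(?P<ip>[\d.]+)' - (?P<reason>.+)$"
)

# Constructed sample (documentation-range addresses), not taken from a real log.
SAMPLE_LOG = """\
[Jan 20 13:39:40] NOTICE[5130] chan_sip.c: Registration from '"100"<sip:100@198.51.100.10>' failed for '203.0.113.7' - No matching peer found
[Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from '"101"<sip:101@198.51.100.10>' failed for '203.0.113.7' - No matching peer found
[Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from '"102"<sip:102@198.51.100.10>' failed for '203.0.113.7' - No matching peer found
[Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from '"103"<sip:103@198.51.100.10>' failed for '203.0.113.7' - No matching peer found
[Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from '"104"<sip:104@198.51.100.10>' failed for '203.0.113.7' - No matching peer found
[Jan 20 13:40:02] NOTICE[5130] chan_sip.c: Registration from '"2001"<sip:2001@198.51.100.10>' failed for '192.0.2.50' - Wrong password
[Jan 20 13:40:32] NOTICE[5130] chan_sip.c: Registration from '"2001"<sip:2001@198.51.100.10>' failed for '192.0.2.50' - Wrong password
[Jan 20 13:41:00] VERBOSE[5130] logger.c: -- Remote UNIX connection
"""

def find_scanners(lines, min_users=5, window=timedelta(minutes=5), year=2009):
    """Map source IP -> (attempts, distinct users) for every source that tried
    at least min_users different SIP users inside one time window."""
    events = defaultdict(list)
    for line in lines:
        m = FAILED_REG.match(line.strip())
        if m:  # the log line carries no year, so one is assumed (parameter)
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append((ts, m["user"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            if len({u for _, u in evs[start:end + 1]}) >= min_users:
                flagged[ip] = (len(evs), len({u for _, u in evs}))
                break
    return flagged

if __name__ == "__main__":
    for ip, (n, users) in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed registrations, {users} distinct users")
```

Log lines that a mail client has wrapped, as in the quoted message, need to be re-joined into one entry per line before they will match.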

