Gordon Henderson wrote:

> >
> > So.. Get a copy of the sipvicious code from http://blog.sipvicious.org/ 
> > (or directly from http://code.google.com/p/sipvicious/ ) and learn how to 
> > use svcrash.py as that's the only thing that's going to ultimately stop a 
> > long-term attack on your site. For now, anyway.
> >
> > Gordon
> >   
>   
You're wrong when you state: "that's the only thing that's going to
ultimately stop." The fact of the matter is, it's quite simple to block
attackers without relying on anything other than good old-fashioned
systems/network administration.

From the onset, if possible, a "block all" / "allow in whom_I_specify"
policy should be the Golden Rule in any environment; however, in the real
world there are times when we can't just do something as simple as that.
So what's the next best thing? Good old-fashioned administration:

# tail -n 10 /var/log/asterisk/messages
[Aug 29 19:13:36] NOTICE[21056] chan_sip.c: Registration from '"yzlj"<sip:y...@208.50.53.107>' failed for '69.72.242.170' - No matching peer found
[Aug 29 19:13:36] NOTICE[21056] chan_sip.c: Registration from '"zdcu"<sip:z...@208.50.53.107>' failed for '69.72.242.170' - No matching peer found
[Aug 29 19:13:36] NOTICE[21056] chan_sip.c: Registration from '"zdur"<sip:z...@208.50.53.107>' failed for '69.72.242.170' - No matching peer found
[Aug 29 19:13:36] NOTICE[21056] chan_sip.c: Registration from '"zmug"<sip:z...@208.50.53.107>' failed for '69.72.242.170' - No matching peer found
[Aug 29 19:13:36] NOTICE[21056] chan_sip.c: Registration from '"zoej"<sip:z...@208.50.53.107>' failed for '69.72.242.170' - No matching peer found
[Aug 29 19:13:36] NOTICE[21056] chan_sip.c: Registration from '"zpcp"<sip:z...@208.50.53.107>' failed for '69.72.242.170' - No matching peer found
[Aug 29 19:13:36] NOTICE[21056] chan_sip.c: Registration from '"zxnj"<sip:z...@208.50.53.107>' failed for '69.72.242.170' - No matching peer found
[Aug 29 19:13:36] NOTICE[21056] chan_sip.c: Registration from '"zygq"<sip:z...@208.50.53.107>' failed for '69.72.242.170' - No matching peer found
[Aug 29 19:13:36] NOTICE[21056] chan_sip.c: Registration from '"zyjb"<sip:z...@208.50.53.107>' failed for '69.72.242.170' - No matching peer found
[Aug 29 19:13:36] NOTICE[21056] chan_sip.c: Registration from '"zynh"<sip:z...@208.50.53.107>' failed for '69.72.242.170' - No matching peer found

How about a little cron script without having to install anything? You
could run it off the hour:

# this hour's stamp prefix, e.g. "[Aug 29 19", in the "[%b %e %T]" format the log above uses
rightnow=`date "+%b %e %H"`

grep "^\[$rightnow" /var/log/asterisk/messages |\
awk '/No matching peer/' | sed -n "s/.*failed for '\([0-9.]*\)'.*/\1/p" |\
sort -u | awk '{print "iptables -A INPUT -s "$1" -j DROP"}' | sh

I've done my own IPS/IDS and honeypots on Asterisk and I can tell you
there are other ways to minimize the attempts and the attacks without
even running ANYTHING against your machine. I can tell you from
EXPERIENCE, and from watching and analyzing about 2-3 years' worth of VoIP
attacks, that you'd be extremely wrong to think that sipvicious is the only
tool in someone's arsenal. Secondly, I've seen patient attackers test
accounts 1 at a time, so don't think for a moment that by solely running
sipvicious and checking the results you're in the clear.




mysql> use arkeos

Database changed
mysql> select * from bruteforcers where start_date like '%2010-08%';
+------------------------------------------+------------+------------+------------+-----------+-----------------+----------+
| hostid                                   | start_date | start_time | stop_date  | stop_time | attacker        | attempts |
+------------------------------------------+------------+------------+------------+-----------+-----------------+----------+
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-02 | 12:28:22   | 2010-08-02 | 12:58:27  | 88.42.207.98    | 54644    |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-04 | 11:46:29   | 2010-08-04 | 11:48:18  | 93.35.113.170   | 9975     |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-04 | 13:08:48   | 2010-08-04 | 13:09:16  | 210.22.14.113   | 4187     |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-06 | 01:51:15   | 2010-08-06 | 02:26:43  | 187.63.73.3     | 142904   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-08 | 09:15:03   | 2010-08-08 | 09:15:03  | 125.71.212.123  | 1        |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-08 | 15:42:59   | 2010-08-08 | 17:07:54  | 217.174.169.29  | 108120   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-08 | 18:20:40   | 2010-08-08 | 18:53:58  | 61.218.212.75   | 79195    |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-08 | 19:07:25   | 2010-08-08 | 19:39:52  | 72.166.143.8    | 50073    |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-10 | 19:20:27   | 2010-08-10 | 19:21:02  | 61.164.41.144   | 2797     |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-11 | 10:54:14   | 2010-08-11 | 12:24:36  | 222.73.93.143   | 128352   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-11 | 16:07:32   | 2010-08-11 | 16:20:12  | 218.249.33.23   | 2029     |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-14 | 02:42:13   | 2010-08-14 | 02:42:49  | 85.25.20.51     | 3631     |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-15 | 12:50:13   | 2010-08-15 | 12:50:13  | 220.128.103.139 | 1        |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-15 | 15:55:48   | 2010-08-15 | 17:10:28  | 64.15.159.171   | 148217   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-16 | 09:40:00   | 2010-08-16 | 09:53:25  | 91.121.132.176  | 3039     |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-20 | 21:21:48   | 2010-08-20 | 21:30:44  | 115.146.19.233  | 32018    |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-21 | 22:59:17   | 2010-08-21 | 23:56:59  | 66.246.127.233  | 110170   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-22 | 14:35:34   | 2010-08-22 | 14:58:35  | 210.17.189.84   | 83977    |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-22 | 15:06:26   | 2010-08-22 | 16:27:03  | 209.172.57.41   | 144106   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-23 | 01:28:45   | 2010-08-23 | 01:28:45  | 82.201.218.31   | 1        |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-23 | 21:54:40   | 2010-08-23 | 23:14:47  | 64.22.82.135    | 167086   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-24 | 01:23:09   | 2010-08-24 | 01:23:09  | 62.84.34.18     | 1        |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-25 | 07:54:02   | 2010-08-25 | 07:55:54  | 38.99.168.133   | 16022    |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-25 | 17:19:20   | 2010-08-25 | 17:49:20  | 218.18.9.155    | 88302    |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-26 | 18:01:01   | 2010-08-26 | 19:36:12  | 208.86.252.86   | 166780   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-26 | 19:32:37   | 2010-08-26 | 21:08:50  | 86.122.211.134  | 113078   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-26 | 21:02:34   | 2010-08-26 | 21:02:50  | 173.1.78.157    | 2535     |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-26 | 21:33:23   | 2010-08-26 | 23:21:33  | 91.203.134.34   | 167334   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-26 | 22:47:08   | 2010-08-26 | 23:57:03  | 91.202.26.233   | 76167    |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-27 | 09:57:44   | 2010-08-27 | 10:48:07  | 66.197.145.85   | 228134   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-27 | 13:50:45   | 2010-08-27 | 13:50:47  | 119.255.6.100   | 315      |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-27 | 13:56:36   | 2010-08-27 | 14:16:48  | 119.145.9.190   | 96698    |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-27 | 21:23:11   | 2010-08-27 | 23:01:52  | 84.23.73.232    | 105549   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-29 | 06:50:41   | 2010-08-29 | 06:54:53  | 64.199.151.238  | 0        |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-29 | 06:50:41   | 2010-08-29 | 06:54:53  | 64.199.151.238  | 6168     |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-29 | 19:19:22   | 2010-08-29 | 19:36:39  | 69.72.242.170   | 115256   |
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-08-29 | 19:19:22   | 2010-08-29 | 19:36:39  | 69.72.242.170   | 6168     |
+------------------------------------------+------------+------------+------------+-----------+-----------------+----------+


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to ruin it.
If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E


-- 
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
               http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
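A fuller version of the "block from the log with a cron job" idea in the post above, added here as an example and not code from the original message or from the Asterisk project: it reads the same "[%b %e %T]" Asterisk log stamps shown in the post, counts failed registrations per source address within one hour, and only blocks sources that exceed a threshold, are not on a whitelist, and are not already blocked. The whitelist path /etc/asterisk/never-block, the THRESHOLD of 20, the cron schedule and the sample log lines (which use RFC 5737 documentation addresses) are all assumptions or constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: Asterisk's default
# "[%b %e %T]" log stamps as in the quoted log, iptables on the box, and a
# hypothetical whitelist file /etc/asterisk/never-block (one address per line)
# for sources that must never be blocked, e.g. your own phones and SIP trunks.

LOG=${LOG:-/var/log/asterisk/messages}
WHITELIST=${WHITELIST:-/etc/asterisk/never-block}
THRESHOLD=${THRESHOLD:-20}

# offenders HOUR LOGFILE MIN: print "count ip", highest count first, for every
# source with at least MIN failed registrations in the hour whose stamp prefix
# is HOUR (e.g. "Aug 29 19"). Both "No matching peer found" and "Wrong
# password" failures count; the source is the quoted token after "failed for".
offenders() {
    grep -F "[$1" "$2" |
    awk -v min="$3" '
        /Registration from .* failed for / {
            if (match($0, /failed for '\''[0-9.]+'\''/)) {
                ip = substr($0, RSTART + 12, RLENGTH - 13)
                n[ip]++
            }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' |
    sort -rn
}

# block_offenders HOUR: insert a DROP rule for each offender that is neither
# whitelisted nor already blocked (iptables -C returns 0 when an identical rule
# exists). With DRY set, print the commands instead of running them.
block_offenders() {
    offenders "$1" "$LOG" "$THRESHOLD" | while read -r count ip; do
        grep -qxF "$ip" "$WHITELIST" 2>/dev/null && continue
        if [ -n "$DRY" ]; then
            echo "iptables -I INPUT -s $ip -j DROP  # $count failures"
        elif ! iptables -C INPUT -s "$ip" -j DROP 2>/dev/null; then
            iptables -I INPUT -s "$ip" -j DROP
        fi
    done
}

# Constructed sample log (not real traffic): 25 failures from one scanner,
# 3 from a slower one, one failure in the previous hour, one wrong password.
sample_log() {
    f=$(mktemp)
    {
        i=0
        while [ "$i" -lt 25 ]; do
            echo "[Aug 29 19:13:36] NOTICE[21056] chan_sip.c: Registration from '\"u$i\"<sip:u$i@203.0.113.5>' failed for '198.51.100.7' - No matching peer found"
            i=$((i + 1))
        done
        echo "[Aug 29 19:14:01] NOTICE[21056] chan_sip.c: Registration from '\"a\"<sip:a@203.0.113.5>' failed for '198.51.100.8' - No matching peer found"
        echo "[Aug 29 19:14:02] NOTICE[21056] chan_sip.c: Registration from '\"b\"<sip:b@203.0.113.5>' failed for '198.51.100.8' - No matching peer found"
        echo "[Aug 29 19:14:03] NOTICE[21056] chan_sip.c: Registration from '\"c\"<sip:c@203.0.113.5>' failed for '198.51.100.8' - No matching peer found"
        echo "[Aug 29 18:59:59] NOTICE[21056] chan_sip.c: Registration from '\"d\"<sip:d@203.0.113.5>' failed for '198.51.100.9' - No matching peer found"
        echo "[Aug 29 19:20:00] NOTICE[21056] chan_sip.c: Registration from '\"ops\"<sip:ops@203.0.113.5>' failed for '192.0.2.10' - Wrong password"
    } > "$f"
    echo "$f"
}

# demo: dry run against the constructed sample with a threshold of 3.
demo() {
    LOG=$(sample_log); THRESHOLD=3; WHITELIST=/dev/null; DRY=1
    block_offenders "Aug 29 19"
}

# Cron entry, every ten minutes against the current hour:
#   */10 * * * * /usr/local/sbin/sipblock.sh run
case "${1:-}" in
    run)  block_offenders "$(date '+%b %e %H')" ;;
    demo) demo ;;
esac
```

Run it with "demo" to see the two rules it would insert for the sample, and from cron with "run". Two points from the post carry over: a scanner pacing itself below the threshold per hour never trips this, which is why the longer-lived start/stop tracking in the mysql table above is still worth keeping, and a whitelist matters because a source you depend on can also show up with "No matching peer found" after a config mistake.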
