On Sun, Nov 07, 2010 at 07:11:43AM -0700, Steve Murphy wrote:
> Hey, I'm going thru logs, and I see some very common and interesting things
> that the hackers are looking for.
>
> In a whole bunch of scans, I've noticed that the first guess or two for sip
> accounts is usually a 10-digit number. I'm asking myself, why these numbers?
> Are they looking for a voip trunk? Or is it just like a serial number for the
> scan? What?
It's SIPVicious. Before it starts its sequential scan, it makes sure that it can tell the difference between a valid peer and an unknown one. It tries two random peers, expecting a 404 response to at least one (most likely both) of them. Then, if it later gets a 401 during the sequential scan, it knows it's found a good peer name that can be targeted for password guessing.

On the other hand, if both random guesses elicit 401 responses to REGISTERs, it knows that it can't winnow out the real peers, and (normally) just gives up right there. That's why 'alwaysauthreject' is so effective at stopping the attacks (as opposed to blocking them).

But if the attacker uses the '--force' option, which causes the scan to press on regardless, or something other than SIPVicious, only something like fail2ban will help, but that won't save your bandwidth like 'alwaysauthreject' will.

-- Barry
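The log-side counterpart to the scan pattern Barry describes (two random 10-digit probes, then a sequential walk through extensions), as an added example that is not part of the thread: a small Python filter over constructed chan_sip "Registration from ... failed" lines that flags source IPs showing that sequence, the kind of signal a fail2ban-style rule could key on. The sample lines, the log-line regex and the `looks_like_sipvicious` heuristic are assumptions for illustration, not SIPVicious or Asterisk code.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real traffic) in the chan_sip
# "Registration from ... failed for ..." format. The first two usernames
# from 198.51.100.7 are random 10-digit probes; the rest start a sequential
# extension scan. 192.0.2.44 is an ordinary user with a mistyped password.
SAMPLE_LOG = """\
[Nov  7 07:01:02] NOTICE[1234] chan_sip.c: Registration from '"4839201756" <sip:4839201756@203.0.113.10>' failed for '198.51.100.7:5060' - No matching peer found
[Nov  7 07:01:02] NOTICE[1234] chan_sip.c: Registration from '"9172034455" <sip:9172034455@203.0.113.10>' failed for '198.51.100.7:5060' - No matching peer found
[Nov  7 07:01:03] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.7:5060' - No matching peer found
[Nov  7 07:01:03] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.7:5060' - No matching peer found
[Nov  7 07:01:03] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[Nov  7 07:05:10] NOTICE[1234] chan_sip.c: Registration from '"alice" <sip:alice@203.0.113.10>' failed for '192.0.2.44:5060' - Wrong password
"""

# Pulls the attempted username and the source IP out of one failure line.
LINE_RE = re.compile(
    r"Registration from '\"?(?P<user>[^\"<]+?)\"?\s*<[^>]*>' failed for "
    r"'(?P<ip>[\d.]+):\d+' - (?P<reason>.+)$"
)

def parse_failures(log_text):
    """Return {source_ip: [username, ...]} with usernames in log order."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            by_ip[m.group("ip")].append(m.group("user"))
    return dict(by_ip)

def looks_like_sipvicious(users, min_sequential=3):
    """Heuristic: two 10-digit numeric probes, then ascending numeric names."""
    if len(users) < 2 + min_sequential:
        return False
    probes, rest = users[:2], users[2:]
    if not all(u.isdigit() and len(u) == 10 for u in probes):
        return False
    nums = [int(u) for u in rest if u.isdigit()]
    if len(nums) < min_sequential:
        return False
    return all(b == a + 1 for a, b in zip(nums, nums[1:]))

def suspicious_sources(log_text):
    """Source IPs whose failure sequence matches the scan signature."""
    return sorted(ip for ip, users in parse_failures(log_text).items()
                  if looks_like_sipvicious(users))
```

This pattern match is only a second signal; a plain per-IP failure-count threshold, as fail2ban applies, already catches a scan that used `--force` and never stopped.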
