On 12/30/2017 08:18 PM, Dovid Bender wrote:
Script kiddies trying to find vulnerable systems that they can make
calls on. Lock down the box with iptables and use fail2ban to block
them. The Via is probably bogus unless a box at the DoD was compromised.
On Sat, Dec 30, 2017 at 6:49 PM, sean darcy <[email protected]> wrote:
I've been getting a lot of timeouts on non-critical invite
transactions. I turned on sip debug. They were the result of SIP
invites like this:
Retransmitting #10 (NAT) to 185.107.94.10:13057:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 215.45.145.211:5060;branch=z9hG4bK-524287-1---zg4cfkl50hpwpv4p;received=185.107.94.10;rport=13057
From: <sip:a'or'3=3--@<myip-address>;transport=UDP>;tag=fptfih1e
To: <sip:00141225184741@<myip-address>;transport=UDP>;tag=as2913c67b
Call-ID: 5YpLDUSIs6l3xbDXsurYTu..
CSeq: 1 INVITE
Server: Asterisk PBX 13.19.0-rc1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY,
INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk_home",
nonce="14be1363"
Content-Length: 0
---
WARNING[1868]: chan_sip.c:4065 retrans_pkt: Retransmission timeout
reached on transmission 5YpLDUSIs6l3xbDXsurYTu.. for seqno 1
(Non-critical Response) -- See
https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
WARNING[1868]: chan_sip.c:4124 retrans_pkt: Timeout on
5YpLDUSIs6l3xbDXsurYTu.. on non-critical invite transaction.
Looking up the ip addresses :
whois 185.107.94.10
.............
inetnum: 185.107.94.0 - 185.107.94.255
netname: NFORCE_ENTERTAINMENT
descr: Serverhosting
..................
organisation: ORG-NE3-RIPE
org-name: NForce Entertainment B.V.
org-type: LIR
address: Postbus 1142
address: 4700BC
address: Roosendaal
address: NETHERLANDS
phone: +31206919299
...................
whois 215.45.145.211
.................
NetRange: 215.0.0.0 - 215.255.255.255
CIDR: 215.0.0.0/8
NetName: DNIC-NET-215
NetHandle: NET-215-0-0-0-1
Parent: ()
NetType: Direct Assignment
OriginAS:
Organization: DoD Network Information Center (DNIC)
RegDate: 1998-06-04
Updated: 2011-06-21
Ref: https://whois.arin.net/rest/net/NET-215-0-0-0-1
OrgName: DoD Network Information Center
OrgId: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
So how is someone on a Dutch ISP using my server to mess with a US
DoD ip address ?
--
I don't see how fail2ban would help. asterisk isn't rejecting anything.
There's no attempt with username/password.
How could I use iptables to "lock it down"? We get SIP calls from all
over. Is there something about the incoming packet we could use? For
instance, any packet containing a Via instruction? For that matter,
can SIP be configured to drop any Via request?
sean
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
Check out the new Asterisk community forum at: https://community.asterisk.org/
New to Asterisk? Start here:
https://wiki.asterisk.org/wiki/display/AST/Getting+Started
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
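The point of contention in the thread is which address in the quoted 401 is real. Asterisk copies the request's Via into the response and appends received= and rport= with the actual source address and port of the UDP datagram, and the "Retransmitting #10 (NAT) to 185.107.94.10:13057" line shows the reply going there, not to the 215.45.145.211 sent-by host, which the sender wrote into the packet itself. The added example below (not code from the thread, nor part of Asterisk) parses constructed headers modelled on the quoted message, flags a Via whose sent-by host disagrees with received=, flags a From user that is not a plausible extension (the quoted `a'or'3=3--`), and emits the iptables rule for the address that actually sent the packet. The header strings, the 203.0.113.x and 198.51.100.x addresses and the function names are assumptions made for this example.

```python
"""Classify an inbound SIP request from its Via and From headers.

Added example; not part of the thread or of Asterisk. The header lines
are constructed for this example, modelled on the 401 quoted above.
"""
import re

# Constructed: the Via/From/To from the thread's 401, with <myip-address>
# replaced by a documentation address (203.0.113.10).
SAMPLE_HEADERS = [
    "Via: SIP/2.0/UDP 215.45.145.211:5060;branch=z9hG4bK-524287-1---zg4cfkl50hpwpv4p;received=185.107.94.10;rport=13057",
    "From: <sip:a'or'3=3--@203.0.113.10;transport=UDP>;tag=fptfih1e",
    "To: <sip:00141225184741@203.0.113.10;transport=UDP>;tag=as2913c67b",
    "Call-ID: 5YpLDUSIs6l3xbDXsurYTu..",
    "CSeq: 1 INVITE",
]

# Constructed: a benign request whose sent-by host matches the real source.
BENIGN_HEADERS = [
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK776asdhds;received=198.51.100.7;rport=5060",
    "From: <sip:[email protected];transport=UDP>;tag=1928301774",
    "To: <sip:[email protected]>",
]

# Via: SIP/2.0/<transport> <sent-by>[;param[=value]]...
VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/(\w+)\s+([^;\s]+)((?:;[^;\s]*)*)", re.I)
# Anything outside what a dialled number or extension name would contain.
SUSPICIOUS_USER = re.compile(r"[^A-Za-z0-9._+*#-]")


def parse_via(line):
    """Return (sent_by_host, received, rport) from one Via header line."""
    m = VIA_RE.match(line)
    if not m:
        raise ValueError("not a Via header: %r" % line)
    sent_by = m.group(2)
    # Strip a trailing :port from an IPv4/hostname sent-by; leave IPv6 alone.
    host = sent_by.rsplit(":", 1)[0] if sent_by.count(":") == 1 else sent_by
    params = {}
    for p in m.group(3).split(";"):
        if p:
            k, _, v = p.partition("=")
            params[k.lower()] = v
    return host, params.get("received"), params.get("rport")


def from_user(line):
    """Return the user part of the From URI ('' if absent)."""
    m = re.match(r"^From:.*?<?sip:([^@>;]*)@", line, re.I)
    return m.group(1) if m else ""


def classify(headers):
    via = next((h for h in headers if h.lower().startswith("via:")), None)
    frm = next((h for h in headers if h.lower().startswith("from:")), None)
    if via is None:
        raise ValueError("no Via header")
    sent_by, received, rport = parse_via(via)
    # The address to act on is where the datagram came from. The server puts
    # that in received= when it differs from sent-by (RFC 3261 18.2.1); if
    # received= is absent, sent-by already matched the source address.
    source = received or sent_by
    user = from_user(frm) if frm else ""
    return {
        "via_sent_by": sent_by,
        "source": source,
        "source_port": rport,
        "via_spoofed": received is not None and received != sent_by,
        "from_user": user,
        "from_user_suspicious": bool(SUSPICIOUS_USER.search(user)),
    }


def block_rule(source):
    """iptables line for the real source; the Via sent-by host is never used."""
    return "iptables -I INPUT -p udp --dport 5060 -s %s -j DROP" % source


if __name__ == "__main__":
    for label, hdrs in (("thread sample", SAMPLE_HEADERS), ("benign", BENIGN_HEADERS)):
        r = classify(hdrs)
        print(label, r)
        if r["via_spoofed"] or r["from_user_suspicious"]:
            print("  ->", block_rule(r["source"]))
```

Run on the thread's sample this yields source 185.107.94.10 (the Dutch hosting range), via_spoofed True and a flagged From user; the benign request is left alone. The received= address is trustworthy enough to block because a scanner that wants the 401 (or a 200) back has to use a source it can receive on; the sent-by host costs the sender nothing to fake, which is why the DoD range shows up in the Via and why blocking on Via contents would hit the wrong network.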