On 01/02/2018 05:30 PM, sean darcy wrote:
On 12/30/2017 08:18 PM, Dovid Bender wrote:
Script kiddies trying to find vulnerable systems that they can make
calls on. Lock down the box with iptables and use fail2ban to block
them. The via is probably bogus unless a box at the DoD was compromised.
On Sat, Dec 30, 2017 at 6:49 PM, sean darcy <seandar...@gmail.com> wrote:
I've been getting a lot of timeouts on non-critical invite
transactions. I turned on sip debug. They were the result of SIP
invites like this:
Retransmitting #10 (NAT) to 185.107.94.10:13057:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP
215.45.145.211:5060;branch=z9hG4bK-524287-1---zg4cfkl50hpwpv4p;received=185.107.94.10;rport=13057
From: <sip:a'or'3=3--@<myip-address>;transport=UDP>;tag=fptfih1e
To: <sip:00141225184741@<myip-address>;transport=UDP>;tag=as2913c67b
Call-ID: 5YpLDUSIs6l3xbDXsurYTu..
CSeq: 1 INVITE
Server: Asterisk PBX 13.19.0-rc1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY,
INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk_home",
nonce="14be1363"
Content-Length: 0
I don't see how fail2ban would help. asterisk isn't rejecting
anything. There's no attempt with username/password.
How could I use iptables to "lock it down"? We get sip calls from all
over. Is there something about the incoming packet we could use? For
instance, any packet containing a VIA instruction? For that matter,
can SIP be configured to drop any VIA request?
fail2ban is most useful for blocking registration attempts. I handle
non-registration call attempts by allowing guests and pointing them to a
jail context, which runs Log(WARNING,fail2ban='${CHANNEL(peerip)}'). I set
a fail2ban rule to match that line logged from Asterisk.
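The jail-context approach from the last reply, sketched as an added example (not code from the thread, Asterisk or fail2ban): a failregex for the Log() line, checked against log lines the way a fail2ban jail counts matches. The context name `jail`, the log-line layout, the IPv4-only `<HOST>` stand-in and all sample lines are assumptions constructed for the demo.

```python
import re

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption for this demo).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical failregex for the jail context's Log() line. It is anchored to the
# WARNING prefix, the "Ext. <exten>:<prio> @ jail:" header and end of line, so the
# token only counts when the dialplan's own Log() call wrote it with the peer IP.
STRICT = (r"^\[[^\]]+\] WARNING\[\d+\](?:\[C-[0-9a-f]+\])?: "
          r"Ext\. \S+:\d+ @ jail: fail2ban='<HOST>'$")

# Unanchored variant, kept only to compare against STRICT.
LOOSE = r"fail2ban='<HOST>'"


def offenders(lines, failregex=STRICT, maxretry=3):
    """Return the IPs whose match count reaches maxretry, as a jail would ban them."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    counts = {}
    for line in lines:
        m = rx.search(line.rstrip("\n"))
        if m:
            ip = m.group("host")
            counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


# Constructed log lines (documentation-range IPs), not captured from a real system.
SAMPLE_LOG = [
    "[2018-01-02 17:30:01] WARNING[2201][C-0000002a]: Ext. 00141225184741:1 @ jail: fail2ban='203.0.113.7'",
    "[2018-01-02 17:30:03] WARNING[2202][C-0000002b]: Ext. 00141225184741:1 @ jail: fail2ban='203.0.113.7'",
    "[2018-01-02 17:30:05] WARNING[2203][C-0000002c]: Ext. 900441225184741:1 @ jail: fail2ban='203.0.113.7'",
    "[2018-01-02 17:31:10] WARNING[2210][C-0000002d]: Ext. s:1 @ jail: fail2ban='198.51.100.9'",
    # Same token inside unrelated logged text: must not count as a hit.
    "[2018-01-02 17:31:12] NOTICE[2211]: example.c:1 example: caller name was \"fail2ban='192.0.2.50'\"",
]

if __name__ == "__main__":
    print("strict, maxretry=3:", offenders(SAMPLE_LOG))
    print("loose,  maxretry=1:", offenders(SAMPLE_LOG, LOOSE, 1))
```

The strict pattern bans only on lines the jail context itself logged; the loose one also picks up the address embedded in the unrelated NOTICE line, which is why the filter should be anchored.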