On 05/17/2018 05:29 PM, sean darcy wrote:
On 05/17/2018 04:47 PM, Daniel Tryba wrote:
On Thu, May 17, 2018 at 12:27:17PM -0400, sean darcy wrote:
        WARNING.* .*: fail2ban='<HOST>'

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =


Thanks. Very useful as a tutorial for fail2ban.

But I don't think it covers this SIP hack. This guy isn't trying to
register.

His filter doesn't only trigger on REGISTERs, see the last line of the
matches and the context for guests (which logs the pattern of the last
line of the filter on an INVITE).


I'm far from a regex expert, but I don't think that last line would capture anything in the invite. In fact, asterisk doesn't throw any WARNING at all for this INVITE.

I'm not sure, but I don't even see how you can get asterisk to log these invites at all. There's no heading such as WARNING( or NOTICE, SECURITY, etc).

That's why I find it puzzling. What is he trying to do?

There are SIP servers publicly reachable that will relay INVITEs, make
sure yours aren't. And there are only 2 kinds of operators of SIP
servers:
- those that have been the victim of toll fraud
- those that will be the victim of toll fraud

You can do nothing to stop this kind of traffic. The only thing you can
do is block it, either using only a whitelist (cumbersome) or generate a
blacklist with for example fail2ban or a more elaborate honeypot setup.
Or set up a proxy that will filter patterns you discover from

BTW this is not a person, this is an automated script, running most
likely on compromised machines and sending spoofed IPs. These scripts
care about generating a ring on a phone (again mostly an abusable/hacked
account (or purchased with CC fraud)). If they find a server that does,
it will be targeted for all kinds of fraud.


Very interesting.

sen

I found these by staring at sip debug, and tying together the SIP retransmission id with the INVITE. That was an afternoon! Is there any way to automate this? Specifically, find the INVITE that generates the retransmission?

Otherwise, I can't see how anyone could block these attempts.

> There are sip servers publicly reachable that will relay INVITEs, make
> sure yours aren't.

How do I make sure my server won't relay INVITEs?

sean
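As an added example (not code from this thread, from Asterisk or from fail2ban), the correlation asked for above: SIP identifies a request transaction by Call-ID, CSeq and the branch parameter of the top Via header (RFC 3261), so grouping raw requests on those three headers finds every retransmission's original INVITE and the host that sent it. It assumes a capture of raw SIP requests separated by blank lines; the embedded sample traffic is constructed.

```python
import re
from collections import defaultdict

# Constructed sample (not a real capture): an INVITE, one retransmission
# of it, and an unrelated OPTIONS. Feed real traffic in the same framing.
SAMPLE = """\
INVITE sip:00123456789@198.51.100.10 SIP/2.0
Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK-c1
Call-ID: abc123@203.0.113.5
CSeq: 1 INVITE

INVITE sip:00123456789@198.51.100.10 SIP/2.0
Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK-c1
Call-ID: abc123@203.0.113.5
CSeq: 1 INVITE

OPTIONS sip:198.51.100.10 SIP/2.0
Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-o1
Call-ID: def456@203.0.113.7
CSeq: 1 OPTIONS
"""
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
HEADER = re.compile(r"^([A-Za-z-]+):\s*(.*)$")

def parse_messages(capture):
    """Split a blank-line-separated capture into (method, uri, headers) tuples."""
    messages = []
    for block in re.split(r"\n\s*\n", capture.strip()):
        lines = block.strip().splitlines()
        m = REQUEST_LINE.match(lines[0])
        if not m:  # responses or noise: not a request, skip it
            continue
        headers = {h.group(1).lower(): h.group(2)
                   for h in map(HEADER.match, lines[1:]) if h}
        messages.append((m.group(1), m.group(2), headers))
    return messages

def find_retransmissions(capture):
    """Group requests by transaction key (Call-ID, CSeq, top Via branch);
    a key seen more than once is a retransmission, v[0] is the original."""
    seen = defaultdict(list)
    for method, uri, hdrs in parse_messages(capture):
        via = hdrs.get("via", "")
        branch = re.search(r"branch=([^;\s]+)", via)
        sent_by = re.match(r"SIP/2\.0/\w+\s+([^;\s]+)", via)
        key = (hdrs.get("call-id"), hdrs.get("cseq"), branch.group(1) if branch else None)
        seen[key].append((method, uri, sent_by.group(1) if sent_by else "?"))
    return {k: {"method": v[0][0], "uri": v[0][1], "sent_by": v[0][2], "copies": len(v)}
            for k, v in seen.items() if len(v) > 1}
```

The sent_by host and request-URI of each reported entry are what you would feed a blacklist or a fail2ban-style rule, rather than the retransmission itself.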


--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
     https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users
