I've been following some of the hacking posts.  To advise - these sorts
of Asterisk hack attempts and brute force attacks (both SSH, but
especially SIP 5060) are on the rise.  We deployed 4 test servers with
unique IP addresses over the past 7 days, with 2 production servers
(fortunately with IP Table rules and Fail2Ban implemented).  Within
literally a couple of hours of the machines going up, we immediately
encountered brute force friendly-scanner type SIP attacks.

There was one particular IP address, originating from a French dedicated
server hosting company (www.ovh.fr), which was causing me about 10 MB
of traffic per minute of pure SIP brute force.  Most attacks stop
after they observe their IP has been banned, but this one was being
particularly stubborn.  In about 24 hours and after about 10 gigabytes
of iptables packet drops from this IP, I picked up the phone, called
the hosting company in France and they put a cork on it immediately.
I was quite impressed at these guys in France suspending the culprit
server after I submitted the logs.

In a nutshell - this is what I have:

a)  ZERO access to anonymous sip calls.
b)  Complex alpha-numeric passwords for all SIP end points.
c)  Complex SSH password with IP-Tables configured to reject SSH
logins from IP address after 2nd attempt (for sys admins only)
d)  Only SIP and SSH service running on my platform
e)  Fail2Ban / IP TABLES blocking IP address for 15 minutes
f)  Brute force attackers being banned permanently within my IP tables
g)  China, South America, India and Israel IP address blocks completely banned.

My brute force attacks used to rank highest from Israel and then from
China.  Lately I'm beginning to see more attacks, usually giving up
within a few minutes, from Western Europe.  This one attack from France was
the most notorious of all.

If you are running one of the GUI variants of Asterisk such as TrixBox,
Elastix, ThirdLane and other similar type front-ends, be warned that
all default and dictionary-word type passwords are hacked within
minutes and your server compromised in record time.  Before you have
your services up and running, ensure that you change your default
passwords immediately (otherwise you are asking for it and inviting
problems).

Having all 4 test servers and 2 production servers experiencing brute
force SIP attacks within hours of deployment, I refuse to believe it's a
coincidence.  My conclusion from what I have observed over the past
several months is that there are sniffers out there that sniff SIP
ports 24/7.  Once they find SIP ports open, they brute force attack.
If you have firewall / IP table rules implemented, most give up
within minutes.

As a rule of thumb, what I am doing at my end is to ensure all my
servers have IP Tables, Fail2Ban and related protection tools deployed
before any voice services are deployed.

I would like to hear how you protect your servers.

Thank you,
Reza.


-- 
Toronto based VoIP / Asterisk Trainer,
I.T. Consultant and Hosted PBX Solutions Provider.
+1-647-476-2067.
http://www.linkedin.com/in/seminar
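An added example, not part of Reza's post, of the ban logic the post leans on (Fail2Ban in front of iptables): a fail2ban-style sliding window replayed over constructed Asterisk chan_sip registration-failure lines. The log format, IP addresses, extension names and the retry threshold are assumptions; the 15-minute ban length matches the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample modelled on chan_sip "Registration from ... failed for" NOTICE
# lines (format assumed, not captured traffic): 203.0.113.5 hammers, 198.51.100.7 is slow.
SAMPLE_LOG = """\
[Mar 10 12:00:01] NOTICE[2211] chan_sip.c: Registration from '"100" <sip:100@pbx.example.net>' failed for '203.0.113.5:5060' - Wrong password
[Mar 10 12:00:02] NOTICE[2211] chan_sip.c: Registration from '"101" <sip:101@pbx.example.net>' failed for '203.0.113.5:5060' - No matching peer found
[Mar 10 12:00:02] NOTICE[2211] chan_sip.c: Registration from '"102" <sip:102@pbx.example.net>' failed for '203.0.113.5:5060' - Wrong password
[Mar 10 12:00:03] NOTICE[2211] chan_sip.c: Registration from '"103" <sip:103@pbx.example.net>' failed for '203.0.113.5:5060' - Wrong password
[Mar 10 12:00:03] NOTICE[2211] chan_sip.c: Registration from '"104" <sip:104@pbx.example.net>' failed for '203.0.113.5:5060' - Wrong password
[Mar 10 12:05:00] NOTICE[2211] chan_sip.c: Registration from '"200" <sip:200@pbx.example.net>' failed for '198.51.100.7:5060' - Wrong password
[Mar 10 12:10:00] NOTICE[2211] chan_sip.c: Registration from '"105" <sip:105@pbx.example.net>' failed for '203.0.113.5:5060' - Wrong password
[Mar 10 12:20:00] NOTICE[2211] chan_sip.c: Registration from '"106" <sip:106@pbx.example.net>' failed for '203.0.113.5:5060' - Wrong password
[Mar 10 12:30:00] NOTICE[2211] chan_sip.c: Registration from '"200" <sip:200@pbx.example.net>' failed for '198.51.100.7:5060' - Wrong password
[Mar 10 12:55:00] NOTICE[2211] chan_sip.c: Registration from '"200" <sip:200@pbx.example.net>' failed for '198.51.100.7:5060' - Wrong password
[Mar 10 13:20:00] NOTICE[2211] chan_sip.c: Registration from '"200" <sip:200@pbx.example.net>' failed for '198.51.100.7:5060' - Wrong password
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - .*$"
)

def find_bans(log_text, maxretry=5, findtime=600, bantime=900):
    """Replay the log with fail2ban-style maxretry/findtime/bantime semantics
    (times in seconds, as in jail.conf) and return {ip: ban_expiry}. Hits that
    arrive during an active ban are ignored, as they would be once iptables
    drops the source. Syslog-style timestamps carry no year."""
    hits = defaultdict(deque)
    bans = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ip = m["ip"]
        if ip in bans and ts < bans[ip]:
            continue  # still banned: this packet never reaches Asterisk
        window = hits[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()  # slide stale failures out of the window
        if len(window) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            window.clear()  # counter restarts after the ban expires, as in fail2ban
    return bans
```

With the defaults only the fast source is banned; the slow source, spacing its attempts wider than findtime, never trips the jail, which is the gap a permanent ban list (item f in the post) is meant to close.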
