One useful setting is alwaysauthreject=yes in your sip.conf. When that
option is not set, Asterisk responds differently to an authentication
using a valid user name (and invalid password) than it responds to an
authentication using an invalid username. So when the setting is off, the
hackers can figure out what accounts are valid (by scanning extensions
in sequence) and, once a valid extension is found, use brute force to
find the password. With the option on, the chances are very high that
they would use brute force on accounts that don't even exist.
And of course, install fail2ban, which will monitor your Asterisk logs
and blacklist the IP within 1-2 seconds of the time the attack started.

Liviu
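
Added example, not part of Liviu's post or of fail2ban itself: a small Python model of the fail2ban rule he describes (ban a source after N failed registrations inside a time window), run over constructed chan_sip NOTICE lines, plus a per-source breakdown of the failure reasons that the alwaysauthreject setting hides from the remote side. The log line shape follows the "Registration from ... failed for ..." NOTICE that the stock fail2ban asterisk filter matches; the addresses, account names and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of chan_sip NOTICE lines in the shape the stock fail2ban
# "asterisk" filter matches; the addresses, names and times are made up.
SAMPLE_LOG = """\
[2010-11-02 09:01:10] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[2010-11-02 09:01:10] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[2010-11-02 09:01:11] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[2010-11-02 09:01:11] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[2010-11-02 09:01:12] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[2010-11-02 09:30:00] NOTICE[2231] chan_sip.c: Registration from '"acme200" <sip:acme200@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'\"?(?P<acct>[^\"']+)\"?[^']*' failed for '(?P<ip>[0-9.]+)(?::\d+)?' - (?P<reason>.+)$")

def parse_failures(log_text):
    """Return (timestamp, source_ip, account_tried, reason) per failed REGISTER."""
    rows = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        rows.append((ts, m["ip"], m["acct"], m["reason"]))
    return rows

def ips_to_ban(log_text, maxretry=5, findtime=600):
    """fail2ban-style rule: ban an IP with maxretry failures in any findtime-second window."""
    by_ip = defaultdict(list)
    for ts, ip, _, _ in parse_failures(log_text):
        by_ip[ip].append(ts)
    banned = {}                         # ip -> time of the failure that tripped the ban
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0                       # oldest failure still inside the window
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned[ip] = ts
                break
    return banned

def reasons_by_ip(log_text):
    """Failure reasons per source; alwaysauthreject=yes keeps this split off the wire, not out of the log."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, ip, _, reason in parse_failures(log_text):
        counts[ip][reason] += 1
    return {ip: dict(c) for ip, c in counts.items()}
```

A source whose reasons shift from "No matching peer found" across many names to "Wrong password" on one name is the scan-then-brute-force pattern described above, and the window rule bans it on the fifth failure.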

On Tue, Nov 2, 2010 at 8:57 AM, Drew Gibson <[email protected]> wrote:
> At the risk of exposing secrets....
>
> 5- Use alpha characters in account names
>
> One of my customers was alerted to a successful hack by their service
> provider (thanks Stephan!). The only accounts exploited were the two
> remaining ones that were still numeric, the rest started with an alpha
> "company code". These were not even touched.
>
> Every instance of an attack I have seen uses three or four digit NUMBERS for
> the account name; I have yet to see an attack on accounts with letters in
> their names. Although account names are traditionally the "extension" number,
> Asterisk has no problem evaluating alphanumeric names. It's trivial to
> prepend dialled digits with a text string and strip it out again if needed.
>
> regards,
>
> Drew
>
>
> Stephan Monette wrote:
>>
>> Saurin,
>>
>> Hackers usually do their work after normal business hours in most cases.
>>
>> This is why you may see more activity during weekends and especially if
>> it's a long weekend.
>>
>> Here are some tips for the community:
>>
>> 1- Always try to filter (using your router) incoming SIP packets based on
>> the static IP address and only accept packets from your SIP provider and
>> known SIP extensions' IP addresses if possible.
>>
>> 2- Use strong passwords on all your web management interfaces.
>>
>> 3- Use strong passwords on all your trunks, IAX2 & SIP extensions.
>>
>> 4- If you do not make International calls, remove the 011... extension
>> from your dialplan. Most hackers want to use your PBX to make international
>> calls on your account.
>>
>> These lines should help you protect your server. It's not a complete
>> solution but it will reduce your chances of being hacked.
>>
>> A strong password should at least include a minimum of 8 digits with a mix
>> of numbers and letters.
>>
>> Stephan Monette
>> Unlimitel Inc.
>>
>> On 2010-10-31, at 12:33 PM, saurin ajmeri wrote:
>>
>>
>>>
>>> Hi Guys,
>>>
>>> Just wondering if anybody else is experiencing increasing attacks on
>>> Asterisk since last Friday. So far I have got almost 700 attempts and Fail2ban
>>> has banned those IPs. It's a mix of attacks from all over the place, mostly from
>>> telecom companies from the Middle East, UK, France and Russia.
>>>
>>>
>>> Thanks,
>>> Saurin
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
