I too was getting scanned a lot. My system is locked down, so I wasn't
really worried about toll fraud, but it would fill up my logs and CDRs which
got annoying.
I wanted to still be able to accept certain unauthenticated inbound calls
(conf@ and james@, etc.), so I couldn't disable them altogether. So I put
together this little dialplan entry as a last resort in my incoming context:
; Don't accept any calls not identified above
exten => _.,1,Progress()
exten => _.,n,Set(CDR(userfield)=${EXTEN})
exten => _.,n,Wait(1)
exten => _.,n,Answer()
exten => _.,n,Set(BLKIP1=${CUT(CHANNEL,\/,2)})
exten => _.,n,Set(BLKIP2=${CUT(BLKIP1,\-,1)})
exten => _.,n,Noop(BLOCKING ALL VOIP TRAFFIC FROM ${BLKIP2})
exten => _.,n,System(echo ${BLKIP2} >> /mnt/kd/banlist)
exten => _.,n,System(iptables -A ADAPTIVE_BAN_CHAIN -p udp -s ${BLKIP2} -j ADAPTIVE_BAN_DROP_CHAIN)
exten => _.,n,Zapateller()
exten => _.,n,Playback(the-number-u-dialed)
exten => _.,n,SayDigits(${EXTEN})
exten => _.,n,Playback(has-been-disconnected&or&no-longer-in-service)
exten => _.,n,Playback(check-number-dial-again)
exten => _.,n,Congestion(5)
exten => _.,n,Hangup()
It will echo the IP address into a persistent banlist (which gets
reimplemented on a reboot), and then add an iptables rule to block any more
UDP traffic from that host. So if someone tries to scan me, the first
attempt will be accepted and logged, but any future attempts will be
blocked.
Has helped tremendously!
And I use the adaptive ban plug-in for sshd and asterisk user account scans.
-James
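As an added example (not part of James's post or of AstLinux), here is a small POSIX shell script that does the two things the dialplan above relies on outside Asterisk: it extracts the source address from a channel name the same way the two CUT() calls do, and it re-applies a persistent banlist such as /mnt/kd/banlist after a reboot. Each entry is checked to be a plain dotted-quad IPv4 address before it is placed into an iptables command, so a stray or malformed line in the file can never become extra shell arguments. The chain names are the ones from the post; the banlist path, the DRY_RUN switch and the function names channel_to_ip, valid_ipv4 and apply_banlist are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Re-applies a persistent banlist
# of scanner IPs to the ADAPTIVE_BAN_CHAIN iptables chain after a reboot.
# Assumed defaults (override via environment):
BANLIST="${BANLIST:-/mnt/kd/banlist}"          # path from the post, assumed persistent
CHAIN="${CHAIN:-ADAPTIVE_BAN_CHAIN}"            # chain names from the post
TARGET="${TARGET:-ADAPTIVE_BAN_DROP_CHAIN}"
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print rules, 0 = run iptables

# Mirror the dialplan's ${CUT(CHANNEL,\/,2)} followed by ${CUT(...,\-,1)}:
# "SIP/203.0.113.5-0000001a" -> "203.0.113.5".
channel_to_ip() {
    printf '%s\n' "$1" | cut -d/ -f2 | cut -d- -f1
}

# Return 0 only for a dotted-quad IPv4 address with four octets in 0..255.
# Anything else (hostnames, shell metacharacters, empty lines) is rejected.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read the banlist, drop duplicates, skip invalid lines, and emit (or apply)
# one UDP drop rule per address. Prints a summary line on stderr.
apply_banlist() {
    file="$1"
    [ -r "$file" ] || { echo "banlist $file is not readable" >&2; return 1; }
    n=0
    for ip in $(sort -u "$file"); do
        if ! valid_ipv4 "$ip"; then
            echo "skipping invalid banlist entry: $ip" >&2
            continue
        fi
        n=$((n + 1))
        if [ "$DRY_RUN" = 1 ]; then
            echo "iptables -A $CHAIN -p udp -s $ip -j $TARGET"
        else
            iptables -A "$CHAIN" -p udp -s "$ip" -j "$TARGET"
        fi
    done
    echo "applied $n ban rule(s) from $file" >&2
}

# Stand-alone usage: DRY_RUN=0 sh reapply-banlist.sh  (after the chains exist)
[ "${REAPPLY_ON_RUN:-0}" = 1 ] && apply_banlist "$BANLIST"
```

Run it with DRY_RUN=1 first to see the exact rules it would add; with DRY_RUN=0 it calls iptables directly, so it belongs in a boot script that runs after the firewall has created the two chains. Because sort -u deduplicates the file, a host that was appended several times by the dialplan still gets a single rule.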
On Thu, Apr 28, 2011 at 9:19 AM, Lonnie Abelbeck <[email protected]> wrote:
>
> On Apr 28, 2011, at 7:27 AM, Ingmar Schraub wrote:
>
> > On 04/28/2011 01:06 PM, Joss Giffard wrote:
> >> Hi,
> >>
> >> I recently updated our asterisk system to astlinux 0.7.7 whilst moving
> >> to a new SIP trunk provider. Everything seems to be up and running
> >> correctly apart from the fact that very occasionally each of the VoIP
> >> phones will receive an incoming call from 'asterisk' that once answered
> >> is simply silence... I was wondering if anyone else has experienced
> >> anything similar or has any idea what would be causing this (or indeed
> >> how to cure it). The phones themselves are all Grandstream GXP2000s.
> >
> > Looks like SIP scanning/spamming/toll fraud attack. You could tweak your
> > Asterisk configuration to not allow any other un-authenticated inbound
> > calls than from your SIP trunk provider and/or add some further security
> > controls to prevent such things.
> >
> > Here is a report from someone who had a similar experience:
> >
> >
> http://www.fonality.com/trixbox/forums/trixbox-forums/open-discussion/blank-call-caller-id-asterisk
> >
> > There are also some ideas on how to block such calls. Some are good,
> > some may not make sense to everyone.
> >
> > Regards,
> >
> > Ingmar
>
> I agree with Ingmar, additionally if you are using Asterisk 1.4 you might
> want to set:
> --
> alwaysauthreject=yes
> --
> (Asterisk 1.8 defaults to yes) to reduce the amount of information to the
> scanner.
>
> You may also want to enable the Adaptive Ban plugin:
>
> Network Tab -> Firewall Plugins: [ adaptive-ban ]
>
> set to ENABLED=1 via the { Configure Plugin } button, adjust any options
> and "Restart Firewall" to apply.
>
> The Adaptive Ban firewall plugin operates on the same principle as
> Fail2Ban, automatically blocking IP addresses that generate errors in the
> logs over a pre-defined threshold.
>
> Lonnie
>
> _______________________________________________
> Astlinux-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> [email protected].
>