As with any service exposed to the Internet on an open port, you will be
scanned/poked/prodded/etc. all the time. With VoIP becoming ever more
prominent in homes and businesses, which have a tendency to be
mis-configured and vulnerable, it will only get worse. You have a few
options to try and mitigate this:
1) Ensure that the service is as secure as possible (i.e. kept up to
date/patched), utilize strong passwords and make sure that your dialplan
can't be circumvented.
2) Set up firewall rules to only permit traffic to be accepted on those
ports from known/trusted hosts. If you don't have a need for remote
hosts to connect to your box on UDP 5060, you can block it from being
accessible.
3) Assuming you control the remote devices, you can try changing the
port to something less common.
4) Configure your box with a script/program, or utilize the Asterisk
dialplan, to function as a VoIP IDS/IPS system. This is what I do. If a
call comes into the default context and goes to an invalid extension, it
will immediately blacklist the host from being able to attempt to
connect in the future. So unless the call comes in under one of the DIDs
I own, or a pre-configured destination (e.g. james@, conf@, etc.), the
caller will be blacklisted. The last part of my dialplan for that
context is:
exten => _X.,1,Progress()
exten => _X.,n,Gosub(store-cid,s,1)
exten => _X.,n,Set(CDR(userfield)=${EXTEN})
exten => _X.,n,Notify(${CALLERID(num)}|${CALLERID(name)}|${EXTEN}0/172.20.0.100)
exten => _X.,n,Wait(1)
exten => _X.,n,Answer()
; record the source IP of the SIP channel that placed the call
exten => _X.,n,Set(BANIP=${SIPCHANINFO(recvip)})
exten => _X.,n,NoOp(IP is ${BANIP})
; persist the ban so the start-up script can re-apply it after a reboot
exten => _X.,n,System(echo ${BANIP} >> /mnt/kd/banlist)
; block further UDP traffic from this host immediately
exten => _X.,n,System(iptables -A ADAPTIVE_BAN_CHAIN -p udp -s ${BANIP} -j ADAPTIVE_BAN_DROP_CHAIN)
exten => _X.,n,Zapateller()
exten => _X.,n,Playback(the-number-u-dialed)
exten => _X.,n,SayDigits(${EXTEN})
exten => _X.,n,Playback(has-been-disconnected&or&no-longer-in-service)
exten => _X.,n,Playback(check-number-dial-again)
exten => _X.,n,Congestion(5)
exten => _X.,n,Hangup()
It will immediately add an iptables rule to block UDP traffic from that
host, as well as add them into a list (which gets processed by a
start-up script) to add them back in after a reboot. After about a year,
I have 157 entries in this list. While it doesn't prevent the initial
pass of an attack, it ensures that they never get another whack at it, at
least from the same IP. Since 99% of these attacks are automated and
scripted, as opposed to a manual and dedicated direct attack, it will
take care of eliminating all but the most serious attacker. Since my
dialplan is already locked down pretty tightly, the scans themselves
would never actually successfully place a call, but it helps keep my
logs/CDRs looking clean.
Since the attacker is trying to place calls to (and through) your box,
as opposed to trying to register as a peer, the adaptive ban plugin
won't catch it. I do use that as well, but for the account scanners,
which seem to be fairly rare in comparison to the former.
-James
On 03/03/2012 08:43 PM, David Kerr wrote:
Found in my log this evening...
Mar 3 19:39:39 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in handle_request_invite: Call from '' (95.130.23.40:5060) to extension '94637683556325' rejected because extension not found in context 'default'.
Mar 3 19:39:40 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in handle_request_invite: Call from '' (95.130.23.40:5060) to extension '0442032989450' rejected because extension not found in context 'default'.
Mar 3 19:39:43 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in handle_request_invite: Call from '' (95.130.23.40:5060) to extension '00442032989450' rejected because extension not found in context 'default'.
Mar 3 19:39:46 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in handle_request_invite: Call from '' (95.130.23.40:5060) to extension '000442032989432' rejected because extension not found in context 'default'.
Mar 3 19:39:49 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in handle_request_invite: Call from '' (95.130.23.40:5060) to extension '0001442032989434' rejected because extension not found in context 'default'.
Mar 3 19:39:52 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in handle_request_invite: Call from '' (95.130.23.40:5060) to extension '001442032989432' rejected because extension not found in context 'default'.
Mar 3 19:39:55 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in handle_request_invite: Call from '' (95.130.23.40:5060) to extension '9442032989438' rejected because extension not found in context 'default'.
Mar 3 19:39:58 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in handle_request_invite: Call from '' (95.130.23.40:5060) to extension '900442032989438' rejected because extension not found in context 'default'.
Mar 3 19:40:01 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in handle_request_invite: Call from '' (95.130.23.40:5060) to extension '9011442032989450' rejected because extension not found in context 'default'.
Mar 3 19:40:04 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in handle_request_invite: Call from '' (95.130.23.40:5060) to extension '90442032989438' rejected because extension not found in context 'default'.
Mar 3 19:40:07 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in handle_request_invite: Call from '' (95.130.23.40:5060) to extension '011442032989438' rejected because extension not found in context 'default'.
Mar 3 19:40:10 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in handle_request_invite: Call from '' (95.130.23.40:5060) to extension '+00442032989452' rejected because extension not found in context 'default'.
Mar 3 19:40:13 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in handle_request_invite: Call from '' (95.130.23.40:5060) to extension '+011442032989450' rejected because extension not found in context 'default'.
Mar 3 19:40:16 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in handle_request_invite: Call from '' (95.130.23.40:5060) to extension '+0442032989431' rejected because extension not found in context 'default'.
Mar 3 19:40:19 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in handle_request_invite: Call from '' (95.130.23.40:5060) to extension '+900442032989453' rejected because extension not found in context 'default'.
Mar 3 19:40:22 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in handle_request_invite: Call from '' (95.130.23.40:5060) to extension '+9011442032989436' rejected because extension not found in context 'default'.
Mar 3 19:40:25 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in handle_request_invite: Call from '' (95.130.23.40:5060) to extension '+442032989438' rejected because extension not found in context 'default'.
Mar 3 19:40:28 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in handle_request_invite: Call from '' (95.130.23.40:5060) to extension '442032989436' rejected because extension not found in context 'default'.
Someone is fishing for an Asterisk server that will route
international calls. Make sure you are buttoned up tight. Should the
adaptive-ban firewall plugin have detected this? Doesn't appear to
have... maybe because the firewall let it through and it is Asterisk
that rejected the request?
David
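The two messages above describe the same gap from both sides: David's log shows INVITEs to unknown extensions that the adaptive-ban plugin did not react to, and James closes it from inside the dialplan by banning the source IP of any call that lands on an invalid extension. The script below is an added example (not code from either poster or from AstLinux) showing the equivalent as a log watcher: it parses the chan_sip "extension not found" NOTICE lines, counts rejections per source IP in the default context, skips allowlisted local networks so a misdialling LAN phone is not banned, and renders the same iptables rule James's dialplan issues. The sample log lines are constructed and modelled on David's; the 172.20.0.50 and 203.0.113.7 hosts, the 'from-trusted' context, and the registration line are made up for the demo.

```python
import re
import ipaddress
from collections import Counter

# Pattern for the chan_sip NOTICE shown in the thread:
#   Call from '<user>' (<ip>:<port>) to extension '<exten>' rejected because
#   extension not found in context '<context>'.
REJECT_RE = re.compile(
    r"Call from '(?P<user>[^']*)' "
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\) "
    r"to extension '(?P<exten>[^']*)' rejected because "
    r"extension not found in context '(?P<context>[^']*)'"
)

# Constructed sample log, modelled on the lines in the thread. The 172.20.0.50 and
# 203.0.113.7 hosts, the 'from-trusted' context and the REGISTER line are made up.
SAMPLE_LOG = [
    "Mar 3 19:39:39 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in "
    "handle_request_invite: Call from '' (95.130.23.40:5060) to extension '94637683556325' "
    "rejected because extension not found in context 'default'.",
    "Mar 3 19:39:40 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in "
    "handle_request_invite: Call from '' (95.130.23.40:5060) to extension '0442032989450' "
    "rejected because extension not found in context 'default'.",
    # a LAN phone misdialling: must not be banned when the LAN is allowlisted
    "Mar 3 19:41:02 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in "
    "handle_request_invite: Call from 'deskphone' (172.20.0.50:5060) to extension '9999' "
    "rejected because extension not found in context 'default'.",
    # a rejection in a different context: not part of the default-context count
    "Mar 3 19:41:30 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:22461 in "
    "handle_request_invite: Call from 'trunk' (203.0.113.7:5060) to extension '100' "
    "rejected because extension not found in context 'from-trusted'.",
    # unrelated line: ignored by the parser
    "Mar 3 19:42:00 pbx local0.notice asterisk[3257]: NOTICE[3324]: chan_sip.c:23876 in "
    "handle_request_register: Registered SIP 'james' at 172.20.0.100:5060",
]


def parse_rejections(lines):
    """Return one dict (user, ip, port, exten, context) per rejection; other lines are skipped."""
    events = []
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def hosts_to_ban(events, threshold=1, context="default", allowlist=()):
    """Source IPs with at least `threshold` rejections in `context`, excluding allowlisted nets.

    James's dialplan bans on the first bad call; `threshold` lets a log watcher be
    more lenient, and `allowlist` keeps trusted networks out of the drop chain.
    """
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    counts = Counter(e["ip"] for e in events if e["context"] == context)
    banned = []
    for ip, n in counts.items():
        if n < threshold:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in allowed):
            continue
        banned.append(ip)
    return sorted(banned)


def iptables_rules(ips, chain="ADAPTIVE_BAN_CHAIN", target="ADAPTIVE_BAN_DROP_CHAIN"):
    """Render the rule James's dialplan runs via System(); nothing is executed here."""
    return [f"iptables -A {chain} -p udp -s {ip} -j {target}" for ip in ips]


def run_sample():
    """Process the constructed log: ban after 2 rejections, never ban the 172.20.0.0/16 LAN."""
    events = parse_rejections(SAMPLE_LOG)
    ips = hosts_to_ban(events, threshold=2, allowlist=["172.20.0.0/16"])
    return iptables_rules(ips)


if __name__ == "__main__":
    for rule in run_sample():
        print(rule)
```

Run against a live log (for example by tailing /var/log/messages into `parse_rejections`) the same functions yield the ban list and rules; appending each banned IP to a persistent file, as James does with his banlist, is what lets the rules survive a reboot.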
------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to
pay...@krisk.org.