You would start by analysing the CDR log and looking to see from which
context the calls are originating.
Make sure that you don't have a "default" context, but if you do need it
(to receive legitimate inbound calls) then make sure that this context only
permits access to internal extensions, not any external number.
Also, for every SIP extension, restrict the IP addresses that can access it,
for example...
deny = 0.0.0.0/0.0.0.0
permit = 192.168.1.0/255.255.255.0
If you have a need for an extension to connect from outside your local IP
range, then permit them on a one-by-one basis, use strong passwords, and
consider connecting them to a more restrictive context (one that, for example,
prohibits international or premium rate calls but lets through regular
domestic calls).
Turn on the adaptive ban firewall plugin.
That's about all I can think of for now. I'm sure there is more.
David
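A small script, added here as an example and not part of David's message or of the AstLinux/Asterisk projects, that does the first step he describes: read the CDR log (Asterisk's stock Master.csv layout) and show, per dialplan context and originating peer, how many calls went to expensive destinations and how many billable seconds they consumed. The prefix list, the peer names and the four CDR lines are constructed for the example; the field order is the one cdr_csv writes.

```python
"""
Added example (not from the AstLinux thread or the Asterisk project): a CDR
review pass for the step "analyse the CDR log and look at which context the
calls originate from".

Parses Asterisk's default Master.csv layout (18 quoted fields, in the order
the cdr_csv module writes them) and summarises, per dialplan context and per
originating peer, how many calls went to "expensive" destinations.
"""
import csv
import io
from collections import defaultdict

# Field names of the stock Asterisk Master.csv, in order.
CDR_FIELDS = [
    "accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
    "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
    "disposition", "amaflags", "uniqueid", "userfield",
]

# ASSUMPTION: destination prefixes that are expensive for this site. "00" and
# "011" are common international dial-out prefixes; "900" is a placeholder.
EXPENSIVE_PREFIXES = ("00", "011", "+", "900")

# Constructed sample CDR lines (not real call records): two daytime domestic
# calls and two long night-time international calls routed via "default".
SAMPLE_CDR = '''\
"","201","2015551234","internal","""Alice"" <201>","SIP/201-00000001","SIP/trunk-00000002","Dial","SIP/trunk/2015551234,30","2012-07-16 08:01:12","2012-07-16 08:01:20","2012-07-16 08:04:00","168","160","ANSWERED","3","1342425672.1",""
"","201","00441234567890","default","""Alice"" <201>","SIP/201-00000003","SIP/trunk-00000004","Dial","SIP/trunk/00441234567890,30","2012-07-16 02:11:05","2012-07-16 02:11:09","2012-07-16 02:41:09","1804","1800","ANSWERED","3","1342404665.3",""
"","201","00252612345678","default","""Alice"" <201>","SIP/201-00000005","SIP/trunk-00000006","Dial","SIP/trunk/00252612345678,30","2012-07-16 02:42:00","2012-07-16 02:42:03","2012-07-16 03:12:03","1803","1800","ANSWERED","3","1342406520.5",""
"","202","2015559876","internal","""Bob"" <202>","SIP/202-00000007","SIP/trunk-00000008","Dial","SIP/trunk/2015559876,30","2012-07-16 09:30:00","2012-07-16 09:30:04","2012-07-16 09:31:00","60","56","ANSWERED","3","1342431000.7",""
'''


def parse_cdr(text):
    """Parse Master.csv text into a list of dicts keyed by CDR_FIELDS."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(CDR_FIELDS):
            continue  # skip truncated or otherwise malformed lines
        records.append(dict(zip(CDR_FIELDS, row)))
    return records


def peer_of(channel):
    """'SIP/201-00000003' -> 'SIP/201': the peer that originated the call."""
    return channel.rsplit("-", 1)[0]


def is_expensive(dst):
    """True when the dialled number starts with one of the flagged prefixes."""
    return dst.startswith(EXPENSIVE_PREFIXES)


def summarise(records):
    """
    Return {(dcontext, peer): {"calls": n, "expensive": m, "expensive_billsec": s}}
    so the context and peer that the costly calls came through stand out.
    """
    out = defaultdict(lambda: {"calls": 0, "expensive": 0, "expensive_billsec": 0})
    for r in records:
        entry = out[(r["dcontext"], peer_of(r["channel"]))]
        entry["calls"] += 1
        if is_expensive(r["dst"]):
            entry["expensive"] += 1
            entry["expensive_billsec"] += int(r["billsec"] or 0)
    return dict(out)


def suspicious_contexts(summary):
    """Contexts through which at least one expensive call was completed."""
    return sorted({ctx for (ctx, _peer), v in summary.items() if v["expensive"]})


if __name__ == "__main__":
    s = summarise(parse_cdr(SAMPLE_CDR))
    for (ctx, peer), v in sorted(s.items()):
        print(f"{ctx:<10} {peer:<10} calls={v['calls']} "
              f"expensive={v['expensive']} expensive_billsec={v['expensive_billsec']}")
    print("contexts to review:", suspicious_contexts(s))
```

On a real box you would feed it /var/log/asterisk/cdr-csv/Master.csv; the context column is the one to watch, since calls landing in a permissive "default" context from a peer that should only ever reach "internal" is exactly the pattern the advice above is about.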
On Mon, Jul 16, 2012 at 9:17 AM, Ron Byer Lists <[email protected]> wrote:
> Sorry to hear this... A few notes from the voice of experience:
>
> Probable cause:
> Hacked SIP password from an unauthorized IP address. The problem could be
> an overly simplistic or nonexistent SIP secret. Look at your logs and
> see what the source channel(s) are/is and shut that channel or channels
> down by changing the SIP password. There are probably more than a single
> IP address doing it, so IP blacklisting may not work... Instead, can you
> whitelist legit addresses and shut out the remainder?
>
> Longer term:
> - go to IP authentication if possible.
> - run a cron job every hour making sure that passwords are not missing
> or too simple.
>
> Ron
>
>
>
>
> On 7/16/2012 8:59 AM, Tom Chadwin wrote:
> > Hello all
> >
> > It's finally happened, and our Astlinux box has been compromised, with
> > many premium/unauthorized calls being made. Would someone be willing to
> > help out diagnose what happened and rectify the vulnerability? Obviously,
> > this can be paid work. If anyone is interested, and can get back to me
> > with a quote, I'd be extremely grateful.
> >
> > Thanks
> >
> > Tom
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and
> > threat landscape has changed and how IT managers can respond. Discussions
> > will include endpoint security, mobile security and the latest in malware
> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > _______________________________________________
> > Astlinux-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >
> > Donations to support AstLinux are graciously accepted via PayPal to
> > [email protected].
>
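An audit script, added as an example and not code from the thread or from Asterisk, that puts two of the suggestions above into one periodic check: Ron's hourly cron job confirming that no SIP secret is missing or too simple, and David's rule that every extension carries a deny/permit pair and stays out of the "default" context. It includes a deliberately small parser for Asterisk's config syntax (sections, key=value, "(!)" templates and "(template)" inheritance) because stock INI parsers reject the template markers and collapse repeated keys such as multiple permit lines. The length policy, the weak-secret list and the sample sip.conf are constructed for the example.

```python
"""
Added example (not from the thread or the Asterisk project): a sip.conf audit
suitable for running from cron. It flags peers with no secret, short or
trivially guessable secrets, no deny/permit source-IP restriction, or a
context of "default".
"""
import re
from collections import OrderedDict

MIN_SECRET_LENGTH = 12                                      # ASSUMPTION: site policy
WEAK_SECRETS = {"1234", "password", "secret", "asterisk"}   # constructed list

# "[name]", "[name](!)", "[name](tmpl)" or "[name](!,tmpl)"
SECTION_RE = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?\s*$")

# Constructed sample sip.conf: one well-configured phone, two that are not.
SAMPLE_SIP_CONF = """\
[general]
context=default
allowguest=no

[office-phone](!)
type=friend
host=dynamic
context=internal
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0

[201](office-phone)
secret=Lw7v!q2mR9xT4pZs   ; strong secret, pinned to the LAN by the template

[202](office-phone)
secret=202                ; secret equals the extension name

[203]
type=friend
host=dynamic
context=default           ; no deny/permit, no secret, lands in "default"
"""


def parse_asterisk_conf(text):
    """
    Return OrderedDict name -> list of (key, value) pairs, with template
    inheritance expanded. Duplicate keys (e.g. several 'permit' lines) are kept.
    """
    sections, templates, current = OrderedDict(), {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name, flags = m.group(1), (m.group(2) or "")
            parts = [p.strip() for p in flags.split(",") if p.strip()]
            pairs = []
            for parent in parts:                      # copy inherited settings
                if parent != "!" and parent in templates:
                    pairs.extend(templates[parent])
            current = pairs
            if "!" in parts:
                templates[name] = pairs
            else:
                sections[name] = pairs
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.append((key.strip().lower(), value.strip()))
    return sections


def values(pairs, key):
    """All values set for key, in file order (last one wins in Asterisk)."""
    return [v for k, v in pairs if k == key]


def audit_peers(sections):
    """Return a list of (peer, problem) tuples for every SIP peer definition."""
    findings = []
    for name, pairs in sections.items():
        types = values(pairs, "type")
        if name == "general" or not types or types[-1] not in ("friend", "peer", "user"):
            continue                                  # not a peer definition
        secret = values(pairs, "secret")
        if not secret:
            findings.append((name, "no secret set"))
        else:
            s = secret[-1]
            if len(s) < MIN_SECRET_LENGTH:
                findings.append((name, f"secret shorter than {MIN_SECRET_LENGTH}"))
            if s.lower() in WEAK_SECRETS or s == name:
                findings.append((name, "secret is a common value or equals the peer name"))
        if not values(pairs, "deny") or not values(pairs, "permit"):
            findings.append((name, "no deny/permit restriction on source IP"))
        ctx = values(pairs, "context")
        if ctx and ctx[-1] == "default":
            findings.append((name, "peer lands in the 'default' context"))
    return findings


if __name__ == "__main__":
    for peer, problem in audit_peers(parse_asterisk_conf(SAMPLE_SIP_CONF)):
        print(f"{peer}: {problem}")
```

Run against the live file by replacing SAMPLE_SIP_CONF with the contents of /etc/asterisk/sip.conf and have cron mail any non-empty output; a peer that inherits deny/permit from a template passes the check, which is what you want when all office phones share one template.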