Re: [asterisk-users] Register Attacks End of ENUM ?
On Sun, Jul 25, 2010 at 3:11 AM, Norbert Zawodsky <norb...@zawodsky.at> wrote:
> Hello again!
>
> After it being relatively quiet here for the last weeks, my Asterisk server
> was the target of 3 of those nasty REGISTER attacks during the last days.
>
> While I can see not much danger coming from these attacks (I use very long,
> complicated, randomly generated passwords), they are still very annoying,
> because they always lead to my server crashing. (I think it's some out of
> memory condition because it's a very tiny server. Slow CPU, not much
> memory...)
>
> Now, as a quick fix I had the idea to use iptables' --src-range rule to
> close the whole address range from 0.0.0.0 to 255.255.255.255 EXCEPT that
> small range of my VOIP provider. This should keep out all attacks. (At
> least, I think so.) But I'm not an iptables guru at all!!
>
> But the side effect would be that ENUM wouldn't work any more.
>
> I still think that the best, clean solution would be if some mechanism were
> built into Asterisk (maybe sip.conf would be the right place???) where you
> could configure from which source (IP range, ethernet port or whatever...)
> Asterisk will accept or ignore REGISTER requests.
>
> For example, in my small installation, valid REGISTERs can only originate
> from the internal LAN, never from the outside world. So I could restrict the
> range for valid REGISTERs to 192.168.1.0/24. AFAIK incoming calls would
> start the conversation with INVITE and those still may come from the
> outside (= any IP address).
>
> Another thought makes me feel nervous: What if some sick brain gets the
> idea of sending INVITEs instead of those REGISTERs...
>
> Norbert

If all you need is to block SIP traffic from external sources, you may do
the following:

  # iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 5060 -j ACCEPT
  # iptables -A INPUT -p udp --dport 5060 -j DROP
  # iptables-save > /etc/iptables.up.rules

and somewhere in init scripts (depending on your lsb release):

  # iptables-restore < /etc/iptables.up.rules

fail2ban is more suitable if you have an external environment (plus it's
more complicated than just these 2 rules).

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
               http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Register Attacks End of ENUM ?
Blocking SIP traffic is still going to break ENUM.

The problem with your suggestion, Norbert, is that Asterisk would still have
to process the requests at the application layer, providing no real advantage
to users of boxes with no grunt.

You could potentially write something to do inspection on the packets; there
are a handful of L7 Linux switch projects around. Of course, still relatively
resource intensive.

Fail2Ban is probably the best solution.

What someone needs to offer is an ENUM gateway service :-)

Nick.

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Motiejus Jakštys
Sent: Tuesday, 27 July 2010 4:43 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Register Attacks End of ENUM ?

On Sun, Jul 25, 2010 at 3:11 AM, Norbert Zawodsky <norb...@zawodsky.at> wrote:
> Hello again!
>
> After it being relatively quiet here for the last weeks, my Asterisk server
> was the target of 3 of those nasty REGISTER attacks during the last days.
>
> While I can see not much danger coming from these attacks (I use very long,
> complicated, randomly generated passwords), they are still very annoying,
> because they always lead to my server crashing. (I think it's some out of
> memory condition because it's a very tiny server. Slow CPU, not much
> memory...)
>
> Now, as a quick fix I had the idea to use iptables' --src-range rule to
> close the whole address range from 0.0.0.0 to 255.255.255.255 EXCEPT that
> small range of my VOIP provider. This should keep out all attacks. (At
> least, I think so.) But I'm not an iptables guru at all!!
>
> But the side effect would be that ENUM wouldn't work any more.
>
> I still think that the best, clean solution would be if some mechanism were
> built into Asterisk (maybe sip.conf would be the right place???) where you
> could configure from which source (IP range, ethernet port or whatever...)
> Asterisk will accept or ignore REGISTER requests.
>
> For example, in my small installation, valid REGISTERs can only originate
> from the internal LAN, never from the outside world. So I could restrict the
> range for valid REGISTERs to 192.168.1.0/24. AFAIK incoming calls would
> start the conversation with INVITE and those still may come from the
> outside (= any IP address).
>
> Another thought makes me feel nervous: What if some sick brain gets the
> idea of sending INVITEs instead of those REGISTERs...
>
> Norbert

If all you need is to block SIP traffic from external sources, you may do
the following:

  # iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 5060 -j ACCEPT
  # iptables -A INPUT -p udp --dport 5060 -j DROP
  # iptables-save > /etc/iptables.up.rules

and somewhere in init scripts (depending on your lsb release):

  # iptables-restore < /etc/iptables.up.rules

fail2ban is more suitable if you have an external environment (plus it's
more complicated than just these 2 rules).
Re: [asterisk-users] Register Attacks End of ENUM ?
On 27.07.2010 08:42, Motiejus Jakštys wrote:
> If all you need is to block SIP traffic from external sources, you may do
> the following:
>
>   # iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 5060 -j ACCEPT
>   # iptables -A INPUT -p udp --dport 5060 -j DROP
>   # iptables-save > /etc/iptables.up.rules
>
> and somewhere in init scripts (depending on your lsb release):
>
>   # iptables-restore < /etc/iptables.up.rules
>
> fail2ban is more suitable if you have an external environment (plus it's
> more complicated than just these 2 rules).

Hello Motiejus, hello Nick!

Thanks for your answers. My OP was definitely not meant as a request for
help. I just wanted to start some small discussion. The point is that

a) I don't know fail2ban, and

b) I think that small box which runs my Asterisk wouldn't take another
   additional application (like fail2ban).

@Motiejus: Thanks for your rules! Since it seems that you are an iptables
expert, may I ask you: I want to restrict SIP traffic to my internal network
AND to a special address range (addresses of my VoIP provider) from the
external network.

  iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 5060 -j ACCEPT
  iptables -A INPUT -m iprange --src-range [FROM_IP]-[TO_IP] -p udp --dport 5060 -j ACCEPT
  iptables -A INPUT -p udp --dport 5060 -j DROP

Would that do the trick?

But that would keep out any calls via the ENUM mechanism too. Am I right?

Norbert
Re: [asterisk-users] Register Attacks End of ENUM ?
> Hello Motiejus, hello Nick!
>
> Thanks for your answers. My OP was definitely not meant as a request for
> help. I just wanted to start some small discussion. The point is that
>
> a) I don't know fail2ban, and

It's really easy. I just installed it on my company Asterisk box; it took
~5 minutes to install and configure. Thanks all. Moreover, it's scanning for
sshd brute-force attacks out of the box.

> b) I think that small box which runs my Asterisk wouldn't take another
>    additional application (like fail2ban).

It has a _very_ small footprint :-) I observe 0% CPU (in top) and 2MB system
RAM usage.

> @Motiejus: Thanks for your rules! Since it seems that you are an iptables
> expert,

:-)

> may I ask you: I want to restrict SIP traffic to my internal network AND to
> a special address range (addresses of my VoIP provider) from the external
> network.
>
>   iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 5060 -j ACCEPT
>   iptables -A INPUT -m iprange --src-range [FROM_IP]-[TO_IP] -p udp --dport 5060 -j ACCEPT
>   iptables -A INPUT -p udp --dport 5060 -j DROP
>
> Would that do the trick?

Yes, the syntax looks correct, it should. Try :-)

> But that would keep out any calls via the ENUM mechanism too. Am I right?

The above rule will block all UDP port 5060 (SIP) traffic from external IPs
to your Asterisk machine. I do not know how ENUM works, so I cannot answer,
but probably Nick is right. If your Asterisk is an ENUM server listening on
UDP 5060 and remote hosts query your machine with ENUM, then yes, it will
not work. Any other configuration, it will.

Regards
Motiejus Jakštys
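What fail2ban does for the REGISTER floods discussed in this thread, reduced to its core as an added example (this is not code from the thread, from Asterisk or from fail2ban itself): scan the Asterisk log for rejected REGISTERs, count failures per source IP inside a time window, skip sources that the thread's ACCEPT rules already trust (the LAN and the provider range), and emit the iptables DROP rule that a ban action would insert. The log line shape is modelled on chan_sip NOTICE messages and the sample lines are constructed; 203.0.113.0/24 stands in for the provider range, and maxretry/findtime are chosen for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of a chan_sip NOTICE line for a rejected REGISTER (assumption: the
# thread shows no log excerpt; this mirrors the common Asterisk 1.x wording).
FAIL_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})' - "
    r"(?P<reason>Wrong password|No matching peer found|Username/auth name mismatch)$"
)

# Sources never to ban, mirroring the ACCEPT rules in the thread: the LAN and
# the VoIP provider's range (203.0.113.0/24 is a placeholder, not a real range).
IGNORE_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "203.0.113.0/24")]

# Constructed sample log: an external scanner cycling extensions, a LAN phone
# with a mistyped password, one provider-side failure, one unrelated NOTICE,
# one rejection reason the filter deliberately ignores, one lone external miss.
SAMPLE_LOG = [
    "[Jul 25 03:11:02] NOTICE[2231] chan_sip.c: Registration from '\"100\"<sip:100@192.0.2.10>' failed for '198.51.100.23' - Wrong password",
    "[Jul 25 03:11:02] NOTICE[2231] chan_sip.c: Registration from '\"101\"<sip:101@192.0.2.10>' failed for '198.51.100.23' - No matching peer found",
    "[Jul 25 03:11:03] NOTICE[2231] chan_sip.c: Registration from '\"102\"<sip:102@192.0.2.10>' failed for '198.51.100.23' - Wrong password",
    "[Jul 25 03:11:03] NOTICE[2231] chan_sip.c: Registration from '\"103\"<sip:103@192.0.2.10>' failed for '198.51.100.23' - No matching peer found",
    "[Jul 25 03:11:04] NOTICE[2231] chan_sip.c: Registration from '\"104\"<sip:104@192.0.2.10>' failed for '198.51.100.23' - Wrong password",
    "[Jul 25 03:11:05] NOTICE[2231] chan_sip.c: Registration from '\"105\"<sip:105@192.0.2.10>' failed for '198.51.100.23' - Peer is not supposed to register",
    "[Jul 25 03:12:00] NOTICE[2231] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)",
    "[Jul 25 03:12:10] NOTICE[2231] chan_sip.c: Registration from '\"201\"<sip:201@192.0.2.10>' failed for '192.168.1.42' - Wrong password",
    "[Jul 25 03:12:11] NOTICE[2231] chan_sip.c: Registration from '\"201\"<sip:201@192.0.2.10>' failed for '192.168.1.42' - Wrong password",
    "[Jul 25 03:12:11] NOTICE[2231] chan_sip.c: Registration from '\"201\"<sip:201@192.0.2.10>' failed for '192.168.1.42' - Wrong password",
    "[Jul 25 03:12:12] NOTICE[2231] chan_sip.c: Registration from '\"201\"<sip:201@192.0.2.10>' failed for '192.168.1.42' - Wrong password",
    "[Jul 25 03:12:12] NOTICE[2231] chan_sip.c: Registration from '\"201\"<sip:201@192.0.2.10>' failed for '192.168.1.42' - Wrong password",
    "[Jul 25 03:13:00] NOTICE[2231] chan_sip.c: Registration from '\"300\"<sip:300@192.0.2.10>' failed for '203.0.113.7' - Wrong password",
    "[Jul 25 03:14:30] NOTICE[2231] chan_sip.c: Registration from '\"100\"<sip:100@192.0.2.10>' failed for '198.51.100.99' - Wrong password",
]


def parse_failures(lines):
    """Yield (timestamp, source_ip, reason) for every rejected REGISTER the filter recognises."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            # syslog-style stamp carries no year; strptime defaults it to 1900,
            # which is fine for computing differences within one log.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("reason")


def is_ignored(ip):
    """True when the source sits in a trusted network and must never be banned."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IGNORE_NETS)


def find_offenders(lines, maxretry=5, findtime=timedelta(seconds=600)):
    """Return source IPs that reached maxretry failures inside a findtime window,
    in the order they crossed the threshold (fail2ban's maxretry/findtime idea,
    assuming the log is in chronological order)."""
    hits = defaultdict(list)
    banned = []
    for ts, ip, _reason in parse_failures(lines):
        if ip in banned or is_ignored(ip):
            continue
        # keep only failures still inside the window ending at this event
        recent = [t for t in hits[ip] if ts - t <= findtime]
        recent.append(ts)
        hits[ip] = recent
        if len(recent) >= maxretry:
            banned.append(ip)
    return banned


def ban_commands(ips):
    """The rule a ban action would insert: drop SIP from the offender ahead of
    the ACCEPT/DROP rules discussed in the thread (-I puts it at the top of INPUT)."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP" for ip in ips]


if __name__ == "__main__":
    for cmd in ban_commands(find_offenders(SAMPLE_LOG)):
        print(cmd)
```

Run stand-alone it prints a single DROP rule for 198.51.100.23: the LAN phone with the wrong password is exempt because it falls under the ACCEPT rule for 192.168.1.0/24, the provider address is exempt for the same reason, and the lone external failure never reaches the threshold. Note that only failed REGISTERs are counted; an attacker who switches to INVITEs, as Norbert worries, needs a second filter pattern on the corresponding log line.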
Re: [asterisk-users] Register Attacks End of ENUM ?
On 10-07-25 11:50 AM, Administrator TOOTAI wrote:
> On 25/07/2010 02:11, Norbert Zawodsky wrote:
>> Hello again!
>
> Hi
>
>> After it being relatively quiet here for the last weeks, my Asterisk server
>> was the target of 3 of those nasty REGISTER attacks during the last days.
>
> [...]
>
> Do like most of us are acting: use fail2ban.

That's pretty much the solution to that problem right there: fail2ban.

Leif Madsen.
Re: [asterisk-users] Register Attacks End of ENUM ?
On 25/07/2010 02:11, Norbert Zawodsky wrote:
> Hello again!

Hi

> After it being relatively quiet here for the last weeks, my Asterisk server
> was the target of 3 of those nasty REGISTER attacks during the last days.

[...]

Do like most of us are acting: use fail2ban.

--
Daniel
[asterisk-users] Register Attacks End of ENUM ?
Hello again!

After it being relatively quiet here for the last weeks, my Asterisk server
was the target of 3 of those nasty REGISTER attacks during the last days.

While I can see not much danger coming from these attacks (I use very long,
complicated, randomly generated passwords), they are still very annoying,
because they always lead to my server crashing. (I think it's some out of
memory condition because it's a very tiny server. Slow CPU, not much
memory...)

Now, as a quick fix I had the idea to use iptables' --src-range rule to close
the whole address range from 0.0.0.0 to 255.255.255.255 EXCEPT that small
range of my VOIP provider. This should keep out all attacks. (At least, I
think so.) But I'm not an iptables guru at all!!

But the side effect would be that ENUM wouldn't work any more.

I still think that the best, clean solution would be if some mechanism were
built into Asterisk (maybe sip.conf would be the right place???) where you
could configure from which source (IP range, ethernet port or whatever...)
Asterisk will accept or ignore REGISTER requests.

For example, in my small installation, valid REGISTERs can only originate
from the internal LAN, never from the outside world. So I could restrict the
range for valid REGISTERs to 192.168.1.0/24. AFAIK incoming calls would start
the conversation with INVITE and those still may come from the outside
(= any IP address).

Another thought makes me feel nervous: What if some sick brain gets the idea
of sending INVITEs instead of those REGISTERs...

Norbert