Re: [asterisk-users] Auto ban IP addresses
> I have been seeing a lot of > > [Jan 2 16:36:31] NOTICE[7519]: chan_sip.c:23149 handle_request_invite: > Sending fake auth rejection for device > 100;tag=2e921697 > > in my logs lately. Is there a way to automatically ban IP address from > attackers within asterisk ? > You may want to check out this presentation form the last Astricon, it may be relevant: http://www.astricon.net/2012/videos/Automated-Hacker-Mitigation.html Cheers. JR -- JR Richardson Engineering for the Masses -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Auto ban IP addresses
Geoff, That is a very good point. I actually switched my firewall to close all ports but SSH. I'll only allow specific IP for incoming SIP. Thanks for the great note. On 1/3/13 7:06 AM, Geoff Lane wrote: On Wednesday, January 2, 2013, Frank wrote: Is there a way to automatically ban IP address from attackers within asterisk ? As others have mentioned, fail2ban does a good job. However, it may not be enough as these attacks sometimes come from older versions of the SipVicious hacking tool that keep trying even after they cease getting a response -- i.e. the attack continues even after fail2ban has jailed the host, which eats into your bandwidth and can cause denial of service in extreme cases. FWIW, I suffered one such attack last year after my router died and the temporary replacement couldn't selectively block or forward UDP 5060 based on WAN IP address. The attack continued for over eight days and consumed over a gigabyte a day of my bandwidth for the first three of those days -- until I'd replaced the temporary router and taken proactive measures. An initial LART to the attacking host's owner and their provider achieved little. I ended up installing SipVicious to a virtual machine to which I router all SIP requests from the attacker. On the VM I set up svcrash to automatically crash the attacking script each time it received a SIP request. This cut the attack down to one request every couple of seconds. In the end, I suggested to the owner of the attacking host that it might be a good idea for them to remove Python unless it was actually needed and in any case to remove from that machine all instances of svwar.py and svcrack.py together with the remainder of the SipVicious suite. The attack stopped shortly after. I suspect that any system that responds to all SIP requests is likely to attract such attacks. My solution is to silently drop SIP traffic from all but my SIP providers, which means that attackers perceive that my Asterisk box doesn't exist. This is not ideal as it also prevents legitimate direct SIP calls and reinvites, but IMO better that than having bandwidth I pay for by the gigabyte consumed by brute force attacks. -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Auto ban IP addresses
On Wednesday, January 2, 2013, Frank wrote: > Is there a way to automatically ban IP address from > attackers within asterisk ? As others have mentioned, fail2ban does a good job. However, it may not be enough as these attacks sometimes come from older versions of the SipVicious hacking tool that keep trying even after they cease getting a response -- i.e. the attack continues even after fail2ban has jailed the host, which eats into your bandwidth and can cause denial of service in extreme cases. FWIW, I suffered one such attack last year after my router died and the temporary replacement couldn't selectively block or forward UDP 5060 based on WAN IP address. The attack continued for over eight days and consumed over a gigabyte a day of my bandwidth for the first three of those days -- until I'd replaced the temporary router and taken proactive measures. An initial LART to the attacking host's owner and their provider achieved little. I ended up installing SipVicious to a virtual machine to which I router all SIP requests from the attacker. On the VM I set up svcrash to automatically crash the attacking script each time it received a SIP request. This cut the attack down to one request every couple of seconds. In the end, I suggested to the owner of the attacking host that it might be a good idea for them to remove Python unless it was actually needed and in any case to remove from that machine all instances of svwar.py and svcrack.py together with the remainder of the SipVicious suite. The attack stopped shortly after. I suspect that any system that responds to all SIP requests is likely to attract such attacks. My solution is to silently drop SIP traffic from all but my SIP providers, which means that attackers perceive that my Asterisk box doesn't exist. This is not ideal as it also prevents legitimate direct SIP calls and reinvites, but IMO better that than having bandwidth I pay for by the gigabyte consumed by brute force attacks. -- Geoff -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Auto ban IP addresses
On Wednesday 02 January 2013, Frank wrote: > Greetings all, > > I have been seeing a lot of > > [Jan 2 16:36:31] NOTICE[7519]: chan_sip.c:23149 handle_request_invite: > Sending fake auth rejection for device > 100;tag=2e921697 > > in my logs lately. Is there a way to automatically ban IP address from > attackers within asterisk ? There is a more "general-purpose" way to block IP addresses from which unwanted traffic is coming: "fail2ban". This scans various logfiles for failed login attempts, and can insert iptables rules to block the addresses whence they originate. On Ubuntu and Debian, just run $ sudo apt-get install fail2ban -- AJS Answers come *after* questions. -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Auto ban IP addresses
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Carlos Alvarez Sent: Wednesday, January 02, 2013 4:54 PM To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: Re: [asterisk-users] Auto ban IP addresses On Wed, Jan 2, 2013 at 3:49 PM, Frank wrote: Greetings all, I have been seeing a lot of [Jan 2 16:36:31] NOTICE[7519]: chan_sip.c:23149 handle_request_invite: Sending fake auth rejection for device 100mailto:sip%3A100@108.161.145.18> >;tag=2e921697 in my logs lately. Is there a way to automatically ban IP address from attackers within asterisk ? http://www.fail2ban.org/wiki/index.php/Asterisk Fail2ban is a nice program, but deny=108.161.145.18 in sip.conf should satisfy OP's request. -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Auto ban IP addresses
On Wed, Jan 2, 2013 at 3:49 PM, Frank wrote: > Greetings all, > > I have been seeing a lot of > > [Jan 2 16:36:31] NOTICE[7519]: chan_sip.c:23149 handle_request_invite: > Sending fake auth rejection for device 100;** > tag=2e921697 > > in my logs lately. Is there a way to automatically ban IP address from > attackers within asterisk ? > http://www.fail2ban.org/wiki/index.php/Asterisk -- Carlos Alvarez TelEvolve 602-889-3003 -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[asterisk-users] Auto ban IP addresses
Greetings all, I have been seeing a lot of [Jan 2 16:36:31] NOTICE[7519]: chan_sip.c:23149 handle_request_invite: Sending fake auth rejection for device 100;tag=2e921697 in my logs lately. Is there a way to automatically ban IP address from attackers within asterisk ? Thank you -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users