Re: [asterisk-users] Hack attempt sequential config file read looking for valid files.

2017-04-22 Thread Tim S
Exactly.

If one's external access control is set correctly, you should basically
never see any outside attack traffic at your Asterisk box (you'll see it in
the firewall logs instead).

Following the concept of "least privileges" is where you should start if
you have Asterisk attached to a SIP service you pay for.  If you have one
SIP provider, the only IP address (or IP pool/range) that should talk to
your Asterisk box from outside your firewall is exclusively the servers of
your SIP provider.  Everything else should be "dropped" (no response at
all).

Google "GRC Shields Up" and run that free port scanner to see what you have
open, closed or what they call "stealth" (dropped).  If a firewall is set up
correctly, port 5060 should appear "stealth" from any IP address other than
your service provider.

You can also Shodan yourself: https://www.shodan.io/host/{yourPublicIP} -
but Shodan doesn't tell you whether the packets are dropped or rejected.
In general you want your public IP to only show services on Shodan that you
intend every random request to get access to - for example a public web
server on port 80 and 443.

It's a good idea to review these resources often (once a quarter, once a
month, once a week - your choice), especially after any software or
hardware changes on your network.  You may find something has been
misconfigured at installation, that you would need to address.

Best

-Tim

On Fri, Apr 21, 2017 at 9:53 AM, Victor Villarreal 
wrote:

> Hi David, Tim,
>
> Try to use Fail2Ban as a last resort. Fail2Ban is a reactive approach, that
> permits the traffic AND ONLY BLOCKS it after a certain level is triggered.
>
>
> Use iptables to block the unused services facing public networks like the
> Internet. And configure these services properly, so they listen only on
> selected interfaces and IPs, and not on 0.0.0.0
>
> 2017-04-21 13:47 GMT-03:00 Tim S :
>
>> Is that IP in your network or outside (I can ping it so I'm guessing it's
>> outside your network)?  Do you have a firewall between your asterisk box
>> and the internet?  Is there a WHITELIST of IP addresses that only allow
>> your provider's limited IP pool to connect to your asterisk box from
>> outside?
>>
>> If you are getting TFTP requests hitting your Asterisk box, they are not
>> properly being filtered at your firewall; ftp and tftp are considered
>> insecure communication methods, and that port (69 I think) should be closed on
>> your firewall unless you have a really good reason to have it opened (and
>> unless you run a public FTP site, THERE IS NO GOOD REASON).
>>
>> Fail2Ban is a BLACKLIST method, blacklists are most effective after good
>> network hygiene is implemented, as you drastically limit the pool of
>> potential bad actors with a whitelist.
>>
>> Best,
>>
>> -Tim
>>
>> On Fri, Apr 21, 2017 at 9:38 AM, Dovid Bender 
>> wrote:
>>
>>> This is old news. They use Shodan and then try to connect. Set up
>>> Fail2Ban so that, say, after 10 404's it bans the IP.
>>>
>>>
>>> On Fri, Apr 21, 2017 at 12:27 PM, Jerry Geis 
>>> wrote:
>>>
 I just happened to look at /var/log/messages...

 I saw:
 Apr 21 12:18:40 in.tftpd[22719]: RRQ from 69.64.57.18 filename
 0004f2034f6b.cfg
 Apr 21 12:18:40 in.tftpd[22719]: Client 69.64.57.18 File not found
 0004f2034f6b.cfg
 Apr 21 12:18:40 in.tftpd[22720]: RRQ from 69.64.57.18 filename
 0004f2034f6c.cfg
 Apr 21 12:18:40 in.tftpd[22720]: Client 69.64.57.18 File not found
 0004f2034f6c.cfg
 Apr 21 12:18:40 in.tftpd[22721]: RRQ from 69.64.57.18 filename
 0004f2034f6d.cfg
 Apr 21 12:18:40 in.tftpd[22721]: Client 69.64.57.18 File not found
 0004f2034f6d.cfg
 Apr 21 12:18:40 in.tftpd[22722]: RRQ from 69.64.57.18 filename
 0004f2034f6e.cfg

 so basically a sequential read of Polycom MAC address config files.
 Someone is trying to read, to determine if I have any Polycom files, just
 sequential read after read.
 And if so - it would get any extension and password at that time.
 Luckily I have none.

 However - how does one block attempts like this?

 Thanks!

 Jerry

 --
 _
 -- Bandwidth and Colocation Provided by http://www.api-digital.com --

 Check out the new Asterisk community forum at:
 https://community.asterisk.org/

 New to Asterisk? Start here:
   https://wiki.asterisk.org/wiki/display/AST/Getting+Started

 asterisk-users mailing list
 To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users

>>>
>>>

Re: [asterisk-users] Hack attempt sequential config file read looking for valid files.

2017-04-21 Thread Victor Villarreal
Hi David, Tim,

Try to use Fail2Ban as a last resort. Fail2Ban is a reactive approach, that
permits the traffic AND ONLY BLOCKS it after a certain level is triggered.


Use iptables to block the unused services facing public networks like the
Internet. And configure these services properly, so they listen only on
selected interfaces and IPs, and not on 0.0.0.0

2017-04-21 13:47 GMT-03:00 Tim S :

> Is that IP in your network or outside (I can ping it so I'm guessing it's
> outside your network)?  Do you have a firewall between your asterisk box
> and the internet?  Is there a WHITELIST of IP addresses that only allow
> your provider's limited IP pool to connect to your asterisk box from
> outside?
>
> If you are getting TFTP requests hitting your Asterisk box, they are not
> properly being filtered at your firewall; ftp and tftp are considered
> insecure communication methods, and that port (69 I think) should be closed on
> your firewall unless you have a really good reason to have it opened (and
> unless you run a public FTP site, THERE IS NO GOOD REASON).
>
> Fail2Ban is a BLACKLIST method, blacklists are most effective after good
> network hygiene is implemented, as you drastically limit the pool of
> potential bad actors with a whitelist.
>
> Best,
>
> -Tim
>
> On Fri, Apr 21, 2017 at 9:38 AM, Dovid Bender  wrote:
>
>> This is old news. They use Shodan and then try to connect. Set up
>> Fail2Ban so that, say, after 10 404's it bans the IP.
>>
>>
>> On Fri, Apr 21, 2017 at 12:27 PM, Jerry Geis 
>> wrote:
>>
>>> I just happened to look at /var/log/messages...
>>>
>>> I saw:
>>> Apr 21 12:18:40 in.tftpd[22719]: RRQ from 69.64.57.18 filename
>>> 0004f2034f6b.cfg
>>> Apr 21 12:18:40 in.tftpd[22719]: Client 69.64.57.18 File not found
>>> 0004f2034f6b.cfg
>>> Apr 21 12:18:40 in.tftpd[22720]: RRQ from 69.64.57.18 filename
>>> 0004f2034f6c.cfg
>>> Apr 21 12:18:40 in.tftpd[22720]: Client 69.64.57.18 File not found
>>> 0004f2034f6c.cfg
>>> Apr 21 12:18:40 in.tftpd[22721]: RRQ from 69.64.57.18 filename
>>> 0004f2034f6d.cfg
>>> Apr 21 12:18:40 in.tftpd[22721]: Client 69.64.57.18 File not found
>>> 0004f2034f6d.cfg
>>> Apr 21 12:18:40 in.tftpd[22722]: RRQ from 69.64.57.18 filename
>>> 0004f2034f6e.cfg
>>>
>>> so basically a sequential read of Polycom MAC address config files.
>>> Someone is trying to read, to determine if I have any Polycom files, just
>>> sequential read after read.
>>> And if so - it would get any extension and password at that time.
>>> Luckily I have none.
>>>
>>> However - how does one block attempts like this?
>>>
>>> Thanks!
>>>
>>> Jerry
>>>



-- 
GnuPG Key ID: 0x39BCA9D8
https://www.github.com/mefhigoseth
...:::[ God Rulz ! ]:::...

Re: [asterisk-users] Hack attempt sequential config file read looking for valid files.

2017-04-21 Thread Tim S
Is that IP in your network or outside (I can ping it so I'm guessing it's
outside your network)?  Do you have a firewall between your asterisk box
and the internet?  Is there a WHITELIST of IP addresses that only allow
your provider's limited IP pool to connect to your asterisk box from
outside?

If you are getting TFTP requests hitting your Asterisk box, they are not
properly being filtered at your firewall; ftp and tftp are considered
insecure communication methods, and that port (69 I think) should be closed on
your firewall unless you have a really good reason to have it opened (and
unless you run a public FTP site, THERE IS NO GOOD REASON).

Fail2Ban is a BLACKLIST method, blacklists are most effective after good
network hygiene is implemented, as you drastically limit the pool of
potential bad actors with a whitelist.

Best,

-Tim

On Fri, Apr 21, 2017 at 9:38 AM, Dovid Bender  wrote:

> This is old news. They use Shodan and then try to connect. Set up Fail2Ban
> so that, say, after 10 404's it bans the IP.
>
>
> On Fri, Apr 21, 2017 at 12:27 PM, Jerry Geis  wrote:
>
>> I just happened to look at /var/log/messages...
>>
>> I saw:
>> Apr 21 12:18:40 in.tftpd[22719]: RRQ from 69.64.57.18 filename
>> 0004f2034f6b.cfg
>> Apr 21 12:18:40 in.tftpd[22719]: Client 69.64.57.18 File not found
>> 0004f2034f6b.cfg
>> Apr 21 12:18:40 in.tftpd[22720]: RRQ from 69.64.57.18 filename
>> 0004f2034f6c.cfg
>> Apr 21 12:18:40 in.tftpd[22720]: Client 69.64.57.18 File not found
>> 0004f2034f6c.cfg
>> Apr 21 12:18:40 in.tftpd[22721]: RRQ from 69.64.57.18 filename
>> 0004f2034f6d.cfg
>> Apr 21 12:18:40 in.tftpd[22721]: Client 69.64.57.18 File not found
>> 0004f2034f6d.cfg
>> Apr 21 12:18:40 in.tftpd[22722]: RRQ from 69.64.57.18 filename
>> 0004f2034f6e.cfg
>>
>> so basically a sequential read of Polycom MAC address config files.
>> Someone is trying to read, to determine if I have any Polycom files, just
>> sequential read after read.
>> And if so - it would get any extension and password at that time.
>> Luckily I have none.
>>
>> However - how does one block attempts like this?
>>
>> Thanks!
>>
>> Jerry
>>

Re: [asterisk-users] Hack attempt sequential config file read looking for valid files.

2017-04-21 Thread Victor Villarreal
Hi, Jerry,

I don't know what OS you have on the server, but you can check the man
page (https://linux.die.net/man/8/in.tftpd) for tftpd and use the
--address option, so you can tell tftpd on which interface/port this
service listens for requests.

From the IP in your logs (69.64.57.18), the request came from a web hosting
provider (http://www.heg.com/). So the request came from the Internet, which
means your server listens for TFTP requests from outside, which is bad.

You can use iptables in any Linux distro to block incoming TFTP traffic.
TFTP is a UDP protocol at port 69.

Example:

/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 69 -j DROP

Change eth0 to the correct name of your public internet server interface.



2017-04-21 13:27 GMT-03:00 Jerry Geis :

> I just happened to look at /var/log/messages...
>
> I saw:
> Apr 21 12:18:40 in.tftpd[22719]: RRQ from 69.64.57.18 filename
> 0004f2034f6b.cfg
> Apr 21 12:18:40 in.tftpd[22719]: Client 69.64.57.18 File not found
> 0004f2034f6b.cfg
> Apr 21 12:18:40 in.tftpd[22720]: RRQ from 69.64.57.18 filename
> 0004f2034f6c.cfg
> Apr 21 12:18:40 in.tftpd[22720]: Client 69.64.57.18 File not found
> 0004f2034f6c.cfg
> Apr 21 12:18:40 in.tftpd[22721]: RRQ from 69.64.57.18 filename
> 0004f2034f6d.cfg
> Apr 21 12:18:40 in.tftpd[22721]: Client 69.64.57.18 File not found
> 0004f2034f6d.cfg
> Apr 21 12:18:40 in.tftpd[22722]: RRQ from 69.64.57.18 filename
> 0004f2034f6e.cfg
>
> so basically a sequential read of Polycom MAC address config files.
> Someone is trying to read, to determine if I have any Polycom files, just
> sequential read after read.
> And if so - it would get any extension and password at that time.
> Luckily I have none.
>
> However - how does one block attempts like this?
>
> Thanks!
>
> Jerry
>



-- 
GnuPG Key ID: 0x39BCA9D8
https://www.github.com/mefhigoseth
...:::[ God Rulz ! ]:::...
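The least-privilege firewall Tim describes in his 2017-04-22 reply (only the SIP provider's address pool may reach 5060, everything else silently dropped), together with Victor's two iptables points (block the unused public-facing services; drop UDP/69 on the Internet interface), written out as one added shell example. This is not code from the thread. The interface name, the provider ranges (RFC 5737 documentation addresses), the chain name ASTERISK_WAN and the function names are assumptions; pass "echo iptables" as the first argument to print the rules instead of applying them.

```sh
#!/bin/sh
# Added example, not code from the thread: a least-privilege INPUT chain for
# an Asterisk host. Only the SIP provider's address pool may reach UDP/5060,
# TFTP (UDP/69) is never reachable from the public interface, and everything
# else arriving on that interface is silently DROPped (never REJECTed), which
# is what makes those ports show as "stealth" to an outside port scan.
#
# Assumptions (placeholders; change them for your site):
#   WAN_IF         public-facing interface (Victor's "eth0")
#   PROVIDER_NETS  the SIP provider's published address pool, space separated
#                  (RFC 5737 documentation ranges are used here)
#   ASTERISK_WAN   a dedicated chain name, so re-running stays idempotent

WAN_IF="${WAN_IF:-eth0}"
PROVIDER_NETS="${PROVIDER_NETS:-203.0.113.0/24 198.51.100.10}"

# Build (or rebuild) the chain. $1 is the iptables command to run; pass
# "echo iptables" to print the rules instead of applying them (dry run).
build_wan_rules() {
    ipt="${1:-iptables}"
    $ipt -N ASTERISK_WAN 2>/dev/null || true   # fails harmlessly if it exists
    $ipt -F ASTERISK_WAN
    # Replies to traffic we started ourselves (SIP REGISTER to the provider,
    # DNS, NTP) must still get in.
    $ipt -A ASTERISK_WAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Whitelist: only the provider's pool may start SIP traffic towards us.
    for net in $PROVIDER_NETS; do
        $ipt -A ASTERISK_WAN -s "$net" -p udp --dport 5060 -j ACCEPT
    done
    # TFTP provisioning is never served to the public side. The explicit rule
    # keeps that true even if someone later appends a looser ACCEPT.
    $ipt -A ASTERISK_WAN -p udp --dport 69 -j DROP
    # Everything else on the public interface: drop, don't reject.
    $ipt -A ASTERISK_WAN -j DROP
    # Hook the chain into INPUT for the public interface only. The -D first
    # removes a previous hook so the script can be re-run safely.
    $ipt -D INPUT -i "$WAN_IF" -j ASTERISK_WAN 2>/dev/null || true
    $ipt -I INPUT 1 -i "$WAN_IF" -j ASTERISK_WAN
}

# Self-check on the dry run: how many ACCEPT rules does the chain carry for a
# given destination port? More than one per provider net on 5060, or any
# ACCEPT at all on 69, means the whitelist is wider than intended.
count_accepts_for_port() {
    build_wan_rules "echo iptables" | grep -c -- "--dport $1 -j ACCEPT" || true
}

# Does the public interface explicitly drop TFTP? Prints yes or no.
tftp_dropped() {
    if build_wan_rules "echo iptables" | grep -q -- "-p udp --dport 69 -j DROP"; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone use: "sh this.sh apply" applies the rules; anything else is a
# dry run that only prints them.
if [ "${1:-}" = "apply" ]; then
    build_wan_rules iptables
else
    build_wan_rules "echo iptables"
fi
```

Rule order carries the policy: the provider ACCEPTs come before the catch-all DROP, and the TFTP DROP is placed ahead of the catch-all so it keeps working even after someone adds an ACCEPT below it. Because the chain only handles packets arriving on WAN_IF, LAN phones that legitimately fetch provisioning files over TFTP are unaffected. After applying, the "stealth" check Tim recommends should show 5060 as dropped from any address outside PROVIDER_NETS.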

Re: [asterisk-users] Hack attempt sequential config file read looking for valid files.

2017-04-21 Thread Dovid Bender
This is old news. They use Shodan and then try to connect. Set up Fail2Ban
so that, say, after 10 404's it bans the IP.


On Fri, Apr 21, 2017 at 12:27 PM, Jerry Geis  wrote:

> I just happened to look at /var/log/messages...
>
> I saw:
> Apr 21 12:18:40 in.tftpd[22719]: RRQ from 69.64.57.18 filename
> 0004f2034f6b.cfg
> Apr 21 12:18:40 in.tftpd[22719]: Client 69.64.57.18 File not found
> 0004f2034f6b.cfg
> Apr 21 12:18:40 in.tftpd[22720]: RRQ from 69.64.57.18 filename
> 0004f2034f6c.cfg
> Apr 21 12:18:40 in.tftpd[22720]: Client 69.64.57.18 File not found
> 0004f2034f6c.cfg
> Apr 21 12:18:40 in.tftpd[22721]: RRQ from 69.64.57.18 filename
> 0004f2034f6d.cfg
> Apr 21 12:18:40 in.tftpd[22721]: Client 69.64.57.18 File not found
> 0004f2034f6d.cfg
> Apr 21 12:18:40 in.tftpd[22722]: RRQ from 69.64.57.18 filename
> 0004f2034f6e.cfg
>
> so basically a sequential read of Polycom MAC address config files.
> Someone is trying to read, to determine if I have any Polycom files, just
> sequential read after read.
> And if so - it would get any extension and password at that time.
> Luckily I have none.
>
> However - how does one block attempts like this?
>
> Thanks!
>
> Jerry
>

Re: [asterisk-users] Hack attempt sequential config file read looking for valid files.

2017-04-21 Thread Derek Bolichowski

From: asterisk-users-boun...@lists.digium.com 
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Jerry Geis
Sent: Friday, April 21, 2017 12:28 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion 
<asterisk-users@lists.digium.com>
Subject: [asterisk-users] Hack attempt sequential config file read looking for 
valid files.

I just happened to look at /var/log/messages...

I saw:
Apr 21 12:18:40 in.tftpd[22719]: RRQ from 69.64.57.18 filename 0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22719]: Client 69.64.57.18 File not found 
0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22720]: RRQ from 69.64.57.18 filename 0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22720]: Client 69.64.57.18 File not found 
0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22721]: RRQ from 69.64.57.18 filename 0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22721]: Client 69.64.57.18 File not found 
0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22722]: RRQ from 69.64.57.18 filename 0004f2034f6e.cfg

so basically a sequential read of Polycom MAC address config files.
Someone is trying to read, to determine if I have any Polycom files, just sequential
read after read.
And if so - it would get any extension and password at that time.
Luckily I have none.

However - how does one block attempts like this?

Thanks!

Jerry


Jerry,
Can you change to FTP provisioning, or HTTPS, etc.? At least with FTP you can set
a user/pass on your directory with mac.cfg to prevent open access.

[asterisk-users] Hack attempt sequential config file read looking for valid files.

2017-04-21 Thread Jerry Geis
I just happened to look at /var/log/messages...

I saw:
Apr 21 12:18:40 in.tftpd[22719]: RRQ from 69.64.57.18 filename
0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22719]: Client 69.64.57.18 File not found
0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22720]: RRQ from 69.64.57.18 filename
0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22720]: Client 69.64.57.18 File not found
0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22721]: RRQ from 69.64.57.18 filename
0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22721]: Client 69.64.57.18 File not found
0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22722]: RRQ from 69.64.57.18 filename
0004f2034f6e.cfg

so basically a sequential read of Polycom MAC address config files.
Someone is trying to read, to determine if I have any Polycom files, just
sequential read after read.
And if so - it would get any extension and password at that time.
Luckily I have none.

However - how does one block attempts like this?

Thanks!

Jerry
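Dovid's suggestion of a threshold-based ban and the in.tftpd lines Jerry posted, as an added detection example that is not from the thread: a shell/awk pass over the log that counts "File not found" replies per client and measures how many of the requested <MAC>.cfg names were consecutive, which is the signature of the enumeration Jerry saw. The sample log is constructed (Jerry's lines, two more misses continuing the same sequence, and one LAN phone with no file yet, all made up here); the function name and the default threshold are mine.

```sh
#!/bin/sh
# Added example, not code from the thread: Fail2Ban-style detection over
# in.tftpd log lines. A client probing for Polycom <MAC>.cfg files leaves a
# burst of "File not found" replies and asks for consecutive MAC-style
# names; this reports both signals per client so the hit can be reviewed or
# handed to a ban action. The sample below is constructed: Jerry's lines,
# two more misses in the same sequence, and one LAN phone with no file yet.

SAMPLE_LOG='Apr 21 12:18:40 in.tftpd[22719]: RRQ from 69.64.57.18 filename 0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22719]: Client 69.64.57.18 File not found 0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22720]: RRQ from 69.64.57.18 filename 0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22720]: Client 69.64.57.18 File not found 0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22721]: RRQ from 69.64.57.18 filename 0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22721]: Client 69.64.57.18 File not found 0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22722]: RRQ from 69.64.57.18 filename 0004f2034f6e.cfg
Apr 21 12:18:40 in.tftpd[22722]: Client 69.64.57.18 File not found 0004f2034f6e.cfg
Apr 21 12:18:41 in.tftpd[22723]: RRQ from 69.64.57.18 filename 0004f2034f6f.cfg
Apr 21 12:18:41 in.tftpd[22723]: Client 69.64.57.18 File not found 0004f2034f6f.cfg
Apr 21 12:19:02 in.tftpd[22730]: RRQ from 192.168.1.50 filename 0004f2aabbcc.cfg
Apr 21 12:19:02 in.tftpd[22730]: Client 192.168.1.50 File not found 0004f2aabbcc.cfg'

# Usage: tftp_miss_report [threshold] [logfile]
# Prints "<ip> <misses> <longest-sequential-run>" for every client whose
# "File not found" count reaches the threshold (default 5). Without a
# logfile the constructed sample above is used.
tftp_miss_report() {
    thr="${1:-5}"
    if [ -n "${2:-}" ]; then cat -- "$2"; else printf '%s\n' "$SAMPLE_LOG"; fi |
    awk -v thr="$thr" '
        # POSIX awk has no strtonum(), so convert the hex name by hand.
        function hex2num(s,    i, v) {
            v = 0
            for (i = 1; i <= length(s); i++)
                v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
            return v
        }
        /in\.tftpd\[[0-9]+\]: Client [0-9.]+ File not found / {
            # The client address follows the word "Client"; locating it by
            # position tolerates a hostname field after the timestamp.
            for (i = 1; i < NF; i++) if ($i == "Client") { ip = $(i + 1); break }
            name = $NF
            misses[ip]++
            # Only MAC-style names (12 hex digits + ".cfg") take part in the
            # sequence check; other misses still count toward the threshold.
            if (length(name) == 16 && name ~ /^[0-9a-f]+\.cfg$/) {
                v = hex2num(substr(name, 1, 12))
                if ((ip in last) && v == last[ip] + 1) run[ip]++
                else run[ip] = 1
                if (run[ip] > best[ip]) best[ip] = run[ip]
                last[ip] = v
            }
        }
        END {
            for (ip in misses)
                if (misses[ip] >= thr) print ip, misses[ip], best[ip] + 0
        }'
}

# Stand-alone: report on the constructed sample with the default threshold.
tftp_miss_report
```

Run it against the live log with `tftp_miss_report 5 /var/log/messages`. The per-client miss count is exactly what a Fail2Ban jail with maxretry would act on; the third column is what separates a scanner walking MAC addresses one by one from a LAN phone that simply has no configuration file yet (one miss, no run), which is the false positive a TFTP ban rule needs to tolerate. Either way, as Tim and Victor point out, the count should stay at zero once UDP/69 is unreachable from the public side.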