Re: [asterisk-users] Is there a public blacklist of hackers' IPaddresses?

2009-03-26 Thread randulo
This brings up a side issue. Banks on the Internet have had to provide
a sort of insurance that allows the customer to be protected if
someone hacks in to his or her account. ITSP will need to think
carefully about having a similar policy that protects people from an
attack to the provider, no?

What do those of you who sell these services think about liability?
Has anyone come up with a statement on this?

/r

___
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] Is there a public blacklist of hackers' IPaddresses?

2009-03-26 Thread Gordon Henderson
On Wed, 25 Mar 2009, Zeeshan Zakaria wrote:

 Thanks Gordon for your suggestions and advice. I changed the passwords the same
 day, and was monitoring my system very closely. I also use a non standard
 port for SSH, and also plan to move my SIP port to a non standard one too in
 future. At this time things are ok, but I know that this problem is growing
 very fast, and hackers are after VoIP servers because they can do so much
 with them. I had to present a seminar few weeks ago on VoIP Security
 Threats, and while doing my own research, I was shocked to know how hackers
 are misusing VoIP technology. We definitely need to come up with some really
 good and effective solutions against these threats.

There are other more advanced things you can do with iptables which I've 
been looking at - but the essence is to count/time new connections to a 
particular service from each IP address and if more connections per unit 
of time happen, then apply a temporary block for a bigger period of time.

This works for ssh when you know there are only a small number of people 
who might connect in, but for SIP, you need to check the timings 
carefully, although one thing I've had issues with is Snom phones which 
seem to be overly enthusiastic when the end-user has the wrong password in 
them - they keep trying to register 2 or 3 times a second )-:

Gordon



  
 -- 
 Zeeshan A Zakaria

 On Tue, Mar 24, 2009 at 2:01 PM, Roderick A. Anderson 
 raand...@cyber-office.net wrote:



 Wilton Helm wrote:
 If life were only that simple.  A lot of hacking passes through
 unsuspecting intermediary computers, precisely to hide their tracks, not
 to mention IP spoofing.  People have offered for sale access to 10,000
 computers to use for propagating mischief.  That's a lot of IPs to block!

 I got hacked about six months ago.  They came in through SSH and figured
 out roots password, which was a concatenation of two English words.  I
 presume they did a dictionary search.

 I used to get hit very hard with these type of attacks (hundreds to
 thousands per day) on 25-30 servers until I added some iptables rules to
 REJECT the offending IP for 5 minutes after three unsuccessful attempts
 in 60 seconds.  The attacks typically have dropped to less than five per
 day.

 This means those that need access don't need to make _odd_ changes to
 standard programs' setting and the rules do allow a whitelisting of
 specific IPs.


 \\||/
 Rod
 --
 Then they changed the password,
 replaced some key files and launched a denial of service attack against
 somebody (including compiling the program on my machine)!

 I traced the IP address to a Comcast customer in Indiana or something
 and notified Comcast, but haven't heard anything.  Probably their
 customer never even knew it happened--it was probably a hijacked
 situation.

 Prior to that I had been logging hundreds of robotic attacks a day that
 were unsuccessful!

 I re-installed everything and changed my SSH to a non-standard port and
 used a more robust password.  I haven't had a single hack attempt the
 four months since.  For my purposes, I don't really need SSH on a
 standard port.  That made all the difference in the world.

 Two areas that have had large hacker presences in the past:  Russia and
 China.  A lot of E-Mail spam originates in those two areas, also.  I've
 considered blocking the entire host domain for any provider generating
 spam from those regions, as I have no legitimate business need to
 correspond with people in those regions in general.  However, I suspect
 it might block messages from a few users on this list, and I know it
 would block at least one user from another list I am on.

 Wilton



 





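The rule Gordon and Roderick describe (count new connections from each source inside a short window, block the source for a longer period once the count is exceeded, and exempt trusted hosts) can be written down as a small state machine. The block below is an added example, not code from the list posts: the thresholds (more than 3 new connections in 60 s earns a 300 s block), the whitelisted range and the event timeline are constructed, and the iptables commands are only collected as strings so the logic can be run anywhere without root.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


class RateLimiter:
    """Count new connections per source IP inside a sliding window and
    block the source for a longer period once the count is exceeded."""

    def __init__(self, max_hits, window_s, ban_s, whitelist=()):
        self.max_hits = max_hits            # connections tolerated per window
        self.window_s = window_s            # sliding window length, seconds
        self.ban_s = ban_s                  # how long a temporary block lasts
        self.whitelist = [ip_network(n) for n in whitelist]
        self.hits = defaultdict(deque)      # ip -> timestamps still inside the window
        self.banned_until = {}              # ip -> time at which the block expires
        self.rules = []                     # iptables commands we would run (strings only)

    def _whitelisted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # block has expired: lift it
            del self.banned_until[ip]
            self.rules.append(f"iptables -D INPUT -s {ip} -p udp --dport 5060 -j DROP")
            return False
        return True

    def new_connection(self, ip, now):
        """Record one new connection at time `now` (seconds) and decide what to do."""
        if self._whitelisted(ip):
            return "whitelist"              # trusted hosts are never rate limited
        if self.is_banned(ip, now):
            return "banned"
        window = self.hits[ip]
        window.append(now)
        while window and now - window[0] > self.window_s:
            window.popleft()                # drop hits older than the window
        if len(window) > self.max_hits:
            self.banned_until[ip] = now + self.ban_s
            window.clear()
            self.rules.append(f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP")
            return "ban"
        return "allow"


def simulate():
    """Run constructed events through the limiter: more than 3 new connections
    in 60 s earns a 300 s block; 192.0.2.0/24 is a trusted (whitelisted) range."""
    limiter = RateLimiter(max_hits=3, window_s=60, ban_s=300, whitelist=["192.0.2.0/24"])
    events = [                              # constructed (seconds, source IP) pairs
        (0, "203.0.113.5"), (1, "203.0.113.5"), (2, "203.0.113.5"), (3, "203.0.113.5"),
        (5, "192.0.2.10"), (6, "192.0.2.10"), (7, "192.0.2.10"), (8, "192.0.2.10"),
        (100, "203.0.113.5"),               # still inside the 300 s block
        (303, "203.0.113.5"),               # block has expired, counting starts afresh
    ]
    decisions = [(t, ip, limiter.new_connection(ip, t)) for t, ip in events]
    return decisions, limiter.rules


if __name__ == "__main__":
    for t, ip, decision in simulate()[0]:
        print(f"t={t:>3}s {ip:<14} {decision}")
```

The whitelist matters for exactly the case Gordon raises: a phone that re-registers two or three times a second with a stale password looks, to a pure connection counter, like an attacker, so known phones either go on the whitelist or the SIP thresholds are set far looser than the SSH ones.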

Re: [asterisk-users] Is there a public blacklist of hackers' IPaddresses?

2009-03-26 Thread SIP
randulo wrote:
 This brings up a side issue. Banks on the Internet have had to provide
 a sort of insurance that allows the customer to be protected if
 someone hacks in to his or her account. ITSP will need to think
 carefully about having a similar policy that protects people from an
 attack to the provider, no?

 What do those of you who sell these services think about liability?
 Has anyone come up with a statement on this?

 /r

   

The customer IS protected because it's excellent marketing for the bank
or credit card provider. If someone steals my card number and racks up a
bunch of charges, I'm often not liable for those charges (dependent, of
course, on bank policy).  However, the seller who was duped into selling
those items because the bank approved the charges on the card? They're
simply out of luck. They're charged any relevant charge-back fees AND
are out any fees for services or product losses they may have incurred.
The bank still gets its money.

In the end, SOMEone has to pay.

As an end-point ITSP, I can assure you, it would be us who's assessed
the requisite charges. If someone uses a fraudulent card, we're required
to pay. If someone uses a three letter password on his account, and it's
hacked into and used to rack up charges, we have to pay.

In the purely virtual sense, as we're often selling to people we've
never met via the Internet, it becomes difficult to say with any
certainty if the person who logged into the account and used up the
account's money is a hacker or just the account holder who doesn't want
to own up to the charges. It puts us in a difficult position. 
Obviously, in some cases, this becomes more obvious. If the account
holder is in the UK and the calls come in from China or Nigeria or
Turkey or some such, it would be more likely to be suspect and if the
account holder challenged the charges, we might be more liable to work
with him or her.

However, for the most part, we require a certain 'strength' of password
to be used, and we rely on safeguards and monitors on the site itself to
try and avoid brute force hacks. With no evidence for a brute force
attempt or some other security failure on our side, we're somewhat at
the mercy of logic to assume that calls from a customer's premises using
a customer's account actually came from the customer, and I think we
might be hard pressed to simply ignore said charges.

If the security failure is clearly ours, though, I don't think it would
be at all reasonable to expect the customer to accept responsibility.
I'd be especially wary of a company that blamed the customer for its own
security failings.

-- 
Neil Fusillo
CEO
Infinideas, inc.
http://www.ideasip.com





Re: [asterisk-users] Is there a public blacklist of hackers' IPaddresses?

2009-03-26 Thread randulo
On Thu, Mar 26, 2009 at 1:32 PM, SIP s...@arcdiv.com wrote:
 As an end-point ITSP, I can assure you, it would be us who's assessed
 the requisite charges. If someone uses a fraudulent card, we're required
 to pay. If someone uses a three letter password on his account, and it's
 hacked into and used to rack up charges, we have to pay.

Neil,

It hadn't occurred to me when writing it, but obviously there are
situations that don't match the banking paradigm. For example, suppose
I run my own asterisk, I have a contract with a company like yours and
you have my banking info with an authorization to top up. If the fraud
is someone on the banking end (hacked my card details for example)
that's covered by the bank. But if they brute force hacked my asterisk
install because the extension, the username and the secret are all
'2005' and then make $100k worth of calls, people like lawyers and
judges won't easily see that it's the asterisk install that's
responsible, not your company or even the bank. I wonder what steps
can be taken legally right now to make responsibilities clearer to the
legal world?

I once had a guy break in to my house and call his girlfriend in
Mexico about 50 times in  two weeks. When I called Pacific Bell, the
operator placed a call to the number, the woman (stupidly!) admitted,
yes I know Luis, he calls me all the time and even though the
operator heard this, PB still refused to exempt those charges and go
after the guy.

I closed my PB account and opened a new one under a variation of my name.

/r



Re: [asterisk-users] Is there a public blacklist of hackers' IPaddresses?

2009-03-26 Thread SIP
randulo wrote:
 On Thu, Mar 26, 2009 at 1:32 PM, SIP s...@arcdiv.com wrote:
   
 As an end-point ITSP, I can assure you, it would be us who's assessed
 the requisite charges. If someone uses a fraudulent card, we're required
 to pay. If someone uses a three letter password on his account, and it's
 hacked into and used to rack up charges, we have to pay.
 

 Neil,

 It hadn't occurred to me when writing it, but obviously there are
 situations that don't match the banking paradigm. For example, suppose
 I run my own asterisk, I have a contract with a company like yours and
 you have my banking info with an authorization to top up. If the fraud
 is someone on the banking end (hacked my card details for example)
 that's covered by the bank. But if they brute force hacked my asterisk
 install because the extension, the username and the secret are all
 '2005' and then make $100k worth of calls, people like lawyers and
 judges won't easily see that it's the asterisk install that's
 responsible, not your company or even the bank. I wonder what steps
 can be taken legally right now to make responsibilities clearer to the
 legal world?

 I once had a guy break in to my house and call his girlfriend in
 Mexico about 50 times in  two weeks. When I called Pacific Bell, the
 operator placed a call to the number, the woman (stupidly!) admitted,
 yes I know Luis, he calls me all the time and even though the
 operator heard this, PB still refused to exempt those charges and go
 after the guy.

 I closed my PB account and opened a new one under a variation of my name.

 /r

   

Indeed, the old method of this sort of fraud involved a lineman's
handset or a phone modified with alligator clips to attach to the NID
outside the home of someone not in town, thereby being able to call long
distance on someone else's bill.  I've heard of NO cases in which the
phone company accepted liability for those charges, even if they forgot
to lock the NID itself. For all intents and purposes, it's a
telco-installed back door into your system with poor overall security.

The problem with getting the legal system to understand whose
responsibility this is is a difficult one. Politics and an overall lack
of good, unbiased information has always affected legislation and, as
such, jurisprudence. Politicians neither know nor tend to care about the
finer points of technology and how it may be used. They rely on advisors
to tell them the bullet-point version of any issue before they make a
snap decision on whether it's expedient to back it legislatively. These
advisors are either lobbyists, PACs, or advised by such, and all of them
have an agenda. I can assure you that the agenda of the home or home
business with Asterisk is not heard. Ever.

This leaves a judge to make a decision should it come to court, and it
could go either way, but it would be a messy and expensive battle, and
the decision of the judge would be tempered by what's written into the
law, which right now is hardly kept up to date for modern technologies.

In a situation like ours, we'd be dealing with legal systems in a
variety of countries, which would make things even more complex.

I think step one in this sort of fight is, and has always been, having a
true political voice that can be heard above the din of established
special-interest groups. The VON Coalition was an idea like this, but
it's an incredibly exclusive membership -- designed for companies making
hundreds of millions if not billions a year in revenue. With minimum
annual dues of $10,000 or more, it's quite reasonable as a
semi-democratic organisation for business making $500,000,000 a year.
For smaller companies, it's laughable. And so, the voices heard are the
ones which were heard before -- the ATTs, the British Telecoms, the
Comcasts, and the Verizons of the world. It becomes just another avenue
to get the same political point across.  A second opinion that's
guaranteed to be the same as the first, as it were.

And so, in answer to your question, I don't think there ARE necessarily
steps that can be taken right now to ensure that there's a rational
approach to the resolution of such an issue of fraud. Barring some sort
of major legal precedent, it's going to be anyone's guess how the
verdict comes out in the end.


-- 
Neil Fusillo
CEO
Infinideas, inc.
http://www.ideasip.com





Re: [asterisk-users] Is there a public blacklist of hackers' IPaddresses?

2009-03-26 Thread randulo
On Thu, Mar 26, 2009 at 2:38 PM, SIP s...@arcdiv.com wrote:
 And so, in answer to your question, I don't think there ARE necessarily
 steps that can be taken right now to ensure that there's a rational
 approach to the resolution of such an issue of fraud. Barring some sort
 of major legal precedent, it's going to be anyone's guess how the
 verdict comes out in the end.

Hence the need for all of us, everywhere to step up measures to
prevent as much as possible, the unlawful use of a system. Maybe some
kind of  (optional modular) monitor or engine could be built for the
asterisk platform to at least send alerts when it deduces suspicious
activity?

r



Re: [asterisk-users] Is there a public blacklist of hackers' IPaddresses?

2009-03-26 Thread ContactTel Business
Yes, I agree with this!

People are stupid and or stressed like hell , jumping head first in crap and
then forgetting about what they just said or done.

They Google some crap question, copy/paste the first result
dialplan/sip.conf stanza etc.. and assume it will work..

<lol>It's open source, ain't it? It should be as easy as building cities with
Legos...</lol>

So then comes in the problems, instead of understanding the core of the
problem at hand, they jump to quick answers and solutions, which of course
are usually 90% wrong... Google is not an encyclopaedia.. it's an archive of
everyone's thoughts, and notes.

So now you got extension 123 pass 123 context default, where context default
-> include demo... include ld, include International...

Every hacker out there has the tools to check for those, and of course when
the server answers with invalid password instead of something else, it gives
them a hint that 123 is in fact an extension.. they won't BRUTE force
anything, there's so many open SIP boxes out there, it's scary...

It's a vicious circle, people don't learn , so apps like trixbox etc make it
easier for them , which in turns opens up the problems..

Then again, are we asking Mr. Smith to learn networking security fundamentals?
Programming habits, etc.?

This is a tool that was made for developers by developers, went mainstream ,
making cash , and now it's a commercial swiss army knife with no crowd
control.

I really like the default #REMOVE ME in some apps to make something work..
as i am too really used to start the damn app without even looking at most
of it.

But once you get hit.. you will get hit hard, and then comes the learning...

Seems that's the society these days.

Contacttel Support

-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of randulo
Sent: March-26-09 9:03 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Is there a public blacklist of hackers'
IPaddresses?

On Thu, Mar 26, 2009 at 1:32 PM, SIP s...@arcdiv.com wrote:
 As an end-point ITSP, I can assure you, it would be us who's assessed
 the requisite charges. If someone uses a fraudulent card, we're required
 to pay. If someone uses a three letter password on his account, and it's
 hacked into and used to rack up charges, we have to pay.

Neil,

It hadn't occurred to me when writing it, but obviously there are
situations that don't match the banking paradigm. For example, suppose
I run my own asterisk, I have a contract with a company like yours and
you have my banking info with an authorization to top up. If the fraud
is someone on the banking end (hacked my card details for example)
that's covered by the bank. But if they brute force hacked my asterisk
install because the extension, the username and the secret are all
'2005' and then make $100k worth of calls, people like lawyers and
judges won't easily see that it's the asterisk install that's
responsible, not your company or even the bank. I wonder what steps
can be taken legally right now to make responsibilities clearer to the
legal world?

I once had a guy break in to my house and call his girlfriend in
Mexico about 50 times in  two weeks. When I called Pacific Bell, the
operator placed a call to the number, the woman (stupidly!) admitted,
yes I know Luis, he calls me all the time and even though the
operator heard this, PB still refused to exempt those charges and go
after the guy.

I closed my PB account and opened a new one under a variation of my name.

/r


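The "extension 123, secret 123, context default" configuration above, and the point that a server answering differently for existing and non-existing users lets valid extensions be picked out, are both things a script can catch before the box goes live. The block below is an added example, not code from the list or from the Asterisk project: the sip.conf text is constructed, the parser is a minimal one written for this example, and the audit rules are my own reading of the thread (treating a missing `alwaysauthreject` as "no" and a missing `allowguest` as "yes", which were the chan_sip defaults of that era, is an assumption to check against the version in use).

```python
SAMPLE_SIP_CONF = """\
; constructed sample, not a real configuration
[general]
context=default
allowguest=yes
;alwaysauthreject=yes   <- commented out, so the default applies

[123]
type=friend
secret=123
context=default
host=dynamic

[2001]
type=friend
secret=Xk7.pq9Lm2vR
context=internal
host=dynamic
permit=10.0.0.0/255.255.255.0
"""


def parse_sip_conf(text):
    """Minimal parser for Asterisk's INI-like sip.conf: sections, key=value,
    ';' comments.  Repeated keys (allow=, permit=, ...) are kept as lists."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].setdefault(key, []).append(value)
    return sections


def first(section, key, default=None):
    """First value of a key, or the default when the key is absent."""
    return section.get(key, [default])[0]


def audit_sip_conf(text):
    """Return (section, finding) pairs for the weaknesses discussed in the thread."""
    conf = parse_sip_conf(text)
    findings = []
    general = conf.get("general", {})
    if first(general, "alwaysauthreject", "no").lower() != "yes":
        findings.append(("general", "alwaysauthreject is not 'yes': failed REGISTERs for existing and "
                                    "non-existing peers get different replies, so valid usernames stand out"))
    if first(general, "allowguest", "yes").lower() == "yes":
        findings.append(("general", "allowguest is 'yes': unauthenticated calls land in the default context"))
    default_context = first(general, "context", "default")
    for name, peer in conf.items():
        if name == "general" or first(peer, "type") not in ("friend", "peer", "user"):
            continue
        secret = first(peer, "secret", "")
        if not secret:
            findings.append((name, "no secret set"))
        elif secret == name:
            findings.append((name, "secret is identical to the peer name"))
        if secret and (secret.isdigit() or len(secret) < 8):
            findings.append((name, "secret is numeric-only or shorter than 8 characters"))
        if first(peer, "context", default_context) == "default":
            findings.append((name, "peer lands in context 'default'; give it its own restricted context"))
        if first(peer, "host") == "dynamic" and not (peer.get("permit") or peer.get("deny")):
            findings.append((name, "dynamic host with no permit/deny restriction"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_sip_conf(SAMPLE_SIP_CONF):
        print(f"[{section}] {finding}")
```

Run against the constructed file, `[general]` and `[123]` produce findings and `[2001]` is clean; the same parser can be pointed at a real `/etc/asterisk/sip.conf` as a pre-deployment check.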

Re: [asterisk-users] Is there a public blacklist of hackers' IPaddresses?

2009-03-26 Thread SIP
randulo wrote:
 On Thu, Mar 26, 2009 at 2:38 PM, SIP s...@arcdiv.com wrote:
   
 And so, in answer to your question, I don't think there ARE necessarily
 steps that can be taken right now to ensure that there's a rational
 approach to the resolution of such an issue of fraud. Barring some sort
 of major legal precedent, it's going to be anyone's guess how the
 verdict comes out in the end.
 

 Hence the need for all of us, everywhere to step up measures to
 prevent as much as possible, the unlawful use of a system. Maybe some
 kind of  (optional modular) monitor or engine could be built for the
 asterisk platform to at least send alerts when it deduces suspicious
 activity?

 r

   

There are generally two approaches to this. Neither is necessarily
'correct,' but one is considerably less unwise.

The first approach is the current approach:   build software with little
thought to how it will be secured, opting for all the work of securing
the product once it's been implemented to come down to a requirement for
the deployer to both know and, more importantly, understand good
security practices. This has a value for enthusiasts because many of
them will be running the service just in a home network or test
environment, and it lets them get things up and running without worrying
about all the little issues that might get in the way of a
quickly-deployed system. It's essentially like choosing 'install
everything' on a linux install and opting to have no firewall. It's
wonderfully easy to deploy and there are no weird rules getting in the
way of using the system immediately.

It's also a really REALLY (I can't stress how strongly enough) bad idea
if you're building a product that is deployed by more than just
enthusiasts and will ever be in any remote way tied to someone's
finances (including, but not limited to, telephone access charges,
bandwidth fees, etc).

The second approach is to build the product to be as secure as it can
possibly be right out of the box, and require those deploying it to
essentially remove levels of security in order to get things working in
a particular environment. This also requires a certain knowledge of
security practices, and it relies on those deploying the product to
understand that the errors they may be seeing on deployment are likely
to do with security feature X or Y. This takes time and a lot of work,
because every component of the system has to be hardened and tested to
ensure a seamless security model throughout without worries about
incompatibilities in the basic security model between modules of a
complex system. It also makes the system harder to deploy out of the box
because it requires tailoring for the specific environment not just to
handle a different user base, but also simply to work.

I think there's a lot of push back on this sort of model for something
like Asterisk because people feel that security should be this nebulous
thing that exists 'somewhere else.'   But in reality, security starts
with the software itself and works outward. Just as you can't build a
stable house on an unstable foundation, any weak link in the security
chain is an invitation to disrupt the entire system with an exploit. And
the weak link in MANY systems when it comes to security is the knowledge
of the person deploying it.

I believe a certain level of high grade security should certainly be
built into Asterisk, and that it should have an overall security model,
as well as documentation discussing the security of the system and the
parameters that accompany it. Not only would this alleviate the concerns
of many people deploying, but it would be excellent marketing. Have you
seen the number of cars that advertise their side-impact air bags,
safety rating, and other such features? Nothing will keep a person from
killing himself in a car if he chooses not to wear a seatbelt and drive
unsafely in heavy traffic. But if he's in a car without seatbelts? Or
with a horrible crash test rating? Chances are he may end up getting
hurt anyway. Even if he makes sure he drives carefully.


-- 
Neil Fusillo
CEO
Infinideas, inc.
http://www.ideasip.com






Re: [asterisk-users] Is there a public blacklist of hackers' IPaddresses?

2009-03-26 Thread randulo
On Thu, Mar 26, 2009 at 4:19 PM, SIP s...@arcdiv.com wrote:
 The first approach is the current approach:   build software with little
 thought to how it will be secured, opting for all the work of securing

What about SIP itself? Does it provide enough crypto to be solid? Or
is that handled only by the layer above it?

/r



Re: [asterisk-users] Is there a public blacklist of hackers' IPaddresses?

2009-03-26 Thread Dan Austin
Gordon wrote:
 There are other more advanced things you can do with iptables which I've
 been looking at - but the esence is to count/time new connections to a
 particular service from each IP address and if more connections per unit
 of time happen, then apply a temporary block for a bigger period of time.

 This works for ssh when you know there are only a small number of people
 who might connect in, but for SIP, you need to check the timings
 carefully, although one thing I've had issues with is Snom phones which
 seem to be overly enthusiastic when the end-user has the wrong password in
 them - they keep trying to register 2 or 3 times a second )-:

A few years ago I noticed and quickly became annoyed by the volume
of dictionary attacks on my home server.  No one broke in, but the logs
were becoming useless.  Since installing it my logs are once again
readable, and I have a nice long list of naughty addresses in my
iptables DROP table.

I found a package called sshdfilter that can add and remove iptables rules
based on a number of conditions:
1.  Invalid username - block immediately
2.  Valid username w/invalid password - block after x attempts
It supports white-listing so that a slip of the finger does not lock
you out from a trusted host.

The setup is fairly simple and system load is minimal.  The package
works by parsing syslog messages, and it appears that it could be extended
to cover VoIP attacks, as long as the system is logging failed authentication
attempts.

Dan


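Dan's two sshdfilter conditions (unknown username: block at once; known username with a wrong password: block after x attempts, with a whitelist for trusted hosts) extend naturally to Asterisk's own failed-registration messages, as he suggests. The block below is an added example, not sshdfilter's code and not from the list: the log lines are constructed, in the wording OpenSSH uses and in the chan_sip NOTICE format of Asterisk 1.4/1.6, and the iptables commands are collected as strings rather than executed.

```python
import re
from collections import Counter

# Patterns for the failure messages we act on.  Order matters: the sshd
# "invalid user" pattern must come before the generic "Failed password" one.
PATTERNS = [
    ("ssh", "invalid_user", re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")),
    ("ssh", "invalid_user", re.compile(r"sshd\[\d+\]: Failed password for invalid user (\S+) from (\S+)")),
    ("ssh", "bad_password", re.compile(r"sshd\[\d+\]: Failed password for (\S+) from (\S+)")),
    ("sip", "bad_password", re.compile(r"chan_sip\.c: Registration from '(.*?)' failed for '([\d.]+)' - Wrong password")),
    ("sip", "invalid_user", re.compile(r"chan_sip\.c: Registration from '(.*?)' failed for '([\d.]+)' - No matching peer found")),
]


def parse_line(line):
    """Return (service, kind, user, ip) for a failed-auth line, else None."""
    for service, kind, pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            user, ip = m.group(1), m.group(2)
            if service == "sip":            # '"123" <sip:123@host>' -> 123
                user = re.match(r'"?([^"<\s]*)', user).group(1)
            return service, kind, user, ip
    return None


class LogBlocker:
    """sshdfilter-style policy: unknown usernames are blocked at once, known
    usernames with a wrong password after `max_bad` failures; whitelisted
    hosts are never blocked (a typo from a trusted host must not lock you out)."""

    def __init__(self, max_bad=3, whitelist=()):
        self.max_bad = max_bad
        self.whitelist = set(whitelist)
        self.bad_counts = Counter()         # ip -> wrong-password failures seen
        self.blocked = {}                   # ip -> reason it was blocked
        self.rules = []                     # iptables commands we would run (strings only)

    def _block(self, ip, reason):
        self.blocked[ip] = reason
        self.rules.append(f"iptables -A INPUT -s {ip} -j DROP")

    def feed(self, line):
        parsed = parse_line(line)
        if parsed is None:
            return None                     # not a failed-auth line
        service, kind, user, ip = parsed
        if ip in self.whitelist:
            return "whitelist"
        if ip in self.blocked:
            return "already-blocked"
        if kind == "invalid_user":
            self._block(ip, f"{service}: unknown user {user!r}")
            return "block"
        self.bad_counts[ip] += 1
        if self.bad_counts[ip] >= self.max_bad:
            self._block(ip, f"{service}: {self.bad_counts[ip]} wrong passwords for {user!r}")
            return "block"
        return "count"


SAMPLE_LOG = [                              # constructed sample lines
    "Mar 26 10:01:02 pbx sshd[2210]: Invalid user admin from 203.0.113.9",
    "Mar 26 10:01:05 pbx sshd[2212]: Failed password for root from 198.51.100.4 port 51234 ssh2",
    "Mar 26 10:01:07 pbx sshd[2213]: Failed password for invalid user oracle from 203.0.113.9 port 40000 ssh2",
    "[Mar 26 10:02:01] NOTICE[3001] chan_sip.c: Registration from '\"123\" <sip:123@10.0.0.5>' failed for '203.0.113.20' - Wrong password",
    "[Mar 26 10:02:02] NOTICE[3001] chan_sip.c: Registration from '\"123\" <sip:123@10.0.0.5>' failed for '203.0.113.20' - Wrong password",
    "[Mar 26 10:02:03] NOTICE[3001] chan_sip.c: Registration from '\"123\" <sip:123@10.0.0.5>' failed for '203.0.113.20' - Wrong password",
    "[Mar 26 10:02:09] NOTICE[3001] chan_sip.c: Registration from '\"9999\" <sip:9999@10.0.0.5>' failed for '203.0.113.21' - No matching peer found",
    "Mar 26 10:03:00 pbx sshd[2220]: Failed password for root from 192.0.2.10 port 50000 ssh2",
    "Mar 26 10:03:30 pbx CRON[2230]: (root) CMD (run-parts /etc/cron.hourly)",
]


def run_sample():
    """Feed the constructed log through the policy with 192.0.2.10 trusted."""
    blocker = LogBlocker(max_bad=3, whitelist={"192.0.2.10"})
    decisions = [blocker.feed(line) for line in SAMPLE_LOG]
    return decisions, blocker


if __name__ == "__main__":
    decisions, blocker = run_sample()
    for line, decision in zip(SAMPLE_LOG, decisions):
        print(f"{decision!s:<16} {line[:70]}")
    print(blocker.rules)
```

The SIP "No matching peer found" line is the Asterisk counterpart of sshd's "Invalid user", so it gets the immediate block; the three "Wrong password" lines from one host trip the threshold, while the failure from the trusted host is only reported.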

Re: [asterisk-users] Is there a public blacklist of hackers' IPaddresses?

2009-03-26 Thread SIP
randulo wrote:
 On Thu, Mar 26, 2009 at 4:19 PM, SIP s...@arcdiv.com wrote:
   
 The first approach is the current approach:   build software with little
 thought to how it will be secured, opting for all the work of securing
 

 What about SIP itself? Does it provide enough crypto to be solid? Or
 is that handled only by the layer above it?

 /r


SIP CAN be reasonably secure, but it suffers from some inherent issues
in the protocol for which things like TLS and the like were developed. 

It's still comparatively new, and it's a draft that I think needs some
work.  But it also suffers from an increasing amount of competition from
upstarts that are trying to muddy the field somewhat (IAX, Jingle, etc.)
and position themselves as the 'new' and 'better' way to address
communication. This detracts from a unified methodology -- even if only
somewhat.

SIP is, for all intents and purposes, as secure as vanilla SMTP email.
In fact, SIP was designed to closely resemble a combination of SMTP and
HTTP to make it easy to implement and process. However, like both SMTP
and HTTP, I think what SIP needs is a solid roll out of a secure layer
over and above the MD5 hashes commonly used to pass passwords -- but
that isn't really necessary to secure the protocol from
password-sniffing ne'er-do-wells who are out to steal your accounts.

SIP was written in such a way that the hashes it sends for passwords
could, with only a trivial rewrite of the server code, be SHA1 instead
of MD5 -- which would increase security to the level that, currently, it
would be far more trouble than it's worth to even bother to attempt to
crack.

For keeping people out of your paid accounts, this would make SIP quite
secure.  The only issue most people have with SIP at the moment is that,
if you're sniffing the network, you can read the SIP messages
themselves, even if you can't crack the passwords, so even with SRTP or
some other form of RTP encryption to protect the voice, your basic
privacy is still at risk.

But to protect money? I think SIP is perfectly fine even without TLS. It
just needs a change in commonly-used password hashing to alleviate the
concerns people have with the breakability of MD5.



-- 
Neil Fusillo
CEO
Infinideas, inc.
http://www.ideasip.com




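What SIP actually sends for a password is a digest response, and the server can verify it from a stored HA1 value without keeping the plaintext secret (Asterisk's `md5secret=` option holds exactly that value). The block below is an added example, not Asterisk's code and not from the list: it implements the RFC 2617 response without qop, which is what phones of that era sent, with the hash function as a parameter so the same code runs with MD5 or SHA-256; the realm, user and secret are constructed. Two server-side details worth seeing are that nonces are single use (so a captured response cannot simply be replayed) and that an unknown user costs the same work as a known one.

```python
import hashlib
import hmac
import secrets


def digest_ha1(user, realm, password, algo="md5"):
    """HA1 = H(user:realm:password); this is what a server can store
    instead of the password (Asterisk's md5secret= is exactly this value)."""
    return hashlib.new(algo, f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1, method, uri, nonce, algo="md5"):
    """response = H(HA1:nonce:HA2) with HA2 = H(method:uri): the RFC 2617
    form without qop.  The password itself never goes on the wire."""
    ha2 = hashlib.new(algo, f"{method}:{uri}".encode()).hexdigest()
    return hashlib.new(algo, f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


class DigestVerifier:
    """Server side of SIP digest authentication with single-use nonces."""

    def __init__(self, realm, algo="md5"):
        self.realm = realm
        self.algo = algo
        self.ha1_by_user = {}               # user -> HA1 hex; no plaintext passwords kept
        self.outstanding = set()            # nonces issued and not yet consumed
        # HA1 of a nonexistent account, so unknown users cost the same work as known ones
        self.decoy_ha1 = digest_ha1("", realm, secrets.token_hex(16), algo)

    def add_user(self, user, password):
        self.ha1_by_user[user] = digest_ha1(user, self.realm, password, self.algo)

    def challenge(self):
        """Issue a fresh, unpredictable nonce for the 401/407 challenge."""
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, response):
        if nonce not in self.outstanding:
            return False                    # never issued, or already used: a replay
        self.outstanding.discard(nonce)     # nonces are single use
        ha1 = self.ha1_by_user.get(user, self.decoy_ha1)
        expected = digest_response(ha1, method, uri, nonce, self.algo)
        # constant-time comparison; True only for a known user with the right secret
        return hmac.compare_digest(expected, response) and user in self.ha1_by_user


def demo(algo="md5"):
    """One REGISTER exchange plus three failure cases; returns the four verdicts."""
    server = DigestVerifier("asterisk", algo)
    server.add_user("2001", "Xk7.pq9Lm2vR")            # constructed credentials
    uri = "sip:asterisk"
    nonce = server.challenge()
    good = digest_response(digest_ha1("2001", "asterisk", "Xk7.pq9Lm2vR", algo),
                           "REGISTER", uri, nonce, algo)
    first = server.verify("2001", "REGISTER", uri, nonce, good)
    replayed = server.verify("2001", "REGISTER", uri, nonce, good)
    nonce2 = server.challenge()
    bad = digest_response(digest_ha1("2001", "asterisk", "2001", algo), "REGISTER", uri, nonce2, algo)
    wrong_password = server.verify("2001", "REGISTER", uri, nonce2, bad)
    nonce3 = server.challenge()
    stranger = digest_response(digest_ha1("9999", "asterisk", "x", algo), "REGISTER", uri, nonce3, algo)
    unknown_user = server.verify("9999", "REGISTER", uri, nonce3, stranger)
    return first, replayed, wrong_password, unknown_user


if __name__ == "__main__":
    print("md5:   ", demo("md5"))
    print("sha256:", demo("sha256"))
```

Swapping the hash changes nothing about the structure of the exchange: whatever the algorithm, the response is a deterministic function of the secret, so the guessability of the secret, not the choice of MD5 versus SHA-1, is what decides whether a captured exchange gives anything away.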

Re: [asterisk-users] Is there a public blacklist of hackers' IPaddresses?

2009-03-26 Thread J. Oquendo

http://www.google.com/search?q=asterisk+brute+force+prevention
http://etel.wiki.oreilly.com/wiki/index.php/Asterisk_Brute_Force_Prevention

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

Enough research will tend to support your
conclusions. - Arthur Bloch

A conclusion is the place where you got
tired of thinking - Arthur Bloch

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x5CCD6B5E




Re: [asterisk-users] Is there a public blacklist of hackers' IPaddresses?

2009-03-26 Thread Matt Riddell
On 27/03/2009 3:32 a.m., randulo wrote:
 On Thu, Mar 26, 2009 at 2:38 PM, SIPs...@arcdiv.com  wrote:
 And so, in answer to your question, I don't think there ARE necessarily
 steps that can be taken right now to ensure that there's a rational
 approach to the resolution of such an issue of fraud. Barring some sort
 of major legal precedent, it's going to be anyone's guess how the
 verdict comes out in the end.

 Hence the need for all of us, everywhere to step up measures to
 prevent as much as possible, the unlawful use of a system. Maybe some
 kind of  (optional modular) monitor or engine could be built for the
 asterisk platform to at least send alerts when it deduces suspicious
 activity?

There are a few options we use here.

1. Snort with SIP rules - detects brute forces, floods etc - just a 
notification

2. fail2ban - blocks hosts who attack at the iptables level

3. exception reporting - our billing sends SMS messages if a customer 
uses a lot more than their average spend - i.e. if they normally spend 
$10 a month and they have just spent $20 in ten minutes then an SMS is 
sent - while this isn't conclusive, it does warn you that something 
might be going on.

-- 
Kind Regards,

Matt Riddell
Director
___

http://www.venturevoip.com (Great new VoIP end to end solution)
http://www.venturevoip.com/news.php (Daily Asterisk News - html)
http://www.venturevoip.com/newrssfeed.php (Daily Asterisk News - rss)


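Matt's third option, exception reporting on spend, is the one that catches fraud even when the attacker has a valid password and comes from a clean address. The block below is an added example, not VentureVoIP's billing code: it keeps a ten-minute sliding window of rated calls per customer and raises an alert when the window's total exceeds the customer's usual monthly spend (the $10 a month versus $20 in ten minutes case), with a cooldown so one incident does not send a burst of SMS messages. The monthly baselines and the call records are constructed; the alert text is collected in a list in place of an SMS gateway.

```python
from collections import defaultdict, deque


class SpendMonitor:
    """Alert when a customer's spend inside a short sliding window exceeds a
    multiple of what they normally spend in a whole month."""

    def __init__(self, monthly_average, window_s=600, multiplier=1.0, cooldown_s=3600):
        self.monthly_average = monthly_average  # customer -> usual monthly spend (from billing history)
        self.window_s = window_s                # e.g. ten minutes
        self.multiplier = multiplier            # window spend / monthly average that triggers an alert
        self.cooldown_s = cooldown_s            # don't page about the same customer again within this time
        self.window = defaultdict(deque)        # customer -> (time, cost) records inside the window
        self.last_alert = {}                    # customer -> time of last alert
        self.alerts = []                        # messages that would go out by SMS

    def record_call(self, customer, when, cost):
        """Feed one rated call; return the alert text if one was raised, else None."""
        calls = self.window[customer]
        calls.append((when, cost))
        while calls and when - calls[0][0] > self.window_s:
            calls.popleft()                      # forget calls older than the window
        spent = sum(c for _, c in calls)
        baseline = self.monthly_average.get(customer)
        if baseline is None:
            return None                          # new customer: no history to compare against
        if spent <= self.multiplier * baseline:
            return None
        last = self.last_alert.get(customer)
        if last is not None and when - last < self.cooldown_s:
            return None                          # already alerted recently
        self.last_alert[customer] = when
        msg = (f"customer {customer}: ${spent:.2f} in the last {self.window_s // 60} min "
               f"vs usual ${baseline:.2f}/month")
        self.alerts.append(msg)
        return msg


def run_sample():
    """Constructed history: 'acme' normally spends $10/month, 'bigco' $500/month."""
    monitor = SpendMonitor({"acme": 10.0, "bigco": 500.0})
    calls = [                                   # constructed (customer, seconds, cost) records
        ("acme", 0, 3.0), ("acme", 120, 4.0), ("acme", 300, 6.0),  # $13 in five minutes
        ("acme", 360, 2.0),                                        # still over, but in cooldown
        ("bigco", 100, 15.0), ("bigco", 200, 12.0),                # normal for a $500/month customer
        ("newco", 50, 40.0),                                       # no baseline yet
    ]
    results = [monitor.record_call(c, t, cost) for c, t, cost in calls]
    return results, monitor.alerts


if __name__ == "__main__":
    for msg in run_sample()[1]:
        print("SMS:", msg)
```

As Matt says, the alert is not conclusive on its own; its value is that it fires within minutes rather than at the end of the billing cycle, which for the $100k scenario earlier in the thread is the difference that matters.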

Re: [asterisk-users] Is there a public blacklist of hackers' IPaddresses?

2009-03-26 Thread Dave Platt
 SIP was written in such a way that the hashes it sends for passwords
 could, with only a trivial rewrite of the server code, be SHA1 instead
 of MD5 -- which would increase security to the level that, currently, it
 would be far more trouble than it's worth to even bother to attempt to
 crack.

I strongly doubt that the known weaknesses in the MD5 hash are
the weak point in SIP account security.

Weak passwords are almost certainly much more of a problem.  Performing
a dictionary attack is going to be a lot faster than attempting
a brute-force mathematical attack against MD5... and switching from
MD5 to SHA-1 provides no significant defense against dictionary
attacks.

The only good way to keep passwords secure against dictionary attacks
is to make sure that the passwords aren't guessable by that means...
no common words, no names, no simple permutations or birthdates or
anything like that.  Use a decent random-number generator and
number-to-character conversion algorithm to generate SIP passwords
that are sufficiently long and very dtr8fbwf_==...@\.-+!n$ and you'll
be well defended.



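The advice above (a decent random-number generator plus a number-to-character conversion, long enough that a dictionary attack is pointless) is what the following added example implements. It is not code from the post or from Asterisk: it draws SIP secrets from Python's `secrets` module, reports the entropy a given length buys, and rejects the one shape a dictionary attack tries first, a single word or two words glued together. The character set and the small wordlist are constructed for the example; a real deployment would load a full dictionary.

```python
"""Generate SIP secrets from a CSPRNG and screen them against a wordlist.

Added example, not the post's own code.  WORDS is a constructed stand-in for
a real dictionary; load one (e.g. /usr/share/dict/words) in practice.
"""
import math
import secrets
import string

# Characters that are safe to write unquoted on a sip.conf `secret=` line:
# ';' and '#' are left out because they start comments in Asterisk configs.
ALPHABET = string.ascii_letters + string.digits + "_-+!@$"

# Constructed stand-in for a dictionary.
WORDS = {"blue", "house", "sip", "voice", "asterisk", "password"}


def generate_sip_secret(length=20):
    """Return `length` characters drawn uniformly from ALPHABET by a CSPRNG."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy in bits of a uniformly random string of this length and alphabet."""
    return length * math.log2(len(alphabet))


def is_dictionary_like(password, words=WORDS):
    """True if the letters of the password form one word or two words joined.

    Case, digits and symbols are ignored, since 'BlueHouse42' is still the
    first kind of guess a dictionary attack makes (the 'two English words'
    root password mentioned elsewhere in this thread is exactly this shape).
    """
    letters = "".join(ch for ch in password.lower() if ch.isalpha())
    if not letters:
        return False
    if letters in words:
        return True
    return any(letters[:i] in words and letters[i:] in words
               for i in range(1, len(letters)))


def new_secret(length=20, words=WORDS):
    """Generate secrets until one passes the wordlist screen (almost always the first)."""
    while True:
        candidate = generate_sip_secret(length)
        if not is_dictionary_like(candidate, words):
            return candidate


if __name__ == "__main__":
    print("secret:", new_secret())
    print("entropy of a 20-char secret: %.1f bits" % entropy_bits(20))
```

Twenty characters from a 68-symbol alphabet is over 120 bits, so guessing is not the attacker's route; the screen only catches the case where an administrator typed the secret by hand instead of generating it.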


Re: [asterisk-users] Is there a public blacklist of hackers' IPaddresses?

2009-03-26 Thread SIP
Dave Platt wrote:
 SIP was written in such a way that the hashes it sends for passwords
 could, with only a trivial rewrite of the server code, be SHA1 instead
 of MD5 -- which would increase security to the level that, currently, it
 would be far more trouble than it's worth to even bother to attempt to
 crack.
 

 I strongly doubt that the known weaknesses in the MD5 hash are
 the weak point in SIP account security.

 Weak passwords are almost certainly much more of a problem.  Performing
 a dictionary attack is going to be a lot faster than attempting
 a brute-force mathematical attack against MD5... and switching from
 MD5 to SHA-1 provides no significant defense against dictionary
 attacks.

 The only good way to keep passwords secure against dictionary attacks
 is to make sure that the passwords aren't guessable by that means...
 no common words, no names, no simple permutations or birthdates or
 anything like that.  Use a decent random-number generator and
 number-to-character conversion algorithm to generate SIP passwords
 that are sufficiently long and very dtr8fbwf_==...@\.-+!n$ and you'll
 be well defended.


   

I'm referring to the weak link in the SIP protocol. Not in Asterisk's 
SIP accounts.  The question was whether or not SIP itself was secure.

-- 
Neil Fusillo
CEO
Infinideas, inc.
http://www.ideasip.com





Re: [asterisk-users] Is there a public blacklist of hackers' IPaddresses?

2009-03-25 Thread Zeeshan Zakaria
Thanks Gordon for your suggestions and advice. I changed the passwords the same
day, and was monitoring my system very closely. I also use a non-standard
port for SSH, and also plan to move my SIP port to a non-standard one too in
future. At this time things are ok, but I know that this problem is growing
very fast, and hackers are after VoIP servers because they can do so much
with them. I had to present a seminar a few weeks ago on VoIP Security
Threats, and while doing my own research, I was shocked to learn how hackers
are misusing VoIP technology. We definitely need to come up with some really
good and effective solutions against these threats.

-- 
Zeeshan A Zakaria

On Tue, Mar 24, 2009 at 2:01 PM, Roderick A. Anderson 
raand...@cyber-office.net wrote:



 Wilton Helm wrote:
  If life were only that simple.  A lot of hacking passes through
  unsuspecting intermediary computers, precisely to hide their tracks, not
  to mention IP spoofing.  People have offered for sale access to 10,000
  computers to use for propagating mischief.  That's a lot of IPs to block!
 
  I got hacked about six months ago.  They came in through SSH and figured
  out root's password, which was a concatenation of two English words.  I
  presume they did a dictionary search.

 I used to get hit very hard with these types of attacks (hundreds to
 thousands per day) on 25-30 servers until I added some iptables rules to
 REJECT the offending IP for 5 minutes after three unsuccessful attempts
 in 60 seconds.  The attacks typically have dropped to less than five per
 day.

 This means those that need access don't need to make _odd_ changes to
 standard programs' settings and the rules do allow a whitelisting of
 specific IPs.


 \\||/
 Rod
 --
  Then they changed the password,
  replaced some key files and launched a denial of service attack against
  somebody (including compiling the program on my machine)!
 
  I traced the IP address to a Comcast customer in Indiana or something
  and notified Comcast, but haven't heard anything.  Probably their
  customer never even knew it happened--it was probably a hijacked
 situation.
 
  Prior to that I had been logging hundreds of robotic attacks a day that
  were unsuccessful!
 
  I re-installed everything and changed my SSH to a non-standard port and
  used a more robust password.  I haven't had a single hack attempt the
  four months since.  For my purposes, I don't really need SSH on a
  standard port.  That made all the difference in the world.
 
  Two areas that have had large hacker presences in the past:  Russia and
  China.  A lot of E-Mail spam originates in those two areas, also.  I've
  considered blocking the entire host domain for any provider generating
  spam from those regions, as I have no legitimate business need to
  correspond with people in those regions in general.  However, I suspect
  it might block messages from a few users on this list, and I know it
  would block at least one user from another list I am on.
 
  Wilton
 
 
 
  
 


Re: [asterisk-users] Is there a public blacklist of hackers' IPaddresses?

2009-03-24 Thread Wilton Helm
If life were only that simple.  A lot of hacking passes through unsuspecting 
intermediary computers, precisely to hide their tracks, not to mention IP 
spoofing.  People have offered for sale access to 10,000 computers to use for 
propagating mischief.  That's a lot of IPs to block!

I got hacked about six months ago.  They came in through SSH and figured out 
root's password, which was a concatenation of two English words.  I presume they 
did a dictionary search.  Then they changed the password, replaced some key 
files and launched a denial of service attack against somebody (including 
compiling the program on my machine)!

I traced the IP address to a Comcast customer in Indiana or something and 
notified Comcast, but haven't heard anything.  Probably their customer never 
even knew it happened--it was probably a hijacked situation.

Prior to that I had been logging hundreds of robotic attacks a day that were 
unsuccessful!

I re-installed everything and changed my SSH to a non-standard port and used a 
more robust password.  I haven't had a single hack attempt the four months 
since.  For my purposes, I don't really need SSH on a standard port.  That made 
all the difference in the world.

Two areas that have had large hacker presences in the past:  Russia and China.  
A lot of E-Mail spam originates in those two areas, also.  I've considered 
blocking the entire host domain for any provider generating spam from those 
regions, as I have no legitimate business need to correspond with people in 
those regions in general.  However, I suspect it might block messages from a 
few users on this list, and I know it would block at least one user from 
another list I am on.

Wilton

Re: [asterisk-users] Is there a public blacklist of hackers' IPaddresses?

2009-03-24 Thread Roderick A. Anderson


Wilton Helm wrote:
 If life were only that simple.  A lot of hacking passes through 
 unsuspecting intermediary computers, precisely to hide their tracks, not 
 to mention IP spoofing.  People have offered for sale access to 10,000 
 computers to use for propagating mischief.  That's a lot of IPs to block!
  
 I got hacked about six months ago.  They came in through SSH and figured 
 out root's password, which was a concatenation of two English words.  I 
 presume they did a dictionary search. 

I used to get hit very hard with these types of attacks (hundreds to 
thousands per day) on 25-30 servers until I added some iptables rules to 
REJECT the offending IP for 5 minutes after three unsuccessful attempts 
in 60 seconds.  The attacks typically have dropped to less than five per 
day.

This means those that need access don't need to make _odd_ changes to 
standard programs' settings and the rules do allow a whitelisting of 
specific IPs.


\\||/
Rod
-- 
 Then they changed the password, 
 replaced some key files and launched a denial of service attack against 
 somebody (including compiling the program on my machine)!
  
 I traced the IP address to a Comcast customer in Indiana or something 
 and notified Comcast, but haven't heard anything.  Probably their 
 customer never even knew it happened--it was probably a hijacked situation.
  
 Prior to that I had been logging hundreds of robotic attacks a day that 
 were unsuccessful!
  
 I re-installed everything and changed my SSH to a non-standard port and 
 used a more robust password.  I haven't had a single hack attempt the 
 four months since.  For my purposes, I don't really need SSH on a 
 standard port.  That made all the difference in the world.
  
 Two areas that have had large hacker presences in the past:  Russia and 
 China.  A lot of E-Mail spam originates in those two areas, also.  I've 
 considered blocking the entire host domain for any provider generating 
 spam from those regions, as I have no legitimate business need to 
 correspond with people in those regions in general.  However, I suspect 
 it might block messages from a few users on this list, and I know it 
 would block at least one user from another list I am on.
  
 Wilton
  
 
 
 
 

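Rod's rule (three unsuccessful attempts in 60 seconds, then a 5 minute REJECT, with whitelisted addresses exempt) is the same policy fail2ban applies from the log side, as mentioned earlier in the thread. The following is an added example of that decision logic, not Rod's iptables rules or fail2ban's code: it reads constructed sshd log lines, keeps a sliding window of failures per source address, records a block when the threshold is reached, and skips addresses inside a whitelisted network. The log format, the year assumed for the syslog timestamps and the whitelist network are assumptions; in production the recorded block would be turned into an iptables REJECT rule and expired again five minutes later.

```python
"""Log-driven failure blocker (added example; not fail2ban and not Rod's rules).

Policy from the thread: 3 failed logins from one address inside 60 seconds
block that address for 5 minutes; whitelisted networks are never blocked.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed sshd log line shape; the year is absent from syslog timestamps.
FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

# Constructed sample log: one brute force, one whitelisted admin mistyping,
# one slow prober who never reaches three failures inside a minute.
SAMPLE_LOG = """\
Mar 26 02:00:01 pbx sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40211 ssh2
Mar 26 02:00:09 pbx sshd[2102]: Failed password for invalid user oracle from 203.0.113.7 port 40212 ssh2
Mar 26 02:00:20 pbx sshd[2103]: Failed password for root from 203.0.113.7 port 40213 ssh2
Mar 26 02:00:25 pbx sshd[2104]: Failed password for rod from 192.0.2.10 port 50000 ssh2
Mar 26 02:00:30 pbx sshd[2105]: Failed password for rod from 192.0.2.10 port 50001 ssh2
Mar 26 02:00:35 pbx sshd[2106]: Failed password for rod from 192.0.2.10 port 50002 ssh2
Mar 26 02:03:00 pbx sshd[2107]: Failed password for root from 198.51.100.4 port 6000 ssh2
Mar 26 02:05:00 pbx sshd[2108]: Failed password for root from 198.51.100.4 port 6001 ssh2
Mar 26 02:07:00 pbx sshd[2109]: Failed password for root from 198.51.100.4 port 6002 ssh2
Mar 26 02:09:00 pbx sshd[2110]: Accepted publickey for rod from 192.0.2.10 port 50003 ssh2
"""


class FailureBlocker:
    def __init__(self, max_failures=3, window=timedelta(seconds=60),
                 block_for=timedelta(minutes=5), whitelist=(), year=2009):
        self.max_failures = max_failures
        self.window = window
        self.block_for = block_for
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.year = year  # assumed year for timestamps that lack one
        self._failures = defaultdict(deque)  # ip -> recent failure times
        self.blocks = {}  # ip -> (block start, block end)

    def _whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def feed(self, line):
        """Process one log line; return (ip, time) if it triggers a block."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{self.year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if self._whitelisted(ip):
            return None
        recent = self._failures[ip]
        recent.append(ts)
        # Drop failures that fell out of the sliding window.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.blocks[ip] = (ts, ts + self.block_for)
            recent.clear()
            return ip, ts
        return None

    def is_blocked(self, ip, at):
        """True if `ip` is inside an active block at time `at` (datetime or ISO string)."""
        if isinstance(at, str):
            at = datetime.fromisoformat(at)
        b = self.blocks.get(ip)
        return b is not None and b[0] <= at < b[1]


def run(log_text, whitelist=()):
    """Feed every line of `log_text` through a fresh blocker and return it."""
    blocker = FailureBlocker(whitelist=whitelist)
    for line in log_text.splitlines():
        blocker.feed(line)
    return blocker


def summarize(blocker):
    """Blocks as {ip: (start ISO, end ISO)} for reporting."""
    return {ip: (s.isoformat(), e.isoformat()) for ip, (s, e) in blocker.blocks.items()}


if __name__ == "__main__":
    print(summarize(run(SAMPLE_LOG, whitelist=["192.0.2.0/24"])))
```

The whitelist is what keeps the rule operable: without it a fat-fingered administrator locks himself out of all 25-30 servers at once, which is the "odd changes to standard programs' settings" Rod says his approach avoids.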