Hi guys,
I've seen this too, nagios woke me up because it was an extremely high
volume of tries.
I took a peek into the logs and saw that the attacker's script was
trying extensions from 1 to and then random names. I can see the
log in the messages file that several attempts failed
On Sun, 2010-10-31 at 11:39 -0600, Joel Maslak wrote:
To guess an 8 character (which is short) password that consists of random
upper case, lower case, numbers, and 10 symbols (there are more you can use
if you want), the average number of passwords that you would have to try to
get in is:
Unsuccessful attempts are recorded, however SIP-s is not easily doable on
asterisk 1.4. I tried once without any success. Maybe somebody who has
successfully implemented it can write a little how-to on it.
Zeeshan A Zakaria
--
www.ilovetovoip.com
www.pbxforall.com (beta)
On 2010-11-01 4:48 AM,
On 10/31/2010 11:26 AM, Joel Maslak wrote:
I suspect even munin would provide you such options. Not to mention any
more capable monitor.
I already have a monitor (tied into nagios, which pages me if my fraud
thresholds are exceeded), but I feel that is probably beyond
I just wanted to add my voice to this attack. I saw the morning that I had
200+ distinct ips since the weekend. I used a small perl script that blocks
failed usernames and passwords at iptables level I found this morning:
On Sat, Oct 30, 2010 at 07:33:23PM -0600, Joel Maslak wrote:
The CPU usage is trivial to deny them. As is the bandwidth usage, if
you are not sitting on a slowish broadband connection.
s/slow/assymetric/
Sure blocking doesn't hurt, but does the help it provides exceed the
downsides
On 30 October 2010 19:28, Zeeshan Zakaria zisha...@gmail.com wrote:
My main asterisk server is under unusual heavy attack, and so far Fail2Ban
has blocked about 30 IPs, from various different countries. At this time it
is blocking about 1 IP address every few minutes.
Just wondering if
On Sun, 31 Oct 2010, Tzafrir Cohen wrote:
On Sat, Oct 30, 2010 at 01:43:49PM -0600, Joel Maslak wrote:
Is there really any benefit to blocking these, if you use good passwords?
Regardless of any threat from those attacks succeeding, they completely
saturated the uplink in our ADSL-connected
On Sun, Oct 31, 2010 at 2:40 AM, Tzafrir Cohen tzafrir.co...@xorcom.com wrote:
On Sat, Oct 30, 2010 at 07:33:23PM -0600, Joel Maslak wrote:
The CPU usage is trivial to deny them. As is the bandwidth usage, if
you are not sitting on a slowish broadband connection.
s/slow/assymetric/
A
I already have a monitor (tied into nagios, which pages me if my fraud
thresholds are exceeded), but I feel that is probably beyond the
abilities of most of the people experiencing call fraud. The people
who know what they are doing with Unix and Asterisk are generally not
the victims
On Sun, Oct 31, 2010 at 11:26 AM, Joel Maslak jmas...@antelope.net wrote:
If these are mobile users, I hope they never use any public networks
(hotels, starbucks) where other subscribers can do things like ARP attacks
to do MITM (and steal your calls; it might not be happening today, but it
On Sat, 30 Oct 2010, Joel Maslak wrote:
For me, monitoring outbound call volume makes a lot more sense. I would
love to see an easy to use, out of the box method to alert me if more
than x number of erlangs* are exceeded within a five minute, sixty
minute, and one day time period. For
On 10/31/2010 11:39 AM, Mark Deneen wrote:
On Sun, Oct 31, 2010 at 11:26 AM, Joel Maslak jmas...@antelope.net wrote:
If these are mobile users, I hope they never use any public networks
(hotels, starbucks) where other subscribers can do things like ARP attacks
to do MITM (and steal your
On Oct 31, 2010, at 9:57 AM, Jeff LaCoursiere j...@sunfone.com wrote:
This only tells you after it is way too late that you now have upstream
bills to wrangle with your carriers about, or (like in my case) that your
balance is now depleted, if it trips anything at all.
In my very recent
On Oct 31, 2010, at 9:39 AM, Mark Deneen mden...@gmail.com wrote:
On Sun, Oct 31, 2010 at 11:26 AM, Joel Maslak jmas...@antelope.net wrote:
If these are mobile users, I hope they never use any public networks
(hotels, starbucks) where other subscribers can do things like ARP attacks
to do
Like I said before RUBBISH.
One should just ban/block IPs that are attacking you and not let them
connect at all. Not just protect against them with fancy passwords.
BTW, even your fancy passwords are breakable, can't wait for the day
that you'll wake up and smell the coffee.
On Sun, Oct 31, 2010
On Oct 31, 2010, at 9:40 AM, jon pounder j...@inline.net wrote:
what are you using that is tied to nagios ?
I'll package it up next week and make it available.
Basically, I use nrpe to call a shell script that looks at the last five
minutes, 60 minutes, and 1440 minutes of a asterisk -rx
On Sun, Oct 31, 2010 at 12:45 PM, Joel Maslak jmas...@antelope.net wrote:
On Oct 31, 2010, at 9:57 AM, Jeff LaCoursiere j...@sunfone.com wrote:
This only tells you after it is way too late that you now have upstream
bills to wrangle with your carriers about, or (like in my case) that your
To guess an 8 character (which is short) password that consists of random upper
case, lower case, numbers, and 10 symbols (there are more you can use if you
want), the average number of passwords that you would have to try to get in is:
(72^8) / 2 = 361,102,068,154,368 guesses
Over a 10 mb/s
On Sun, Oct 31, 2010 at 1:39 PM, Joel Maslak jmas...@antelope.net wrote:
To guess an 8 character (which is short) password that consists of random
upper case, lower case, numbers, and 10 symbols (there are more you can use
if you want), the average number of passwords that you would have to
On 10/31/2010 12:58 PM, Joel Maslak wrote:
On Oct 31, 2010, at 9:40 AM, jon pounder j...@inline.net wrote:
what are you using that is tied to nagios ?
I'll package it up next week and make it available.
Basically, I use nrpe to call a shell script that looks at the last five
On Oct 30, 2010, at 2:28 PM, Zeeshan Zakaria wrote:
My main asterisk server is under unusual heavy attack, and so far
Fail2Ban has blocked about 30 IPs, from various different countries.
At this time it is blocking about 1 IP address every few minutes.
Just wondering if anybody else is
On Sun, Oct 31, 2010 at 3:45 PM, Niles Ingalls ni...@atheos.net wrote:
On Oct 30, 2010, at 2:28 PM, Zeeshan Zakaria wrote:
My main asterisk server is under unusual heavy attack, and so far
Fail2Ban has blocked about 30 IPs, from various different countries.
At this time it is blocking
My main asterisk server is under unusual heavy attack, and so far Fail2Ban
has blocked about 30 IPs, from various different countries. At this time it
is blocking about 1 IP address every few minutes.
Just wondering if anybody else is also experiencing unusually increased hack
attempts today?
Me too.
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Zeeshan Zakaria
Sent: Saturday, October 30, 2010 11:29 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] Under heavy attack
My main
I'm experiencing this on one of my clients servers. The attack is ongoing.
Thanks,
--Warren Selby
On Oct 30, 2010, at 2:28 PM, Zeeshan Zakaria zisha...@gmail.com wrote:
My main asterisk server is under unusual heavy attack, and so far Fail2Ban
has blocked about 30 IPs, from various
Is there really any benefit to blocking these, if you use good passwords?
On Sat, Oct 30, 2010 at 1:20 PM, Warren Selby wcse...@selbytech.com wrote:
I'm experiencing this on one of my clients servers. The attack is ongoing.
Thanks,
--Warren Selby
On Oct 30, 2010, at 2:28 PM, Zeeshan
We are also seeing an increase in attacks. And yes, there is a benefit
to blocking them. They tend to go away if you have them restricted,
where if you let them go at it, they will sit on your host for sometimes
hours.
Stu
On 10/30/2010 12:43 PM,
On 10/30/2010 04:07 PM, Stuart Sheldon wrote:
any registry of abusers like for spam ?
any list of complete ip ranges for countries where abuse is rampant to
block ?
I am getting sick of the one offs and ready to start blocking big chunks
of address space.
-BEGIN PGP SIGNED
On Sat, 2010-10-30 at 14:28 -0400, Zeeshan Zakaria wrote:
My main asterisk server is under unusual heavy attack, and so far
Fail2Ban has blocked about 30 IPs, from various different countries.
At this time it is blocking about 1 IP address every few minutes.
Just wondering if anybody else is
-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Hans Witvliet
Sent: Saturday, October 30, 2010 6:11 PM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] Under heavy attack
On Sat, 2010-10-30
You kidding?
On Sat, Oct 30, 2010 at 3:43 PM, Joel Maslak jmas...@antelope.net wrote:
Is there really any benefit to blocking these, if you use good passwords?
On Sat, Oct 30, 2010 at 1:20 PM, Warren Selby wcse...@selbytech.com wrote:
I'm experiencing this on one of my clients servers. The
On Sat, Oct 30, 2010 at 01:43:49PM -0600, Joel Maslak wrote:
Is there really any benefit to blocking these, if you use good passwords?
Regardless of any threat from those attacks succeeding, they completely
saturated the uplink in our ADSL-connected office.
What are they after, anyway? Merely
No. It seems that opening up some sort of automatic blocking could cause an
attacker forging packets to block legitimate endpoints. It also seems like they
won't get in with good passwords, so it isn't actually accomplishing something
to worry about the script kiddies if you have good
Ah, that makes sense - I probably would restrict to only known endpoints by IP
address if I had only DSL bandwidth. But blocking attackers makes sense if
that isn't an option.
Yes, they are after cheap calls.
On Oct 30, 2010, at 7:23 PM, Tzafrir Cohen tzafrir.co...@xorcom.com wrote:
On Sat,
My count has reached 100 for the day. The server doesn't serve
international calls anyways, I wonder how would it benefit any hacker in any
way.
--
Zeeshan
Sat, Oct 30, 2010 at 9:33 PM, Joel Maslak jmas...@antelope.net wrote:
No. It seems that opening up some sort of automatic
On Sun, Oct 31, 2010 at 03:23:52AM +0200, Tzafrir Cohen wrote:
On Sat, Oct 30, 2010 at 01:43:49PM -0600, Joel Maslak wrote:
Is there really any benefit to blocking these, if you use good passwords?
Regardless of any threat from those attacks succeeding, they completely
saturated the uplink
They have agreements for termination to locations with high rates.
These types of attacks happen on servers that fit a digital signature.
With certain ports or certain versions of software on those ports.
Yes the Art of War is required reading for today's systems
administration professionals...
To me it seems the real question is What is going on today?. I normally get
eight to ten asterisk-related fail2ban alerts a day between a few client sites
- today I've received at least 10 times that many attacks on just one site.
These are all coming in from different ip addresses, a new one
On 10/30/2010 11:25 PM, Warren Selby wrote:
To me it seems the real question is What is going on today?. I normally get
eight to ten asterisk-related fail2ban alerts a day between a few client
sites - today I've received at least 10 times that many attacks on just one
site. These are all
30, 2010 11:29 AM
*To:* Asterisk Users Mailing List - Non-Commercial Discussion
*Subject:* [asterisk-users] Under heavy attack
My main asterisk server is under unusual heavy attack, and so far
Fail2Ban has blocked about 30 IPs, from various different countries.
At this time it is blocking about
On 10/30/2010 08:25 PM, Warren Selby wrote:
To me it seems the real question is What is going on today?. I
normally get eight to ten asterisk-related fail2ban alerts a day
between a few client sites - today I've received at least 10 times
that
One word: Rubbish
On Sat, Oct 30, 2010 at 9:33 PM, Joel Maslak jmas...@antelope.net wrote:
No. It seems that opening up some sort of automatic blocking could cause an
attacker forging packets to block legitimate endpoints. It also seems like
they won't get in with good passwords, so it