Re: [asterisk-users] stopping unwanted attempts

2014-01-19 Thread Steve Murphy
On Sat, Jan 18, 2014 at 3:59 PM, Steve Edwards asterisk@sedwards.com wrote:

 On Sat, 18 Jan 2014, Jerry Geis wrote:

  I see MANY of these in my log files:

 [Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from '202
 sip:202@X:5060' failed for '37.8.12.147:26832' - Wrong password

 What is the correct way to block these idiots so they
 don't even get this far.


 Use iptables to allow packets from your legitimate users, block everybody
 else.

 If you are dealing with a mobile user base or an extensive geographic
 area, at least block the countries where you do not expect traffic -- North
 Korea, China, xxxistan, etc.

 Drop these at the front door (90% of the problem) and use fail2ban to pick
 off the rest.


I see a problem here; firstly that it is no longer so simple to determine
the IP ranges of countries. Things have been fractured quite a bit; you
might have to hire out a service to determine true geographic origination.
Even then, if your service is a little behind, you might occasionally
feel the displeasure of users unable to talk to your servers. How will you
handle this, with a white-list? How much effort will you end up committing
to keeping your whitelist up to date?

Nextly, the well-financed operations running such probes need not use
machines in their native countries. There are plenty of US-based
machines that can be ( and are ) compromised.


In other words, don't forget the fail2ban part!

Here's another idea! How about changing your port from 5060 to something
different, maybe 7067 or some other number that is not popularly being used?
You'll provision your phones to use this port, and the scanners will not
find you. Seems a much simpler solution... but there are some drawbacks...
can anyone think of them? And will these drawbacks matter to you? And, given
this solution, will the odds that a scanner might find your machine be so low,
that it is not worth using something like fail2ban to override them? Food
for thought!

murf

-- 

Steve Murphy
ParseTree Corporation
57 Lane 17
Cody, WY 82414
✉  murf at parsetree dot com
☎ 307-899-5535
-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] stopping unwanted attempts

2014-01-19 Thread Ron Wheeler

fail2ban is so easy to set up, there is no reason not to set it up.

The geography problems are not so bad unless you have phones all over 
the world or people travelling with softphones to countries that you 
want to block.


It does not block incoming calls, only people who want to mimic your own 
legitimate phones.



Ron

--
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102


Re: [asterisk-users] stopping unwanted attempts

2014-01-19 Thread John Novack

Changing from 5060 is very effective.
Sure, someone with the knowledge could try all the ports IF they know you are 
even running SIP, but it certainly will stop most of these idiots.

That along with fail2ban, not using numbers for device user names all will help.

Using IAX where possible also can be very effective.

John Novack
--

Dog is my Co-pilot


Re: [asterisk-users] stopping unwanted attempts

2014-01-19 Thread Chris Bagnall

On 19/1/14 2:57 pm, Ron Wheeler wrote:

fail2ban is so easy to set up, there is no reason not to set it up.


One of the dangers with fail2ban - at least in its default configuration 
- is that a legitimate SIP phone with an incorrect password can quite 
easily send dozens of registration attempts in a couple of minutes, thus 
blocking that IP.


If your end users configure their own phones, you will have to factor in 
the increased support burden when users complain that their phones 
'can't connect' and you need to manually unblock those IPs. This can be 
at least partially mitigated using fail2ban's 'ignoreip' directive for 
IPs you know only your users will be connecting from.


If you've a large number of users, it might be worth splitting them 
across a pair of servers - one for 'trusted' users, i.e. where each SIP 
endpoint is locked down to a specific IP (or at least a range), and you 
can configure your firewall to block SIP connection attempts from 
anything apart from that list; and one for 'untrusted' users, i.e. 
travelling users, home workers without static IPs, etc. on which you run 
fail2ban with a fairly ruthless set of rules/limits.


Unless you know that none of your users travel internationally, I'd be 
wary of imposing countrywide IP blocks, especially in this era of IP 
shortage where IP space is being traded on the open market and GeoIP 
databases may not always keep up to date.


Kind regards,

Chris
--
This email is made from 100% recycled electrons



Re: [asterisk-users] stopping unwanted attempts

2014-01-19 Thread Eric Wieling

It is far worse when you have multiple phones behind the same public address 
(i.e. NAT). If any one of the phones has a bad password and the IP gets 
blocked by fail2ban, then all phones at that site would be blocked. 
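
The lockout risk raised in the two messages above (one phone with a wrong password, and a whole NAT site behind it), as an added example that is not part of any poster's message and not fail2ban's own code: a Python simulation of fail2ban-style maxretry/findtime counting over constructed chan_sip log lines, with and without an ignoreip entry. The IP addresses, extensions, year and thresholds are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the chan_sip "Wrong password" NOTICE quoted in the thread.
FAILREGEX = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\].* failed for "
    r"'(?P<ip>\d+\.\d+\.\d+\.\d+):\d+' - Wrong password")

def sample_log():
    """Constructed log: a scanner, a misconfigured phone behind NAT, one typo."""
    start = datetime(2014, 1, 15, 3, 6, 12)
    fmt = ("[{ts:%b %d %H:%M:%S}] NOTICE[14129] chan_sip.c: Registration from "
           "'\"{ext}\" <sip:{ext}@X:5060>' failed for '{ip}:26832' - Wrong password")
    events = [(2 * i, 200 + i, "203.0.113.7") for i in range(8)]      # scanner
    events += [(20 * i, 101, "198.51.100.20") for i in range(12)]    # office NAT
    events.append((90, 305, "192.0.2.55"))                           # roaming user
    lines = [fmt.format(ts=start + timedelta(seconds=s), ext=e, ip=ip)
             for s, e, ip in sorted(events)]
    # A non-failure line, to show that unrelated NOTICEs are not counted.
    lines.append("[Jan 15 03:10:00] NOTICE[14129] chan_sip.c: Peer '102' is now Reachable")
    return lines

def simulate(lines, maxretry, findtime, ignoreip=()):
    """Return {ip: ban time}; ban once maxretry failures fall within findtime seconds."""
    ignored = [ipaddress.ip_network(net) for net in ignoreip]
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    banned = {}
    for line in lines:
        m = FAILREGEX.search(line)
        if not m or m["ip"] in banned:
            continue
        if any(ipaddress.ip_address(m["ip"]) in net for net in ignored):
            continue              # ignoreip: never counted, never banned
        # The log line carries no year; 2014 is assumed from the thread's date.
        ts = datetime.strptime("2014 " + m["ts"], "%Y %b %d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > timedelta(seconds=findtime):
            hits.popleft()
        if len(hits) >= maxretry:
            banned[m["ip"]] = ts
    return banned

if __name__ == "__main__":
    log = sample_log()
    # Assumed thresholds, not a statement of fail2ban's shipped defaults.
    for label, nets in (("no ignoreip", ()),
                        ("office NAT in ignoreip", ("198.51.100.20/32",))):
        bans = simulate(log, maxretry=5, findtime=600, ignoreip=nets)
        print(label, {ip: t.strftime("%H:%M:%S") for ip, t in bans.items()})
```

Without the ignoreip entry the office address is banned 80 seconds after the phone's first failed registration, which takes every other phone behind that NAT with it; the single typo from the roaming address never reaches the threshold.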



Re: [asterisk-users] stopping unwanted attempts

2014-01-19 Thread Andrew Colin
Geoip works well to block all countries except your own


Regards
Andrew Colin-mobile
Vsave(PTY)Ltd




Re: [asterisk-users] stopping unwanted attempts

2014-01-19 Thread Eric Wieling
We don't do residential service and require the few off-net customers to have a 
static IP. This makes using whitelists practical. That won't work for most 
people though.



Re: [asterisk-users] Asterisk 1.8 drop calls after 15 minutes

2014-01-19 Thread David Cunningham
If it's a reinvite problem, check the domain in the request URI. Might be
something it shouldn't be, eg something to do with the VPN.



On 11 September 2013 05:28, isr...@gmail.com wrote:

 Some providers send a reinvite after 15 min and if asterisk doesn't
 respond will disconnect the call
 Maybe play around with canreinvite

 --Original Message--
 From: Jeremy Kister
 Sender: asterisk-users-boun...@lists.digium.com
 To: Asterisk Users Mailing List - Non-Commercial Discussion
 ReplyTo: Asterisk Users Mailing List - Non-Commercial Discussion
 Subject: Re: [asterisk-users] Asterisk 1.8 drop calls after 15 minutes
 Sent: Sep 10, 2013 10:23 PM

 On 9/10/2013 7:05 AM, Administrator TOOTAI wrote:
  I face the subject strange behavior: calls are dropped after 15 minutes
  on an asterisk 1.8.15.0. Only phones (SNOM300) connected to the Asterisk

 Just for kicks, I would disable session-timers to see if the problem
 goes away.  in the general section and/or each peer in sip.conf:
 session-timers=refuse



 --

 Jeremy Kister
 http://jeremy.kister.net./





-- 
David Cunningham, Voisonics
http://voisonics.com/
USA: +1 213 221 1092
UK: +44 (0) 20 3298 1642
Australia: +61 (0) 2 8063 9019

[asterisk-users] Asterisk not receiving call from VPN address

2014-01-19 Thread David Cunningham
Hi,

We have a Kamailio and Asterisk cluster, both machines being on a real
103.x IP address and also on a 172.x OpenVPN address.

The problem is that when Kamailio receives a call from the VPN and forwards
it to the Asterisk server on its 103.x address, Asterisk never sees the
call.

If Kamailio receives a call from the VPN and forwards the call to the
Asterisk server on its 172.x address then it works. However, if the call
isn't from the VPN then forwarding it to the 172.x address doesn't work. So
basically the problem is going between the real network and the VPN.

The question is, how can we make this work when calls are received on
either network on the Kamailio server and are forwarded to Asterisk?

Using ngrep on the Asterisk server we see that it does receive the INVITE,
but Asterisk's logging shows no sign of it at all. We guess it's a Linux
networking issue rather than Asterisk's fault, but don't know where to fix
it. We do have net.ipv4.ip_forward = 1 on both the Kamailio and Asterisk
servers.

Thanks in advance for any help.

The ngrep on the Asterisk server:

U 2014/01/17 13:15:15.599557 172.x.x.x:5060 - 103.y.y.y:5060
INVITE sip:9067268@103.y.y.y:5060;transport=udp SIP/2.0.
Record-Route: sip:172.x.x.x;lr=on.
Via: SIP/2.0/UDP 172.x.x.x;branch=z9hG4bK50c7.f49ceb73.0.
Via: SIP/2.0/UDP 192.z.z.z:5062;rport=5062;branch=z9hG4bK806710997.
From: 9067271 sip:9067271@172.x.x.x;tag=198791249.
To: sip:9067268@172.x.x.x.
Call-ID: 1905625787@192.z.z.z.
...

172.x.x.x is the Kamailio server's VPN address
103.y.y.y is the Asterisk server's real address
192.z.z.z is the calling phone's LAN address

-- 
David Cunningham, Voisonics
http://voisonics.com/
USA: +1 213 221 1092
UK: +44 (0) 20 3298 1642
Australia: +61 (0) 2 8063 9019