[asterisk-users] Interesting new hack attack
In the past little while, we've seen a wave of attacks on Asterisk, via the provisioning. It goes something like this:

A. Scan for IP phones on the internet, either via spotting something on port 5060, or via the port 80 web interface for the phone. Or, use web sites that scan the internet and classify the machines, to make your work shorter.

B. Once you get into the web GUI, get the URL for provisioning. I haven't checked yet... do any phones actually allow you to set this, or do any display the current value? And, finally, how many phones publish their own MAC address in the GUI? Or, can you suck this out of the returned IP packets?

C. Given the URL and the MAC, fetch the phone's provisioning info, including its SIP account info. Use to best advantage.

D. Going further, set up a brute-force probe algorithm to probe all possible MAC addresses for a given phone manufacturer, via HTTP requests. After all, those provisioning web servers are fast and efficient, aren't they? Collect all possible MAC addresses and grab the provisioning, and now you have a LOT of SIP accounts. Use to best advantage.

And, professional hacking organizations seem to also follow these rules:

a. Wait several months for any history of the above activities to roll off the log files. Treat your phone systems like fine wine vintage.

b. Use multiple (hundreds/thousands) of machines scattered over the earth to carry out the above probes, and also to use the accounts for generating international calls.

In general, using the SIP account info gleaned from these kinds of efforts is a bit problematic. You see, to effectively use your phone system to place calls, they will have to set up their own phone system to act like a phone, register to the phone system, and then initiate calls. Trouble is, your phone is usually already registered, but can be bumped off. Your phone will re-register at intervals and bump the hackers, who will again register and bump your phone. This little game of king of the hill may show up in your Asterisk logs.

So, these defenses can be employed to stop/ameliorate such hacking efforts:

1. Keep your phones behind a firewall. Travellers, beware! Never leave the default login info of the phone at default!
2. Never use the default provisioning URL for the phone, with its default URL or password.
3. Use fail2ban, OSSEC, whatever to stymie any brute-force MAC address searches.
4. Use your firewalls to restrict the IPs that can access web, FTP, etc. for provisioning to just those IPs needed to allow your phones to provision.
5. Keep your logs for a couple of years.
6. Change your phone SIP account passwords now, if you haven't implemented the above precautions yet.

If I missed a previous post on this, forgive me. Just thought you-all might appreciate a heads-up.

murf

--
Steve Murphy
ParseTree Corporation
57 Lane 17
Cody, WY 82414
✉ murf at parsetree dot com
☎ 307-899-5535

--
Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
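A log-side check for the two patterns this post describes (a peer whose registration keeps bouncing between two addresses, and probing that arrives too slowly for the per-second iptables limits argued over later in the thread), written as an added example for this archive rather than code from any poster. It assumes chan_sip-style "Registered SIP" and "Registration from ... failed" lines; the sample log, peer names and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample, loosely modeled on chan_sip VERBOSE/NOTICE lines (not real logs).
# Peer 201 is bounced between its own address (192.0.2.10) and 198.51.100.7;
# 203.0.113.9 fails one registration every 15 minutes, far below any per-second limit.
SAMPLE_LOG = """\
[May 22 12:40:01] VERBOSE[2101] chan_sip.c:     -- Registered SIP '201' at 192.0.2.10:5060
[May 22 12:40:03] VERBOSE[2101] chan_sip.c:     -- Registered SIP '202' at 192.0.2.11:5060
[May 22 12:41:10] VERBOSE[2101] chan_sip.c:     -- Registered SIP '201' at 198.51.100.7:5060
[May 22 12:43:02] VERBOSE[2101] chan_sip.c:     -- Registered SIP '201' at 192.0.2.10:5060
[May 22 12:44:15] VERBOSE[2101] chan_sip.c:     -- Registered SIP '201' at 198.51.100.7:5060
[May 22 12:46:01] VERBOSE[2101] chan_sip.c:     -- Registered SIP '201' at 192.0.2.10:5060
[May 22 12:50:00] NOTICE[2101] chan_sip.c: Registration from '"301" <sip:301@pbx.example.test>' failed for '203.0.113.9:5060' - Wrong password
[May 22 13:05:00] NOTICE[2101] chan_sip.c: Registration from '"302" <sip:302@pbx.example.test>' failed for '203.0.113.9:5060' - Wrong password
[May 22 13:20:00] NOTICE[2101] chan_sip.c: Registration from '"303" <sip:303@pbx.example.test>' failed for '203.0.113.9:5060' - No matching peer found
[May 22 13:35:00] NOTICE[2101] chan_sip.c: Registration from '"304" <sip:304@pbx.example.test>' failed for '203.0.113.9:5060' - Wrong password
[May 22 13:36:00] NOTICE[2101] chan_sip.c: Registration from '"202" <sip:202@pbx.example.test>' failed for '192.0.2.11:5060' - Wrong password
"""

REG_OK = re.compile(
    r"^\[(?P<ts>[^\]]+)\] VERBOSE\[\d+\] chan_sip\.c:\s+-- Registered SIP "
    r"'(?P<peer>[^']+)' at (?P<ip>[\d.]+):\d+"
)
REG_FAIL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"""'"(?P<peer>[^"]+)"[^']*' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.+)$"""
)


class RegEvent(NamedTuple):
    ts: datetime
    peer: str
    ip: str
    ok: bool
    reason: str


def _ts(stamp: str) -> datetime:
    # Asterisk's default stamp has no year; ordering within one log file is all we need.
    return datetime.strptime(stamp, "%b %d %H:%M:%S")


def parse_registrations(text: str) -> List[RegEvent]:
    """Extract successful and failed REGISTER outcomes from chan_sip log text."""
    events: List[RegEvent] = []
    for line in text.splitlines():
        m = REG_OK.match(line)
        if m:
            events.append(RegEvent(_ts(m["ts"]), m["peer"], m["ip"], True, ""))
            continue
        m = REG_FAIL.match(line)
        if m:
            events.append(RegEvent(_ts(m["ts"]), m["peer"], m["ip"], False, m["reason"]))
    return events


def find_flapping(events: List[RegEvent], min_switches: int = 3) -> Dict[str, List[str]]:
    """Peers whose successful registrations keep changing source address (the
    'king of the hill' pattern). Returns {peer: sorted addresses seen}."""
    last_ip: Dict[str, str] = {}
    switches: Dict[str, int] = defaultdict(int)
    addrs: Dict[str, set] = defaultdict(set)
    for ev in events:
        if not ev.ok:
            continue
        addrs[ev.peer].add(ev.ip)
        prev = last_ip.get(ev.peer)
        if prev is not None and prev != ev.ip:
            switches[ev.peer] += 1
        last_ip[ev.peer] = ev.ip
    return {p: sorted(addrs[p]) for p, n in switches.items() if n >= min_switches}


def find_persistent_failures(
    events: List[RegEvent], min_failures: int = 3
) -> Dict[str, Tuple[int, int, float]]:
    """Source addresses with min_failures or more failed registrations, however slowly
    they arrived. Returns {ip: (failures, distinct peers tried, span in minutes)}."""
    fails: Dict[str, List[RegEvent]] = defaultdict(list)
    for ev in events:
        if not ev.ok:
            fails[ev.ip].append(ev)
    report: Dict[str, Tuple[int, int, float]] = {}
    for ip, evs in fails.items():
        if len(evs) < min_failures:
            continue
        span_min = (evs[-1].ts - evs[0].ts).total_seconds() / 60.0
        report[ip] = (len(evs), len({e.peer for e in evs}), span_min)
    return report


if __name__ == "__main__":
    evs = parse_registrations(SAMPLE_LOG)
    for peer, ips in find_flapping(evs).items():
        print(f"peer {peer} is registering alternately from {', '.join(ips)}")
    for ip, (n, peers, span) in find_persistent_failures(evs).items():
        print(f"{ip}: {n} failed registrations against {peers} peers over {span:.0f} min")
```

The flapping report deliberately names both addresses rather than guessing which one is the phone; that decision, and the firewall rule that follows, is for the administrator.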
Re: [asterisk-users] Interesting new hack attack
On 5/22/2014 12:41 PM, Steve Murphy wrote:

> So, these defenses can be employed to stop/ameliorate such hacking efforts:
>
> 1. Keep your phones behind a firewall. Travellers, beware! Never leave the default login info of the phone at default!
> 2. Never use the default provisioning URL for the phone, with its default URL or password.
> 3. Use fail2ban, OSSEC, whatever to stymie any brute-force MAC address searches.
> 4. Use your firewalls to restrict the IPs that can access web, FTP, etc. for provisioning to just those IPs needed to allow your phones to provision.
> 5. Keep your logs for a couple of years.
> 6. Change your phone SIP account passwords now, if you haven't implemented the above precautions yet.
>
> If I missed a previous post on this, forgive me. Just thought you-all might appreciate a heads-up.

Encrypt your provisioning system if the phone supports it.

I had a cable/VoIP service provider who HTTPS provisioned by MAC without encryption, and the provisioning URL was stored, unlocked, in the ATA. Had I been slightly more nefarious, I could have walked the provisioning tree nice and slow and easily grabbed everyone's SIP credentials in the clear. No hacking or cracking was involved. The ATA doubled as the NAT router they handed out, and they gave the admin password out freely.
Re: [asterisk-users] A new hack?
On Mon, 2011-12-05 at 18:51 -0800, Steve Edwards wrote:

<snip>

> Your security needs depend on your environment. At this point in time, all of the hosts I manage for my clients exist in very limited environments and have very small attack surfaces. They are racked in secure data centers. They only accept SIP from clients with static IP addresses that we have an existing business relationship with. They only accept SSH connections from me. They only accept HTTP connections from me and my boss. That's about it. I don't see where F2B adds much value for me.
>
> *) Lots of admins think they can't limit access to servers because they have 'mobile' users. Your users probably don't need to access your servers from every single place on the Internet. If your users don't come from China, North Korea, Iran, etc., you can block entire regions with a few rules and eliminate 80% of probes and attacks from reaching your servers in the first place. Apologies in advance if you happen to live in some of these regions -- feel free to `s/China, North Korea, Iran/United States, Canada, England/g`

Perhaps another suggestion. If they are true road warriors, I presume they are capable of setting up a VPN to the company. In that case, only allow registrations/calls through the secured tunnel. Then it's not any concern to Asterisk. And if they can breach your tunnel, you have something else to worry about.

hw
Re: [asterisk-users] A new hack?
On Tue, Dec 6, 2011 at 5:19 AM, Hans Witvliet aster...@a-domani.nl wrote:

> On Mon, 2011-12-05 at 18:51 -0800, Steve Edwards wrote:
>
> <snip>
>
>> Your security needs depend on your environment. At this point in time, all of the hosts I manage for my clients exist in very limited environments and have very small attack surfaces. They are racked in secure data centers. They only accept SIP from clients with static IP addresses that we have an existing business relationship with. They only accept SSH connections from me. They only accept HTTP connections from me and my boss. That's about it. I don't see where F2B adds much value for me.
>>
>> *) Lots of admins think they can't limit access to servers because they have 'mobile' users. Your users probably don't need to access your servers from every single place on the Internet. If your users don't come from China, North Korea, Iran, etc., you can block entire regions with a few rules and eliminate 80% of probes and attacks from reaching your servers in the first place. Apologies in advance if you happen to live in some of these regions -- feel free to `s/China, North Korea, Iran/United States, Canada, England/g`
>
> Perhaps another suggestion. If they are true road warriors, I presume they are capable of setting up a VPN to the company. In that case, only allow registrations/calls through the secured tunnel. Then it's not any concern to Asterisk. And if they can breach your tunnel, you have something else to worry about.

Well, that means opening up VPN connections from everywhere. That's why I suggested turning off the server completely.
Re: [asterisk-users] A new hack?
> Well, that means opening up VPN connections from everywhere. That's why I suggested turning off the server completely.

hmmm - I thought that was the point of a VPN
Re: [asterisk-users] A new hack?
On Fri, Dec 2, 2011 at 11:35 AM, Jim Lucas li...@cmsws.com wrote:

> On 11/26/2011 5:00 PM, C F wrote:
>> On Sat, Nov 26, 2011 at 7:50 AM, Gordon Henderson gordon+aster...@drogon.net wrote:
>>> On Sat, 26 Nov 2011, Terry Brummell wrote:
>>>> Install Configure Fail2Ban then the host will be blocked from connecting. And no, it's not new.
>>> I don't need Fail2Ban, thank you. But your advice might be useful to others.
>> Why is that? Even if they don't compromise an account they are still using your bandwidth and resources on your machine.
>
> How is using Fail2Ban less resource intensive than me writing (by hand) iptables rules?

Sorry I wasn't very clear in my first writing, I'll try to clarify. Using iptables only detects one type of attack (aggressive connections). While his machines might be secure enough to allow any other attacks and still not compromise his machine, iptables will still allow them thru and therefore the attack will be using his bandwidth/resources; with f2b one can add as many rules as/when they arrive.

> Also, since both methods involve the use of iptables, where exactly is the bandwidth savings?

In detection.

> --
> Jim Lucas
Re: [asterisk-users] A new hack?
(This horse just won't stay dead...)

My apologies if I mis-attribute who wrote what.

On Fri, Dec 2, 2011 at 11:35 AM, Jim Lucas li...@cmsws.com wrote:

>> How is using Fail2Ban less resource intensive than me writing (by hand) iptables rules?

On Mon, 5 Dec 2011, C F wrote:

> Sorry I wasn't very clear in my first writing, I'll try to clarify. Using iptables only detects one type of attack (aggressive connections). While his machines might be secure enough to allow any other attacks and still not compromise his machine, iptables will still allow them thru and therefore the attack will be using his bandwidth/resources; with f2b one can add as many rules as/when they arrive.

I think you are over-generalizing. You can write iptables rules to detect and respond to many types of attacks.

Since F2B is just an automated front end to iptables you can have as many rules as you need with or without F2B.

Also, since packets are 'stopped' at the same place (iptables) any bandwidth savings would only be to services that you are running that either aren't or can't* be nailed down.

>> Also, since both methods involve the use of iptables, where exactly is the bandwidth savings?
>
> In detection.

How about 'in responding to an attack your iptables rules don't already mitigate and you do have F2B rules defined for?'

'Detecting' an attack means close to nothing if you don't respond to it :)

I'm not hating on F2B, it's just not a silver bullet nor is it appropriate for all environments.

Your security needs depend on your environment. At this point in time, all of the hosts I manage for my clients exist in very limited environments and have very small attack surfaces. They are racked in secure data centers. They only accept SIP from clients with static IP addresses that we have an existing business relationship with. They only accept SSH connections from me. They only accept HTTP connections from me and my boss. That's about it. I don't see where F2B adds much value for me.

*) Lots of admins think they can't limit access to servers because they have 'mobile' users. Your users probably don't need to access your servers from every single place on the Internet. If your users don't come from China, North Korea, Iran, etc., you can block entire regions with a few rules and eliminate 80% of probes and attacks from reaching your servers in the first place. Apologies in advance if you happen to live in some of these regions -- feel free to `s/China, North Korea, Iran/United States, Canada, England/g`

--
Thanks in advance,
- Steve Edwards       sedwa...@sedwards.com
Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
Re: [asterisk-users] A new hack?
On Mon, Dec 5, 2011 at 9:51 PM, Steve Edwards asterisk@sedwards.com wrote:

> (This horse just won't stay dead...)
>
> My apologies if I mis-attribute who wrote what.
>
> On Fri, Dec 2, 2011 at 11:35 AM, Jim Lucas li...@cmsws.com wrote:
>>> How is using Fail2Ban less resource intensive than me writing (by hand) iptables rules?
>
> On Mon, 5 Dec 2011, C F wrote:
>> Sorry I wasn't very clear in my first writing, I'll try to clarify. Using iptables only detects one type of attack (aggressive connections). While his machines might be secure enough to allow any other attacks and still not compromise his machine, iptables will still allow them thru and therefore the attack will be using his bandwidth/resources; with f2b one can add as many rules as/when they arrive.
>
> I think you are over-generalizing. You can write iptables rules to detect and respond to many types of attacks.

Possible. But working off the logs makes lots more sense for creating more accurate, to-the-point rules, and, not to mention, on the fly.

> Since F2B is just an automated front end to iptables you can have as many rules as you need with or without F2B.
>
> Also, since packets are 'stopped' at the same place (iptables) any bandwidth savings would only be to services that you are running that either aren't or can't* be nailed down.

You didn't get my point. If someone is trying to exploit some type of dialplan hack in slow motion, iptables will probably not detect it, and your machine is secure enough that the exploit doesn't work, but the script kiddie behind the attack doesn't know that and keeps trying. You're wasting resources and bandwidth. With f2b you can have him added to iptables after the first try. Once all packets are dropped from that IP, while the attacker is still using resources/bandwidth trying, after a while they will stop as all packets are dropped. The reason they are trying is because it wasn't blocked, but now that it is they will stop.

>>> Also, since both methods involve the use of iptables, where exactly is the bandwidth savings?
>>
>> In detection.
>
> How about 'in responding to an attack your iptables rules don't already mitigate and you do have F2B rules defined for?'
>
> 'Detecting' an attack means close to nothing if you don't respond to it :)

I think you are just explaining my point. Correct me if I'm wrong.

> I'm not hating on F2B, it's just not a silver bullet nor is it appropriate for all environments.

Agreed. Like another poster said, it's the easy way out since it's an easy front end. The only reason for this thread is because someone mentioned he doesn't *need* it.

> Your security needs depend on your environment. At this point in time, all of the hosts I manage for my clients exist in very limited environments and have very small attack surfaces. They are racked in secure data centers.

Speaking of which, how secure? I have biometric access to about a dozen such centers. Once inside the center how hard is it really to do what you want?

> They only accept SIP from clients with static IP addresses that we have an existing business relationship with. They only accept SSH connections from me. They only accept HTTP connections from me and my boss. That's about it. I don't see where F2B adds much value for me.

Well, others keep their servers shut. While I'm sarcastic, I'm also trying to say it's way too overdone. A good IDS/IPS will do; there is really no reason for this. Except in environments that require it, in my opinion national infrastructure etc.

> *) Lots of admins think they can't limit access to servers because they have 'mobile' users. Your users probably don't need to access your servers from every single place on the Internet. If your users don't come from China, North Korea, Iran, etc., you can block entire regions with a few rules and eliminate 80% of probes and attacks from reaching your servers in the first place. Apologies in advance if you happen to live in some of these regions -- feel free to `s/China, North Korea, Iran/United States, Canada, England/g`
>
> --
> Thanks in advance,
> - Steve Edwards       sedwa...@sedwards.com
> Voice: +1-760-468-3867 PST
> Newline Fax: +1-760-731-3000
Re: [asterisk-users] A new hack?
On 11/26/2011 5:00 PM, C F wrote:

> On Sat, Nov 26, 2011 at 7:50 AM, Gordon Henderson gordon+aster...@drogon.net wrote:
>> On Sat, 26 Nov 2011, Terry Brummell wrote:
>>> Install Configure Fail2Ban then the host will be blocked from connecting. And no, it's not new.
>> I don't need Fail2Ban, thank you. But your advice might be useful to others.
>
> Why is that? Even if they don't compromise an account they are still using your bandwidth and resources on your machine.

How is using Fail2Ban less resource intensive than me writing (by hand) iptables rules?

Also, since both methods involve the use of iptables, where exactly is the bandwidth savings?

--
Jim Lucas
Re: [asterisk-users] A new hack?
Fail2ban assumes that #1 your environment is (wide) open and #2 you will need to update iptables on an instant-response-to-attack basis. If you are open enough, even fail2ban isn't going to really help. If you have a sufficiently written set of iptables rules (or you aren't allowing external SIP/TCP/UDP traffic) you shouldn't (just my opinion) need fail2ban at all.

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Jim Lucas
Sent: Friday, December 02, 2011 10:35 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] A new hack?

On 11/26/2011 5:00 PM, C F wrote:

> On Sat, Nov 26, 2011 at 7:50 AM, Gordon Henderson gordon+aster...@drogon.net wrote:
>> On Sat, 26 Nov 2011, Terry Brummell wrote:
>>> Install Configure Fail2Ban then the host will be blocked from connecting. And no, it's not new.
>> I don't need Fail2Ban, thank you. But your advice might be useful to others.
>
> Why is that? Even if they don't compromise an account they are still using your bandwidth and resources on your machine.

How is using Fail2Ban less resource intensive than me writing (by hand) iptables rules?

Also, since both methods involve the use of iptables, where exactly is the bandwidth savings?

--
Jim Lucas
Re: [asterisk-users] A new hack?
On Fri, 2 Dec 2011, Jim Lucas wrote:

> How is using Fail2Ban less resource intensive than me writing (by hand) iptables rules?

It depends on how you define resources and how much of those resources you have.

Gordon (based on my understanding of his posts) does a lot of Asterisk systems on very limited hardware hosts. His approach uses iptables features to limit the number of SIP INVITEs and REGISTERs per second per IP address.

Thus, Gordon's approach is more responsive (since it doesn't require periodic log file scanning) and requires less hardware resources (since it doesn't depend on running relatively 'slothish' resource-intensive script interpreters like Perl or PHP periodically).

If you have limited admin skills and more hardware resources, F2B makes sense. If you have more admin skills and limited hardware resources, Gordon's approach makes more sense.

Personally, I find any approach that tracks log files 'hackish' but if you centralize your logging (which I always do) it does allow you to detect patterns of abuse across multiple hosts.

--
Thanks in advance,
- Steve Edwards       sedwa...@sedwards.com
Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
Re: [asterisk-users] A new hack?
On 12/2/2011 12:44 PM, Steve Edwards wrote:

> On Fri, 2 Dec 2011, Jim Lucas wrote:
>> How is using Fail2Ban less resource intensive than me writing (by hand) iptables rules?
>
> It depends on how you define resources and how much of those resources you have.
>
> Gordon (based on my understanding of his posts) does a lot of Asterisk systems on very limited hardware hosts. His approach uses iptables features to limit the number of SIP INVITEs and REGISTERs per second per IP address.
>
> Thus, Gordon's approach is more responsive (since it doesn't require periodic log file scanning) and requires less hardware resources (since it doesn't depend on running relatively 'slothish' resource-intensive script interpreters like Perl or PHP periodically).
>
> If you have limited admin skills and more hardware resources, F2B makes sense. If you have more admin skills and limited hardware resources, Gordon's approach makes more sense.
>
> Personally, I find any approach that tracks log files 'hackish' but if you centralize your logging (which I always do) it does allow you to detect patterns of abuse across multiple hosts.

Now this, I would say, was very well put.

As always, just my opinion.

JohnM
Re: [asterisk-users] A new hack?
On Fri, Dec 2, 2011 at 12:44 PM, Steve Edwards asterisk@sedwards.com wrote:

> Gordon (based on my understanding of his posts) does a lot of Asterisk systems on very limited hardware hosts. His approach uses iptables features to limit the number of SIP INVITEs and REGISTERs per second per IP address.

A very narrow solution to a fairly narrow attack surface, and surely isn't applicable to any medium to large scale solutions.

> Thus, Gordon's approach is more responsive (since it doesn't require periodic log file scanning) and requires less hardware resources (since it doesn't depend on running relatively 'slothish' resource-intensive script interpreters like Perl or PHP periodically).

So Fail2Ban is inefficient in how it reads log files? If so, that could be an informed criticism of Fail2Ban.

> Personally, I find any approach that tracks log files 'hackish' but if you centralize your logging (which I always do) it does allow you to detect patterns of abuse across multiple hosts.

Others would say that not using IPS/IDS/adaptive security appliances is hackish, but I'm not one of those. There are very efficient ways to read log files even with Perl on hardware no bigger than my Dockstar when coded properly, so reading log files isn't hackish.

Looking at advanced threats that are encrypted or otherwise located within legitimately large streams of UDP and TCP traffic is not going to lend itself to some simpleton IP/port/rate iptables rule or even a more complex iptables view into the data. The application log might be the ONLY place to correlate events. Good luck doing that with iptables alone.
Re: [asterisk-users] A new hack?
On Tue, 29 Nov 2011, C F wrote:

> On Mon, Nov 28, 2011 at 10:57 AM, Tom Browning ttbrown...@gmail.com wrote:
>> On Sun, Nov 27, 2011 at 8:47 AM, Gordon Henderson gordon+aster...@drogon.net wrote:
>>> Linux has excellent built-in subsystems to control firewalling and so on without resorting to external programs. It's called iptables. If you know how to use them, then using an external resource such as fail2ban is unnecessary.
>>
>> That's like saying you don't need FreePBX because you have this thing called Asterisk.
>
> Very well put.

Indeed. I don't need (nor use) FreePBX.

Gordon
Re: [asterisk-users] A new hack?
On Wed, 30 Nov 2011, Tom Browning wrote:

> On Tue, Nov 29, 2011 at 4:44 PM, john Millican j...@millican.us wrote:
>> Maybe I am misunderstanding the gist of the comment
>
> OP offered an invalid comparison of how iptables is better than Fail2Ban. Whether or not OP knew that Fail2Ban simply feeds rules to iptables is unclear from his comments.

Yes, I know exactly how Fail2Ban works.

Gordon
Re: [asterisk-users] A new hack?
On Wed, 30 Nov 2011, jon pounder wrote:

> On 11/30/2011 09:01 AM, Tom Browning wrote:
>> I agree - it's a bad comparison of 2 different things meant for different purposes. iptables is enforcement, fail2ban is detection.

iptables can also detect and log these detections.

> if you have time to sit and make up iptables rules by hand during every hack attempt

I don't.

Gordon
Re: [asterisk-users] A new hack?
On Tue, 29 Nov 2011, C F wrote:

> BTW, you were just proven wrong, you need it for this hack.

In addition to the few hundred protected Asterisk installations I run, I also run a few honeypots.

Gordon
Re: [asterisk-users] A new hack?
On Thu, Dec 1, 2011 at 8:13 AM, Gordon Henderson gordon+aster...@drogon.net wrote:

> Yes, I know exactly how Fail2Ban works.

Then you should be able to proffer a better argument of why it isn't necessary.
Re: [asterisk-users] A new hack?
On Thu, Dec 1, 2011 at 8:15 AM, Gordon Henderson gordon+aster...@drogon.net wrote:

> On Tue, 29 Nov 2011, C F wrote:
>> BTW, you were just proven wrong, you need it for this hack.
>
> In addition to the few hundred protected Asterisk installations I run, I also run a few honeypots.

Protected? You don't know that until the next hack comes out.
Re: [asterisk-users] A new hack?
On Tue, Nov 29, 2011 at 4:44 PM, john Millican j...@millican.us wrote:

> Maybe I am misunderstanding the gist of the comment

OP offered an invalid comparison of how iptables is better than Fail2Ban. Whether or not OP knew that Fail2Ban simply feeds rules to iptables is unclear from his comments.

Log scraping is a time honored and effective method to correlate bad behavior. Log scraping can see things that no iptables rule would ever find. Think SSL.

If Fail2Ban is a bad log scraper framework, then criticize it with a clear understanding of its role.
Re: [asterisk-users] A new hack?
On 11/30/2011 09:01 AM, Tom Browning wrote:

> I agree - it's a bad comparison of 2 different things meant for different purposes. iptables is enforcement, fail2ban is detection.

if you have time to sit and make up iptables rules by hand during every hack attempt

1) you have too much time on your hands
2) you have too much time on your hands

> On Tue, Nov 29, 2011 at 4:44 PM, john Millican j...@millican.us wrote:
>> Maybe I am misunderstanding the gist of the comment
>
> OP offered an invalid comparison of how iptables is better than Fail2Ban. Whether or not OP knew that Fail2Ban simply feeds rules to iptables is unclear from his comments.
>
> Log scraping is a time honored and effective method to correlate bad behavior. Log scraping can see things that no iptables rule would ever find. Think SSL.
>
> If Fail2Ban is a bad log scraper framework, then criticize it with a clear understanding of its role.
Re: [asterisk-users] A new hack?
On Sun, Nov 27, 2011 at 8:47 AM, Gordon Henderson gordon+aster...@drogon.net wrote:
> On Sat, 26 Nov 2011, C F wrote:
>> On Sat, Nov 26, 2011 at 7:50 AM, Gordon Henderson gordon+aster...@drogon.net wrote:
>>> On Sat, 26 Nov 2011, Terry Brummell wrote:
>>>> Install & configure Fail2Ban, then the host will be blocked from connecting. And no, it's not new.
>>>
>>> I don't need Fail2Ban, thank you. But your advice might be useful to others.
>>
>> Why is that? Even if they don't compromise an account they are still using your bandwidth and resources on your machine.
>
> Linux has excellent built-in subsystems to control firewalling and so on without resorting to external programs. It's called iptables. If you know how to use them, then using an external resource such as fail2ban is unnecessary.

So it's not that you don't need it, but you use something else. BTW, you were just proven wrong, you need it for this hack.
Re: [asterisk-users] A new hack?
On Mon, Nov 28, 2011 at 10:57 AM, Tom Browning ttbrown...@gmail.com wrote:
> On Sun, Nov 27, 2011 at 8:47 AM, Gordon Henderson gordon+aster...@drogon.net wrote:
>> Linux has excellent built-in subsystems to control firewalling and so on without resorting to external programs. It's called iptables. If you know how to use them, then using an external resource such as fail2ban is unnecessary.
>
> That's like saying you don't need FreePBX because you have this thing called Asterisk.

Very well put.
Re: [asterisk-users] A new hack?
On 11/29/2011 12:48 PM, C F wrote:
> On Mon, Nov 28, 2011 at 10:57 AM, Tom Browning ttbrown...@gmail.com wrote:
>> On Sun, Nov 27, 2011 at 8:47 AM, Gordon Henderson gordon+aster...@drogon.net wrote:
>>> Linux has excellent built-in subsystems to control firewalling and so on without resorting to external programs. It's called iptables. If you know how to use them, then using an external resource such as fail2ban is unnecessary.
>>
>> That's like saying you don't need FreePBX because you have this thing called Asterisk.
>
> Very well put.

This may well turn out to just be troll fodder but I can not resist. I disagree with the above being very well put; personally I think it is the opposite of well put. Maybe I am misunderstanding the gist of the comment but, "I do not NEED FreePBX, I have Asterisk" makes perfect sense to me. I have been using asterisk for a few years now and have not yet found anything that I need to do with Asterisk that I must have FreePBX to accomplish. Could I do the same things with FreePBX on top of Asterisk? Maybe.

I am not an expert in iptables but I have been semi-successful in adapting what others have done to fit my needs. I have found this to work better FOR ME than Fail2ban. I have used and will continue to use Fail2ban for other purposes because I am not an iptables expert.

In my opinion one should find the tools that work best for you in your situation and use them. You may well change your mind in the future, but that is the beauty of this industry: it changes all the time. What I feel works best today may well not be what I think works best tomorrow as new tools are developed and proven and also as I become more experienced with the old tried and true tools.

As usual, just my 2 cents (US currency, exchange rates not compensated for)

JohnM
Re: [asterisk-users] A new hack?
On Sun, Nov 27, 2011 at 8:47 AM, Gordon Henderson gordon+aster...@drogon.net wrote:
> Linux has excellent built-in subsystems to control firewalling and so on without resorting to external programs. It's called iptables. If you know how to use them, then using an external resource such as fail2ban is unnecessary.

That's like saying you don't need FreePBX because you have this thing called Asterisk.

Though I've never used Fail2Ban, it is an excellent example of middleware that looks at application-level events and feeds updates to iptables. So the important blocking is happening in kernel mode, not userland.

Your example:
> For example, with iptables rules you can say something like: If a connection from a remote site to a local port happens more than (say) once a second then drop that connection.

doesn't always work well for some applications. Ever look at WebDAV traffic? Code me an iptables rule that figures out someone is doing bad things via WebDAV :-)
Re: [asterisk-users] A new hack?
On Sat, 26 Nov 2011, C F wrote:
> On Sat, Nov 26, 2011 at 7:50 AM, Gordon Henderson gordon+aster...@drogon.net wrote:
>> On Sat, 26 Nov 2011, Terry Brummell wrote:
>>> Install & configure Fail2Ban, then the host will be blocked from connecting. And no, it's not new.
>>
>> I don't need Fail2Ban, thank you. But your advice might be useful to others.
>
> Why is that? Even if they don't compromise an account they are still using your bandwidth and resources on your machine.

Linux has excellent built-in subsystems to control firewalling and so on without resorting to external programs. It's called iptables. If you know how to use them, then using an external resource such as fail2ban is unnecessary.

For example, with iptables rules you can say something like: If a connection from a remote site to a local port happens more than (say) once a second then drop that connection. And that happens right at the kernel level without the need to run any userland software, write config files, monitor log files and so on.

I've posted about it in the past - search the archives if you want to know more.

Gordon
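Added example, not Gordon's rules (he points to the list archives for those): one way to express "more than N packets from one source within W seconds on the SIP port gets dropped" with the iptables `recent` match, entirely in the kernel, as the message above describes. The chain name SIP-LIMIT, the thresholds and the TRUSTED allowlist addresses are assumptions for the example. Set IPT=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example: kernel-side SIP rate limiting with the iptables 'recent' match.
# Not the rules from the thread; chain name, thresholds and the allowlist are
# assumptions. Set IPT=echo to print the commands instead of applying them.

SIP_PORT=${SIP_PORT:-5060}
WINDOW=${WINDOW:-2}      # seconds
HITS=${HITS:-3}          # packets per WINDOW from one source before dropping
# Hypothetical trunk/office addresses (documentation ranges) that bypass the limiter.
TRUSTED=${TRUSTED:-"192.0.2.10 198.51.100.0/24"}

sip_ratelimit_apply() {
    ipt=${IPT:-iptables}

    # Dedicated chain so the limiter can be reloaded without touching the rest of INPUT.
    $ipt -N SIP-LIMIT 2>/dev/null || $ipt -F SIP-LIMIT
    $ipt -D INPUT -p udp --dport "$SIP_PORT" -j SIP-LIMIT 2>/dev/null || true
    $ipt -I INPUT -p udp --dport "$SIP_PORT" -j SIP-LIMIT

    # Known peers first: an office behind NAT re-REGISTERing dozens of phones
    # looks exactly like a flood from one address.
    for src in $TRUSTED; do
        $ipt -A SIP-LIMIT -s "$src" -j RETURN
    done

    # --update refreshes the source's timestamp on every packet, so a host that keeps
    # hammering stays dropped until it is quiet for WINDOW seconds. --hitcount must not
    # exceed the xt_recent ip_pkt_list_tot module parameter (default 20).
    $ipt -A SIP-LIMIT -m recent --name sipflood --update --seconds "$WINDOW" --hitcount "$HITS" \
        -m limit --limit 6/min -j LOG --log-prefix "SIP-LIMIT drop: "
    $ipt -A SIP-LIMIT -m recent --name sipflood --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP

    # Everything else: record the source and hand the packet to Asterisk.
    $ipt -A SIP-LIMIT -m recent --name sipflood --set -j RETURN
}

# Usage:  ./sip-ratelimit.sh apply            (as root)
#         IPT=echo ./sip-ratelimit.sh apply   (dry run, print the rules)
case "${1:-}" in
    apply) sip_ratelimit_apply ;;
esac
```

Two caveats a practitioner would want. First, this limits packet rate per source, not failed authentications: the probe in this thread arrives once every 2 seconds, which is under a "more than once a second" rule, so a slow scanner passes untouched and only the log shows it (the point Tom makes about application-level events). Second, the allowlist matters more than the thresholds: a NATed office or a SIP trunk provider will trip any per-address counter long before an attacker does.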
[asterisk-users] A new hack?
Or just an old one that I've not noticed before...

Seeing lines like this in the logs:

[Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=E2lb2p9BOJ
[Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=XMDRarBM2w
[Nov 26 08:47:19] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=AaTE0L0oRj
[Nov 26 08:47:21] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=igsN240Wr5
[Nov 26 08:47:23] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=E8Nkbs0Aye
[Nov 26 08:47:25] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=LEvpc7tK6B
[Nov 26 08:47:27] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=WrIoZ92YPz
[Nov 26 08:47:29] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=kuGTjXr7Pd
[Nov 26 08:47:31] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=ygQBLSjH1m

etc.

The IP address is presumably the IP address of some compromised host (in Germany in this case, but I've noticed others around the globe so the software doing it would appear to be widespread) - it's not a host that should be connecting in.

I suspect that some SIP PBX somewhere is vulnerable to having an account called VOIP, so this remote attack is trying to compromise that account.

At least it's only once every 2 seconds, so in that respect no worse than the multitude of pop/smtp/imap/ssh type attacks that hackers try...

I've seen it on several servers now, always for account VOIP.

I'm presuming the fake rejection is the side-effect of using alwaysauthreject in sip.conf. (if so, then it's doing the right thing)

But something to look out for just in case..

Gordon
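Added example, not part of Gordon's post and not fail2ban's own filter: what a log scraper does with NOTICE lines like the ones above, and why the thread's "iptables is enforcement, fail2ban is detection" split holds. The function reads Asterisk log lines, counts "Sending fake auth rejection" per source address inside a sliding window (fail2ban's maxretry/findtime idea), reports each source that crosses the threshold once, and a second function emits the iptables command that would enforce the ban. The sample log is constructed: the first nine lines mirror the ones in the post, the rest are made-up noise from documentation-range addresses.

```shell
#!/bin/sh
# Added example: fail2ban-style log scraping for Asterisk's "fake auth rejection" NOTICE
# (the line alwaysauthreject=yes produces). Thresholds, the ban rule and the sample
# log are constructed for this example; nothing here is fail2ban's own code.

sample_log() {
    # Constructed input: nine lines shaped like the post above, two rejections from a
    # second (documentation-range) address, and one unrelated NOTICE.
    cat <<'EOF'
[Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=E2lb2p9BOJ
[Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=XMDRarBM2w
[Nov 26 08:47:19] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=AaTE0L0oRj
[Nov 26 08:47:20] NOTICE[789] chan_sip.c: Sending fake auth rejection for user 100 sip:100@192.0.2.10;tag=c0nstr1
[Nov 26 08:47:21] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=igsN240Wr5
[Nov 26 08:47:22] NOTICE[789] chan_sip.c: Sending fake auth rejection for user 100 sip:100@192.0.2.10;tag=c0nstr2
[Nov 26 08:47:23] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=E8Nkbs0Aye
[Nov 26 08:47:25] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=LEvpc7tK6B
[Nov 26 08:47:27] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=WrIoZ92YPz
[Nov 26 08:47:29] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=kuGTjXr7Pd
[Nov 26 08:47:30] NOTICE[789] chan_sip.c: Peer '200' is now Reachable. (12ms / 2000ms)
[Nov 26 08:47:31] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=ygQBLSjH1m
EOF
}

# sip_bruteforce_bans MAXRETRY FINDTIME  < asterisk-log
# Prints each source address the moment it reaches MAXRETRY rejections within
# FINDTIME seconds (once per address), in the order the log reveals them.
sip_bruteforce_bans() {
    awk -v maxretry="$1" -v findtime="$2" '
    /chan_sip\.c: Sending fake auth rejection for user/ {
        # "[Nov 26 08:47:17]" -> seconds since midnight (day boundaries ignored here)
        split(substr($3, 1, 8), t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        # the source address is what follows "@" in the From URI
        if (!match($0, /@[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) next
        ip = substr($0, RSTART + 1, RLENGTH - 1)
        hits[ip, ++n[ip]] = now
        recent = 0
        for (i = 1; i <= n[ip]; i++)
            if (now - hits[ip, i] <= findtime) recent++
        if (recent >= maxretry && !(ip in banned)) {
            banned[ip] = now
            print ip
        }
    }'
}

# The enforcement half: what the scraper hands to iptables for one offender.
# Blocking still happens in the kernel; only the decision was made in userland.
ban_command() {
    ipt=${IPT:-iptables}
    echo "$ipt -I INPUT -s $1 -p udp --dport 5060 -j DROP"
}

# Usage:  ./sip-scrape.sh demo
#         tail -F /var/log/asterisk/full | sip_bruteforce_bans 5 60 | while read -r ip; do ban_command "$ip"; done
if [ "${1:-}" = demo ]; then
    sample_log | sip_bruteforce_bans 5 60 | while read -r ip; do ban_command "$ip"; done
fi
```

With maxretry 5 and findtime 60 the scraper bans 85.25.145.176 on the fifth rejection and leaves the two-hit address alone; with findtime 1 it bans nothing, because the probe only arrives every 2 seconds and never accumulates five hits inside one second. That is the difference between this and a packet-rate rule: the scraper keys on what Asterisk decided, so the once-per-2-seconds pace in the post is caught by counting rather than by rate. A real deployment also needs an unban timer and the same allowlist a rate limiter needs, since a misconfigured phone behind a shared office address generates the identical NOTICE.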
Re: [asterisk-users] A new hack?
Install & configure Fail2Ban, then the host will be blocked from connecting. And no, it's not new.

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Gordon Henderson
Sent: Saturday, November 26, 2011 6:55 AM
To: Asterisk Users Mailing List Discussion
Subject: [asterisk-users] A new hack?

> Or just an old one that I've not noticed before...
>
> Seeing lines like this in the logs:
>
> [Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=E2lb2p9BOJ
> [Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=XMDRarBM2w
> [Nov 26 08:47:19] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=AaTE0L0oRj
> [Nov 26 08:47:21] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=igsN240Wr5
> [Nov 26 08:47:23] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=E8Nkbs0Aye
> [Nov 26 08:47:25] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=LEvpc7tK6B
> [Nov 26 08:47:27] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=WrIoZ92YPz
> [Nov 26 08:47:29] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=kuGTjXr7Pd
> [Nov 26 08:47:31] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=ygQBLSjH1m
>
> etc.
>
> The IP address is presumably the IP address of some compromised host (in Germany in this case, but I've noticed others around the globe so the software doing it would appear to be widespread) - it's not a host that should be connecting in.
>
> I suspect that some SIP PBX somewhere is vulnerable to having an account called VOIP, so this remote attack is trying to compromise that account.
>
> At least it's only once every 2 seconds, so in that respect no worse than the multitude of pop/smtp/imap/ssh type attacks that hackers try...
>
> I've seen it on several servers now, always for account VOIP.
>
> I'm presuming the fake rejection is the side-effect of using alwaysauthreject in sip.conf. (if so, then it's doing the right thing)
>
> But something to look out for just in case..
>
> Gordon
Re: [asterisk-users] A new hack?
On Sat, 26 Nov 2011, Terry Brummell wrote:
> Install & configure Fail2Ban, then the host will be blocked from connecting. And no, it's not new.

I don't need Fail2Ban, thank you. But your advice might be useful to others.

Gordon

> -----Original Message-----
> From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Gordon Henderson
> Sent: Saturday, November 26, 2011 6:55 AM
> To: Asterisk Users Mailing List Discussion
> Subject: [asterisk-users] A new hack?
>
> Or just an old one that I've not noticed before...
>
> Seeing lines like this in the logs:
>
> [Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=E2lb2p9BOJ
> [Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=XMDRarBM2w
> [Nov 26 08:47:19] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=AaTE0L0oRj
> [Nov 26 08:47:21] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=igsN240Wr5
> [Nov 26 08:47:23] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=E8Nkbs0Aye
> [Nov 26 08:47:25] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=LEvpc7tK6B
> [Nov 26 08:47:27] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=WrIoZ92YPz
> [Nov 26 08:47:29] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=kuGTjXr7Pd
> [Nov 26 08:47:31] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=ygQBLSjH1m
>
> etc.
>
> The IP address is presumably the IP address of some compromised host (in Germany in this case, but I've noticed others around the globe so the software doing it would appear to be widespread) - it's not a host that should be connecting in.
>
> I suspect that some SIP PBX somewhere is vulnerable to having an account called VOIP, so this remote attack is trying to compromise that account.
>
> At least it's only once every 2 seconds, so in that respect no worse than the multitude of pop/smtp/imap/ssh type attacks that hackers try...
>
> I've seen it on several servers now, always for account VOIP.
>
> I'm presuming the fake rejection is the side-effect of using alwaysauthreject in sip.conf. (if so, then it's doing the right thing)
>
> But something to look out for just in case..
>
> Gordon
Re: [asterisk-users] A new hack?
On Sat, Nov 26, 2011 at 7:50 AM, Gordon Henderson gordon+aster...@drogon.net wrote:
> On Sat, 26 Nov 2011, Terry Brummell wrote:
>> Install & configure Fail2Ban, then the host will be blocked from connecting. And no, it's not new.
>
> I don't need Fail2Ban, thank you. But your advice might be useful to others.

Why is that? Even if they don't compromise an account they are still using your bandwidth and resources on your machine.