[asterisk-users] Interesting new hack attack

2014-05-22 Thread Steve Murphy
In the past little while, we've seen
a wave of attacks on asterisk, via the
provisioning.

It goes something like this:

A. scan for IP phones on the internet,
   either via spotting something on port 5060,
   or via the port 80 web interface for the phone.
   Or, use web sites that scan the internet, and
   classify the machines, to make your work shorter.
B. Once you get into the web GUI, get the URL for provisioning.
   I haven't checked yet... do any phones actually
   allow you to set this, or do any display the
   current value?
   And, finally, how many phones publish their
   own MAC address in the GUI? Or, can you suck this
   out of the returned IP packets?
C. Given the URL and the mac, fetch the phone's
   provisioning info, including its sip account
   info. Use to best advantage.
D. Going further, set up a brute-force probe algorithm,
   to probe all possible mac addresses for a given
   phone manufacturer, via http requests. After all,
   those provisioning web servers are fast and efficient,
   aren't they? Collect all possible mac addresses and
   grab the provisioning, and now you have a LOT of sip
   accounts. Use to best advantage.

And, professional hacking organizations seem to also follow
these rules:

a. wait several months for any history of the above activities
   to roll off the log files. Treat your phone systems like
   fine wine vintage.
b. Use multiple (hundreds/thousands) of machines scattered
   over the earth to carry out the above probes, and also to
   use the accounts for generating international calls.

In general, using the SIP account info gleaned from these
kinds of efforts is a bit problematic. You see, to effectively
use your phone system to place calls, they will have to
set up their own phone system to act like a phone, and
register to the phone system, and then initiate calls.
Trouble is, your phone is usually already registered, but
can be bumped off. Your phone will re-register at intervals
and bump the hackers, who will again register and bump your
phone. This little game of king of the hill may show up in
your Asterisk logs.

So, these defenses can be employed to stop/ameliorate such
hacking efforts:

1. Keep your phones behind a firewall. Travellers, beware!
   Never leave the default login info of the phone at default!
2. Never use the default provisioning URL for the phone,
   with its default URL or password.
3. Use fail2ban, ossec, whatever to stymie any brute force
   mac address searches.
4. Use your firewalls to restrict IPs that can access web,
   ftp, etc, for provisioning to just those IPs needed to allow
   your phones to provision.
5. Keep your logs for a couple years.
6. Change your phone SIP acct passwords now, if you haven't
   implemented the above precautions yet.


If I missed a previous post on this, forgive me.
Just thought you-all might appreciate a heads-up.

murf






-- 

Steve Murphy
ParseTree Corporation
57 Lane 17
Cody, WY 82414
✉  murf at parsetree dot com
☎ 307-899-5535
-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
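
Defense 3 in the post above calls for something that notices brute-force MAC searches against the provisioning web server, and defense 6 calls for changing SIP passwords that may have leaked. The following is an added example, not code from this thread: a Python check over the provisioning server's access log that flags clients requesting more distinct MAC-named files than a phone would and lists which configs were actually served to them. Assumptions: per-device files live at `/prov/<mac>.cfg`, the log is in Apache/nginx combined format, the threshold of 3 is arbitrary, and the sample lines are constructed from documentation IP and MAC ranges.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log line: client IP, timestamp, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|HEAD) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# A MAC in the request path: 12 hex digits, optional ':' or '-' separators.
MAC_RE = re.compile(
    r'(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f])'
)

# Constructed sample log (assumed /prov/<mac>.cfg layout, documentation ranges).
# 192.0.2.10 is a real phone; 198.51.100.77 walks MACs once every few days.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/May/2014:08:00:01 +0000] "GET /prov/00005e005301.cfg HTTP/1.1" 200 1432 "-" "phone"',
    '198.51.100.77 - - [02/May/2014:03:11:40 +0000] "GET /prov/00005e005300.cfg HTTP/1.1" 404 162 "-" "-"',
    '198.51.100.77 - - [04/May/2014:03:12:02 +0000] "GET /prov/00005e005301.cfg HTTP/1.1" 200 1432 "-" "-"',
    '198.51.100.77 - - [07/May/2014:03:09:55 +0000] "GET /prov/00005e005302.cfg HTTP/1.1" 404 162 "-" "-"',
    '198.51.100.77 - - [09/May/2014:03:10:31 +0000] "GET /prov/00005e005303.cfg HTTP/1.1" 404 162 "-" "-"',
    '198.51.100.77 - - [12/May/2014:03:13:17 +0000] "GET /prov/00-00-5E-00-53-04.cfg HTTP/1.1" 200 1432 "-" "-"',
    '192.0.2.10 - - [15/May/2014:08:00:02 +0000] "GET /prov/00005e005301.cfg HTTP/1.1" 200 1432 "-" "phone"',
    '203.0.113.5 - - [15/May/2014:09:30:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
]


def find_mac_walkers(lines, max_macs_per_ip=3, trusted_ips=frozenset()):
    """Return {ip: report} for clients that asked for more MACs than a phone would.

    No time window is applied on purpose: a walk spread over days or weeks
    stays under a per-minute rate limit but still accumulates distinct MACs,
    which is why the log has to be kept long enough to cover it.
    """
    per_ip = defaultdict(lambda: {"macs": set(), "served": set(),
                                  "misses": 0, "first": None, "last": None})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["ip"] in trusted_ips:
            continue
        mac_match = MAC_RE.search(m["path"])
        if not mac_match:
            continue  # not a per-device provisioning file
        mac = re.sub(r"[:-]", "", mac_match.group(0)).lower()
        rec = per_ip[m["ip"]]
        rec["macs"].add(mac)
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
        if m["status"] == "200":
            rec["served"].add(mac)   # config, and its SIP secret, left the server
        elif m["status"] == "404":
            rec["misses"] += 1       # guessed a MAC that is not provisioned

    report = {}
    for ip, rec in per_ip.items():
        if len(rec["macs"]) > max_macs_per_ip:
            report[ip] = {
                "distinct_macs": len(rec["macs"]),
                "misses": rec["misses"],
                # Accounts whose passwords should be changed (defense 6).
                "rotate_credentials": sorted(rec["served"]),
                "first_seen": rec["first"],
                "last_seen": rec["last"],
            }
    return report


if __name__ == "__main__":
    for ip, info in find_mac_walkers(SAMPLE_LOG).items():
        print(ip, info)
```

Sites with several phones behind one NAT address belong in `trusted_ips` or need a higher `max_macs_per_ip`.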

Re: [asterisk-users] Interesting new hack attack

2014-05-22 Thread James Sharp

On 5/22/2014 12:41 PM, Steve Murphy wrote:


> So, these defenses can be employed to stop/ameliorate such
> hacking efforts:
>
> 1. Keep your phones behind a firewall. Travellers, beware!
>    Never leave the default login info of the phone at default!
> 2. Never use the default provisioning URL for the phone,
>    with its default URL or password.
> 3. Use fail2ban, ossec, whatever to stymie any brute force
>    mac address searches.
> 4. Use your firewalls to restrict IPs that can access web,
>    ftp, etc, for provisioning to just those IPs needed to allow
>    your phones to provision.
> 5. Keep your logs for a couple years.
> 6. Change your phone SIP acct passwords now, if you haven't
>    implemented the above precautions yet.
>
> If I missed a previous post on this, forgive me.
> Just thought you-all might appreciate a heads-up.


Encrypt your provisioning system if the phone supports it.  I had a 
cable/voip service provider who HTTPS provisioned by MAC without 
encryption and the provisioning URL was stored, unlocked, in the ATA. 
Had I been slightly more nefarious, I could have walked the
provisioning tree nice and slow and easily grabbed everyone's SIP 
credentials in the clear.


No hacking or cracking was involved.  The ATA doubled as the NAT router 
they handed out and gave the admin password out freely.




Re: [asterisk-users] A new hack?

2011-12-06 Thread Hans Witvliet
On Mon, 2011-12-05 at 18:51 -0800, Steve Edwards wrote:
snip

 Your security needs depend on your environment. At this point in time,
 all of the hosts I manage for my clients exist in very limited 
 environments and have very small attack surfaces. They are racked in 
 secure data centers. They only accept SIP from clients with static IP 
 addresses that we have an existing business relationship with. They only 
 accept SSH connections from me. They only accept HTTP connections from me 
 and my boss. That's about it. I don't see where F2B adds much value for 
 me.
 
 *) Lots of admins think they can't limit access to servers because they 
 have 'mobile' users. Your users probably don't need to access your servers 
 from every single place on the Internet. If your users don't come from 
 China, North Korea, Iran, etc, you can block entire regions with a few 
 rules and eliminate 80% of probes and attacks from reaching your servers 
 in the first place. Apologies in advance if you happen to live in some of 
 these regions -- feel free to `s/China, North Korea, Iran/United States, 
 Canada, England/g`
 

Perhaps another suggestion.
If they are true road warriors, I presume they are capable of setting
up a vpn to the company.
In that case, only allow registrations/calls through the secured
tunnel. Then it's not any concern to asterisk.

And if they can breach your tunnel, you have something else to worry
about.


hw



Re: [asterisk-users] A new hack?

2011-12-06 Thread C F
On Tue, Dec 6, 2011 at 5:19 AM, Hans Witvliet aster...@a-domani.nl wrote:
 On Mon, 2011-12-05 at 18:51 -0800, Steve Edwards wrote:
 snip

 Your security needs depend on your environment. At this point in time,
 all of the hosts I manage for my clients exist in very limited
 environments and have very small attack surfaces. They are racked in
 secure data centers. They only accept SIP from clients with static IP
 addresses that we have an existing business relationship with. They only
 accept SSH connections from me. They only accept HTTP connections from me
 and my boss. That's about it. I don't see where F2B adds much value for
 me.

 *) Lots of admins think they can't limit access to servers because they
 have 'mobile' users. Your users probably don't need to access your servers
 from every single place on the Internet. If your users don't come from
 China, North Korea, Iran, etc, you can block entire regions with a few
 rules and eliminate 80% of probes and attacks from reaching your servers
 in the first place. Apologies in advance if you happen to live in some of
 these regions -- feel free to `s/China, North Korea, Iran/United States,
 Canada, England/g`


 Perhaps an other suggestion.
 If they are true road warriors, i presume they are capable of setting
 up an vpn to the company.
 In that case, only allow  registrations/calls through the secured
 tunnel. Then it's not any concern to asterisk.

 And if they can breach your tunnel, you have something else to worry
 about.

Well, that means opening up VPN connections from everywhere. That's why
I suggested turning off the server completely.



Re: [asterisk-users] A new hack?

2011-12-06 Thread jon pounder



> Well, that means opening up VPN connections from everywhere. That's why
> I suggested turning off the server completely.


hmmm - I thought that was  the point of a vpn






Re: [asterisk-users] A new hack?

2011-12-05 Thread C F
On Fri, Dec 2, 2011 at 11:35 AM, Jim Lucas li...@cmsws.com wrote:
 On 11/26/2011 5:00 PM, C F wrote:
 On Sat, Nov 26, 2011 at 7:50 AM, Gordon Henderson
 gordon+aster...@drogon.net wrote:
 On Sat, 26 Nov 2011, Terry Brummell wrote:

 Install & Configure Fail2Ban then the host will be blocked from
 connecting.  And no, it's not new.

 I don't need Fail2Ban, thank you. But your advice might be useful to others.

 Why is that?
 Even if they don't compromise an account they are still using your
 bandwidth and resources on your machine.


 How is using Fail2Ban less resource intensive than me writing (by hand)
 iptable rules?

Sorry I wasn't very clear in my first writing, I'll try to clarify.
Using iptables only detects one type of attack (aggressive
connections). While his machines might be secure enough to allow any
other attacks and still not compromise his machine, iptables will
still allow them thru and therefore the attack will be using his
bandwidth/resources, with f2b one can add as many rules as/when they
arrive.


 Also, since both methods involve the use of iptables, where exactly is the
 bandwidth savings?

In detection.


 --
 Jim Lucas



Re: [asterisk-users] A new hack?

2011-12-05 Thread Steve Edwards

(This horse just won't stay dead...)

My apologies if I mis-attribute who wrote what.


On Fri, Dec 2, 2011 at 11:35 AM, Jim Lucas li...@cmsws.com wrote:

>> How is using Fail2Ban less resource intensive than me writing (by hand)
>> iptable rules?

On Mon, 5 Dec 2011, C F wrote:

> Sorry I wasn't very clear in my first writing, I'll try to clarify. Using
> iptables only detects one type of attack (aggressive connections). While
> his machines might be secure enough to allow any other attacks and still
> not compromise his machine, iptables will still allow them thru and
> therefore the attack will be using his bandwidth/resources, with f2b one
> can add as many rules as/when they arrive.


I think you are over-generalizing.

You can write iptables rules to detect and respond to many types of 
attacks.


Since F2B is just an automated front end to iptables you can have as many 
rules as you need with or without F2B. Also, since packets are 'stopped' 
at the same place (iptables) any bandwidth savings would only be to 
services that you are running that either aren't or can't* be nailed down.


>> Also, since both methods involve the use of iptables, where exactly is
>> the bandwidth savings?

> In detection.


How about 'in responding to an attack your iptables rules don't already 
mitigate and you do have F2B rules defined for?' 'Detecting' an attack 
means close to nothing if you don't respond to it :)


I'm not hating on F2B, it's just not a silver bullet nor is it appropriate 
for all environments.


Your security needs depend on your environment. At this point in time,
all of the hosts I manage for my clients exist in very limited 
environments and have very small attack surfaces. They are racked in 
secure data centers. They only accept SIP from clients with static IP 
addresses that we have an existing business relationship with. They only 
accept SSH connections from me. They only accept HTTP connections from me 
and my boss. That's about it. I don't see where F2B adds much value for 
me.


*) Lots of admins think they can't limit access to servers because they 
have 'mobile' users. Your users probably don't need to access your servers 
from every single place on the Internet. If your users don't come from 
China, North Korea, Iran, etc, you can block entire regions with a few 
rules and eliminate 80% of probes and attacks from reaching your servers 
in the first place. Apologies in advance if you happen to live in some of 
these regions -- feel free to `s/China, North Korea, Iran/United States, 
Canada, England/g`


--
Thanks in advance,
-
Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
Newline  Fax: +1-760-731-3000



Re: [asterisk-users] A new hack?

2011-12-05 Thread C F
On Mon, Dec 5, 2011 at 9:51 PM, Steve Edwards asterisk@sedwards.com wrote:
 (This horse just won't stay dead...)

 My apologies if I mis-attribute who wrote what.

 On Fri, Dec 2, 2011 at 11:35 AM, Jim Lucas li...@cmsws.com wrote:


 How is using Fail2Ban less resource intensive than me writing (by hand)
 iptable rules?


 On Mon, 5 Dec 2011, C F wrote:

 Sorry I wasn't very clear in my first writing, I'll try to clarify. Using
 iptables only detects one type of attack (aggressive connections). While his
 machines might be secure enough to allow any other attacks and still not
 compromise his machine, iptables will still allow them thru and therefore
 the attack will be using his bandwidth/resources, with f2b one can add as
 many rules as/when they arrive.


 I think you are over-generalizing.

 You can write iptables rules to detect and respond to many types of attacks.

Possible. But working off the logs makes lots more sense for creating
more accurate to the point rules, and to mention on the fly.


 Since F2B is just an automated front end to iptables you can have as many
 rules as you need with or without F2B. Also, since packets are 'stopped' at
 the same place (iptables) any bandwidth savings would only be to services
 that you are running that either aren't or can't* be nailed down.

You didn't get my point. If someone is trying to exploit some type of
dialplan hack in slow motion. iptables will probably not detect it and
your machine is secure enough that the exploit doesn't work, but the
script kiddie behind the attack doesn't know that and keeps trying.
You're wasting resources and bandwidth. With f2b you can have him added
to iptables after the first try. Once all packets are dropped from
that IP, while the attacker is still using resources/bandwidth while
trying after a while they will stop as all packets are dropped. The
reason they are trying is because it wasn't blocked but now that it is
they will stop.


 Also, since both methods involve the use of iptables, where exactly is
 the bandwidth savings?


 In detection.


 How about 'in responding to an attack your iptables rules don't already
 mitigate and you do have F2B rules defined for?' 'Detecting' an attack means
 close to nothing if you don't respond to it :)

I think you are just explaining my point. Correct me if I'm wrong.


 I'm not hating on F2B, it's just not a silver bullet nor is it appropriate
 for all environments.

Agreed, like another poster said, it's the easy way out since it's an
easy front end. The only reason for this thread is because someone
mentioned he doesn't *need* it.


 Your security needs depend on your environment. At this point in time, all
 of the hosts I manage for my clients exist in very limited environments and
 have very small attack surfaces. They are racked in secure data centers.

Speaking of which, how secure? I have biometrics access to about a
dozen such centers. Once inside the center how hard is it really to do
what you want?

 They only accept SIP from clients with static IP addresses that we have an
 existing business relationship with. They only accept SSH connections from
 me. They only accept HTTP connections from me and my boss. That's about it.
 I don't see where F2B adds much value for me.

Well others keep their servers shut. While I'm sarcastic, I'm also
trying to say it's way too overdone. A good IDS/IPS will do, there is
really no reason to this. Except in environments that require it, in
my opinion national infrastructure etc.


 *) Lots of admins think they can't limit access to servers because they have
 'mobile' users. Your users probably don't need to access your servers from
 every single place on the Internet. If your users don't come from China,
 North Korea, Iran, etc, you can block entire regions with a few rules and
 eliminate 80% of probes and attacks from reaching your servers in the first
 place. Apologies in advance if you happen to live in some of these regions
 -- feel free to `s/China, North Korea, Iran/United States, Canada,
 England/g`

 --
 Thanks in advance,
 -
 Steve Edwards       sedwa...@sedwards.com      Voice: +1-760-468-3867 PST
 Newline                                              Fax: +1-760-731-3000


Re: [asterisk-users] A new hack?

2011-12-02 Thread Jim Lucas
On 11/26/2011 5:00 PM, C F wrote:
 On Sat, Nov 26, 2011 at 7:50 AM, Gordon Henderson
 gordon+aster...@drogon.net wrote:
 On Sat, 26 Nov 2011, Terry Brummell wrote:

 Install & Configure Fail2Ban then the host will be blocked from
 connecting.  And no, it's not new.

 I don't need Fail2Ban, thank you. But your advice might be useful to others.
 
 Why is that?
 Even if they don't compromise an account they are still using your
 bandwidth and resources on your machine.
 

How is using Fail2Ban less resource intensive than me writing (by hand) iptable
rules?

Also, since both methods involve the use of iptables, where exactly is the
bandwidth savings?

-- 
Jim Lucas



Re: [asterisk-users] A new hack?

2011-12-02 Thread Danny Nicholas
Fail2ban assumes that #1 your environment is (wide) open and #2 you will
need to update iptables on an instant response to attack basis.  If you
are open enough, even fail2ban isn't going to really help.  If you have a
sufficiently written set of iptables rules (or you aren't allowing external
SIP/TCP/UDP traffic) you shouldn't (just my opinion) need fail2ban at all.

-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Jim Lucas
Sent: Friday, December 02, 2011 10:35 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] A new hack?

On 11/26/2011 5:00 PM, C F wrote:
 On Sat, Nov 26, 2011 at 7:50 AM, Gordon Henderson 
 gordon+aster...@drogon.net wrote:
 On Sat, 26 Nov 2011, Terry Brummell wrote:

 Install & Configure Fail2Ban then the host will be blocked from
 connecting.  And no, it's not new.

 I don't need Fail2Ban, thank you. But your advice might be useful to others.
 
 Why is that?
 Even if they don't compromise an account they are still using your 
 bandwidth and resources on your machine.
 

How is using Fail2Ban less resource intensive than me writing (by hand)
iptable rules?

Also, since both methods involve the use of iptables, where exactly is the
bandwidth savings?

--
Jim Lucas



Re: [asterisk-users] A new hack?

2011-12-02 Thread Steve Edwards

On Fri, 2 Dec 2011, Jim Lucas wrote:

> How is using Fail2Ban less resource intensive than me writing (by hand)
> iptable rules?


It depends on how you define resources and how much of those resources you 
have.


Gordon (based on my understanding of his posts) does a lot of Asterisk 
systems on very limited hardware hosts. His approach uses iptables 
features to limit the number of SIP INVITES and REGISTERS per second per 
IP address.


Thus, Gordon's approach is more responsive (since it doesn't require 
periodic log file scanning) and requires less hardware resources (since it 
doesn't depend on running relatively 'slothish' resource intensive script 
interpreters like Perl or PHP periodically).


If you have limited admin skills and more hardware resources, F2B makes 
sense.


If you have more admin skills and limited hardware resources, Gordon's 
approach makes more sense.


Personally, I find any approach that tracks log files 'hackish' but if you 
centralize your logging (which I always do) it does allow you to detect 
patterns of abuse across multiple hosts.


--
Thanks in advance,
-
Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
Newline  Fax: +1-760-731-3000



Re: [asterisk-users] A new hack?

2011-12-02 Thread john Millican

On 12/2/2011 12:44 PM, Steve Edwards wrote:

> On Fri, 2 Dec 2011, Jim Lucas wrote:
>
>> How is using Fail2Ban less resource intensive than me writing (by
>> hand) iptable rules?
>
> It depends on how you define resources and how much of those resources
> you have.
>
> Gordon (based on my understanding of his posts) does a lot of Asterisk
> systems on very limited hardware hosts. His approach uses iptables
> features to limit the number of SIP INVITES and REGISTERS per second
> per IP address.
>
> Thus, Gordon's approach is more responsive (since it doesn't require
> periodic log file scanning) and requires less hardware resources
> (since it doesn't depend on running relatively 'slothish' resource
> intensive script interpreters like Perl or PHP periodically).
>
> If you have limited admin skills and more hardware resources, F2B
> makes sense.
>
> If you have more admin skills and limited hardware resources, Gordon's
> approach makes more sense.
>
> Personally, I find any approach that tracks log files 'hackish' but if
> you centralize your logging (which I always do) it does allow you to
> detect patterns of abuse across multiple hosts.



Now this, I would say was very well put.
As always, just my opinion.
JohnM



Re: [asterisk-users] A new hack?

2011-12-02 Thread Tom Browning
On Fri, Dec 2, 2011 at 12:44 PM, Steve Edwards
asterisk@sedwards.com wrote:
 Gordon (based on my understanding of his posts) does a lot of Asterisk
 systems on very limited hardware hosts. His approach uses iptables features
 to limit the number of SIP INVITES and REGISTERS per second per IP address.

A very narrow solution to a fairly narrow attack surface and surely
isn't applicable to any medium to large scale solutions.

 Thus, Gordon's approach is more responsive (since it doesn't require
 periodic log file scanning) and requires less hardware resources (since it
 doesn't depend on running relatively 'slothish' resource intensive script
 interpreters like Perl or PHP periodically).

So Fail2Ban is inefficient on how it reads log files?  If so, that
could be an informed criticism of Fail2Ban.

 Personally, I find any approach that tracks log files 'hackish' but if you
 centralize your logging (which I always do) it does allow you to detect
 patterns of abuse across multiple hosts.

Others would say that not using IPS/IDS/adaptive sec appliances is
hackish but I'm not one of those.

There are very efficient ways to read log files even with Perl on
hardware no bigger than my Dockstar when coded properly, so reading
log files isn't hackish.

Looking at advanced threats that are encrypted or otherwise located
within legitimately large streams of UDP and TCP traffic are not going
to lend themselves to some simpleton IP/port/rate iptables rule or
even more complex iptables view into the data.

The application log might be the ONLY place to correlate events.  Good
luck doing that with iptables alone.



Re: [asterisk-users] A new hack?

2011-12-01 Thread Gordon Henderson

On Tue, 29 Nov 2011, C F wrote:


> On Mon, Nov 28, 2011 at 10:57 AM, Tom Browning ttbrown...@gmail.com wrote:
>
>> On Sun, Nov 27, 2011 at 8:47 AM, Gordon Henderson
>> gordon+aster...@drogon.net wrote:
>>
>>> Linux has excellent built-in subsystems to control firewalling and so on
>>> without resorting to external programs. It's called iptables. If you know
>>> how to use them, then using an external resource such as fail2ban is
>>> unnecessary.
>>
>> That's like saying you don't need FreePBX because you have this thing
>> called Asterisk.
>
> Very well put.


Indeed. I don't need (nor use) FreePBX.

Gordon



Re: [asterisk-users] A new hack?

2011-12-01 Thread Gordon Henderson

On Wed, 30 Nov 2011, Tom Browning wrote:


> On Tue, Nov 29, 2011 at 4:44 PM, john Millican j...@millican.us wrote:
>
>> Maybe I am misunderstanding the gist of the comment
>
> OP offered an invalid comparison of how iptables is better than Fail2Ban.
>
> Whether or not OP knew that Fail2Ban simply feeds rules to iptables is
> unclear from his comments.


Yes, I know exactly how Fail2Ban works.

Gordon



Re: [asterisk-users] A new hack?

2011-12-01 Thread Gordon Henderson

On Wed, 30 Nov 2011, jon pounder wrote:


> On 11/30/2011 09:01 AM, Tom Browning wrote:
>
> I agree - it's a bad comparison of 2 different things meant for different
> purposes.
>
> iptables is enforcement, fail2ban is detection.

iptables can also detect and log these detections.

> if you have time to sit and make up iptables rules by hand during every hack
> attempt


I don't.

Gordon



Re: [asterisk-users] A new hack?

2011-12-01 Thread Gordon Henderson

On Tue, 29 Nov 2011, C F wrote:


> BTW, you were just proven wrong, you need it for this hack.


In addition to the few hundred protected asterisk installations I run, I 
also run a few honeypots.


Gordon



Re: [asterisk-users] A new hack?

2011-12-01 Thread Tom Browning
On Thu, Dec 1, 2011 at 8:13 AM, Gordon Henderson
gordon+aster...@drogon.net wrote:

 Yes, I know exactly how Fail2Ban works.

Then you should be able to proffer a better argument of why it isn't necessary.



Re: [asterisk-users] A new hack?

2011-12-01 Thread C F
On Thu, Dec 1, 2011 at 8:15 AM, Gordon Henderson
gordon+aster...@drogon.net wrote:
 On Tue, 29 Nov 2011, C F wrote:

 BTW, you were just proven wrong, you need it for this hack.

 In addition to the few hundred protected asterisk installations I run, I
 also run a few honeypots.

Protected? You don't know that until the next hack comes out.



Re: [asterisk-users] A new hack?

2011-11-30 Thread Tom Browning
On Tue, Nov 29, 2011 at 4:44 PM, john Millican j...@millican.us wrote:

> Maybe I am misunderstanding the gist of the comment

OP offered an invalid comparison of how iptables is better than Fail2Ban.

Whether or not OP knew that Fail2Ban simply feeds rules to iptables is
unclear from his comments.

Log scraping is a time honored and effective method to correlate bad behavior.

Log scraping can see things that no iptables rule would ever find.  Think SSL.

If Fail2Ban is a bad log scraper framework, then criticize it with a
clear understanding of its role.



Re: [asterisk-users] A new hack?

2011-11-30 Thread jon pounder

On 11/30/2011 09:01 AM, Tom Browning wrote:

I agree - it's a bad comparison of 2 different things meant for different 
purposes.


iptables is enforcement, fail2ban is detection.

if you have time to sit and make up iptables rules by hand during every 
hack attempt

1) you have too much time on your hands
2) you have too much time on your hands








Re: [asterisk-users] A new hack?

2011-11-29 Thread C F
On Sun, Nov 27, 2011 at 8:47 AM, Gordon Henderson
gordon+aster...@drogon.net wrote:
> On Sat, 26 Nov 2011, C F wrote:
>
>> On Sat, Nov 26, 2011 at 7:50 AM, Gordon Henderson
>> gordon+aster...@drogon.net wrote:
>>
>>> On Sat, 26 Nov 2011, Terry Brummell wrote:
>>>
>>>> Install & Configure Fail2Ban then the host will be blocked from
>>>> connecting.  And no, it's not new.
>>>
>>> I don't need Fail2Ban, thank you. But your advice might be useful to
>>> others.
>>
>> Why is that?
>> Even if they don't compromise an account they are still using your
>> bandwidth and resources on your machine.
>
> Linux has excellent built-in subsystems to control firewalling and so on
> without resorting to external programs. It's called iptables. If you know
> how to use them, then using an external resource such as fail2ban is
> unnecessary.

So it's not that you don't need it, but you use something else.
BTW, you were just proven wrong, you need it for this hack.



Re: [asterisk-users] A new hack?

2011-11-29 Thread C F
On Mon, Nov 28, 2011 at 10:57 AM, Tom Browning ttbrown...@gmail.com wrote:
> On Sun, Nov 27, 2011 at 8:47 AM, Gordon Henderson
> gordon+aster...@drogon.net wrote:
>> Linux has excellent built-in subsystems to control firewalling and so on
>> without resorting to external programs. It's called iptables. If you know
>> how to use them, then using an external resource such as fail2ban is
>> unnecessary.
>
> That's like saying you don't need FreePBX because you have this thing
> called Asterisk.

Very well put.



Re: [asterisk-users] A new hack?

2011-11-29 Thread john Millican



On 11/29/2011 12:48 PM, C F wrote:

> On Mon, Nov 28, 2011 at 10:57 AM, Tom Browning ttbrown...@gmail.com wrote:
>
>> On Sun, Nov 27, 2011 at 8:47 AM, Gordon Henderson
>> gordon+aster...@drogon.net wrote:
>>
>>> Linux has excellent built-in subsystems to control firewalling and so on
>>> without resorting to external programs. It's called iptables. If you know
>>> how to use them, then using an external resource such as fail2ban is
>>> unnecessary.
>>
>> That's like saying you don't need FreePBX because you have this thing
>> called Asterisk.
>
> Very well put.

This may well turn out to just be troll fodder but I can not resist.
I disagree with the above being very well put, personally I think it is 
the opposite of well put. Maybe I am misunderstanding the gist of the 
comment but, I do not NEED FreePBX, I have Asterisk makes perfect sense 
to me.  I have been using asterisk for a few years now and have not yet 
found anything that I need to do with Asterisk that I must have FreePBX 
to accomplish.  Could I do the same things with FreePBX on top of 
Asterisk, maybe.  I am not an expert in iptables but I have been semi 
successful in adapting what others have done to fit my needs.  I have 
found this to work better FOR ME than Fail2ban. I have used and will 
continue to use Fail2ban for other purposes because I am not an iptables 
expert.  In my opinion one should find the tools that work best for you 
in your situation and use them.  You may well change your mind in the 
future but that is the beauty of this industry, it changes all the time, 
what I feel works best today may well not be what I think works best 
tomorrow as new tools are developed and proven and also as I become more 
experienced with the old tried and true tools.

As usual, just my 2 cents (US currency, exchange rates not compensated for)
JohnM



Re: [asterisk-users] A new hack?

2011-11-28 Thread Tom Browning
On Sun, Nov 27, 2011 at 8:47 AM, Gordon Henderson
gordon+aster...@drogon.net wrote:
> Linux has excellent built-in subsystems to control firewalling and so on
> without resorting to external programs. It's called iptables. If you know
> how to use them, then using an external resource such as fail2ban is
> unnecessary.

That's like saying you don't need FreePBX because you have this thing
called Asterisk.

Though I've never used Fail2Ban, it is an excellent example of
middleware that looks at application level events and feeds updates
to iptables.

So the important blocking is happening in kernel mode, not userland.

Your example:

> For example, with iptables rules you can say something like: If a connection
> from a remote site to a local port happens more than (say) once a second then
> drop that connection.

doesn't always work well for some applications.  Ever look at WebDAV
traffic?  Code me an iptables rule that figures out someone is doing
bad things via WebDAV :-)



Re: [asterisk-users] A new hack?

2011-11-27 Thread Gordon Henderson

On Sat, 26 Nov 2011, C F wrote:


> On Sat, Nov 26, 2011 at 7:50 AM, Gordon Henderson
> gordon+aster...@drogon.net wrote:
>
>> On Sat, 26 Nov 2011, Terry Brummell wrote:
>>
>>> Install & Configure Fail2Ban then the host will be blocked from
>>> connecting.  And no, it's not new.
>>
>> I don't need Fail2Ban, thank you. But your advice might be useful to others.
>
> Why is that?
> Even if they don't compromise an account they are still using your
> bandwidth and resources on your machine.

Linux has excellent built-in subsystems to control firewalling and so on 
without resorting to external programs. It's called iptables. If you know 
how to use them, then using an external resource such as fail2ban is 
unnecessary.


For example, with iptables rules you can say something like: If a 
connection from a remote site to a local port happens more than (say) once 
a second then drop that connection.


And that happens right at the kernel level without the need to run any 
userland software, write config files, monitor log files and so on.


I've posted about it in the past - search the archives if you want to know 
more.


Gordon

[asterisk-users] A new hack?

2011-11-26 Thread Gordon Henderson


Or just an old one that I've not noticed before...

Seeing lines like this in the logs:


[Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=E2lb2p9BOJ
[Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=XMDRarBM2w
[Nov 26 08:47:19] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=AaTE0L0oRj
[Nov 26 08:47:21] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=igsN240Wr5
[Nov 26 08:47:23] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=E8Nkbs0Aye
[Nov 26 08:47:25] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=LEvpc7tK6B
[Nov 26 08:47:27] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=WrIoZ92YPz
[Nov 26 08:47:29] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=kuGTjXr7Pd
[Nov 26 08:47:31] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@85.25.145.176;tag=ygQBLSjH1m


etc.

The IP address is presumably the IP address of some compromised host (in 
Germany in this case, but I've noticed others around the globe so the 
software doing it would appear to be widespread) - it's not a host that 
should be connecting in.


I suspect that some SIP PBX somewhere is vulnerable to having an account 
called VOIP, so this remote attack is trying to compromise that account.


At least it's only once every 2 seconds, so in that respect no worse than 
the multitude of pop/smtp/imap/ssh type attacks that hackers try...


I've seen it on several servers now, always for account VOIP. I'm 
presuming the fake rejection is the side-effect of using 
alwaysauthreject in sip.conf. (if-so, then it's doing the right thing)


But something to look out for just in-case..

Gordon
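
Added example, not part of the original post and not Fail2Ban's own code: a minimal log scraper for the chan_sip "fake auth rejection" lines above that counts rejections per address in a sliding window and renders (without running) the iptables rules a detection tool would feed to the firewall. The function names, thresholds and allow list are assumptions, and the address is read from the SIP URI in the log line, which the sender supplies, hence the allow list for hosts that must never be blocked.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The chan_sip NOTICE quoted in the post. Quotes and angle brackets around the
# user and URI are optional so both raw and archive-stripped lines match.
LINE_RE = re.compile(
    r'^\[(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: '
    r'Sending fake auth rejection for user "?(?P<user>[^"\s<]+)"?\s*'
    r'<?sip:[^@\s]+@(?P<host>[0-9.]+)'
)

def find_offenders(lines, max_hits=5, window_s=60, allow=frozenset(), year=2011):
    """Map host -> peak number of rejections inside any window_s-second window."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            host = str(ipaddress.ip_address(m["host"]))
        except ValueError:
            continue              # not a valid literal address: never pass it on
        if host in allow:
            continue              # e.g. your own trunks and phones
        # The log line carries no year, so the caller supplies one.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[host]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()
        if len(hits) >= max_hits:
            offenders[host] = max(offenders.get(host, 0), len(hits))
    return offenders

def ban_rules(offenders, port=5060):
    """Render one iptables DROP rule per offender; the rules are not executed."""
    return [f"iptables -I INPUT -s {host} -p udp --dport {port} -j DROP"
            for host in sorted(offenders)]

# Constructed sample log (documentation addresses, not taken from the thread).
SAMPLE_LOG = """\
[Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@203.0.113.7;tag=aaaa000001
[Nov 26 08:47:18] NOTICE[789] chan_sip.c: Sending fake auth rejection for user 100 sip:100@198.51.100.20;tag=bbbb000001
[Nov 26 08:47:19] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP@203.0.113.7>;tag=aaaa000002
[Nov 26 08:47:20] NOTICE[789] chan_sip.c: Peer 'desk1' is now Reachable
[Nov 26 08:47:21] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@203.0.113.7;tag=aaaa000003
[Nov 26 08:47:23] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@203.0.113.7;tag=aaaa000004
[Nov 26 08:47:25] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@203.0.113.7;tag=aaaa000005
[Nov 26 08:47:27] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@203.0.113.7;tag=aaaa000006
[Nov 26 08:47:30] NOTICE[789] chan_sip.c: Sending fake auth rejection for user VOIP sip:VOIP@203.0.113.999;tag=cccc000001
[Nov 26 08:47:40] NOTICE[789] chan_sip.c: Sending fake auth rejection for user 100 sip:100@198.51.100.20;tag=bbbb000002
""".splitlines()

if __name__ == "__main__":
    print("\n".join(ban_rules(find_offenders(SAMPLE_LOG))))
```

At one attempt every two seconds, as in the post, a short window with a high threshold never fires (window_s=3 finds nothing here), so the window has to be sized to the slow rate these probes use.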



Re: [asterisk-users] A new hack?

2011-11-26 Thread Terry Brummell
Install & Configure Fail2Ban then the host will be blocked from
connecting.  And no, it's not new.



Re: [asterisk-users] A new hack?

2011-11-26 Thread Gordon Henderson

On Sat, 26 Nov 2011, Terry Brummell wrote:


> Install & Configure Fail2Ban then the host will be blocked from
> connecting.  And no, it's not new.


I don't need Fail2Ban, thank you. But your advice might be useful to 
others.


Gordon







Re: [asterisk-users] A new hack?

2011-11-26 Thread C F
On Sat, Nov 26, 2011 at 7:50 AM, Gordon Henderson
gordon+aster...@drogon.net wrote:
> On Sat, 26 Nov 2011, Terry Brummell wrote:
>
>> Install & Configure Fail2Ban then the host will be blocked from
>> connecting.  And no, it's not new.
>
> I don't need Fail2Ban, thank you. But your advice might be useful to others.

Why is that?
Even if they don't compromise an account they are still using your
bandwidth and resources on your machine.
