Re: [asterisk-users] Intruder
Am 16.11.2012 um 18:08 schrieb Michael L. Young: - Original Message - From: Felix Vazquez felix.vazq...@theboshgroup.com To: asterisk-users@lists.digium.com Sent: Friday, November 16, 2012 11:20:46 AM Subject: [asterisk-users] Intruder I am in the asterisk CLI and can see an unidentified caller trying the make calls out of the asterisk system. How do I stop them? How do I identify them and how can I see how the go in? This is an example of what I would see: NOTICE[4098]: chan_sip.c:20063 handle_request_invite: Call from '' to extension '90111235551212' rejected because extension not found. I would recommend you read README-SERIOUSLY.bestpractices.txt, top level of source code. Another thing you can do is turn on security logging if you are using Asterisk 10/11. Take a look at logger.conf. It may provide you with some extra information on who is trying to make the call. Take a look at this page: https://wiki.asterisk.org/wiki/display/AST/Important+Security+Considerations I would recommend using fail2ban as well. Michael (elguero) Hi Michael, the security logging in Asterisk 11 was a nice tip. I tried it, but unfortunately it doesn't work over syslog for me, only console and file logging. Do you know if that is on purpose? In AstLinux we have our own kind of Fail2ban solutions which parses the syslog. Michael http://www.mksolutions.info smime.p7s Description: S/MIME cryptographic signature -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[asterisk-users] Intruder
I am in the asterisk CLI and can see an unidentified caller trying the make calls out of the asterisk system. How do I stop them? How do I identify them and how can I see how the go in? This is an example of what I would see: NOTICE[4098]: chan_sip.c:20063 handle_request_invite: Call from '' to extension '90111235551212' rejected because extension not found. Felix This electronic message contains information from BOSH Global Services which may be company sensitive, proprietary, privileged or otherwise protected from disclosure. The information is intended to be used solely by the recipient(s) named above. If you are not an intended recipient, be aware that any review, disclosure, copying, distribution or use of this transmission or its contents is prohibited. If you have received this transmission in error, please notify the sender immediately. -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Intruder
Hi Felix, you have several things to check: netstat -a -n --udp --tcp will show you connections and connection attempts on network layer level. You have to look for incoming connections to port 5060 and if the call has been established for connections on your rtp ports. (see rtp.conf). If you can see connections not supposed to be there: thats your intruder ;-) I suggest you disable guest calls and you configure a default context in which dialed extensions can't be routed to charged destinations. sip.conf: allowguests=no defaultcontext=default extensions.conf: [default] exten = _X.,1,Answer() exten = _X.,n,PlayBack(silence/1) exten = _X.,n,PlayBack(ss-noservice) exten = _X.,n,PlayBack(silence/1) exten = _X.,n,MusicOnHold(default,10) exten = _X.,n,PlayBack(silence/1) exten = _X.,n,PlayBack(vm-goodbye) exten = _X.,n,HangUp() The next step would be using fail2ban or something similiar to check the asterisk log for intruders. fail2ban recognized them and dynamically sets appropriate firewall rules. Good luck. best regards, Ruben Am 16.11.2012 17:20, schrieb Felix Vazquez: I am in the asterisk CLI and can see an unidentified caller trying the make calls out of the asterisk system. How do I stop them? How do I identify them and how can I see how the go in? This is an example of what I would see: NOTICE[4098]: chan_sip.c:20063 handle_request_invite: Call *from '' *to extension '90111235551212' rejected because extension not found. Felix This electronic message contains information from BOSH Global Services which may be company sensitive, proprietary, privileged or otherwise protected from disclosure. The information is intended to be used solely by the recipient(s) named above. If you are not an intended recipient, be aware that any review, disclosure, copying, distribution or use of this transmission or its contents is prohibited. If you have received this transmission in error, please notify the sender immediately. -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Intruder
Hi Felix, ngrep -W byline port 5060|grep -B1 INVITE sip Markus Am 16.11.2012 17:50, schrieb Ruben Rögels: Hi Felix, you have several things to check: netstat -a -n --udp --tcp will show you connections and connection attempts on network layer level. You have to look for incoming connections to port 5060 and if the call has been established for connections on your rtp ports. (see rtp.conf). If you can see connections not supposed to be there: thats your intruder ;-) I suggest you disable guest calls and you configure a default context in which dialed extensions can't be routed to charged destinations. sip.conf: allowguests=no defaultcontext=default extensions.conf: [default] exten = _X.,1,Answer() exten = _X.,n,PlayBack(silence/1) exten = _X.,n,PlayBack(ss-noservice) exten = _X.,n,PlayBack(silence/1) exten = _X.,n,MusicOnHold(default,10) exten = _X.,n,PlayBack(silence/1) exten = _X.,n,PlayBack(vm-goodbye) exten = _X.,n,HangUp() The next step would be using fail2ban or something similiar to check the asterisk log for intruders. fail2ban recognized them and dynamically sets appropriate firewall rules. Good luck. best regards, Ruben Am 16.11.2012 17:20, schrieb Felix Vazquez: I am in the asterisk CLI and can see an unidentified caller trying the make calls out of the asterisk system. How do I stop them? How do I identify them and how can I see how the go in? This is an example of what I would see: NOTICE[4098]: chan_sip.c:20063 handle_request_invite: Call *from '' *to extension '90111235551212' rejected because extension not found. Felix This electronic message contains information from BOSH Global Services which may be company sensitive, proprietary, privileged or otherwise protected from disclosure. The information is intended to be used solely by the recipient(s) named above. If you are not an intended recipient, be aware that any review, disclosure, copying, distribution or use of this transmission or its contents is prohibited. If you have received this transmission in error, please notify the sender immediately. -- _ -- Bandwidth and Colocation Provided byhttp://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Intruder
- Original Message - From: Felix Vazquez felix.vazq...@theboshgroup.com To: asterisk-users@lists.digium.com Sent: Friday, November 16, 2012 11:20:46 AM Subject: [asterisk-users] Intruder I am in the asterisk CLI and can see an unidentified caller trying the make calls out of the asterisk system. How do I stop them? How do I identify them and how can I see how the go in? This is an example of what I would see: NOTICE[4098]: chan_sip.c:20063 handle_request_invite: Call from '' to extension '90111235551212' rejected because extension not found. I would recommend you read README-SERIOUSLY.bestpractices.txt, top level of source code. Another thing you can do is turn on security logging if you are using Asterisk 10/11. Take a look at logger.conf. It may provide you with some extra information on who is trying to make the call. Take a look at this page: https://wiki.asterisk.org/wiki/display/AST/Important+Security+Considerations I would recommend using fail2ban as well. Michael (elguero) -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Intruder
I created my own Whitelist and Blacklist system. When I make an outgoing call, the number is automatically added to my Whitelist database and I can add numbers to the Blacklist manually or by pressing the *. You can use this for incoming/outgoing calls however you want to setup your extensions. If a Whitelisted caller is calling, I change the Caller(name) = Whitelist so I know it's ok to answer. If a Blacklisted caller is calling, I play a message and hangup. I get a lot of 8** calls from solicitors so here is my dialplan and database: I pass the call to these Macros before it reaches anyone and I can block calls by date time too. Mysql Blacklist Database blacklistid, callerid_from, callerid_to, description, times, days, months, playback 35, '%8775160592', '%', 'Solicitor keeps calling, '*', '*', '*', 'discon-or-out-of-service' 32, '%', '%2134271', 'Kids Friends cant call after midnight and before 8am', '00:00-08:00', '*', '*', 'sorry-cant-let-you-do-that2please-try-again-later' [trunk] .. exten = _X!,n,Macro(blacklist,${CALLERID(num)},${EXTEN}) exten = _X!,n,Macro(whitelist,${CALLERID(num)},${EXTEN}) exten = _X!,n,Set(DB(global/lastcallerid)=${CALLERID(num)}) exten = _X!,n,Goto(incoming,start,1) [macro-blacklist] exten = s,1,MYSQL(Connect connid ${db_host} ${db_user} ${db_pass} ${db_name}) exten = s,n,MYSQL(Query resultid ${connid} SELECT blacklistid, callerid_from, callerid_to, times, days, months, playback FROM blacklist WHERE '${ARG1}' LIKE callerid_from AND '${ARG2}' LIKE callerid_to) exten = s,n,MYSQL(Fetch fetchid ${resultid} blacklistid callerid1 callerid2 times days months playback) exten = s,n,MYSQL(Clear ${resultid}) exten = s,n,MYSQL(Disconnect ${connid}) exten = s,n,GoToIf($[${blacklistid} = ]?call,1:time,1) exten = time,1,GotoIfTime(${times},${days},${months}?fail,1:call,1) exten = fail,1,NoOp(Blacklisted ${callerid1} to ${callerid2}) exten = fail,n,GoTo(blacklisted,s,1) exten = call,1,NoOp(Not Blacklisted ${ARG1} to ${ARG2}) [macro-blacklist-add] exten = s,1,MYSQL(Connect connid ${db_host} ${db_user} ${db_pass} ${db_name}) exten = s,n,MYSQL(Query resultid ${connid} INSERT IGNORE INTO blacklist (callerid_to, callerid_from, description) VALUES ('${ARG1}','${ARG2}','Blacklisted')) exten = s,n,MYSQL(Disconnect ${connid}) [macro-whitelist] exten = s,1,MYSQL(Connect connid ${db_host} ${db_user} ${db_pass} ${db_name}) exten = s,n,MYSQL(Query resultid ${connid} SELECT whitelistid, callerid_from, callerid_to, description FROM whitelist WHERE '${ARG1}' LIKE callerid_from AND '${ARG2}' LIKE callerid_to) exten = s,n,MYSQL(Fetch fetchid ${resultid} whitelistid callerid1 callerid2 description) exten = s,n,MYSQL(Clear ${resultid}) exten = s,n,MYSQL(Disconnect ${connid}) exten = s,n,GoToIf($[${whitelistid} = ]?not,1:is,1) exten = is,1,NoOp(Whitelisted ${ARG1} to ${ARG2}) exten = is,n,Set(CALLERID(name)=${description}) exten = not,1,NoOp(Not Whitelisted ${ARG1} to ${ARG2}) exten = not,n,Set(CALLERID(name)=Unknown) [macro-whitelist-add] exten = s,1,MYSQL(Connect connid ${db_host} ${db_user} ${db_pass} ${db_name}) exten = s,n,MYSQL(Query resultid ${connid} INSERT IGNORE INTO whitelist (callerid_to, callerid_from) VALUES ('%','${ARG2}')) exten = s,n,MYSQL(Disconnect ${connid}) [blacklisted] exten = s,1,Set(CALLERID(name)=Blacklisted) exten = s,n,Wait(3) exten = s,n,Playback(${playback}) exten = s,n,HangUp() If you want to add a KEY to your dialplan to add to blacklist or whitelist: [roy] exten = roy,*,Macro(blacklist-add,%,${DB(global/lastcallerid)}) exten = roy,#,Macro(whitelist-add,%,${DB(global/lastcallerid)}) Co-op Vacation Rentals www.coopvr.com 15218 Summit Ave Suite #300-354 Fontana, CA 92336 Phone/Fax (855) 760-COOP (2667) On 11/16/2012 8:20 AM, Felix Vazquez wrote: I am in the asterisk CLI and can see an unidentified caller trying the make calls out of the asterisk system. How do I stop them? How do I identify them and how can I see how the go in? This is an example of what I would see: NOTICE[4098]: chan_sip.c:20063 handle_request_invite: Call *from '' *to extension '90111235551212' rejected because extension not found. Felix This electronic message contains information from BOSH Global Services which may be company sensitive, proprietary, privileged or otherwise protected from disclosure. The information is intended to be used solely by the recipient(s) named above. If you are not an intended recipient, be aware that any review, disclosure, copying, distribution or use of this transmission or its contents is prohibited. If you have received this transmission in error, please notify the sender immediately. -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: