Re: [asterisk-users] Intruder

2012-11-17 Thread Michael Keuter

On 16.11.2012 at 18:08, Michael L. Young wrote:

 - Original Message - 
 
 From: Felix Vazquez felix.vazq...@theboshgroup.com
 To: asterisk-users@lists.digium.com
 Sent: Friday, November 16, 2012 11:20:46 AM
 Subject: [asterisk-users] Intruder
 
 I am in the asterisk CLI and can see an unidentified caller trying
 to make calls out of the asterisk system. How do I stop them? How
 do I identify them and how can I see how they get in?
 
 This is an example of what I would see:
 
 NOTICE[4098]: chan_sip.c:20063 handle_request_invite: Call from '' to
 extension '90111235551212' rejected because extension not found.
 
 I would recommend you read README-SERIOUSLY.bestpractices.txt, top level of 
 source code.
 
 Another thing you can do is turn on security logging if you are using 
 Asterisk 10/11.  Take a look at logger.conf.  It may provide you with some 
 extra information on who is trying to make the call.
 
 Take a look at this page:
 https://wiki.asterisk.org/wiki/display/AST/Important+Security+Considerations
 
 I would recommend using fail2ban as well.
 
 Michael
 (elguero)


Hi Michael,

the security logging in Asterisk 11 was a nice tip. 
I tried it, but unfortunately it doesn't work over syslog for me, only console 
and file logging.
Do you know if that is on purpose?

In AstLinux we have our own kind of Fail2ban solution which parses the syslog.

Michael

http://www.mksolutions.info






--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

[asterisk-users] Intruder

2012-11-16 Thread Felix Vazquez
I am in the asterisk CLI and can see an unidentified caller trying to make 
calls out of the asterisk system. How do I stop them? How do I identify them 
and how can I see how they get in?

This is an example of what I would see:

NOTICE[4098]: chan_sip.c:20063 handle_request_invite: Call from 
'' to extension '90111235551212' rejected because extension not found.

Felix



This electronic message contains information from BOSH Global Services which 
may be company sensitive, proprietary, privileged or otherwise protected from 
disclosure. The information is intended to be used solely by the recipient(s) 
named above. If you are not an intended recipient, be aware that any review, 
disclosure, copying, distribution or use of this transmission or its contents 
is prohibited. If you have received this transmission in error, please notify 
the sender immediately.

Re: [asterisk-users] Intruder

2012-11-16 Thread Ruben Rögels

Hi Felix,

you have several things to check:

netstat -a -n --udp --tcp

will show you connections and connection attempts on network layer level.
You have to look for incoming connections to port 5060 and, if the call 
has been established, for connections on your RTP ports (see rtp.conf).

If you can see connections not supposed to be there: that's your intruder ;-)

I suggest you disable guest calls and you configure a default context in 
which dialed extensions can't be routed to charged destinations.


sip.conf:
allowguests=no
defaultcontext=default

extensions.conf:
[default]
exten = _X.,1,Answer()
exten = _X.,n,PlayBack(silence/1)
exten = _X.,n,PlayBack(ss-noservice)
exten = _X.,n,PlayBack(silence/1)
exten = _X.,n,MusicOnHold(default,10)
exten = _X.,n,PlayBack(silence/1)
exten = _X.,n,PlayBack(vm-goodbye)
exten = _X.,n,HangUp()

The next step would be using fail2ban or something similar to check 
the asterisk log for intruders.

fail2ban recognizes them and dynamically sets appropriate firewall rules.

Good luck.

best regards,
Ruben



On 16.11.2012 17:20, Felix Vazquez wrote:


I am in the asterisk CLI and can see an unidentified caller trying to 
make calls out of the asterisk system. How do I stop them? How do I 
identify them and how can I see how they get in?


This is an example of what I would see:

NOTICE[4098]: chan_sip.c:20063 handle_request_invite: 
Call from '' to extension '90111235551212' rejected because 
extension not found.


Felix





Re: [asterisk-users] Intruder

2012-11-16 Thread Markus Weiler

Hi Felix,

ngrep -W byline port 5060 | grep -B1 "INVITE sip"

Markus



Re: [asterisk-users] Intruder

2012-11-16 Thread Michael L. Young
- Original Message - 

 From: Felix Vazquez felix.vazq...@theboshgroup.com
 To: asterisk-users@lists.digium.com
 Sent: Friday, November 16, 2012 11:20:46 AM
 Subject: [asterisk-users] Intruder

 I am in the asterisk CLI and can see an unidentified caller trying
 to make calls out of the asterisk system. How do I stop them? How
 do I identify them and how can I see how they get in?

 This is an example of what I would see:

 NOTICE[4098]: chan_sip.c:20063 handle_request_invite: Call from '' to
 extension '90111235551212' rejected because extension not found.

I would recommend you read README-SERIOUSLY.bestpractices.txt, top level of 
source code.

Another thing you can do is turn on security logging if you are using Asterisk 
10/11.  Take a look at logger.conf.  It may provide you with some extra 
information on who is trying to make the call.

Take a look at this page:
https://wiki.asterisk.org/wiki/display/AST/Important+Security+Considerations

I would recommend using fail2ban as well.

Michael
(elguero)
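As an added illustration of two suggestions in this thread, Michael's security event logging and Ruben's fail2ban approach, here is a small Python script that is not part of any post. It parses both the chan_sip NOTICE line Felix quoted and Asterisk's SECURITY-channel events, counts hostile events per source address in a sliding window (fail2ban's maxretry/findtime idea), and renders the drop rules a jail would install. The log lines are constructed: the NOTICE lines are assumed to carry the peer address in parentheses, as Asterisk prints it but the excerpt in this thread does not show, the SECURITY lines follow the key="value" layout of the security log channel, and the year is passed in because Asterisk's default timestamp omits it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log modelled on Asterisk 10/11 output (documentation
# address ranges). The NOTICE lines are assumed to include the peer address
# in parentheses; the SECURITY lines use the security event log format.
SAMPLE_LOG = """\
[Nov 16 11:20:46] NOTICE[4098]: chan_sip.c:20063 handle_request_invite: Call from '' (203.0.113.5:5060) to extension '90111235551212' rejected because extension not found in context 'default'.
[Nov 16 11:20:47] NOTICE[4098]: chan_sip.c:20063 handle_request_invite: Call from '' (203.0.113.5:5060) to extension '900111235551212' rejected because extension not found in context 'default'.
[Nov 16 11:20:48] SECURITY[4098] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1353061248-000000",Severity="Error",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f3c0c0",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[Nov 16 11:20:49] SECURITY[4098] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="1353061249-000000",Severity="Error",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f3c0c0",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[Nov 16 11:21:05] SECURITY[4098] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1353061265-000000",Severity="Error",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f3c0c1",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[Nov 16 11:25:00] SECURITY[4098] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1353061500-000000",Severity="Informational",Service="SIP",EventVersion="1",AccountID="1002",SessionID="0x7f3c0c2",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[Nov 16 11:30:12] NOTICE[4098]: chan_sip.c:20063 handle_request_invite: Call from '' (198.51.100.7:5060) to extension '0123' rejected because extension not found in context 'default'.
"""

TIMESTAMP_RE = re.compile(r"^\[(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\]")
UNKNOWN_EXTEN_RE = re.compile(
    r"Call from '(?P<user>[^']*)' \((?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\) "
    r"to extension '(?P<exten>[^']*)' rejected because extension not found")
SECURITY_RE = re.compile(
    r'SecurityEvent="(?P<event>[A-Za-z]+)".*?'
    r'RemoteAddress="IPV4/(?:UDP|TCP|WS)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/\d+"')
# Event names that mean a failed attempt to use the PBX; fail2ban's stock
# asterisk filter keys on the same set.
HOSTILE_EVENTS = {"FailedACL", "InvalidAccountID", "ChallengeResponseFailed", "InvalidPassword"}


def parse_line(line, year=2012):
    """Return {'ts', 'ip', 'kind', 'detail'} for a relevant line, else None."""
    m = TIMESTAMP_RE.match(line)
    if not m:
        return None
    # Asterisk's default date format pads the day with a space ("Nov  6").
    ts = datetime.strptime(f"{year} {' '.join(m.group(1).split())}", "%Y %b %d %H:%M:%S")
    m = UNKNOWN_EXTEN_RE.search(line)
    if m:
        return {"ts": ts, "ip": m.group("ip"), "kind": "unknown_extension", "detail": m.group("exten")}
    m = SECURITY_RE.search(line)
    if m:
        kind = "auth_failure" if m.group("event") in HOSTILE_EVENTS else "benign"
        return {"ts": ts, "ip": m.group("ip"), "kind": kind, "detail": m.group("event")}
    return None


def find_offenders(log_text, maxretry=5, findtime=timedelta(minutes=10), year=2012):
    """Sliding-window count of hostile events per source address.
    Returns {ip: {'first', 'last', 'count'}} for every source that reached
    maxretry events inside findtime (fail2ban's ban condition)."""
    windows = defaultdict(deque)
    offenders = {}
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None or ev["kind"] == "benign":
            continue
        window = windows[ev["ip"]]
        window.append(ev["ts"])
        while window and ev["ts"] - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry and ev["ip"] not in offenders:
            offenders[ev["ip"]] = {"first": window[0], "last": ev["ts"], "count": len(window)}
    return offenders


def block_rules(offenders):
    """Render the drop rules a fail2ban jail would install (iptables syntax)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG)
    for ip, info in found.items():
        print(f"{ip}: {info['count']} failures between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
    print("\n".join(block_rules(found)))
```

Run against the sample, 203.0.113.5 crosses the threshold after five hostile events in nineteen seconds, while 198.51.100.7 (one misdial and a successful registration) stays below it. Point the parser at the file logger.conf writes the security channel to, or at syslog output, and the same two regexes apply.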




Re: [asterisk-users] Intruder

2012-11-16 Thread Roy Abshire
I created my own Whitelist and Blacklist system.  When I make an 
outgoing call, the number is automatically added to my Whitelist 
database and I can add numbers to the Blacklist manually or by pressing 
the *.
You can use this for incoming/outgoing calls however you want to set up 
your extensions.


If a Whitelisted caller is calling, I change the Caller(name) = 
Whitelist so I know it's ok to answer.

If a Blacklisted caller is calling, I play a message and hang up.

I get a lot of 8** calls from solicitors so here is my dialplan and 
database:
I pass the call to these Macros before it reaches anyone and I can block 
calls by date and time too.


Mysql Blacklist Database
blacklistid, callerid_from, callerid_to, description, times, days, months, playback
35, '%8775160592', '%', 'Solicitor keeps calling', '*', '*', '*', 'discon-or-out-of-service'
32, '%', '%2134271', 'Kids Friends cant call after midnight and before 8am', '00:00-08:00', '*', '*', 'sorry-cant-let-you-do-that2please-try-again-later'


[trunk]
..
exten = _X!,n,Macro(blacklist,${CALLERID(num)},${EXTEN})
exten = _X!,n,Macro(whitelist,${CALLERID(num)},${EXTEN})
exten = _X!,n,Set(DB(global/lastcallerid)=${CALLERID(num)})
exten = _X!,n,Goto(incoming,start,1)

; ${ARG1}/${ARG2} (caller ID and dialed number) are expanded directly into the
; SQL text of the query; a caller-supplied value is not escaped before it gets there.
[macro-blacklist]
exten = s,1,MYSQL(Connect connid ${db_host} ${db_user} ${db_pass} ${db_name})
exten = s,n,MYSQL(Query resultid ${connid} SELECT blacklistid, callerid_from, callerid_to, times, days, months, playback FROM blacklist WHERE '${ARG1}' LIKE callerid_from AND '${ARG2}' LIKE callerid_to)
exten = s,n,MYSQL(Fetch fetchid ${resultid} blacklistid callerid1 callerid2 times days months playback)

exten = s,n,MYSQL(Clear ${resultid})
exten = s,n,MYSQL(Disconnect ${connid})
; both sides quoted so the expression stays valid when no row was fetched
exten = s,n,GoToIf($["${blacklistid}" = ""]?call,1:time,1)

; GotoIfTime takes times,weekdays,mdays,months; '*' fills the unused mdays field
exten = time,1,GotoIfTime(${times},${days},*,${months}?fail,1:call,1)

exten = fail,1,NoOp(Blacklisted ${callerid1} to ${callerid2})
exten = fail,n,GoTo(blacklisted,s,1)

exten = call,1,NoOp(Not Blacklisted ${ARG1} to ${ARG2})

[macro-blacklist-add]
exten = s,1,MYSQL(Connect connid ${db_host} ${db_user} ${db_pass} ${db_name})
exten = s,n,MYSQL(Query resultid ${connid} INSERT IGNORE INTO blacklist (callerid_to, callerid_from, description) VALUES ('${ARG1}','${ARG2}','Blacklisted'))

exten = s,n,MYSQL(Disconnect ${connid})

[macro-whitelist]
exten = s,1,MYSQL(Connect connid ${db_host} ${db_user} ${db_pass} ${db_name})
exten = s,n,MYSQL(Query resultid ${connid} SELECT whitelistid, callerid_from, callerid_to, description FROM whitelist WHERE '${ARG1}' LIKE callerid_from AND '${ARG2}' LIKE callerid_to)
exten = s,n,MYSQL(Fetch fetchid ${resultid} whitelistid callerid1 callerid2 description)

exten = s,n,MYSQL(Clear ${resultid})
exten = s,n,MYSQL(Disconnect ${connid})
exten = s,n,GoToIf($["${whitelistid}" = ""]?not,1:is,1)

exten = is,1,NoOp(Whitelisted ${ARG1} to ${ARG2})
exten = is,n,Set(CALLERID(name)=${description})

exten = not,1,NoOp(Not Whitelisted ${ARG1} to ${ARG2})
exten = not,n,Set(CALLERID(name)=Unknown)

[macro-whitelist-add]
exten = s,1,MYSQL(Connect connid ${db_host} ${db_user} ${db_pass} ${db_name})
exten = s,n,MYSQL(Query resultid ${connid} INSERT IGNORE INTO whitelist (callerid_to, callerid_from) VALUES ('%','${ARG2}'))

exten = s,n,MYSQL(Disconnect ${connid})

[blacklisted]
exten = s,1,Set(CALLERID(name)=Blacklisted)
exten = s,n,Wait(3)
exten = s,n,Playback(${playback})
exten = s,n,HangUp()

If you want to add a KEY to your dialplan to add to blacklist or whitelist:

[roy]
; '*' and '#' are the dialed keys, so they belong in the extension field
exten = *,1,Macro(blacklist-add,%,${DB(global/lastcallerid)})
exten = #,1,Macro(whitelist-add,%,${DB(global/lastcallerid)})

Co-op Vacation Rentals
www.coopvr.com
15218 Summit Ave
Suite #300-354
Fontana, CA 92336
Phone/Fax (855) 760-COOP (2667)

On 11/16/2012 8:20 AM, Felix Vazquez wrote:


I am in the asterisk CLI and can see an unidentified caller trying to 
make calls out of the asterisk system. How do I stop them? How do I 
identify them and how can I see how they get in?


This is an example of what I would see:

NOTICE[4098]: chan_sip.c:20063 handle_request_invite: 
Call from '' to extension '90111235551212' rejected because 
extension not found.


Felix




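Roy's macros expand ${ARG1} and ${ARG2} (caller ID and dialed number) straight into the SQL text of the MYSQL() query. As an added example that is not Roy's code, here is the same blacklist/whitelist decision in Python with sqlite3, using bound parameters and emulating the LIKE matching plus the times/days/months check that GotoIfTime performs. The two blacklist rows are the ones from the post; the whitelist row, the sqlite3 schema and the sample caller IDs are constructed. It goes one step beyond the macro, which fetches only the first matching row: every matching blacklist row is checked against its time spec.

```python
import sqlite3
from datetime import datetime, time

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
MONTHS = ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"]

# Constructed schema mirroring the columns named in the post.
SCHEMA = """
CREATE TABLE blacklist (
    blacklistid INTEGER PRIMARY KEY, callerid_from TEXT, callerid_to TEXT,
    description TEXT, times TEXT, days TEXT, months TEXT, playback TEXT);
CREATE TABLE whitelist (
    whitelistid INTEGER PRIMARY KEY, callerid_from TEXT, callerid_to TEXT, description TEXT);
"""


def build_db():
    """In-memory copy of both tables: blacklist rows from the post, whitelist row constructed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO blacklist VALUES (?, ?, ?, ?, ?, ?, ?, ?)", [
        (35, "%8775160592", "%", "Solicitor keeps calling", "*", "*", "*",
         "discon-or-out-of-service"),
        (32, "%", "%2134271", "Kids Friends cant call after midnight and before 8am",
         "00:00-08:00", "*", "*", "sorry-cant-let-you-do-that2please-try-again-later"),
    ])
    conn.executemany("INSERT INTO whitelist VALUES (?, ?, ?, ?)",
                     [(1, "%5551234", "%", "Whitelist")])
    return conn


def _in_names(spec, names, value):
    """Asterisk-style day/month spec: '*', a range 'mon-fri', or a '&'-joined list."""
    if spec == "*":
        return True
    for part in spec.lower().split("&"):
        if "-" in part:
            lo, hi = (names.index(p) for p in part.split("-", 1))
            idx = names.index(value)
            if (lo <= idx <= hi) if lo <= hi else (idx >= lo or idx <= hi):
                return True
        elif part == value:
            return True
    return False


def _in_times(spec, now):
    """'HH:MM-HH:MM' window, wrapping past midnight if needed, or '*'."""
    if spec == "*":
        return True
    start, end = (time(*map(int, p.split(":"))) for p in spec.split("-"))
    t = now.time()
    return start <= t <= end if start <= end else (t >= start or t <= end)


def classify_call(conn, caller_from, caller_to, now):
    """Blacklist wins when a matching row's time spec covers `now`; whitelist next.
    Caller values are bound parameters: the driver never splices them into the
    SQL text, unlike '${ARG1}' expanded inside the MYSQL() query string."""
    rows = conn.execute(
        "SELECT times, days, months, playback FROM blacklist "
        "WHERE ? LIKE callerid_from AND ? LIKE callerid_to ORDER BY blacklistid",
        (caller_from, caller_to)).fetchall()
    for times, days, months, playback in rows:
        if (_in_times(times, now)
                and _in_names(days, DAYS, DAYS[now.weekday()])
                and _in_names(months, MONTHS, MONTHS[now.month - 1])):
            return ("blacklisted", playback)
    row = conn.execute(
        "SELECT description FROM whitelist WHERE ? LIKE callerid_from AND ? LIKE callerid_to",
        (caller_from, caller_to)).fetchone()
    return ("whitelisted", row[0]) if row else ("unknown", "Unknown")


def classify(caller_from, caller_to, when_iso, conn=None):
    """Convenience wrapper: ISO timestamp in, (verdict, playback-or-name) out."""
    return classify_call(conn or build_db(), caller_from, caller_to, datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    db = build_db()
    # Constructed calls: solicitor any time, the kids' line at 02:30 and 09:00,
    # and a caller-ID string carrying a quote, which stays a plain string value.
    for args in [("18775160592", "2134271", "2012-11-16T14:00"),
                 ("5551234", "2134271", "2012-11-17T02:30"),
                 ("5551234", "2134271", "2012-11-17T09:00"),
                 ("5551234' OR 'x'='x", "2134271", "2012-11-17T09:00")]:
        print(args, "->", classify(*args, conn=db))
```

The last sample shows why the binding matters: a caller ID containing a quote is compared as a literal and simply fails to match, whereas the same characters expanded into the query text would change the statement. In the dialplan itself the closest equivalents are func_odbc with its own parameter placeholders or restricting ${CALLERID(num)} to digits with FILTER() before it reaches the query.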