Defending from an attack


Defending from an attack

Postby rg25 » Thu Jul 09, 2015 6:39 pm

I have noticed that someone tried to call a long distance number. I have turned off allowguest. Does the log, below, suggest the attacker successfully registered as user 1001?

[Jul 9 19:56:16] NOTICE[27785][C-00000031] chan_sip.c: Call from '1001' (88.150.240.85:5070) to extension '011441204894589' rejected because extension not found in context 'ld2-users'.
[Jul 9 19:56:22] WARNING[27785] chan_sip.c: Retransmission timeout reached on transmission 71673ef1bc9058e0933f20e48435093c for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/ ... nsmissions
Packet timed out after 6400ms with no response
[Jul 9 19:56:30] NOTICE[27785][C-00000032] chan_sip.c: Call from '1001' (88.150.240.85:5070) to extension '9011441204894589' rejected because extension not found in context 'ld2-users'.
[Jul 9 19:56:36] WARNING[27785] chan_sip.c: Retransmission timeout reached on transmission 8085339b528605d2052068ad84c8a1a4 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/ ... nsmissions
Packet timed out after 6399ms with no response
[Jul 9 19:56:44] NOTICE[27785][C-00000033] chan_sip.c: Call from '1001' (88.150.240.85:5070) to extension '8011441204894589' rejected because extension not found in context 'ld2-users'.
[Jul 9 19:56:51] WARNING[27785] chan_sip.c: Retransmission timeout reached on transmission f1b9cc40cef08014bdb5e6a1b2f959c4 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/ ... nsmissions
Packet timed out after 6399ms with no response
[Jul 9 20:26:24] NOTICE[27785][C-000000b0] chan_sip.c: Call from '1001' (88.150.240.85:5071) to extension '011441204894589' rejected because extension not found in context 'ld2-users'.

Re: Defending from an attack

Postby ambiorixg12 » Fri Jul 10, 2015 12:20 am

You should disallow guest calls in your sip.conf file.

Re: Defending from an attack

Postby rg25 » Fri Jul 10, 2015 6:10 am

I did.

Re: Defending from an attack

Postby striker24x7 » Mon Jul 13, 2015 8:24 am

Put alwaysauthreject=yes in sip.conf

and change your SIP passwords (alphanumeric, non-dictionary words)
to avoid this attack.

There are a lot of ways to protect the Asterisk SIP server:
1. proper firewall
2. fail2ban
3. Linux iptables.

Re: Defending from an attack

Postby david55 » Fri Jul 17, 2015 3:40 am

fail2ban works by manipulating iptables, so it is not an alternative.

Re: Defending from an attack

Postby mohammadghazaev » Tue Oct 06, 2015 4:49 pm

If possible, restrict the IP address ranges from which SIP clients are allowed to connect. If this is deployed in an office, restrict connections to port 5060 to IP addresses within the location(s) where the phones are located. If you must accept connections from Internet addresses not within your control, consider blocking country-specific IP address ranges.

Do not use the SIP extension number as the username. If your SIP clients support it, give them all names instead.

Set strong passwords for all SIP extensions. This should be obvious, but isn't always so.

From reading the logs attached to your previous question, I was able to determine that you had a SIP extension defined with the username 1, with a secret so easy to guess that the attacker got it correct on the first attempt. The extension probably had no secret defined at all.

Use alwaysauthreject=yes in sip.conf. This prevents attackers from being able to determine if a SIP extension exists via brute force.

Use allowguest=no in sip.conf. This prevents unauthenticated clients from making calls.
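An added example, not code from this thread or from Asterisk: a fail2ban-style detector in Python that parses the chan_sip "rejected because extension not found" lines quoted in the first post, counts rejections per source address inside a sliding window (fail2ban's maxretry/findtime idea, as striker24x7 and david55 discuss), and returns the iptables rule a jail would insert. The sample log is constructed from the lines above, and the threshold values are assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the chan_sip lines quoted in the first post (one WARNING line
# included to show that only rejection NOTICEs are counted).
SAMPLE_LOG = """\
[Jul 9 19:56:16] NOTICE[27785][C-00000031] chan_sip.c: Call from '1001' (88.150.240.85:5070) to extension '011441204894589' rejected because extension not found in context 'ld2-users'.
[Jul 9 19:56:22] WARNING[27785] chan_sip.c: Retransmission timeout reached on transmission 71673ef1bc9058e0933f20e48435093c for seqno 1 (Critical Response)
[Jul 9 19:56:30] NOTICE[27785][C-00000032] chan_sip.c: Call from '1001' (88.150.240.85:5070) to extension '9011441204894589' rejected because extension not found in context 'ld2-users'.
[Jul 9 19:56:44] NOTICE[27785][C-00000033] chan_sip.c: Call from '1001' (88.150.240.85:5070) to extension '8011441204894589' rejected because extension not found in context 'ld2-users'.
[Jul 9 20:26:24] NOTICE[27785][C-000000b0] chan_sip.c: Call from '1001' (88.150.240.85:5071) to extension '011441204894589' rejected because extension not found in context 'ld2-users'.
"""

# Matches the chan_sip rejection NOTICE; the year is absent from these timestamps.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\](?:\[C-[0-9a-f]+\])? chan_sip\.c: "
    r"Call from '(?P<caller>[^']*)' \((?P<ip>[\d.]+):(?P<port>\d+)\) to extension "
    r"'(?P<exten>[^']*)' rejected because extension not found in context '(?P<ctx>[^']*)'"
)


def parse_rejections(text):
    """Return (timestamp, source_ip, caller, dialed_exten, context) per rejection line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["ip"], m["caller"], m["exten"], m["ctx"]))
    return events


def find_offenders(events, maxretry=3, findtime_s=600):
    """Map source IP -> time it first reached maxretry rejections within findtime_s."""
    by_ip = defaultdict(list)   # ip -> timestamps still inside the window
    offenders = {}
    for ts, ip, *_ in sorted(events):
        window = by_ip[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime_s:
            window.pop(0)     # age out rejections older than the window
        if len(window) >= maxretry and ip not in offenders:
            offenders[ip] = ts
    return offenders


def iptables_rule(ip, port=5060):
    """The block rule a fail2ban jail would insert for an offending source address."""
    return f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP"
```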