LinuxMCE Forums

General => Users => Topic started by: brononius on March 18, 2016, 04:45:59 am

Title: SIP account hacked?
Post by: brononius on March 18, 2016, 04:45:59 am
Hey,

This morning, I've received a mail from my SIP provider with a bill of about 300 euros.
Seems that my server is making a lot of calls towards Sierra Leone. Of course, I don't know anybody over there (I'm from Belgium).

When I check my call records in LinuxMCE, I see a lot of calls of about 12 seconds.

Any idea how I can solve this?
For the moment, I've just killed the whole server. :$
Title: Re: SIP account hacked?
Post by: cfernandes on March 18, 2016, 01:45:10 pm
Hey,

Use fail2ban:

http://wiki.linuxmce.org/index.php/Fail2ban_-_A_tool_against_brute_force
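What fail2ban does for this case is count failed SIP registrations per source address in the Asterisk log and block an address once it exceeds a threshold inside a time window. The following is an added example (not code from the thread, the LinuxMCE wiki, or fail2ban itself) that reproduces that counting logic in Python over a handful of constructed log lines written in the chan_sip "Registration from ... failed for ..." format; the addresses, extensions, timestamps and the `maxretry`/`findtime` values are made up for the illustration, and `ban_rule` emits a plain iptables DROP rule rather than fail2ban's own chain layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Asterisk log lines (chan_sip registration failures).
# IPs come from documentation ranges; extensions and times are invented.
SAMPLE_LOG = """\
[Mar 18 03:10:01] NOTICE[2301] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Mar 18 03:10:02] NOTICE[2301] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[Mar 18 03:10:02] NOTICE[2301] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Mar 18 03:10:03] NOTICE[2301] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Mar 18 03:10:03] NOTICE[2301] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Mar 18 03:11:40] NOTICE[2301] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[Mar 18 03:20:00] NOTICE[2301] chan_sip.c: Registration from '"301" <sip:301@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
"""

# One failed-registration line: timestamp, the claimed identity, the source IP:port, reason.
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<claimed>[^']*)' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.*)$"
)


def parse_failures(log_text):
    """Return a list of (timestamp, source_ip, reason) for each failed registration."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        # Asterisk's default log timestamp carries no year; relative order is all we need.
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("reason")))
    return events


def offending_sources(events, maxretry=5, findtime=timedelta(seconds=600)):
    """Mirror fail2ban's rule: ban an IP once `maxretry` failures fall inside `findtime`.

    Returns {ip: time_of_ban}.
    """
    recent = defaultdict(list)  # ip -> timestamps still inside the window
    banned = {}
    for ts, ip, _reason in sorted(events):
        if ip in banned:
            continue  # already blocked; later attempts would not reach Asterisk
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.pop(0)  # forget attempts older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def ban_rule(ip):
    """Illustrative iptables rule for a banned source (assumption: a plain INPUT DROP,
    not fail2ban's per-jail chain)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when in offending_sources(parse_failures(SAMPLE_LOG)).items():
        print(f"{when:%b %d %H:%M:%S} ban {ip}: {ban_rule(ip)}")
```

With the defaults, only 198.51.100.7 is banned (five failures in three seconds); the second address stays under the threshold. Whether a real fail2ban jail sees these lines depends on Asterisk's logger.conf writing NOTICE messages to the file the jail reads, and on iptables being functional, which is the dependency darkwizard864 mentions below.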
Title: Re: SIP account hacked?
Post by: brononius on March 18, 2016, 01:50:24 pm
Ahhh, fail2ban is already installed on it, but not activated for Asterisk...
Will have a look at it this evening. Since I killed the server, it's a bit hard to reach it. ;)

Thanks already!
Title: Re: SIP account hacked?
Post by: darkwizard864 on March 18, 2016, 08:58:54 pm
fail2ban sucks for Asterisk.
Use a firewall; it's better.
Title: Re: SIP account hacked?
Post by: phenigma on March 19, 2016, 01:37:30 am
koffel (darkwizard), fail2ban is designed for this exact purpose and it works very well when configured properly.

J.
Title: Re: SIP account hacked?
Post by: darkwizard864 on March 19, 2016, 04:18:10 pm
phenigma, I would agree, but I had it correctly installed... but fail2ban depends on iptables working correctly. I did see when I had fail2ban installed that there were more attempts on Asterisk than without it.
My personal opinion for you, brononius, is to use an ext. firewall. You'd be better off.
Title: Re: SIP account hacked?
Post by: Marie.O on March 21, 2016, 05:26:27 pm
brononius,

I had people trying to hack my Asterisk as well. So far, they did not succeed.

Question: Did you manually configure any SIP accounts that have dial-out abilities? All the auto-installed users in the system have a password that is not easily hacked without a LOT of tries. What I have found out so far is that they mainly try the default things, i.e. 2-4 digit phone numbers where the password equals the phone number.
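Marie.O's question is really a configuration audit: which peers have a secret that equals their extension, or a short all-digit secret? The following added example (not from the thread or from LinuxMCE) parses a small, constructed sip.conf-style text and reports those weak secrets, so an administrator can run the same check over their own manually added accounts. The peer names, secrets and the 12-character minimum are assumptions made for the illustration.

```python
# Constructed sip.conf-style sample; peers and secrets are invented for this audit.
SAMPLE_SIP_CONF = """\
[general]
context=default
allowguest=no

[100]
type=friend
secret=100          ; secret equals the extension
context=internal

[2001]
type=friend
secret=2001         ; same pattern, four digits
context=internal

[301]
type=friend
secret=1234         ; not the extension, but a trivial numeric PIN
context=internal

[5000]
type=friend
secret=rK9#vL2mQx7pW4zT
context=internal
"""


def parse_sip_conf(text):
    """Return {section_name: {key: value}} from INI-style text, ignoring ';' comments."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def weak_secrets(sections, min_length=12):
    """List (peer, reason) for every peer whose secret matches a pattern an attacker
    would try first: empty, equal to the extension, all digits, or just short."""
    findings = []
    for name, opts in sections.items():
        if "secret" not in opts:
            continue  # [general] and peers without a secret are out of scope here
        secret = opts["secret"]
        if secret == "":
            findings.append((name, "empty secret"))
        elif secret == name:
            findings.append((name, "secret equals extension"))
        elif secret.isdigit():
            findings.append((name, f"all-digit secret ({len(secret)} digits)"))
        elif len(secret) < min_length:
            findings.append((name, f"shorter than {min_length} characters"))
    return findings


if __name__ == "__main__":
    for peer, reason in weak_secrets(parse_sip_conf(SAMPLE_SIP_CONF)):
        print(f"[{peer}] {reason}")
```

Three of the four sample peers are flagged; only the peer with a long mixed-character secret passes. The same idea extends to pjsip auth sections, but the key names differ there, so this parser targets sip.conf only.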