Today I got a phone bill from my SIP account provider and it was a shock for me. It was for 1000 EUR. :(
I did not believe it. Then I examined the call logs in FreePBX; there were 24 calls to Sierra Leone and Lithuania,
total time about 30 minutes. After that I got the list of calls from my provider. There were also 24 calls,
but the total time was about 6 hours. I don't understand this. Why does Asterisk have a different call duration in its log than my provider?
I have searched the Asterisk logs and found an attack from outside. The hacker connected to extension 1001 and placed calls.
My first problem was the instructions from my provider. They told me that I must open port 5060 in the firewall to be able to
place and receive calls. Before that Asterisk was not able to register in their system. But this was also an open door
and an invitation for an attacker to connect to one of my extensions. My fault, I did not realize at that moment that this is a big security problem.
The second problem is that the password for each extension is the same as the extension number!!! That's the first thing an attacker tries.
We must definitely change this. At first install it's OK, but after that there should be a possibility in Wizard->Phones to change
the password.
Third problem: I also saw in the logs other attacks on my system. Should we not use some sort of program such as fail2ban
to protect the system against such attacks?
Has someone among you been the target of a similar attack?
This has already been fixed in the latest snapshots. We generate a strong password now for media director phones and hard phones that have configuration scripts by default.
-Thom
OK, I checked it in my test setup of 0810 and it's there.
But at home I have 0710. I must definitely upgrade to 0810.
In the 0810 version port 5060 is open in the firewall by default. That means the attacks won't stop. OK, I understand that it needs to be so.
What do you think about implementing some script to create a ban list for IP addresses that try to connect many times with a bad password or
username? I'll search for something usable or cook something together with some web interface to show it.
Do you have a clue why the logs in Asterisk have different call durations than the log from my SIP provider? Probably I should ask this in the Asterisk forum.
If it can be done in an automated fashion, then go for it.
-Thom
OK. I have already started to write a script that searches the Asterisk log for suspicious behaviour and logs the IPs in a database.
Next I'll write a web interface for this and an automatic script for firewall updates.
I would need some help to integrate the web page into the LinuxMCE Admin panel. When I have something usable ready I will write to you.
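The detection step the two posts above describe (scan the Asterisk log, count failed registrations per source IP, feed the result to a firewall rule), as an added example that is not the poster's script or any LinuxMCE code. It assumes the Asterisk 1.4/1.6 `full` log format quoted later in this thread ("chan_sip.c: Registration from '...' failed for 'IP' - Wrong password"); the log lines are constructed, and the iptables commands are only returned, not run.

```python
import re
from collections import defaultdict
from datetime import datetime

# Asterisk 1.4/1.6 'full' log line for a failed SIP registration; the ':port' suffix newer versions append is optional.
FAIL_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
    r"(?:Wrong password|No matching peer found|Username/auth name mismatch)"
)

def parse_failures(lines):
    """Yield (timestamp, source_ip) per failed-registration line; the log has no year, so strptime's 1900 default is kept (only differences matter)."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")

def find_offenders(lines, maxretry=5, findtime=600):
    """Return {ip: total_failures} for IPs with >= maxretry failures inside any findtime-second window."""
    hits = defaultdict(list)
    for ts, ip in parse_failures(lines):
        hits[ip].append(ts)
    offenders = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while (t - times[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                offenders[ip] = len(times)
                break
    return offenders

def ban_commands(offenders):
    """iptables rules that would drop traffic from each offender (returned as strings, not executed)."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(offenders)]

# Constructed sample: 203.0.113.5 fails five times in under a minute (scanner behaviour),
# 192.168.80.1 fails once (a mistyped secret) and then registers successfully.
SAMPLE_LOG = """\
[Mar 10 12:00:01] NOTICE[1234] chan_sip.c: Registration from '<sip:1001@dcerouter>' failed for '203.0.113.5' - Wrong password
[Mar 10 12:00:03] NOTICE[1234] chan_sip.c: Registration from '<sip:1001@dcerouter>' failed for '203.0.113.5' - Wrong password
[Mar 10 12:00:05] NOTICE[1234] chan_sip.c: Registration from '<sip:1002@dcerouter>' failed for '203.0.113.5:5060' - No matching peer found
[Mar 10 12:00:30] NOTICE[1234] chan_sip.c: Registration from '<sip:200@dcerouter>' failed for '192.168.80.1' - Wrong password
[Mar 10 12:00:40] NOTICE[1234] chan_sip.c: Registration from '<sip:1001@dcerouter>' failed for '203.0.113.5' - Wrong password
[Mar 10 12:00:55] NOTICE[1234] chan_sip.c: Registration from '<sip:1001@dcerouter>' failed for '203.0.113.5' - Wrong password
[Mar 10 12:01:02] VERBOSE[1234] chan_sip.c:   -- Registered SIP '200' at 192.168.80.1:5060
""".splitlines()
```

Run it against `/var/log/asterisk/full` (path assumed) from cron and only the IPs that hit the threshold are banned, so one mistyped secret from a LAN phone does not lock that phone out.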
I had the same problem. In addition, in Broadvoice I banned any international calling. Of course, not everyone can do this but it is a second line of defense. I had calls to Sierra Leone too! Wonder what's going on there?
Randy
Have you guys updated to the latest snapshot yet and re-added your extensions to secure your extensions? I have not had a single issue since we implemented the SIP secret code recently.
I'm working on it.
I have seen that in the latest snapshot. It's OK. But I think the system should ban IPs that attack it. Now I'm studying how to work with iptables.
Hello,
I use in my home system fail2ban to create rules on iptables to block attacks.
I will post my rules when I get home.
Carlos
Hi los93sol
I have seen the updates on the Asterisk secrets, which is great, but the phones cannot log in; I keep getting "chan_sip.c: Registration from '<sip:200@dcerouter>' failed for '192.168.80.1' - Wrong password".
The Asterisk tables are correct and the orbiters reflect the passwords, but it seems the orbiter phone software is not using the passwords. If I remove the passwords then the orbiter phones log in.
Anyone else having these issues?
Regards
Interesting, it sounds like simplephone did not get updated.
LmceCape: Please try again in the next snapshot, it seems I forgot to update the beta page with the pluto-simplephone package so it would get into the snapshots, done now, thanks for the feedback!
Thanks los93sol, I will give it a shot
Cheers
I'm lucky to be reading all these posts and not having setup my host yet. I've used SSHblack in the past and it's easy to just make it look at any other logs so I imagine this should work for this as well.
I'm going to keep on reading.
To the devs: Thanks for all the hard work. I'm very impressed and look forward to setting things up. Maybe once I have more experience with the environment I'll be able to contribute.
If it ever comes out?
We're constantly making releases as we squash bugs and round things out. Grab a snapshot.
-Thom
We install Asterisk phone systems for UK businesses and use a script called fail2ban; this monitors failed login attempts and then blacklists the IP address that they originate from. The IPs stay blacklisted for whatever length of time you specify in the script's config. It'll even send you an email to tell you every time it blocks an IP, which is reassuring to start with but gets a bit annoying after a few weeks - too many scripts out now for hacking SIP systems - we get around 10 IPs a day blocked by each system, and we put them on a permanent block.
Hope this helps some of you avoid falling into the clutches of these scammers from Sierra Leone.
Another good idea is to set up a trunk that catches international or premium rate numbers and requires a PIN to access the trunk.
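The fail2ban setup the post above describes (watch the Asterisk log, ban for a configured time, email on each ban), written out as an added example rather than the poster's own config. The log path, the email address and the ban times are assumptions; the failregex matches the chan_sip.c line quoted earlier in this thread.

```ini
# /etc/fail2ban/filter.d/asterisk.conf   (path assumed)
[Definition]
# <HOST> is fail2ban's placeholder for the source address; the optional :port
# suffix covers newer Asterisk releases that log 'IP:port'.
failregex = NOTICE\[\d+\] chan_sip\.c: Registration from '.*' failed for '<HOST>(:\d+)?' - Wrong password
            NOTICE\[\d+\] chan_sip\.c: Registration from '.*' failed for '<HOST>(:\d+)?' - No matching peer found
ignoreregex =

# /etc/fail2ban/jail.local   (path assumed)
[asterisk]
enabled  = true
filter   = asterisk
logpath  = /var/log/asterisk/full
maxretry = 5        ; failures allowed inside findtime before a ban
findtime = 600      ; seconds
bantime  = 86400    ; seconds; the post above uses a permanent block instead
action   = iptables-allports[name=asterisk, protocol=all]
           sendmail-whois[name=asterisk, dest=admin@example.com]
```

If fail2ban does not pick up matches, check that it recognises Asterisk's bracketed timestamp; setting `dateformat=%F %T` in the `[general]` section of logger.conf gives a format every fail2ban release parses.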