Author Topic: SIP account hacked?  (Read 4381 times)

brononius

  • Guru
  • ****
  • Posts: 454
  • Trying to keep it simple and centralized...
    • View Profile
    • OnIrIa - linuxMCE blog
SIP account hacked?
« on: March 18, 2016, 04:45:59 am »
Hey,

This morning, i've recieved a mail from my sip provider with a bill of about 300 euro's.
Seems that my server is making a lot of calls towards sierra leone. Of course, i don't know anybody over there (I'm from Belgium).

When I check my call records in linuxmce, I see a lot of calls of about 12 seconds.

Any idea how I can solve this?
For the moment, I've just killed the whole server. :$
Version: linuxMCE 1404, running virtual on ESXi

Orbiters: ASUS eeePAD, Nexus 5, Huwai, web
Automation: EIB technology, KNX IP ROUTER 750
Phones: Cisco 7912-7940-7960
Camera's: Foscam POE

cfernandes

  • Guru
  • ****
  • Posts: 359
    • View Profile
    • my company web site
Re: SIP account hacked?
« Reply #1 on: March 18, 2016, 01:45:10 pm »

brononius

  • Guru
  • ****
  • Posts: 454
  • Trying to keep it simple and centralized...
    • View Profile
    • OnIrIa - linuxMCE blog
Re: SIP account hacked?
« Reply #2 on: March 18, 2016, 01:50:24 pm »
Ahhh, fail2ban is already installed on it, but not activated for asterisk...
Will have a look this evening on it. Since I killed the server, a bit hard to reach it. ;)

Thanks already!
Version: linuxMCE 1404, running virtual on ESXi

Orbiters: ASUS eeePAD, Nexus 5, Huwai, web
Automation: EIB technology, KNX IP ROUTER 750
Phones: Cisco 7912-7940-7960
Camera's: Foscam POE

darkwizard864

  • Veteran
  • ***
  • Posts: 131
    • View Profile
Re: SIP account hacked?
« Reply #3 on: March 18, 2016, 08:58:54 pm »
fail2ban sucks for asterisk.
use a firewall it better.

phenigma

  • LinuxMCE God
  • ****
  • Posts: 1758
    • View Profile
Re: SIP account hacked?
« Reply #4 on: March 19, 2016, 01:37:30 am »
koffel (darkwizard) fail2ban is designed for this exact purpose and it works very well when configured properly.

J.

darkwizard864

  • Veteran
  • ***
  • Posts: 131
    • View Profile
Re: SIP account hacked?
« Reply #5 on: March 19, 2016, 04:18:10 pm »
phenigma I would agree but I had it correctly installed..but fail2ban depends on iptables working correctly. I did see when I had fail2ban install that there were more attempts on asterisk then with out it..
personal option to you brononius is use a ext. firewall. you be better off.

Marie.O

  • Administrator
  • LinuxMCE God
  • *****
  • Posts: 3676
  • Wastes Life On LinuxMCE Since 2007
    • View Profile
    • My Home
Re: SIP account hacked?
« Reply #6 on: March 21, 2016, 05:26:27 pm »
brononius,

I had people trying to hack my asterisk as well. So far, they did not succeed.

Question: Did you manually configure any SIP accounts that have dial-out abilities? All the auto installed user in the system have a password that is not easily hacked without a LOT of tries. What I have found out so far is, they mainly try the default things, ie. 2-4 digit phone numbers where password equals phone number.