SIP account hacked?

Started by brononius, March 18, 2016, 04:45:59 AM

brononius

Hey,

This morning, I received a mail from my SIP provider with a bill of about 300 euros.
Seems that my server is making a lot of calls towards Sierra Leone. Of course, I don't know anybody over there (I'm from Belgium).

When I check my call records in LinuxMCE, I see a lot of calls of about 12 seconds.

Any idea how I can solve this?
For the moment, I've just killed the whole server. :$
Version: LinuxMCE 1404, running virtual on ESXi

Orbiters: ASUS eeePAD, Nexus 5, Huawei, web
Automation: EIB technology, KNX IP ROUTER 750
Phones: Cisco 7912-7940-7960
Cameras: Foscam POE


brononius

Ahhh, fail2ban is already installed on it, but not activated for Asterisk...
Will have a look at it this evening. Since I killed the server, it's a bit hard to reach. ;)

Thanks already!

darkwizard864

fail2ban sucks for Asterisk.
Use a firewall, it's better.

phenigma

koffel (darkwizard), fail2ban is designed for this exact purpose and it works very well when configured properly.

J.
My setup: http://wiki.linuxmce.org/index.php/User:Phenigma

darkwizard864

phenigma, I would agree, but I had it correctly installed... but fail2ban depends on iptables working correctly. I did see, when I had fail2ban installed, that there were more attempts on Asterisk than without it.
My personal opinion, brononius, is to use an external firewall. You'd be better off.

Marie.O

brononius,

I had people trying to hack my asterisk as well. So far, they did not succeed.

Question: Did you manually configure any SIP accounts that have dial-out abilities? All the auto-installed users in the system have a password that is not easily hacked without a LOT of tries. What I have found out so far is that they mainly try the default things, i.e. 2-4 digit phone numbers where the password equals the phone number.
If I helped you, feel free to buy me a coffee: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=2VKASZLTJH7ES