Some !@$#@@# in the Czech Republic used one of our SIP accounts to place four thousand calls to what appears to be a toll number in Zimbabwe last night. Filter 82.150.165.5.

A more overriding problem for me is how do we know what *destinations* to filter so this idea of war dialing a toll number is something we can cut off before it gets to our upstream provider? Is there some collected list of toll prefixes that I can filter on?

Cheers,

j
On Wed, 23 Jun 2010, Jeff LaCoursiere wrote:

> Some !@$#@@# in the Czech Republic used one of our SIP accounts to place
> four thousand calls to what appears to be a toll number in Zimbabwe last
> night. Filter 82.150.165.5.
>
> A more overriding problem for me is how do we know what *destinations* to
> filter so this idea of war dialing a toll number is something we can
> cut off before it gets to our upstream provider? Is there some collected
> list of toll prefixes that I can filter on?

How did they guess the SIP username and password? That's what I'm more concerned about...

Gordon
You can start by simply telling us what is the purpose of your server.. and does it have long distance or overseas?? Do you use numeric usernames? Simple passwords? Passwords the same as your username? This way you can offer more info so we can help you.

A quick answer will be.. opening a few and blocking ALL is easier.. as you can have up to 400 prefixes to block.. unless you call world wide.. then you will have to block the countries you don't call.. Another option.. make your usernames more complex.. letters and numbers.. An additional option is to use fail2ban with Asterisk support.. it will block the IP after the number of attempts you set in the configs.

A client of mine wanted simple usernames and passwords to be set up using the keypad on the IP phones.. two months ago they had the same problem you faced.. 400$ to Zimbabwe.. and later on 1200$ to Zimbabwe.. Their provider has a limit of 30 minutes per call.. so the caller had to redial.. unless it's automated.

Still, you can provide us with more info.

Regards
--
Tarek Sawah
Integrated Digital Systems
CCNA, MCSE, RHCE, VoIP
USA: +1 386 492 9993

> Date: Wed, 23 Jun 2010 16:08:51 +0000
> From: jeff at sunfone.com
> To: asterisk-users at lists.digium.com
> Subject: [asterisk-users] one for your filters
>
> Some !@$#@@# in the Czech Republic used one of our SIP accounts to place
> four thousand calls to what appears to be a toll number in Zimbabwe last
> night. Filter 82.150.165.5.
>
> A more overriding problem for me is how do we know what *destinations* to
> filter so this idea of war dialing a toll number is something we can
> cut off before it gets to our upstream provider? Is there some collected
> list of toll prefixes that I can filter on?
>
> Cheers,
>
> j
You can look at it a few different ways. Use one or more methods:

1. If you are allowing SIP phones to register from anywhere (inside and outside your network), make sure all the extensions have VERY strong passwords (12 characters or more of absolute gibberish).

2. Use deny/permit for those extensions that will only be registered inside your network. Those trying from the outside will never succeed.

3. Restrict the type of calls those extensions can make. If no one should ever call international numbers, don't put it as an option. Using _91NXXNXXXXXX and _9NXXXXXX (assuming US - sorry) limits the ability of the extension. There is only one person in our organization that would ever make international calls, so I added a context where he is the only one that can make those calls. And, even then, I made sure that extension can't call places where he shouldn't call (Cuba, etc.) AND that extension can't register from outside our network.

Using the default Asterisk settings is great for making sure that things are working the way you want, but only after securing your Asterisk server will it work the way you need.

Hope that helps. Good luck.

--
Dean Hoover

On 6/23/2010 11:08 AM, Jeff LaCoursiere wrote:

> Some !@$#@@# in the Czech Republic used one of our SIP accounts to place
> four thousand calls to what appears to be a toll number in Zimbabwe last
> night. Filter 82.150.165.5.
>
> A more overriding problem for me is how do we know what *destinations* to
> filter so this idea of war dialing a toll number is something we can
> cut off before it gets to our upstream provider? Is there some collected
> list of toll prefixes that I can filter on?
>
> Cheers,
>
> j
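The dialplan restriction in point 3 can be checked offline before it is deployed. The following is an added example, not code from the thread or from Asterisk itself: it translates Asterisk extension patterns (X, Z, N, character sets, `.` and `!`) into regexes and evaluates dialed strings against constructed contexts shaped like the ones described, one US-only and one that also permits 9-011 international dialing with a block on Cuba (+53). Zimbabwe's +263 is used as the destination from the original report; the context names and number samples are constructed.

```python
import re

# Asterisk dialplan pattern classes: X = 0-9, Z = 1-9, N = 2-9.
ASTERISK_CLASSES = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]"}


def pattern_to_regex(pattern):
    """Translate an Asterisk extension pattern (leading '_') into an anchored regex."""
    if not pattern.startswith("_"):
        return re.compile(re.escape(pattern) + r"$")  # literal extension, exact match
    out, i = [], 1
    while i < len(pattern):
        c = pattern[i]
        if c in ASTERISK_CLASSES:
            out.append(ASTERISK_CLASSES[c])
        elif c == "[":                       # character set such as [2-9] passes through
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])
            i = j
        elif c == ".":                       # one or more remaining characters
            out.append(".+")
        elif c == "!":                       # zero or more remaining characters
            out.append(".*")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"$")


# Constructed contexts: US local and long distance only, and a second context for
# the single user who may dial 9-011 international.
CONTEXTS = {
    "internal-us": ["_9NXXXXXX", "_91NXXNXXXXXX"],
    "internal-intl": ["_9NXXXXXX", "_91NXXNXXXXXX", "_9011."],
}
# Destinations the international user still must not reach (Cuba is +53).
INTL_BLOCKLIST = ["_901153."]


def call_allowed(context, dialed):
    """True when dialed matches some pattern of the context and no block-list pattern.

    Asterisk picks the most specific matching pattern at run time; for an
    allow/deny review, "does any pattern match" is the question that matters.
    """
    patterns = CONTEXTS.get(context, [])
    if not any(pattern_to_regex(p).match(dialed) for p in patterns):
        return False
    return not any(pattern_to_regex(p).match(dialed) for p in INTL_BLOCKLIST)
```

A 9-011 call to +263 (Zimbabwe) is rejected in the US-only context because neither US pattern can match it, while the international context admits it but still refuses +53.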
On Wed, 23 Jun 2010, Jeff LaCoursiere wrote:

> Some !@$#@@# in the Czech Republic used one of our SIP accounts to place
> four thousand calls to what appears to be a toll number in Zimbabwe last
> night. Filter 82.150.165.5.

Ouch. 82.0.0.0/8 is on my block list, available at:

http://www.sedwards.com/class-a-block-list

If you don't need to receive packets from far away places, it's a great start.

--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards      sedwards at sedwards.com      Voice: +1-760-468-3867 PST
Newline                                            Fax: +1-760-731-3000
On 23 Jun 2010, at 18:39, Steve Edwards wrote:

> Ouch. 82.0.0.0/8 is on my block list, available at:
>
> http://www.sedwards.com/class-a-block-list

Would advise people in the UK do not use that list... 82.0.0.0/8 would block a reasonable chunk of my users for starters..

Steve
> I'm still trying to figure that out. Our SIP usernames are seven digit
> phone numbers, so not really difficult to guess, but the passwords are 7
> char alpha-numeric strings, auto generated. We don't at present restrict
> people to their addresses, as some are dynamic.

If they're randomly generated (which might not be the same as "auto generated") then that *ought* to be a big enough namespace to provide reasonable resistance to cracking... 78 billion combinations at least (assuming upper-case alpha and numeric characters).

Do your logs show a lot of failed registrations? A brute-force password-guessing attack ought to show up in this way (and is thus good fodder for a Fail2Ban auto-jailing).

You should check your Asterisk configuration to make triple-sure that:

(1) Inbound "guest" calls go only to a restrictive context which will allow calling of only your own specific extensions, and

(2) You don't have DISA enabled on any extension... a short DISA passcode and a guessable DISA extension number could be an expensive vulnerability.
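The failed-registration check suggested here (and the fail2ban approach Tarek mentions) is essentially counting chan_sip "Registration from ... failed for ..." notices per source address. The following is an added example, not code from the thread or from fail2ban: it parses constructed Asterisk log lines in that notice format and reports sources at or over a threshold, together with how many distinct usernames they tried, since a scanner walking a seven-digit username space looks different from one user mistyping a password. The log lines, hostnames and usernames are constructed; 82.150.165.5 is the address named in the original report.

```python
import re
from collections import Counter

# Constructed Asterisk log excerpt in the chan_sip NOTICE format. The first five
# lines mimic a scanner cycling through numeric usernames from one source; the
# last two are an internal phone failing once and then registering normally.
SAMPLE_LOG = """\
[Jun 23 02:14:01] NOTICE[2211] chan_sip.c: Registration from '"5551001" <sip:5551001@pbx.example.net>' failed for '82.150.165.5:5060' - Wrong password
[Jun 23 02:14:01] NOTICE[2211] chan_sip.c: Registration from '"5551002" <sip:5551002@pbx.example.net>' failed for '82.150.165.5:5060' - No matching peer found
[Jun 23 02:14:02] NOTICE[2211] chan_sip.c: Registration from '"5551003" <sip:5551003@pbx.example.net>' failed for '82.150.165.5:5060' - Wrong password
[Jun 23 02:14:02] NOTICE[2211] chan_sip.c: Registration from '"5551004" <sip:5551004@pbx.example.net>' failed for '82.150.165.5:5060' - Wrong password
[Jun 23 02:14:03] NOTICE[2211] chan_sip.c: Registration from '"5551005" <sip:5551005@pbx.example.net>' failed for '82.150.165.5:5060' - Wrong password
[Jun 23 08:30:17] NOTICE[2211] chan_sip.c: Registration from '"5551234" <sip:5551234@pbx.example.net>' failed for '10.0.0.23:5060' - Wrong password
[Jun 23 08:30:40] NOTICE[2211] chan_sip.c: Peer '5551234' is now Reachable. (12ms / 2000ms)
"""

# Captures the attempted username and the source IP (port suffix optional).
FAILED_REG = re.compile(
    r"""Registration from '"?(?P<user>[^"'<]+)"?[^']*' failed for '(?P<ip>[\d.]+)(?::\d+)?'"""
)


def failed_registrations(log_text):
    """Yield (source_ip, attempted_username) for every failed REGISTER notice."""
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def brute_force_sources(log_text, threshold=5):
    """Return {ip: (failures, distinct_usernames)} for sources at or over threshold.

    Many failures spread over many usernames is the signature of username
    enumeration; many failures against one username is more likely a misconfigured
    phone. The jailing decision itself is left to fail2ban or a firewall rule.
    """
    attempts, users = Counter(), {}
    for ip, user in failed_registrations(log_text):
        attempts[ip] += 1
        users.setdefault(ip, set()).add(user)
    return {ip: (n, len(users[ip])) for ip, n in attempts.items() if n >= threshold}
```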