Hello,

We had been seeing SIP-guessing attacks on our Asterisk server here.

While it wasn't that hard to write a once-a-minute cron job to spank the lusers, that runs once a minute and creates little spikes in the usage and I/O graphs, and is slower to respond than I'd really prefer. I felt that it'd be much cooler to get something more comprehensive put together. We don't use fail2ban because I don't like having to install python.

sshguard is a high-performance compiled C application that can run off a log file or a pipe from syslogd to sshguard, meaning that it can respond a lot more quickly than once a minute, and works with very modest overhead on the host system. It also has features such as touchiness, so that it can get tougher on a miscreant as time goes on; my own shell script is naive in that once it passes a threshold, there's just a permanent rule generated. This worries me if I ever have a situation where a legitimate remote client gets messed up and tries the wrong password or something like that; sshguard does a much nicer job in this regard.

In any case, my initial attempts to create rules for sshguard didn't work right, quite possibly because I don't often work in LEX/YACC. I submitted a request to the sshguard guys suggesting new rules.

http://www.sshguard.net/support/submission/detail/49ce7182028d8b6f3e3d/

and on their mailing list, a little more:

http://sourceforge.net/mailarchive/forum.php?thread_name=F4E10075-5D93-43B4-B73A-1FD217BE130D%40sshguard.net&forum_name=sshguard-users

In particular, they're looking for log examples of some of those messages, but I have no idea how to generate the conditions that would cause these messages. I'm also not sure if there's a way to disable color codes in the Asterisk log files; we log indirectly via BSD's "logger"

    # asterisk -vvv 2>&1 | logger -t asterisk

so it may be thinking that the console is color-capable. We use this method because this forces them through the syslog mechanism; we need that for centralized logging, and it's handy for things like sshguard too.

Specifically looking for examples of (or how to generate)

1) .*No registration for peer '.*' (from <HOST>)
2) .*Host <HOST> failed MD5 authentication for '.*' (.*)
3) .*Failed to authenticate user .*@<HOST>.*

If anyone who is more familiar with the attacks or how to generate these messages would give me some assistance, or chime in on the sshguard-users list, that'd be most appreciated.

Thanks.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
I do not have log examples to provide but do have info about other issues.

There is a nocolor option in asterisk.conf that can turn off color.

logger.conf has a provision to use syslog directly.

-- 
Jim Dickenson
mailto:dickenson at cfmc.com

CfMC
http://www.cfmc.com/

On Dec 9, 2010, at 5:57 AM, Joe Greco wrote:

> I'm also not sure if there's a way to disable
> color codes in the Asterisk log files; we log indirectly via BSD's
> "logger"
>
> # asterisk -vvv 2>&1 | logger -t asterisk
>
> so it may be thinking that the console is color-capable. We use this
> method because this forces them through the syslog mechanism; we need
> that for centralized logging, and it's handy for things like sshguard
> too.
Sorry, I am not familiar with sshguard, but you can also try OSSEC by Trend Micro:

http://www.ossec.net/

It can auto-block an IP address using iptables.

You can also follow this howto for Asterisk:

http://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/

Hope this helps.

Regards,
Ron

On 12/9/2010 9:57 PM, Joe Greco wrote:

> We had been seeing SIP-guessing attacks on our Asterisk server here.
>
> While it wasn't that hard to write a once-a-minute cron job to spank
> the lusers, that runs once a minute and creates little spikes in the
> usage and I/O graphs, and is slower to respond than I'd really prefer.
> I felt that it'd be much cooler to get something more comprehensive
> put together. We don't use fail2ban because I don't like having to
> install python.
I'm not sure if this is the log entry you are looking for. I had many of these last night.

[Dec 9 06:47:51] NOTICE[5630]: chan_sip.c:15593 handle_request_register: Registration from '"106" <sip:106 at MyWanAddress>' failed for '121.11.158.174' - Wrong password

If you need more information from this Asterisk box let me know. I need to find a way to block these also.

Gary

On 9 Dec 2010 at 7:57, Joe (Joe Greco <asterisk-users at lists.digium.com>) commented about [asterisk-users] Asterisk SIP attac:

> Specifically looking for examples of (or how to generate)
>
> 1) .*No registration for peer '.*' (from <HOST>)
> 2) .*Host <HOST> failed MD5 authentication for '.*' (.*)
> 3) .*Failed to authenticate user .*@<HOST>.*
>
> If anyone who is more familiar with the attacks or how to generate
> these messages would give me some assistance, or chime in on the
> sshguard-users list, that'd be most appreciated.
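Pulling the source address out of these notices (the three patterns Joe listed plus the "Wrong password" registration line Gary posted) and counting failures per host, as an added example that is neither sshguard's parser nor anything from the thread: a POSIX shell filter that first strips the ANSI color sequences Joe mentioned, then prints every address that reaches a failure threshold. The log lines it runs over are constructed, using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example: count SIP authentication failures per source address in
# Asterisk log lines arriving via "asterisk -vvv 2>&1 | logger -t asterisk".

# Asterisk thinks the console is color-capable when run this way, so lines
# carry ESC[...m sequences; drop them before matching (or set nocolor).
strip_color() {
    esc=$(printf '\033')
    sed "s/${esc}\\[[0-9;]*m//g"
}

# Print the source address of each line matching one of the four chan_sip
# failure messages seen in this thread; unrelated lines print nothing.
extract_hosts() {
    sed -n -E \
        -e "s/.*No registration for peer '[^']*' \(from ([0-9.]+)\).*/\1/p" \
        -e "s/.*Host ([0-9.]+) failed MD5 authentication for .*/\1/p" \
        -e "s/.*Failed to authenticate user .*@([0-9.]+).*/\1/p" \
        -e "s/.*Registration from .* failed for '([0-9.]+)'.*/\1/p"
}

# Read log lines on stdin; print each address with at least THRESHOLD
# (default 5) failures, busiest first. Feed the output to a block list that
# expires entries, so a legitimate client's typo is not a permanent ban.
sip_offenders() {
    threshold=${1:-5}
    strip_color | extract_hosts | sort | uniq -c | sort -rn \
        | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Constructed sample input (documentation addresses only); the second line
# carries the color codes Asterisk puts around its NOTICE prefix.
sample_log() {
    printf '%s\n' "[Dec 9 06:47:51] NOTICE[5630]: chan_sip.c:15593 handle_request_register: Registration from '\"106\" <sip:106@198.51.100.1>' failed for '192.0.2.10' - Wrong password"
    printf '\033[1;33mNOTICE\033[0m[5630]: chan_sip.c:15593 handle_request_register: %s\n' "Registration from '\"107\" <sip:107@198.51.100.1>' failed for '192.0.2.10' - Wrong password"
    printf '%s\n' "[Dec 9 06:47:53] NOTICE[5630]: chan_sip.c: Host 192.0.2.10 failed MD5 authentication for 'asterisk' (digest mismatch)"
    printf '%s\n' "[Dec 9 06:48:00] NOTICE[5630]: chan_sip.c: No registration for peer '100' (from 203.0.113.5)"
    printf '%s\n' "[Dec 9 06:48:01] NOTICE[5630]: chan_sip.c: Failed to authenticate user \"200\" <sip:200@203.0.113.5>;tag=as1f2e3d"
    printf '%s\n' "[Dec 9 06:48:02] VERBOSE[5630] chan_sip.c: -- Registered SIP '101' at 192.0.2.20:5060"
}

# With a threshold of 3 only 192.0.2.10 (three failures) is reported.
sample_log | sip_offenders 3
```

For a live feed, replace sample_log with syslog's pipe or a tail of the log file.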
On Thu, Dec 09, 2010 at 07:57:37AM -0600, Joe Greco wrote:

> Specifically looking for examples of (or how to generate)
>
> 1) .*No registration for peer '.*' (from <HOST>)
> 2) .*Host <HOST> failed MD5 authentication for '.*' (.*)
> 3) .*Failed to authenticate user .*@<HOST>.*
>
> If anyone who is more familiar with the attacks or how to generate
> these messages would give me some assistance, or chime in on the
> sshguard-users list, that'd be most appreciated.

You could use SIPVicious to run attacks on your own servers:

http://code.google.com/p/sipvicious/

-- 
Daniel Tryba