I understood that option worked the other way around so attacker
thinks peer name is invalid even when they hit a real one.
On Wed, Jan 19, 2011 at 2:23 AM, <adamk at 3a.hu> wrote:
> Hi List,
>
> i've been receiving several sip registration probes in the last month, and
> as this server is a testing site (no external lines, no nothing) i have no
> fail2ban and still not planning to install. Whenever i have nagios telling
> me that there is another 'guest', i go and edit iptables manually and that's
> it.
>
> Recently i discovered that these attacks start with some kind of dictionary,
> and try to guess valid peer names to use one by one. Apparently after
> quarter million tries, they do find a legitimate sip peer name and from that
> point they stick to that peer name and the attack continues to guess only
> passwords. Of course, they can not guess passwords like p(F9j43/Qgrhjv*&^3
> so i'm still not worried, but this made me believe that asterisk responds
> differently when probing a valid sip peer name.
>
> So i was wondering through the sip.conf and found 'alwaysauthreject' which
> was set to default (commented out). I now set its value to yes (which i
> thought was the default setting).
>
> Does this setting make the attacker believe that the first try of sip peer
> name was valid, but only the password was incorrect? So in this case should
> they stick to the first name tried whatever it was?
>
> thanks
> adam
>
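
Added example, not part of the original thread: a small Python check for the pattern described in the quoted message, where one source tries many peer names and then keeps repeating a single name. The log lines are constructed in the shape of chan_sip's failed-registration NOTICE, and the function name, thresholds and phase labels are assumptions.

```python
import re
from collections import Counter, defaultdict

# Failed-registration NOTICE as logged by chan_sip; a port after the IP is optional.
FAILED = re.compile(
    r"Registration from '(?:\"[^\"]*\"\s*)?<sip:(?P<peer>[^@>]+)@[^>]*>' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
)

def summarize(lines, many_names=3, many_tries=3):
    """Per source IP: how many peer names were tried and which one is retried most."""
    tries = defaultdict(Counter)
    for line in lines:
        m = FAILED.search(line)
        if m:
            tries[m["ip"]][m["peer"]] += 1
    report = {}
    for ip, names in tries.items():
        focus, count = names.most_common(1)[0]
        if len(names) >= many_names and count >= many_tries:
            phase = "names-then-password"  # swept names, then stuck to one
        elif len(names) >= many_names:
            phase = "name-sweep"           # still walking a name dictionary
        elif count >= many_tries:
            phase = "password-guessing"    # hammering a single name
        else:
            phase = "noise"
        report[ip] = {"phase": phase, "distinct": len(names),
                      "focus": focus, "focus_tries": count}
    return report

def _line(peer, ip, reason="Wrong password"):
    # Constructed sample line; addresses come from documentation ranges.
    return (f"[Jan 19 02:10:01] NOTICE[2345] chan_sip.c: Registration from "
            f"'\"{peer}\" <sip:{peer}@192.0.2.1>' failed for '{ip}' - {reason}")

SAMPLE = (
    [_line(p, "198.51.100.7", "No matching peer found") for p in ("100", "101", "admin")]
    + [_line("102", "198.51.100.7:5060")] * 5
    + [_line(p, "192.0.2.44") for p in ("300", "301", "302")]
    + [_line("200", "203.0.113.9")]
)

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, info)
```

The classification uses only the source address and the name in the From URI, so it does not depend on the failure reason text in the log.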