Or just an old one that I've not noticed before... Seeing lines like this in the logs:

[Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=E2lb2p9BOJ
[Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=XMDRarBM2w
[Nov 26 08:47:19] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=AaTE0L0oRj
[Nov 26 08:47:21] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=igsN240Wr5
[Nov 26 08:47:23] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=E8Nkbs0Aye
[Nov 26 08:47:25] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=LEvpc7tK6B
[Nov 26 08:47:27] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=WrIoZ92YPz
[Nov 26 08:47:29] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=kuGTjXr7Pd
[Nov 26 08:47:31] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=ygQBLSjH1m

etc.

The IP address is presumably the IP address of some compromised host (in Germany in this case, but I've noticed others around the globe so the software doing it would appear to be widespread) - it's not a host that should be connecting in.

I suspect that some SIP PBX somewhere is vulnerable to having an account called "VOIP", so this remote attack is trying to compromise that account. At least it's only once every 2 seconds, so in that respect no worse than the multitude of pop/smtp/imap/ssh type attacks that hackers try... I've seen it on several servers now, always for account VOIP.

I'm presuming the "fake rejection" is the side-effect of using alwaysauthreject in sip.conf. (If so, then it's doing the right thing.) But something to look out for just in case..

Gordon
Install & Configure Fail2Ban then the host will be blocked from connecting. And no, it's not new.

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Gordon Henderson
Sent: Saturday, November 26, 2011 6:55 AM
To: Asterisk Users Mailing List Discussion
Subject: [asterisk-users] A new hack?

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
On 11/30/2011 09:01 AM, Tom Browning wrote:

I agree - it's a bad comparison of 2 different things meant for different purposes. iptables is enforcement, fail2ban is detection. If you have time to sit and make up iptables rules by hand during every hack attempt 1) you have too much time on your hands 2) you have too much time on your hands

> On Tue, Nov 29, 2011 at 4:44 PM, john Millican <john at millican.us> wrote:
>
>> Maybe I am misunderstanding the gist of the comment
>
> OP offered an invalid comparison of how iptables is better than Fail2Ban.
>
> Whether or not OP knew that Fail2Ban simply feeds rules to iptables is
> unclear from his comments.
>
> Log scraping is a time honored and effective method to correlate bad behavior.
>
> Log scraping can see things that no iptables rule would ever find. Think SSL.
>
> If Fail2Ban is a bad log scraper framework, then criticize it with a
> clear understanding of its role.
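As an added example, not code from anyone in this thread or from fail2ban itself: a small Python log scraper that does for Gordon's chan_sip lines what the thread says fail2ban does, namely match the "Sending fake auth rejection" NOTICE, pull out the source host, and apply a fail2ban-style maxretry/findtime window to decide which address would be handed to iptables. The sample log is constructed from the lines Gordon quoted plus a made-up second host (192.0.2.10) and one unrelated line; accepting " at " as well as "@" in the SIP URI is an assumption about how the list archive mangles addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The chan_sip NOTICE that alwaysauthreject=yes emits for an unknown peer; the
# list archive mangles "@" to " at " (assumption), so the regex accepts both.
FAKE_REJECT_RE = re.compile(
    r'^\[(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: '
    r'Sending fake auth rejection for user "(?P<user>[^"]*)" '
    r'<sip:[^@ >]*(?:@| at )(?P<host>[^>;]+)>')

# Constructed sample: lines quoted in the thread, plus a made-up second host
# (192.0.2.10, RFC 5737 documentation range) and one unrelated line.
SAMPLE_LOG = [
    '[Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=E2lb2p9BOJ',
    '[Nov 26 08:47:17] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=XMDRarBM2w',
    '[Nov 26 08:47:18] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "1001" <sip:1001@192.0.2.10>;tag=constructed1',
    '[Nov 26 08:47:19] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=AaTE0L0oRj',
    '[Nov 26 08:47:20] VERBOSE[789] logger.c: constructed unrelated log line',
    '[Nov 26 08:47:21] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=igsN240Wr5',
    '[Nov 26 08:47:22] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "1001" <sip:1001@192.0.2.10>;tag=constructed2',
    '[Nov 26 08:47:23] NOTICE[789] chan_sip.c: Sending fake auth rejection for user "VOIP" <sip:VOIP at 85.25.145.176>;tag=E8Nkbs0Aye',
]

def parse_line(line, year=2011):
    """(timestamp, user, host) for a fake-auth line, else None. Asterisk's
    default timestamp carries no year, so the caller supplies one."""
    m = FAKE_REJECT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m['user'], m['host'].strip()

def find_offenders(lines, maxretry=5, findtime=60, year=2011):
    """fail2ban-style window: maxretry hits from one host within findtime
    seconds means 'ban'. Returns host -> time the threshold was crossed."""
    recent = defaultdict(deque)   # host -> hit timestamps still in the window
    banned = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None or parsed[2] in banned:
            continue
        ts, _user, host = parsed
        hits = recent[host]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > findtime:
            hits.popleft()        # drop hits that aged out of the window
        if len(hits) >= maxretry:
            banned[host] = ts
    return banned
```

With the defaults, 85.25.145.176 crosses the threshold on its fifth hit at 08:47:23 while 192.0.2.10 never does; maxretry and findtime correspond to the same-named settings in a fail2ban jail.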
On Wed, 30 Nov 2011, Tom Browning wrote:

> On Tue, Nov 29, 2011 at 4:44 PM, john Millican <john at millican.us> wrote:
>
>> Maybe I am misunderstanding the gist of the comment
>
> OP offered an invalid comparison of how iptables is better than Fail2Ban.
>
> Whether or not OP knew that Fail2Ban simply feeds rules to iptables is
> unclear from his comments.

Yes, I know exactly how Fail2Ban works.

Gordon