Greetings all,

I have been seeing a lot of

[Jan 2 16:36:31] NOTICE[7519]: chan_sip.c:23149 handle_request_invite: Sending fake auth rejection for device 100<sip:100 at 108.161.145.18>;tag=2e921697

in my logs lately. Is there a way to automatically ban IP addresses from attackers within Asterisk?

Thank you
On Wed, Jan 2, 2013 at 3:49 PM, Frank <frank at efirehouse.com> wrote:
> Greetings all,
>
> I have been seeing a lot of
>
> [Jan 2 16:36:31] NOTICE[7519]: chan_sip.c:23149 handle_request_invite:
> Sending fake auth rejection for device 100<sip:100 at 108.161.145.18>;tag=2e921697
>
> in my logs lately. Is there a way to automatically ban IP address from
> attackers within asterisk ?

http://www.fail2ban.org/wiki/index.php/Asterisk

-- 
Carlos Alvarez
TelEvolve
602-889-3003
Hi,

Fail2ban
http://en.gentoo-wiki.com/wiki/HOWTO_fail2ban

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On behalf of Frank
Sent: Wednesday, January 2, 2013 20:50
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] Auto ban IP addresses

Greetings all,

I have been seeing a lot of

[Jan 2 16:36:31] NOTICE[7519]: chan_sip.c:23149 handle_request_invite: Sending fake auth rejection for device 100<sip:100 at 108.161.145.18>;tag=2e921697

in my logs lately. Is there a way to automatically ban IP address from attackers within asterisk ?

Thank you

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Howto fail2ban in asterisk
http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On behalf of Frank
Sent: Wednesday, January 2, 2013 20:50
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] Auto ban IP addresses

Greetings all,

I have been seeing a lot of

[Jan 2 16:36:31] NOTICE[7519]: chan_sip.c:23149 handle_request_invite: Sending fake auth rejection for device 100<sip:100 at 108.161.145.18>;tag=2e921697

in my logs lately. Is there a way to automatically ban IP address from attackers within asterisk ?

Thank you
On Wednesday 02 January 2013, Frank wrote:
> Greetings all,
>
> I have been seeing a lot of
>
> [Jan 2 16:36:31] NOTICE[7519]: chan_sip.c:23149 handle_request_invite:
> Sending fake auth rejection for device
> 100<sip:100 at 108.161.145.18>;tag=2e921697
>
> in my logs lately. Is there a way to automatically ban IP address from
> attackers within asterisk ?

There is a more "general-purpose" way to block IP addresses from which unwanted traffic is coming: "fail2ban". This scans various logfiles for failed login attempts, and can insert iptables rules to block the addresses whence they originate.

On Ubuntu and Debian, just run

$ sudo apt-get install fail2ban

-- 
AJS

Answers come *after* questions.
I am using fail2ban on all my asterisk servers, but beware, fail2ban can be dangerous software. The problem relies on the fact that SIP uses UDP, so it is possible to send messages with a forged source IP address. This way the bad guy out there can "ban" all your IP addresses. I say "it is possible" without having investigated in deep detail what is really needed to do.

Leandro

2013/1/3 Éder <eder at openminds.com.br>
> Howto fail2ban in asterisk
>
> http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk
>
> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com
> [mailto:asterisk-users-bounces at lists.digium.com] On behalf of Frank
> Sent: Wednesday, January 2, 2013 20:50
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: [asterisk-users] Auto ban IP addresses
>
> Greetings all,
>
> I have been seeing a lot of
>
> [Jan 2 16:36:31] NOTICE[7519]: chan_sip.c:23149 handle_request_invite:
> Sending fake auth rejection for device
> 100<sip:100 at 108.161.145.18>;tag=2e921697
>
> in my logs lately. Is there a way to automatically ban IP address from
> attackers within asterisk ?
>
> Thank you
On Thu, 2013-01-03 at 09:42 +0100, Leandro Dardini wrote:
> I am using fail2ban on all my asterisk server, but beware, fail2ban
> can be a dangerous software. The problem rely on the fact that SIP
> uses UDP, so it is possible to send messages with a forged source IP
> address. This way the bad guy out there can "ban" all your IP
> addresses. I say "it is possible" without having investigated in deep
> details what is really needed to do.

The jail.conf in fail2ban allows for a whitelist of IPs that will never be banned

-- 
Ishfaq Malik <ish at pack-net.co.uk>
Department: VOIP Support
Company: Packnet Limited
t: +44 (0)845 004 4994
f: +44 (0)161 660 9825
e: ish at pack-net.co.uk
w: http://www.pack-net.co.uk
Registered Address: PACKNET LIMITED, 2A ENTERPRISE HOUSE, LLOYD STREET NORTH, MANCHESTER SCIENCE PARK, MANCHESTER, M156SE
COMPANY REG NO. 04920552
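To make concrete what fail2ban does with Frank's "Sending fake auth rejection" line, and how the whitelist Ishfaq mentions protects your own addresses from the spoofing problem Leandro raises, here is a small fail2ban-style detector written for this thread (added example, not part of the original posts or of fail2ban itself). It assumes the chan_sip line format quoted above; the option names maxretry, findtime and ignoreip are borrowed from fail2ban's jail.conf, and the sample log lines are constructed.

```python
import re, ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# chan_sip NOTICE from the thread; the list archive rewrites "@" as " at ", so accept both
FAKE_AUTH_RE = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\]: chan_sip\.c:\d+ handle_request_invite: "
    r"Sending fake auth rejection for device [^<]*<sip:[^@\s>]+(?:@| at )(?P<host>[^>;]+)>")

def parse_line(line):
    """(timestamp, source IP) for a matching chan_sip line, else None (year is not logged)."""
    m = FAKE_AUTH_RE.search(line)
    if m:
        return (datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S"),
                m["host"].strip())

def is_ignored(ip, ignoreip):
    """fail2ban-style ignoreip: plain addresses or CIDR ranges that are never banned."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignoreip)

def find_bans(lines, maxretry=5, findtime=600, ignoreip=()):
    """IPs, in ban order, that reach maxretry matches inside a findtime-second window."""
    window, hits, banned = timedelta(seconds=findtime), defaultdict(deque), []
    for ts, ip in filter(None, map(parse_line, lines)):   # lines are per-source chronological
        if ip in banned or is_ignored(ip, ignoreip):
            continue
        q = hits[ip]
        q.append(ts)
        while ts - q[0] > window:   # expire hits that fell out of the window
            q.popleft()
        if len(q) >= maxretry:
            banned.append(ip)
    return banned

def _line(ts, ip):
    # constructed sample line in the exact chan_sip format quoted in the thread
    return (f"[{ts}] NOTICE[7519]: chan_sip.c:23149 handle_request_invite: "
            f"Sending fake auth rejection for device 100<sip:100@{ip}>;tag=2e921697")

# constructed log: a burst from one host, slow probes from a second, and a burst from a LAN host
SAMPLE_LOG = ([_line(f"Jan  2 16:36:3{i}", "108.161.145.18") for i in range(1, 6)]
              + [_line(f"Jan  2 16:{m:02d}:00", "192.0.2.10") for m in (0, 20, 40)]
              + [_line(f"Jan  2 16:36:3{i}", "10.0.0.5") for i in range(1, 6)])

def demo():
    # the 10.0.0.0/8 entry plays the role of ignoreip and keeps 10.0.0.5 off the ban list
    return find_bans(SAMPLE_LOG, maxretry=5, findtime=600, ignoreip=["10.0.0.0/8"])
```

Without the ignoreip entry the same log also bans 10.0.0.5, which is exactly the failure mode a forged UDP source address could trigger against your own PBX peers.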
On Wednesday, January 2, 2013, Frank wrote:
> Is there a way to automatically ban IP address from
> attackers within asterisk ?

As others have mentioned, fail2ban does a good job. However, it may not be enough as these attacks sometimes come from older versions of the SipVicious hacking tool that keep trying even after they cease getting a response -- i.e. the attack continues even after fail2ban has jailed the host, which eats into your bandwidth and can cause denial of service in extreme cases.

FWIW, I suffered one such attack last year after my router died and the temporary replacement couldn't selectively block or forward UDP 5060 based on WAN IP address. The attack continued for over eight days and consumed over a gigabyte a day of my bandwidth for the first three of those days -- until I'd replaced the temporary router and taken proactive measures.

An initial LART to the attacking host's owner and their provider achieved little. I ended up installing SipVicious to a virtual machine to which I route all SIP requests from the attacker. On the VM I set up svcrash to automatically crash the attacking script each time it received a SIP request. This cut the attack down to one request every couple of seconds. In the end, I suggested to the owner of the attacking host that it might be a good idea for them to remove Python unless it was actually needed and in any case to remove from that machine all instances of svwar.py and svcrack.py together with the remainder of the SipVicious suite. The attack stopped shortly after.

I suspect that any system that responds to all SIP requests is likely to attract such attacks. My solution is to silently drop SIP traffic from all but my SIP providers, which means that attackers perceive that my Asterisk box doesn't exist. This is not ideal as it also prevents legitimate direct SIP calls and reinvites, but IMO better that than having bandwidth I pay for by the gigabyte consumed by brute force attacks.

-- 
Geoff
> I have been seeing a lot of
>
> [Jan 2 16:36:31] NOTICE[7519]: chan_sip.c:23149 handle_request_invite:
> Sending fake auth rejection for device
> 100<sip:100 at 108.161.145.18>;tag=2e921697
>
> in my logs lately. Is there a way to automatically ban IP address from
> attackers within asterisk ?

You may want to check out this presentation from the last Astricon, it may be relevant:
http://www.astricon.net/2012/videos/Automated-Hacker-Mitigation.html

Cheers.

JR

-- 
JR Richardson
Engineering for the Masses