Steve Totaro
2007-Apr-26 05:44 UTC
[asterisk-users] Asterisk brute force watcher (was FYI)
> -----Original Message-----
> From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of J. Oquendo
> Sent: Thursday, April 26, 2007 6:47 AM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: [asterisk-users] Asterisk brute force watcher (was FYI)
>
> Steve Totaro wrote:
> > I suspect that this will happen more and more. I also suspect that many
> > people who have weak SIP credentials like user=100 secret=100 will be
> > the victim of toll fraud and worse, call to 900 and other very high
> > termination rates. How does $25 per minute sound?
> >
> > Thanks,
> > Steve Totaro
> > http://www.asteriskhelpdesk.com
> > KB3OPB
>
> Ashtray is an Asterisk brute force watcher. Checks logs from cron and
> emails admin of potential brute forcers
> http://www.infiltrated.net/scripts/ashtray
>
> Can have it set in .bash_profile so whenever you log on, you'd see
> anomalies.
>
> --
> ===================================================
> J. Oquendo
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
> echo infiltrated.net|sed 's/^/sil@/g'
>
> "Wise men talk because they have something to say;
> fools, because they have to say something." -- Plato

Without looking, can it be configured to blacklist that IP for a given
amount of time? My FTP server has that ability.

Thanks,
Steve Totaro
http://www.asteriskhelpdesk.com
KB3OPB
Steve Totaro wrote:
> Without looking, can it be configured to blacklist that IP for a given
> amount of time? My FTP server has that ability.
>
> Thanks,
> Steve Totaro
> http://www.asteriskhelpdesk.com
> KB3OPB

Depends... I myself have an extremely modified IPS-like script I chopped
up for myself. If I posted it, it would look like a horrendous
shell+ruby+perl+awk+sed nightmare with no comments that most programmers
would likely roll their eyes at in disgust.

Depending on how you run your Asterisk machine (DB or no DB) it should be
doable with iptables (--flush), ipf, ipfw, etc. I have one of my servers
set to do a few things with my script...

1) If a user attempts to register and fails more than 5 times... Email me
the username and IP address. It doesn't get blocked yet. This way no
legitimate remote user complains...

2) If a user attempts to register and fails, check the IP address and see
if they're trying to register using multiple names; if they are, then
automatically block them via iptables...

I started to tinker with an entire IDS/IPS devoted to Asterisk
(www.infiltrated.net/scripts/divinityPoC) but haven't had time to finish
it. Besides (and I'm sorry to say this)... Asterisk's logging
mechanisms/errors infuriate me. Sometimes their errors make no sense - wth
is a doohicky error, you guys? So I left it alone. I've butchered it for
managed PBXes with under 50 users, but for thousands of users, it's no
good. Right now one of my machines has:

341 sip peers [308 online, 33 offline] / 45 active channels : 24 active calls

... I don't even count how many trunks and attached * machines I have on
that server. And this is only one of about maybe 15-20 I deal with on a
daily basis...

What I had envisioned for divinity was based off of my Asteroid program
(www.infiltrated.net/asteroid/)... Catch any anomalous SIP messages and
nip them in the bud. The heuristics behind it though would be a full-time
job in itself, so I left it alone. I may or may not continue it, but
right now I have little incentive to. 1) Too much studying going on for
me... 2) Work keeps me tied up... 3) Family life...

Besides, I've configured my machines to where I'm comfortable with them,
which was my main goal. The last thing I want to do is release something
half done to hear the criticism "Your program is half baked!" blah blah...

--
===================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'

"Wise men talk because they have something to say;
fools, because they have to say something." -- Plato
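The two rules J. Oquendo describes (report a username after more than five failed registrations without blocking it; block an IP that fails with several different usernames), as an added example that is not from the thread, from ashtray or from divinity: a Python pass over constructed Asterisk-style log lines. It assumes chan_sip's "Registration from ... failed for ..." notice shape, which differs between Asterisk versions, and only renders the iptables commands rather than running them.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines shaped like chan_sip's failed-REGISTER notice (assumption:
# exact wording differs between Asterisk versions; adjust FAILED_REG to your log).
def sample_line(sec, user, ip, reason="Wrong password"):
    return (f"[Apr 26 05:40:{sec:02d}] NOTICE[2110] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@192.0.2.10>' failed for '{ip}' - {reason}")

SAMPLE_LOG = (
    [sample_line(s, "100", "198.51.100.7") for s in range(1, 7)]        # one user, 6 bad passwords
    + [sample_line(10 + i, u, "203.0.113.9", "No matching peer found")
       for i, u in enumerate(["100", "101", "admin", "1000"])]           # one IP, four usernames
    + [sample_line(20, "200", "192.0.2.33"), sample_line(21, "200", "192.0.2.33")]  # two typos
    + ["[Apr 26 05:40:30] NOTICE[2110] chan_sip.c: Peer '200' is now Reachable. (12 ms)"]
)

FAILED_REG = re.compile(
    r"Registration from '(?:\"[^\"]*\"\s*)?<sip:(?P<user>[^@>]+)@[^>]*>' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?'"
)
FAIL_THRESHOLD = 5   # "fails more than 5 times" from the thread

def parse_failures(lines):
    """Yield (user, ip) for each failed registration; other lines are ignored."""
    for line in lines:
        m = FAILED_REG.search(line)
        if m:
            yield m.group("user"), m.group("ip")

def classify(failures, threshold=FAIL_THRESHOLD):
    """Rule 1: a (user, ip) pair failing more than `threshold` times is reported, not blocked.
    Rule 2: an ip that tried more than one username is blocked.
    Returns (notify, block)."""
    per_pair = Counter()
    users_per_ip = defaultdict(set)
    for user, ip in failures:
        per_pair[(user, ip)] += 1
        users_per_ip[ip].add(user)
    notify = {pair: n for pair, n in per_pair.items() if n > threshold}
    block = {ip: sorted(users) for ip, users in users_per_ip.items() if len(users) > 1}
    return notify, block

def iptables_commands(block):
    """Render the DROP rules rule 2 implies; printed here, never executed."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(block)]

if __name__ == "__main__":
    notify, block = classify(parse_failures(SAMPLE_LOG))
    for (user, ip), n in notify.items():
        print(f"MAIL ADMIN: user {user} from {ip} failed {n} registrations")
    for cmd in iptables_commands(block):
        print(cmd)
```

Run from cron against the real messages file, the user with six wrong passwords only produces a mail while the IP cycling through four usernames produces a DROP rule, which is the split between "warn" and "block" the thread argues for.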