spectro
2008-Jun-30 16:15 UTC
[asterisk-users] sip extension compromised, need help blocking brute force attempts
Hello, yesterday one of the extensions on my asterisk server got compromised by a brute-force attack. The attacker used it to try to pull an identity theft scam, playing a recording from a bank: "your account has been blocked due to unusual activity, please call this number..."

The attacker managed to make lots of calls for around 8 hours before I detected it and changed the password for that extension. As of this morning it is still attempting to brute force the password for that extension again. I need a way to block that IP from connecting to my asterisk server, please advise.

--- sip debug ---
Using INVITE request as basis request - 49f272293cd248d6174ceddf3eef1575 at 69.13.xx.xxx
Sending to 74.52.112.162 : 5060 (NAT)
Found user '211'
Reliably Transmitting (NAT) to 74.52.112.162:5060:
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 74.52.112.162:5060;branch=z9hG4bK3b28fa36;received=74.52.112.162;rport=5060
From: "ASLPLS" <sip:211 at 69.13.xx.xxx>;tag=as130a4d39
To: <sip:19037292454 at 69.13.xx.xxx>;tag=as0c69057b
Call-ID: 49f272293cd248d6174ceddf3eef1575 at 69.13.xx.xxx
CSeq: 103 INVITE
User-Agent: Asterisk PBX
llow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Contact: <sip:19037292454 at 69.13.xx.xxx>
Content-Length: 0
--- sip debug ---

That box is currently running Trixbox 1.2.3. I have iptables disabled. If anybody can give me a simple ruleset that allows all traffic except ip 74.52.112.162 to port 5060 I will really appreciate it.

Are there mechanisms in Asterisk to detect and automatically block these brute force attempts?
Brian J. Murrell
2008-Jun-30 16:26 UTC
[asterisk-users] sip extension compromised, need help blocking brute force attempts
On Mon, 2008-06-30 at 11:15 -0500, spectro wrote:
> I need a way to block that IP from connecting to my
> asterisk server, please advise.

netfilter. aka iptables.

b.
David Backeberg
2008-Jun-30 18:31 UTC
[asterisk-users] sip extension compromised, need help blocking brute force attempts
Do a reverse lookup on your attacker. Then find their ISP. Then file an abuse complaint.

On Mon, Jun 30, 2008 at 12:15 PM, spectro <spectro at gmail.com> wrote:
> Hello, yesterday one of the extensions on my asterisk server got
> compromised by a brute-force attack. The attacker used it to try to pull an
> identity theft scam, playing a recording from a bank: "your account has
> been blocked due to unusual activity, please call this number..."
>
> The attacker managed to make lots of calls for around 8 hours before I
> detected it and changed the password for that extension. As of this
> morning it is still attempting to brute force the password for that
> extension again. I need a way to block that IP from connecting to my
> asterisk server, please advise.
>
> --- sip debug ---
> Using INVITE request as basis request - 49f272293cd248d6174ceddf3eef1575 at 69.13.xx.xxx
> Sending to 74.52.112.162 : 5060 (NAT)
> Found user '211'
> Reliably Transmitting (NAT) to 74.52.112.162:5060:
> SIP/2.0 403 Forbidden
> Via: SIP/2.0/UDP 74.52.112.162:5060;branch=z9hG4bK3b28fa36;received=74.52.112.162;rport=5060
> From: "ASLPLS" <sip:211 at 69.13.xx.xxx>;tag=as130a4d39
> To: <sip:19037292454 at 69.13.xx.xxx>;tag=as0c69057b
> Call-ID: 49f272293cd248d6174ceddf3eef1575 at 69.13.xx.xxx
> CSeq: 103 INVITE
> User-Agent: Asterisk PBX
> llow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
> Contact: <sip:19037292454 at 69.13.xx.xxx>
> Content-Length: 0
> --- sip debug ---
>
> That box is currently running Trixbox 1.2.3. I have iptables disabled.
> If anybody can give me a simple ruleset that allows all traffic except
> ip 74.52.112.162 to port 5060 I will really appreciate it.
>
> Are there mechanisms in Asterisk to detect and automatically block
> these brute force attempts?
spectro
2008-Jun-30 18:56 UTC
[asterisk-users] sip extension compromised, need help blocking brute force attempts
On Mon, Jun 30, 2008 at 1:31 PM, David Backeberg <dbackeberg at gmail.com> wrote:
> Do a reverse lookup on your attacker.
> Then find their ISP.
> Then file an abuse complaint.

Already done; I also filed a report with the FBI cybercrime unit and set up iptables to block incoming traffic from that IP. My question is whether there is anything in asterisk to detect these brute-force attacks and take measures, like we can do with ssh brute-force attacks.
Mark Hamilton
2008-Jun-30 19:33 UTC
[asterisk-users] sip extension compromised, need help blocking brute force attempts
iptables -A INPUT -s 74.52.112.162 -j DROP

(The SIP traffic in your debug is UDP, so a rule restricted to -p tcp would not match it; dropping everything from that source covers both.)

Good luck.

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of spectro
Sent: June 30, 2008 12:15 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] sip extension compromised, need help blocking brute force attempts

Hello, yesterday one of the extensions on my asterisk server got compromised by a brute-force attack. The attacker used it to try to pull an identity theft scam, playing a recording from a bank: "your account has been blocked due to unusual activity, please call this number..."

The attacker managed to make lots of calls for around 8 hours before I detected it and changed the password for that extension. As of this morning it is still attempting to brute force the password for that extension again. I need a way to block that IP from connecting to my asterisk server, please advise.

--- sip debug ---
Using INVITE request as basis request - 49f272293cd248d6174ceddf3eef1575 at 69.13.xx.xxx
Sending to 74.52.112.162 : 5060 (NAT)
Found user '211'
Reliably Transmitting (NAT) to 74.52.112.162:5060:
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 74.52.112.162:5060;branch=z9hG4bK3b28fa36;received=74.52.112.162;rport=5060
From: "ASLPLS" <sip:211 at 69.13.xx.xxx>;tag=as130a4d39
To: <sip:19037292454 at 69.13.xx.xxx>;tag=as0c69057b
Call-ID: 49f272293cd248d6174ceddf3eef1575 at 69.13.xx.xxx
CSeq: 103 INVITE
User-Agent: Asterisk PBX
llow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Contact: <sip:19037292454 at 69.13.xx.xxx>
Content-Length: 0
--- sip debug ---

That box is currently running Trixbox 1.2.3. I have iptables disabled. If anybody can give me a simple ruleset that allows all traffic except ip 74.52.112.162 to port 5060 I will really appreciate it.

Are there mechanisms in Asterisk to detect and automatically block these brute force attempts?
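spectro asks for the SIP equivalent of the log-watching tools used against ssh brute force, and Mark's reply supplies the iptables rule. The script below, added here as an illustration and not code from anyone in the thread, ties the two together: it counts failed REGISTER attempts per source IP in Asterisk's log and emits port-5060 DROP rules for repeat offenders. The log format is assumed from the chan_sip NOTICE lines Asterisk 1.2/1.4 write to /var/log/asterisk/full, the sample lines are constructed (reusing the addresses from the thread), and the trusted-network range is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of /var/log/asterisk/full in the shape of the chan_sip
# NOTICE lines Asterisk 1.2/1.4 write on a failed REGISTER (assumed format; the
# attacker and masked PBX addresses are the ones from the thread, timestamps made up).
SAMPLE_LOG = """\
[Jun 30 09:01:02] NOTICE[2345] chan_sip.c: Registration from '"211" <sip:211@69.13.xx.xxx>' failed for '74.52.112.162' - Wrong password
[Jun 30 09:01:03] NOTICE[2345] chan_sip.c: Registration from '"211" <sip:211@69.13.xx.xxx>' failed for '74.52.112.162' - Wrong password
[Jun 30 09:01:04] NOTICE[2345] chan_sip.c: Registration from '"211" <sip:211@69.13.xx.xxx>' failed for '74.52.112.162' - Wrong password
[Jun 30 09:01:05] NOTICE[2345] chan_sip.c: Registration from '"212" <sip:212@69.13.xx.xxx>' failed for '74.52.112.162' - No matching peer found
[Jun 30 09:01:06] NOTICE[2345] chan_sip.c: Registration from '"301" <sip:301@69.13.xx.xxx>' failed for '192.168.1.50' - Wrong password
[Jun 30 09:01:07] NOTICE[2345] chan_sip.c: Registration from '"301" <sip:301@69.13.xx.xxx>' failed for '192.168.1.50' - Wrong password
[Jun 30 09:01:08] NOTICE[2345] chan_sip.c: Registration from '"301" <sip:301@69.13.xx.xxx>' failed for '192.168.1.50' - Wrong password
[Jun 30 09:01:09] VERBOSE[2345] logger.c:     -- Registered SIP '301' at 192.168.1.50 port 5060 expires 120
"""

FAILED_REGISTER = re.compile(
    r"Registration from '(?P<user>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})' - (?P<reason>.+)$")

# Phones in these networks are never auto-blocked: one mistyped password on a
# LAN handset must not lock out the whole office. Assumed local range.
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/16")]

def parse_failures(log_text):
    """Return (ip, user, reason) for every failed REGISTER line; other lines are ignored."""
    hits = (FAILED_REGISTER.search(line) for line in log_text.splitlines())
    return [(m["ip"], m["user"], m["reason"]) for m in hits if m]

def offenders(log_text, threshold=3):
    """Map untrusted source IP -> failure count, for IPs at or over the threshold."""
    counts = Counter(ip for ip, _, _ in parse_failures(log_text))
    return {ip: n for ip, n in counts.items()
            if n >= threshold
            and not any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)}

def block_rules(ips, port=5060):
    """iptables commands dropping SIP (UDP and TCP) from each IP; -I inserts
    them at the top of INPUT so they take effect before any ACCEPT rule."""
    return [f"iptables -I INPUT -s {ip} -p {proto} --dport {port} -j DROP"
            for ip in sorted(ips) for proto in ("udp", "tcp")]

if __name__ == "__main__":
    for rule in block_rules(offenders(SAMPLE_LOG)):
        print(rule)
```

Run periodically over the tail of the live log (from cron, or a loop around tail -F) and pipe the output to sh, this gives the watch-then-block behaviour the thread asks about; the 403 Forbidden responses in spectro's debug are the INVITE-side symptom of the same failed authentication.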