Zeeshan Zakaria
2009-Mar-24  01:11 UTC
[asterisk-users] Is there a public blacklist of hackers' IP addresses?
Hi,

In the last week I have seen two servers of our organization successfully hacked and some others under attack from other IP addresses. We would block one IP address on our firewall and after a few hours they would start getting hits from another IP address. When I checked them on whois.net, they all were from Amsterdam. Surprisingly, I once had a similar attack in the past and it was also from an Amsterdam IP address. And they all belong to the same organization.

Seems like somebody in Amsterdam is really active in trying to hack asterisk servers around the world.

I was wondering if somebody maintains a list of these IP addresses which everybody can block in their firewalls. And is there a place I can publish these IP addresses?

Thanks

--
Zeeshan A Zakaria
randulo
2009-Mar-24  06:55 UTC
[asterisk-users] Is there a public blacklist of hackers' IP addresses?
On Tue, Mar 24, 2009 at 2:11 AM, Zeeshan Zakaria <zishanov at gmail.com> wrote:
> I was wondering if somebody maintains a list of these IP addresses which
> everybody can block in their firewalls. And is there a place I can publish
> these IP addresses?

We were just talking about this and I remembered this organization:

http://mynetwatchman.com/

There may be some ideas here for those of you who were interested in the recent discussion about ip filtering etc.

/r
Tilghman Lesher
2009-Mar-24  07:10 UTC
[asterisk-users] Is there a public blacklist of hackers' IP addresses?
On Monday 23 March 2009 20:11:45 Zeeshan Zakaria wrote:
> Hi,
>
> In the last week I have seen two servers of our organization successfully
> hacked and some others under attack from other IP addresses. We would
> block one IP address on our firewall and after a few hours, they would
> start getting hits from another IP address. When I checked them on
> whois.net, they all were from Amsterdam. Surprisingly, I once had a similar
> attack in the past and it was also from an Amsterdam IP address. And they
> all belong to the same organization.
>
> Seems like somebody in Amsterdam is really active in trying to hack
> asterisk servers around the world.
>
> I was wondering if somebody maintains a list of these IP addresses which
> everybody can block in their firewalls. And is there a place I can publish
> these IP addresses?

There are 4 billion possible IP addresses. To successfully block all possible hackers, you must block 4 billion of them. Seriously. Even your own computer is a possible source of hacking to other locations.

--
Tilghman
Gordon Henderson
2009-Mar-24  09:55 UTC
[asterisk-users] Is there a public blacklist of hackers' IP addresses?
On Mon, 23 Mar 2009, Zeeshan Zakaria wrote:
> Hi,
>
> In the last week I have seen two servers of our organization successfully
> hacked and some others under attack from other IP addresses. We would
> block one IP address on our firewall and after a few hours, they would start
> getting hits from another IP address. When I checked them on whois.net,
> they all were from Amsterdam. Surprisingly, I once had a similar attack in the
> past and it was also from an Amsterdam IP address. And they all belong to the
> same organization.
>
> Seems like somebody in Amsterdam is really active in trying to hack asterisk
> servers around the world.

Are you willing to share details of the hack? E.g. did they gain root access to the server? Did they exploit a bug in the web server to run code? Did they guess SIP username/password combinations? Or something else?

Gordon
Wilton Helm
2009-Mar-24  17:27 UTC
[asterisk-users] Is there a public blacklist of hackers' IP addresses?
If life were only that simple. A lot of hacking passes through unsuspecting intermediary computers, precisely to hide their tracks, not to mention IP spoofing. People have offered for sale access to 10,000 computers to use for propagating mischief. That's a lot of IPs to block!

I got hacked about six months ago. They came in through SSH and figured out root's password, which was a concatenation of two English words. I presume they did a dictionary search. Then they changed the password, replaced some key files and launched a denial of service attack against somebody (including compiling the program on my machine)! I traced the IP address to a Comcast customer in Indiana or something and notified Comcast, but haven't heard anything. Probably their customer never even knew it happened--it was probably a hijacked situation. Prior to that I had been logging hundreds of robotic attacks a day that were unsuccessful!

I re-installed everything and changed my SSH to a non-standard port and used a more robust password. I haven't had a single hack attempt in the four months since. For my purposes, I don't really need SSH on a standard port. That made all the difference in the world.

Two areas that have had large hacker presences in the past: Russia and China. A lot of E-Mail spam originates in those two areas, also. I've considered blocking the entire host domain for any provider generating spam from those regions, as I have no legitimate business need to correspond with people in those regions in general. However, I suspect it might block messages from a few users on this list, and I know it would block at least one user from another list I am on.

Wilton
Heath Roberts
2009-Mar-26  16:07 UTC
[asterisk-users] Is there a public blacklist of hackers' IP addresses?
On Mon, Mar 23, 2009 at 9:11 PM, Zeeshan Zakaria <zishanov at gmail.com> wrote:
> I was wondering if somebody maintains a list of these IP addresses which
> everybody can block in their firewalls. And is there a place I can publish
> these IP addresses?

Are you familiar with denyhosts or blockhosts? Denyhosts is mostly used with ssh, but I think the same concept could be used with asterisk.

--
Heath Roberts
htroberts at gmail.com
asterisk at lists.bod.org
2009-Mar-26  18:41 UTC
[asterisk-users] Is there a public blacklist of hackers' IP addresses?
I highly recommend http://www.dshield.org. A large community submits their logs to dshield on a regular basis (most do it hourly). dshield then makes aggregate information available, including worst offenders, etc. You can also query for the number of reported attacks originating from a given IP address.

http://www.threatstop.com/ is a commercial service that aggregates threat info from dshield and other services to produce a list of IP subnets to block. I used them during their beta period, but when they launched, the pricing was a bit high for a 'home' user.

Also useful: the geoip netfilter module in xtables-addons (http://xtables-addons.sourceforge.net/) for linux distributions. This allows you to write firewall rules that depend on the country of the originating IP address. Great way to cut out a lot of SSH attempts from countries you don't reside in (like a lot of cruft I get from China, Russia and the Netherlands).

fail2ban is a good tool for monitoring logged security violations and banning IPs based on repeat offenders. If I remember correctly it's a little more broad in the logs it reacts to than sshdfilter is (mentioned in another post). Either one is much better than nothing :) Using geoip in your netfilter rules will drastically reduce the number of attacks, so they make a good combo.

A more advanced technique is to set up a 'firewall' virtual machine on your machine that handles your public IP address(es). Use a stripped down 'firewall' distribution with only the binaries it needs to be a firewall (no dev tools, perl, python, etc.). Run a few proxies for the few services that must be exposed (e.g. SMTP), and filter those heavily too (e.g. by using geoip mentioned above). Even if that virtual machine is compromised, there's no interesting info available and little to damage (plus it's easy to restore from a backup image kept on the host). I've just started setting up something like this using KVM (kernel virtual machine), running an instance of OpenWRT.

Paul

Zeeshan Zakaria wrote:
> Hi,
>
> In the last week I have seen two servers of our organization
> successfully hacked and some others under attack from other IP
> addresses. We would block one IP address on our firewall and after a
> few hours, they would start getting hits from another IP address.
> When I checked them on whois.net <http://whois.net>, they all were
> from Amsterdam. Surprisingly, I once had a similar attack in the past
> and it was also from an Amsterdam IP address. And they all belong to
> the same organization.
>
> Seems like somebody in Amsterdam is really active in trying to hack
> asterisk servers around the world.
>
> I was wondering if somebody maintains a list of these IP addresses
> which everybody can block in their firewalls. And is there a place I
> can publish these IP addresses?
>
> Thanks
>
> --
> Zeeshan A Zakaria
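Heath's suggestion of applying the denyhosts idea to Asterisk and Paul's mention of fail2ban banning repeat offenders both come down to the same loop: parse failed-registration notices out of the Asterisk log, count them per source address inside a sliding time window, and emit a firewall rule once a threshold is crossed. The script below is an added example illustrating that loop; it is not code from this thread, from fail2ban or from denyhosts. It assumes log lines in the style of Asterisk 1.4/1.6 chan_sip "Registration from ... failed for ..." notices (the sample lines are constructed, with documentation-range addresses), assumes the log year since the Asterisk timestamp omits it, and borrows the option names maxretry/findtime/bantime from fail2ban's jail configuration only for readability.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, in the style of Asterisk 1.4/1.6 chan_sip notices.
# 203.0.113.7 fails three times within seconds; 198.51.100.9 fails once;
# 192.0.2.44 fails three times but spread over 15 minutes.
SAMPLE_LOG = """\
[Mar 23 20:01:02] NOTICE[2201] chan_sip.c: Registration from '"100"<sip:100@10.0.0.5>' failed for '203.0.113.7' - Wrong password
[Mar 23 20:01:03] NOTICE[2201] chan_sip.c: Registration from '"101"<sip:101@10.0.0.5>' failed for '203.0.113.7' - No matching peer found
[Mar 23 20:01:03] VERBOSE[2201] logger.c:     -- Registered SIP '200' at 10.0.0.20 port 5060
[Mar 23 20:01:04] NOTICE[2201] chan_sip.c: Registration from '"102"<sip:102@10.0.0.5>' failed for '203.0.113.7:5060' - Wrong password
[Mar 23 20:01:04] NOTICE[2201] chan_sip.c: Registration from '"103"<sip:103@10.0.0.5>' failed for '203.0.113.7' - Wrong password
[Mar 23 20:03:10] NOTICE[2201] chan_sip.c: Registration from '"200"<sip:200@10.0.0.5>' failed for '198.51.100.9' - Wrong password
[Mar 23 20:05:00] NOTICE[2201] chan_sip.c: Registration from '"300"<sip:300@10.0.0.5>' failed for '192.0.2.44' - Wrong password
[Mar 23 20:12:00] NOTICE[2201] chan_sip.c: Registration from '"300"<sip:300@10.0.0.5>' failed for '192.0.2.44' - Wrong password
[Mar 23 20:20:00] NOTICE[2201] chan_sip.c: Registration from '"300"<sip:300@10.0.0.5>' failed for '192.0.2.44' - Wrong password
"""

# Matches the failure notice; newer chan_sip versions append ':port' to the
# address, so an optional port is accepted and discarded.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.*)$"
)


def parse_failures(log_text, year=2009):
    """Yield (timestamp, source_ip) for each failed-registration notice.

    Asterisk's default timestamp has no year, so one is assumed (parameter).
    Lines that are not failure notices are ignored.
    """
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
            yield ts, m.group("ip")


def find_offenders(log_text, maxretry=3, findtime=600, bantime=3600):
    """Return {ip: ban_expiry} for addresses with >= maxretry failures
    inside any findtime-second window (fail2ban-style option names, assumed).

    Failures arriving while an address is already banned are ignored, which
    is what a firewall DROP would cause in practice.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}                     # ip -> datetime at which the ban expires
    for ts, ip in parse_failures(log_text):
        if ip in bans and ts < bans[ip]:
            continue
        window = recent[ip]
        window.append(ts)
        cutoff = ts - timedelta(seconds=findtime)
        while window and window[0] < cutoff:   # slide the window forward
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans


def firewall_rules(bans):
    """Render one iptables DROP rule per banned address (the usual ban action).

    Returned as strings for review or logging; nothing is executed here.
    """
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(bans)]


if __name__ == "__main__":
    banned = find_offenders(SAMPLE_LOG)
    for ip, expiry in sorted(banned.items()):
        print(f"{ip} banned until {expiry:%Y-%m-%d %H:%M:%S}")
    for rule in firewall_rules(banned):
        print(rule)
```

With the defaults only 203.0.113.7 is banned: its third failure lands two seconds after the first. 192.0.2.44 also fails three times, but its first failure has already slid out of the 600-second window by the time the third arrives, so it is left alone; raising findtime to 1200 seconds catches it too. That window is the knob that separates a brute-force run from a user who mistypes a password a few times an hour.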