Hi

We've just noticed attempts (close to 200000 attempts, sequential peer
numbers) at guessing peers on 2 of our servers and thought I'd share the
originating IPs with the list in case anyone wants to firewall them as we
have done

109.170.106.59
112.142.55.18
124.157.161.67

Ish
--
Ishfaq Malik
Software Developer
PackNet Ltd

Office: 0161 660 3062

On Thu, Jul 1, 2010 at 9:16 AM, Ishfaq Malik <ish at pack-net.co.uk> wrote:
> Hi
>
> We've just noticed attempts (close to 200000 attempts, sequential peer
> numbers) at guessing peers on 2 of our servers and thought I'd share the
> originating IPs with the list in case anyone wants to firewall them as we
> have done
>
> 109.170.106.59
> 112.142.55.18
> 124.157.161.67
>
> Ish

We have noticed the same sort of activity on our server. The originating IP
addresses attempting access were:

204.9.204.145 (hosted at U.S. Colo, I believe)
91.203.132.149 (Nephax)
130.70.157.186 (University of Louisiana)
61.160.121.46 (Chinanet)
109.170.0.10 (ReasonUP Ltd)

--
John Timms
IT Department - Gnoso Inc.
john at gnoso.com

On Friday 02 Jul 2010, Tim Nelson wrote:
> ----- "A J Stiles" <asterisk_list at earthshod.co.uk> wrote:
> > On Friday 02 Jul 2010, Ira wrote:
> > > At 11:14 PM 7/1/2010, you wrote:
> > > >Same activity from these IPs:
> > > >174.129.137.135
> > >
> > > Given that my Asterisk box is used for nothing but Asterisk and I
> > > know the small number of IPs that need to have access is there an
> > > easy way to use iptables to block everything but those 6 IPs and
> > > provider addresses?
> >
> > Yes, dead easy! Just configure iptables to accept IAX traffic (TCP
> > and UDP port 4569) only from trusted IP addresses, and drop it from
> > anywhere else.
> > [ stuff omitted ]
>
> IAX is UDP only, not TCP. Also, what if he's using SIP (UDP/5060) for
> connectivity to the outside world? He'll need rules for this, in addition
> to RTP media (typically UDP/10000-20000)...

OK, so you might not need the lines with -p tcp in them; I was just being
efficient (i.e., cribbing from an old config file that has worked for me
since forever).

All the setups on which I've worked have used SIP on the inside, and IAX on
the outside. That way, you don't need so many ports open -- and you avoid
the 'mare that is funnelling telephony through NAT. (See also FTP and fax.)

If you need other ports open, the same general principles apply. Read the
iptables man page, look at other people's firewall scripts; and most
importantly of all, make sure you have a keyboard and monitor plugged into
the machine; because one day, you *will* accidentally block port 22 from
0.0.0.0/0.

--
AJS
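
Added example, not part of any message in this thread: a shell function that prints (but does not apply) iptables commands for the allowlist approach discussed in the last message, using the ports named there (IAX2 UDP/4569, SIP UDP/5060, RTP UDP/10000-20000). The function names and the sample addresses (documentation ranges) are assumptions.

```sh
#!/bin/sh
# Added example: prints iptables commands, applies nothing. Review the output,
# then run it as root. Only UDP VoIP ports are matched, so SSH (tcp/22) is untouched.
# Ports are the ones named in the thread: IAX2, SIP, RTP range.
VOIP_PORTS="4569 5060 10000:20000"

# Succeeds only for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_source() {
    case "$1" in ''|*[!0-9./]*) return 1 ;; esac   # digits, dots, slash only
    addr=${1%%/*}
    case "$addr" in ''|*.) return 1 ;; esac        # no empty or trailing-dot address
    case "$1" in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] 2>/dev/null || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr            # split on dots into $1..$n
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

# Args: trusted peers and provider addresses (IPv4, optional CIDR prefix).
gen_voip_rules() {
    [ $# -ge 1 ] || { echo "usage: gen_voip_rules SOURCE..." >&2; return 1; }
    # Validate everything first so a typo never yields a half-written ruleset.
    for src in "$@"; do
        valid_source "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    for port in $VOIP_PORTS; do
        # ACCEPT rules must precede the DROP: the first matching rule decides.
        for src in "$@"; do
            echo "iptables -A INPUT -s $src -p udp --dport $port -j ACCEPT"
        done
        echo "iptables -A INPUT -p udp --dport $port -j DROP"
    done
}

# Constructed sample input (documentation address ranges, not from the thread).
gen_voip_rules 192.0.2.10 198.51.100.0/24
```

Because `-A` appends, these rules only take effect if no earlier INPUT rule already accepts the same traffic; the provider's signalling and media addresses have to be in the argument list or calls through the provider will be dropped.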