My main asterisk server is under unusual heavy attack, and so far Fail2Ban has blocked about 30 IPs, from various different countries. At this time it is blocking about 1 IP address every few minutes.

Just wondering if anybody else is also experiencing unusually increased hack attempts today?

Zeeshan A Zakaria
--
www.ilovetovoip.com
www.pbxforall.com (beta)

Me too.

From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Zeeshan Zakaria
Sent: Saturday, October 30, 2010 11:29 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] Under heavy attack

My main asterisk server is under unusual heavy attack, and so far Fail2Ban has blocked about 30 IPs, from various different countries. At this time it is blocking about 1 IP address every few minutes.

Just wondering if anybody else is also experiencing unusually increased hack attempts today?

Zeeshan A Zakaria
--
www.ilovetovoip.com<http://www.ilovetovoip.com>
www.pbxforall.com<http://www.pbxforall.com> (beta)

I'm experiencing this on one of my clients servers. The attack is ongoing.

Thanks,
--Warren Selby

On Oct 30, 2010, at 2:28 PM, Zeeshan Zakaria <zishanov at gmail.com> wrote:

> My main asterisk server is under unusual heavy attack, and so far Fail2Ban has blocked about 30 IPs, from various different countries. At this time it is blocking about 1 IP address every few minutes.
>
> Just wondering if anybody else is also experiencing unusually increased hack attempts today?
>
> Zeeshan A Zakaria
>
> --
> www.ilovetovoip.com
> www.pbxforall.com (beta)

On Sat, 2010-10-30 at 14:28 -0400, Zeeshan Zakaria wrote:

> My main asterisk server is under unusual heavy attack, and so far
> Fail2Ban has blocked about 30 IPs, from various different countries.
> At this time it is blocking about 1 IP address every few minutes.
>
> Just wondering if anybody else is also experiencing unusually
> increased hack attempts today?

Just 30? I got 1593 different IPs on my personal blacklist who constantly are looking if I may lower my guards. Though 82.101.63.5 and 132.68.58.60 are rather busy tonight...

hw

They have agreements for termination to locations with high rates. These types of attacks happen on servers that fit a digital signature, with certain ports or certain versions of software on those ports. Yes, the Art of War is required reading for today's systems administration professionals... Change your signature, change your ports.

> What are they after, anyway? Merely cheap international calls?
>
> --
> Tzafrir Cohen

On 30 October 2010 19:28, Zeeshan Zakaria <zishanov at gmail.com> wrote:

> My main asterisk server is under unusual heavy attack, and so far Fail2Ban
> has blocked about 30 IPs, from various different countries. At this time it
> is blocking about 1 IP address every few minutes.
>
> Just wondering if anybody else is also experiencing unusually increased
> hack attempts today?
>
> Zeeshan A Zakaria
>
> --
> www.ilovetovoip.com
> www.pbxforall.com (beta)

Good Morning.

Certainly some kind of very slow DDOS attack. I'm blocking at IPTABLES level. Strange thing is even after I DROP the REGISTER attempts they keep on trying which is unusual. We have a number of Asterisk & Kamailio boxes on the same subnet and it's only targeting 1 Asterisk box.

IP's so far if anyone wants to block them before they start on your SIP device:

Regards
Brian

On Oct 30, 2010, at 2:28 PM, Zeeshan Zakaria wrote:

> My main asterisk server is under unusual heavy attack, and so far
> Fail2Ban has blocked about 30 IPs, from various different countries.
> At this time it is blocking about 1 IP address every few minutes.
>
> Just wondering if anybody else is also experiencing unusually
> increased hack attempts today?
>
> Zeeshan A Zakaria

It's been an extremely busy day for the exploiters. I moved my phone system from one circuit that I have (10Mb) to another that is behind a firewall (100Mb) and the fail2ban alerts are all gone. I'm not really concerned that someone will determine the passwords, as I use the phones' serial numbers to determine that. But still, very irritating to see so many attempts at exploiting my phone system.

fail2ban is nice, but I recommend you put your system behind a firewall and only allow necessary connections. pfsense is doing the trick for me.

- Niles

Unsuccessful attempts are recorded, however SIP-s is not easily doable on Asterisk 1.4. I tried once without any success. Maybe somebody who has successfully implemented it can write a little how-to on it.

Zeeshan A Zakaria
--
www.ilovetovoip.com
www.pbxforall.com (beta)

On 2010-11-01 4:48 AM, "Hans Witvliet" <hwit at a-domani.nl> wrote:

> On Sun, 2010-10-31 at 11:39 -0600, Joel Maslak wrote:
> > To guess an 8 character (which is short) pas...
>
> Perhaps this is good enough reason for starting to use SIP-s (using TLS) with large (>= 2K) keys. Should be safe enough, I think. Snom seems to be capable of handling it, so can Asterisk 1.6.x
>
> Any unsuccessful register attempt should add the offending address to your own blacklist (for iptables)
>
> hw

I just wanted to add my voice to this "attack". I saw this morning that I had 200+ distinct IPs since the weekend. I used a small Perl script that blocks failed usernames and passwords at iptables level, which I found this morning: http://www.teamforrest.com/blog/171/asterisk-no-matching-peer-found-block/

Regards,

> My main asterisk server is under unusual heavy attack, and so far Fail2Ban has blocked about 30 IPs, from various different countries. At this time it is blocking about 1 IP address every few minutes.
>
> Just wondering if anybody else is also experiencing unusually increased hack attempts today?
>
> Zeeshan A Zakaria
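
The approach several posters describe (putting the source of failed REGISTER attempts on an iptables blacklist), as an added example that is not part of any message in this thread or of the linked Perl script: it counts failed registrations per source address in Asterisk log lines and renders DROP rules for review. The chan_sip log line format, the `dateformat`, the thresholds, and the names `offenders` and `iptables_rules` are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed chan_sip log format (logger.conf dateformat=%F %T). The From header is remote-
# controlled text, so the greedy '.*' anchors on the LAST "failed for" (added by Asterisk).
FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '.*' "
    r"failed for '(?P<src>[^']+)' - (?P<reason>.+)$"
)

# Constructed sample lines; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
[2010-10-30 18:20:01] NOTICE[2101] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2010-10-30 18:20:09] NOTICE[2101] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2010-10-30 18:20:17] NOTICE[2101] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2010-10-30 18:21:00] NOTICE[2101] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.23' - Wrong password
[2010-10-30 18:22:01] NOTICE[2101] chan_sip.c: Registration from '"x' failed for '192.0.2.50' - y" <sip:x@192.0.2.10>' failed for '203.0.113.99' - Wrong password
[2010-10-30 18:22:02] NOTICE[2101] chan_sip.c: Registration from '"x' failed for '192.0.2.50' - y" <sip:x@192.0.2.10>' failed for '203.0.113.99' - Wrong password
[2010-10-30 18:22:03] NOTICE[2101] chan_sip.c: Registration from '"x' failed for '192.0.2.50' - y" <sip:x@192.0.2.10>' failed for '203.0.113.99' - Wrong password
"""

def offenders(log_text, max_failures=3, window_s=600, allow=()):
    """Return sorted IPv4 sources with >= max_failures failed REGISTERs within window_s."""
    allowed = [ipaddress.ip_network(n) for n in allow]  # own phones, trunks, admin hosts
    recent, flagged = defaultdict(deque), set()
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if not m:
            continue
        try:  # newer versions log 'ip:port'; anything that is not IPv4 is skipped
            ip = ipaddress.IPv4Address(m["src"].rsplit(":", 1)[0])
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # never pass unvalidated log text on to a firewall command
        if any(ip in net for net in allowed):
            continue
        hits = recent[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window_s:
            hits.popleft()  # sliding window; assumes the log is in time order
        if len(hits) >= max_failures:
            flagged.add(ip)
    return [str(ip) for ip in sorted(flagged)]

def iptables_rules(ips):
    """Render DROP rules as text for review; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP" for ip in ips]
```

The last three sample lines carry a From header that imitates the log suffix; the parser still attributes them to the address Asterisk recorded, so 192.0.2.50 is never flagged.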