Forgive my ignorance on this as I am still fairly new to Asterisk.

I have noticed lately that there have been several attempts to hack our Asterisk server. I see multiple attempts to log in with a particular extension from the same IP address, perhaps hundreds of times per second. It causes the overhead to spike to ~100%. It is more of a pain in the ass than anything.

So far what I have been doing is adding a drop of this particular IP address to my iptables configuration. This makes that particular one stop and overhead drops back to normal.

What I would like to know is:

1. Has anyone else seen this?
2. What is the best way of prevention?

We are awaiting our Cisco firewall, but I can implement a software solution in the meantime (Shorewall).

So, I am wondering if anyone has a firewall/iptables statement that keeps out unauthorised users? No one seems to get in as we use really strong passwords. However, the attempts cause our Asterisk server to grind almost to a halt. I cannot even connect with a SIP phone when this happens.

Any words of wisdom for me?

Thanks!

Glen
On Sun, 28 Nov 2010, Silver Thorne wrote:

> I have noticed lately that there have been several attempts to hack our
> Asterisk server.
>
> So, I am wondering if anyone has a firewall/iptables statement that
> keeps out unauthorised users?

0) Read the list archives, this comes up weekly.

1) Determine who (in terms of external IP addresses) should be allowed to connect to your server.

2) Create a list of iptables commands to allow those IP addresses.

3) Deny everybody else.

4) Use 'fail2ban' or something similar to detect abusive addresses and block them, if only for an [hour|day|week] or so.

Even if you have 'mobile' users who 'need to connect from everywhere' you can probably define 'everywhere' a bit better, like 'not from North Korea' or 'not from Africa' -- with suitable apologies to readers from North Korea or Africa.

--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards       sedwards at sedwards.com      Voice: +1-760-468-3867 PST
Newline                                              Fax: +1-760-731-3000
If you do a search on the list postings for the past year, and even in the past 2 weeks, you will find much discussion on this topic.

Fail2Ban seems fairly effective.
Complex user names and passwords really help (assuming your hack attempts are with SIP).
sipvicious is most likely the hackers' tool of choice.
A couple of entries in your SIP general section will also help.
A default context that leads nowhere is advisable.
The attempt could only be the first of many to come, from different IP addresses.
Google is your friend.

John Novack

Silver Thorne wrote:
> Forgive my ignorance on this as I am still fairly new to Asterisk.
>
> I have noticed lately that there have been several attempts to hack
> our Asterisk server. I see multiple attempts to log in with a
> particular extension from the same IP address, perhaps hundreds of
> times per second. It causes the overhead to spike to ~100%. It is more
> of a pain in the ass than anything.
> So far what I have been doing is adding a drop of this particular IP
> address to my iptables configuration. This makes that particular one
> stop and overhead drops back to normal.
> What I would like to know is:
>
> 1. Has anyone else seen this?
> 2. What is the best way of prevention?
>
> We are awaiting our Cisco firewall, but I can implement a software
> solution in the meantime (Shorewall).
>
> So, I am wondering if anyone has a firewall/iptables statement that
> keeps out unauthorised users? No one seems to get in as we use really
> strong passwords. However, the attempts cause our Asterisk server to
> grind almost to a halt. I cannot even connect with a SIP phone when
> this happens.
>
> Any words of wisdom for me?
>
> Thanks!
>
> Glen
>

--
Dog is my Co-pilot
On 11/28/2010 12:03 PM, Silver Thorne wrote:
> So, I am wondering if anyone has a firewall/iptables statement that
> keeps out unauthorised users? No one seems to get in as we use really

http://jeremy.kister.net/code/iptables/

if you already have an iptables configuration, the "throttle" section is important. if not, the iptables.init script can likely drop in place.

if you only need north-american ip addresses to talk to your asterisk box, i suggest you also run the make-non-na.pl from cron every week.

--
Jeremy Kister
http://jeremy.kister.net./
On Sun, 28 Nov 2010, Jeremy Kister wrote:

> On 11/28/2010 12:03 PM, Silver Thorne wrote:
>> So, I am wondering if anyone has a firewall/iptables statement that
>> keeps out unauthorised users? No one seems to get in as we use really
>
> http://jeremy.kister.net/code/iptables/
>
> if you already have an iptables configuration, the "throttle" section is
> important. if not, the iptables.init script can likely drop in place.
>
> if you only need north-american ip addresses to talk to your asterisk
> box, i suggest you also run the make-non-na.pl from cron every week.
>

+1 Jeremy - these scripts, for NA PBXes, are perfect (and even without the heavy-handed blocking of the rest of the world, the iptables stuff is invaluable).

If I am digesting it correctly, this set of iptables rules does exactly what fail2ban would do, minus the logging, and without the overhead of a scripting language, correct?

Love it!

j
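Steve's step 4 and the last reply both lean on fail2ban-style detection. As an added illustration (not code from this thread, from fail2ban, or from Jeremy's scripts), here is the core of what such a jail computes: count failed SIP registrations per source address inside a sliding time window over Asterisk log lines, then turn the sources that cross the threshold into iptables DROP rules while never blocking an allowlist of known-good addresses (Steve's steps 1 and 2). The log line layout, addresses and timestamps are constructed samples in the style of chan_sip NOTICE messages, not a real capture.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches a chan_sip registration failure (assumed layout, see lead-in; adjust FAIL_RE to your logs).
FAIL_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from .* failed for '(?P<ip>[\d.]+)' - (?P<reason>.+)$"
)

def _line(ts, ip, reason="Wrong password"):
    """Build one constructed log line (sample data, not a real capture)."""
    return (f"[Nov 28 {ts}] NOTICE[2231] chan_sip.c: Registration from "
            f"'\"100\" <sip:100@203.0.113.9>' failed for '{ip}' - {reason}")

# Constructed sample: one source fails six times in ten seconds, another fails twice 85 s apart,
# plus an unrelated NOTICE that must not be counted.
SAMPLE_LOG = "\n".join(
    [_line(f"12:03:{s:02d}", "198.51.100.7") for s in range(0, 12, 2)]
    + [_line("12:03:05", "192.0.2.44", "No matching peer found"), _line("12:04:30", "192.0.2.44")]
    + ["[Nov 28 12:03:07] NOTICE[2231] chan_sip.c: Peer '200' is now Reachable. (12ms / 2000ms)"]
)

def find_abusers(log_text, max_fails=5, window_s=60, year=2010):
    """Return {ip: time the threshold was crossed} for every source with at least
    max_fails failures inside a sliding window of window_s seconds (per-IP lines in time order)."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)      # ip -> timestamps of failures still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m or m["ip"] in banned:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog stamps carry no year
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:    # discard failures that have aged out of the window
            q.popleft()
        if len(q) >= max_fails:
            banned[m["ip"]] = ts
    return banned

def ban_commands(banned, allowlist=frozenset()):
    """iptables commands a ban action would run; allowlisted (known-good) sources are never blocked."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP"
            for ip in sorted(banned) if ip not in allowlist]
```

At the hundreds-of-attempts-per-second rate Glen describes, a log-driven ban like this only reacts after Asterisk has already processed the failed attempts, which is the gap the "throttle" rules in Jeremy's reply are meant to close.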