I have a honey pot box with extensions that are not just numbers, e.g.:

100-MySipUserName

And the passwords are from an openssl generated password, e.g.:

Gq5VNIjDFWIQoUT6

However, this one extension keeps getting hacked and showing up on a different IP address. It is also registered on an AudioCodes MP-118. I wanted to know if anyone else ran into this and if it's a vulnerability on the MP-118 or with Asterisk.

Thanks,
-E
On Thu, Jan 19, 2012 at 8:36 PM, eherr <email.eherr9633 at gmail.com> wrote:
> I have a honey pot box with extensions that are not just numbers, e.g.:
>
> 100-MySipUserName

I have the same problem and I use contactpermit with specific IP blocks! I know for a fact I'm getting hijacked by SIPVicious on extension 100 but I can't understand how because I don't even have an extension 100 declared anywhere. I would like to know how to block this MF because he makes calls at 1-2 AM.

--
Alejandro Imass
Alejandro Imass wrote 20.01.2012 18:09:
> I would like to know how to block this MF because he makes calls at 1-2 AM

I use this construction on my servers:

[users]
exten => _XXX,1,GotoIfTime(1:00-2:00,*,*,*?block,1,1)

[block]
exten => _X.,1,HangUp(1)

--
With Best Regards
Mikhail Lischuk
Rate limiting (google) via iptables FTW! Good luck!

----- Original message -----
> Alejandro Imass wrote 20.01.2012 18:09:
> > I would like to know how to block this MF because he makes calls at 1-2 AM
>
> I use this construction on my servers:
>
> [users]
> exten => _XXX,1,GotoIfTime(1:00-2:00,*,*,*?block,1,1)
>
> [block]
> exten => _X.,1,HangUp(1)
>
> --
> With Best Regards
> Mikhail Lischuk
On 20/01/2012 9:36 AM, eherr wrote:
> I have a honey pot box with extensions that are not just numbers, e.g.:
>
> 100-MySipUserName
>
> And the passwords are from an openssl generated password, e.g.:
>
> Gq5VNIjDFWIQoUT6

Is the password stored in sip.conf in plain text or as an MD5? If it is stored in plain text then it may suggest the hijacker has greater access to your system than you realise.

My 2-cents worth.
Can you please elaborate on rate limiting. Not how to implement it but rather how the implementation is beneficial. Reading up on it, it appears that it just checks the TCP connections and denies the connection if the limit is passed. In my thoughts, this is essentially a live fail2ban monitor in respect to attempted authentications.

Thanks,
--E

From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Jim DeVito
Sent: Saturday, January 21, 2012 12:02 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Sip Registration Hijacking

> Rate limiting (google) via iptables FTW! Good luck!
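Jim's iptables suggestion and the fail2ban comparison in this reply describe the same mechanism: count authentication failures per source address inside a time window and drop the source once it crosses a threshold. The script below is an added example for this thread, not code from any of the posters or from the Asterisk project. It assumes the Asterisk 1.8-era chan_sip NOTICE line format for failed registrations ("Registration from '...' failed for 'IP:port' - reason") with the default "[Mon DD HH:MM:SS]" timestamp; the log lines embedded in it are constructed, the maxretry/findtime thresholds are illustrative, and the iptables DROP rule it produces is rendered as text, not executed. It also counts which account names the failures target, since the thread's question is why one particular extension keeps being hit.

```python
"""
Fail2ban-style detector for failed SIP registrations in an Asterisk log.

Added example for this thread, not code from the list posters or from the
Asterisk project. Assumptions: Asterisk 1.8-era chan_sip NOTICE lines of the
form "Registration from '<caller>' failed for 'IP:port' - <reason>" with the
default "[Mon DD HH:MM:SS]" timestamp; thresholds mirror fail2ban's
maxretry/findtime idea; the sample log lines below are constructed.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# One failed REGISTER as chan_sip logs it at NOTICE level in the messages log.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>\d+(?:\.\d+){3}):\d+' - (?P<reason>.*)$"
)
# The user part of the From header, e.g. "100" in <sip:100@192.0.2.10>.
FROM_USER = re.compile(r"sip:([^@>]+)@")

# Constructed sample: a scanner hammering extension 100 (which does not exist
# on this box) plus a legitimate phone that mistypes its password a few times
# spread over an hour. The VERBOSE line is not a failure and must be ignored.
SAMPLE_LOG = """\
[Jan 19 01:12:03] NOTICE[2214] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.7:5060' - No matching peer found
[Jan 19 01:12:04] NOTICE[2214] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.7:5060' - No matching peer found
[Jan 19 01:12:05] NOTICE[2214] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.7:5060' - No matching peer found
[Jan 19 01:12:06] NOTICE[2214] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.7:5060' - No matching peer found
[Jan 19 01:30:00] NOTICE[2214] chan_sip.c: Registration from '"203-Joes_Insurance_Service" <sip:203-Joes_Insurance_Service@192.0.2.10>' failed for '198.51.100.4:5060' - Wrong password
[Jan 19 01:35:00] NOTICE[2214] chan_sip.c: Registration from '"203-Joes_Insurance_Service" <sip:203-Joes_Insurance_Service@192.0.2.10>' failed for '198.51.100.4:5060' - Wrong password
[Jan 19 02:40:00] NOTICE[2214] chan_sip.c: Registration from '"203-Joes_Insurance_Service" <sip:203-Joes_Insurance_Service@192.0.2.10>' failed for '198.51.100.4:5060' - Wrong password
[Jan 19 02:41:00] VERBOSE[2214] chan_sip.c: -- Registered SIP '203-Joes_Insurance_Service' at 198.51.100.4:5060
"""


def parse_line(line):
    """Return {ts, ip, user, reason} for a failed-registration line, else None."""
    m = FAILED_REG.match(line)
    if not m:
        return None
    user = FROM_USER.search(m.group("from"))
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "ip": m.group("ip"),
        "user": user.group(1) if user else "?",
        "reason": m.group("reason"),
    }


def scan(log_text, maxretry=3, findtime=600):
    """Sliding-window count of failures per source IP.

    A source is banned once it produces `maxretry` failures within `findtime`
    seconds. Returns (banned: {ip: time the threshold was reached},
    targeted: Counter of account names the failures were aimed at).
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned = {}
    targeted = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                # not a registration failure
        targeted[ev["user"]] += 1   # which accounts are being guessed at
        if ev["ip"] in banned:
            continue                # already decided for this source
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()             # forget failures older than findtime
        if len(q) >= maxretry:
            banned[ev["ip"]] = ev["ts"]
    return banned, targeted


def iptables_rules(banned, port=5060):
    """Render (do not execute) one DROP rule per banned source for the SIP UDP port."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP"
            for ip in sorted(banned)]


if __name__ == "__main__":
    banned, targeted = scan(SAMPLE_LOG)
    for ip, when in banned.items():
        print(f"ban {ip} (threshold reached at {when:%b %d %H:%M:%S})")
    print("most-targeted accounts:", targeted.most_common(3))
    print("\n".join(iptables_rules(banned)))
```

With the defaults, only the scanner address is banned: the legitimate phone's three failures span more than ten minutes, so its window never holds three entries. Widening findtime to two hours would ban it too, which is the trade-off the thread is circling around: the stricter the window, the more a real user who fat-fingers a password ends up dropped along with the scanner. The same logic is what an iptables `recent`/`hashlimit` rule approximates at the packet level, without seeing whether the REGISTER actually failed.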
This is actually an interesting concept, however I do think I want to restrict dialing during a specific time period. If someone is in the office, I would have to reprogram the route to allow dialing, which adds overhead. Again, I do like the concept though.

Thanks,
--E

From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Mikhail Lischuk
Sent: Friday, January 20, 2012 7:42 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Sip Registration Hijacking

> Alejandro Imass wrote 20.01.2012 18:09:
> > I would like to know how to block this MF because he makes calls at 1-2 AM
>
> I use this construction on my servers:
>
> [users]
> exten => _XXX,1,GotoIfTime(1:00-2:00,*,*,*?block,1,1)
>
> [block]
> exten => _X.,1,HangUp(1)
>
> --
> With Best Regards
> Mikhail Lischuk <mailto:mlischuk at itx.com.ua>
I appreciate your 2-cents worth. However, I do not believe they have access to the machine. If so, they are clever to create three failures in the logs for my benefit before entering the correct one for hijacking. Additionally, I have a lot of SIP extensions to hijack and he keeps going for the same one. I was hoping this was something with the MP-118 and someone experienced the same thing with that device. Either way, I posed two questions which are still unanswered and probably I will never get answered:

1 - is this a vulnerability in the MP-118
2 - what method could they possibly be using to hijack a number-alpha extension which is creative to begin with, e.g. 203-Joes_Insurance_Service, with an openssl generated password of 12 characters.

Thanks,
--E

From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Larry Moore
Sent: Saturday, January 21, 2012 1:34 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Sip Registration Hijacking

> Is the password stored in sip.conf in plain text or as an MD5? If it is stored in plain text then it may suggest the hijacker has greater access to your system than you realise.
>
> My 2-cents worth.
On 20/01/12 01:36, eherr wrote:
> It is also registered on an AudioCodes MP-118.
>
> Thanks,
>
> -E

Is the Audiocodes gateway accessible online? Have you set a strong password for its web interface (and CLI if it has one)? It is possible someone is breaking into that and getting the SIP password out of it.

cheers,
Paul.