Brynjolfur Thorvardsson
2014-Feb-20 11:27 UTC
[asterisk-users] Hacking attempt, Asterisk 1.4
Hi all

We have an Asterisk server that's been running for a few years now without problems. We have IPTables running, as well as fail2ban, and have followed all the security recommendations we have found.

Every few weeks we get an attack that lasts about a minute or two, resulting in our AGI script being overloaded.

What happens is that somebody seems to be trying to connect from our server - in my cdrs log I can see that they use a four digit number for source, destination and caller id, e.g.

clid: 7321
src: 7321
dst: 7321
channel: SIP/xx.xx.xx.xx-aaaaaaaa

xx.xx.xx.xx is our server IP. When one of our registered users makes a call the channel is SIP/yyyyyyyy-aaaaaaaa where yyyyyyyy is the SIP user ID.

So it looks like a SIP phone trying to call itself, using our Asterisk server IP as SIP user name.

Within a couple of minutes the attacker seems to go through some 10000 attempts, resulting in our AGI script collapsing from the load. My Asterisk full log shows something like:

    -- Executing [7321@sip:1] Answer("SIP/xx.xx.xx.xx-b0828f20", "") in new stack
    -- Executing [7321@sip:2] AGI("SIP/xx.xx.xx.xx-b0828f20", "agi://xx.xx.xx.xx") in new stack
    -- Executing [7321@sip:3] Hangup("SIP/xx.xx.xx.xx-b6130f70", "") in new stack
    == Spawn extension (sip, 7321, 3) exited non-zero on 'SIP/xx.xx.xx.xx-b6130f70'
      > cdr_odbc: Query Successful!
    -- AGI Script agi://xx.xx.xx.xx completed, returning 0

Our AGI script refuses to call "illegal" numbers, while our Asterisk dialplan is a bit more accommodating, mostly because I have had problems figuring out the order in which to put the various rules (I might have another look at that!)

Does anybody know how to stop this from happening - I can't find the attacker's IP number in my logs, and these attacks happen infrequently, and are over quickly, so that I haven't had an opportunity to run sip debug during an attack, and I don't want to have it running all the time.

Best regards
Binni

Brynjólfur Þorvarðsson
IT Consultant
Tlf. +45 88321688
On Thursday 20 Feb 2014, Brynjolfur Thorvardsson wrote:
> Every few weeks we get an attack that lasts about a minute or two,
> resulting in our AGI script being overloaded.
>
> What happens is that somebody seems to be trying to connect from our server
> - in my cdrs log I can see that they use a four digit number for source,
> destination and caller id, e.g.
>
> clid: 7321
> src: 7321
> dst: 7321
> channel: SIP/xx.xx.xx.xx-aaaaaaaa

Assuming that it's the AGI script that is the bottleneck, how about simply checking in the dialplan that the ${CALLERID(num)} is different from ${EXTEN} before executing the AGI script?

--
AJS
Answers come *after* questions.
On 20/02/14 11:27, Brynjolfur Thorvardsson wrote:
> Hi all
>
> We have an Asterisk server that's been running for a few years now
> without problems. We have IPTables running, as well as fail2ban and
> have followed all the security recommendations we have found.
>
> Every few weeks we get an attack that lasts about a minute or two,
> resulting in our AGI script being overloaded.
>
> What happens is that somebody seems to be trying to connect from our
> server -- in my cdrs log I can see that they use a four digit number
> for source, destination and caller id, e.g.
>
> clid: 7321
> src: 7321
> dst: 7321
> channel: SIP/xx.xx.xx.xx-aaaaaaaa
>
> xx.xx.xx.xx is our server IP. When one of our registered users makes a
> call the channel is SIP/yyyyyyyy-aaaaaaaa where yyyyyyyy is the SIP
> user ID.
>
> So it looks like a SIP phone trying to call itself, using our Asterisk
> server IP as SIP user name.
>
> Within a couple of minutes the attacker seems to go through some 10000
> attempts, resulting in our AGI script collapsing from the load. My
> Asterisk full log shows something like:
>
>     -- Executing [7321@sip:1] Answer("SIP/xx.xx.xx.xx-b0828f20", "") in new stack
>     -- Executing [7321@sip:2] AGI("SIP/xx.xx.xx.xx-b0828f20", "agi://xx.xx.xx.xx") in new stack
>     -- Executing [7321@sip:3] Hangup("SIP/xx.xx.xx.xx-b6130f70", "") in new stack
>     == Spawn extension (sip, 7321, 3) exited non-zero on 'SIP/xx.xx.xx.xx-b6130f70'
>       > cdr_odbc: Query Successful!
>     -- AGI Script agi://xx.xx.xx.xx completed, returning 0
>
> Our AGI script refuses to call "illegal" numbers, while our Asterisk
> dialplan is a bit more accommodating, mostly because I have had
> problems figuring out the order in which to put the various rules (I
> might have another look at that!)
>
> Does anybody know how to stop this from happening -- I can't find the
> attacker's IP number in my logs, and these attacks happen infrequently,
> and are over quickly, so that I haven't had an opportunity to run sip
> debug during an attack, and I don't want to have it running all the time.
>
> Best regards
>
> Binni
>
> Brynjólfur Þorvarðsson
> IT Consultant
> Tlf. +45 88321688

I have this in my extensions.conf :-

    [default]
    ; all unauthenticated connection attempts from the internet come in here.
    exten => _[+*#0-9].,1,NoOp(Unauthenticated call attempt - ${SIP_HEADER(Contact)})
    exten => _[+*#0-9].,n,Congestion

Then in fail2ban I have the extra line added to the failregex so it is now :-

    failregex = Registration from .* failed for \'<HOST>\' - Wrong password
                Registration from .* failed for \'<HOST>\' - No matching
                Unauthenticated call attempt .*\@<HOST>\:

That seems to work pretty well for me.

Assuming the attacks are unauthenticated, why are you accepting them and running an AGI script, and not rejecting them earlier?

If you need to allow anonymous inbound calls (which is required in some cases) then I would have the AGI detect them and write an output to Verbose() with the SIP_HEADER(Contact) or any other header which correctly indicates the origin of the packet.
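An added example, not from anyone in the thread and not fail2ban's own code: the three failregex lines from the reply above, with <HOST> expanded the way fail2ban 0.8 expands it, run in Python over a constructed sample of an Asterisk 1.4 "full" log so you can see which lines yield a bannable host and which do not. The addresses are RFC 5737 documentation addresses, the timestamp stripping and the per-host count are simplifications of what fail2ban does (no findtime window), and the process IDs and channel names are made up. Two caveats the sample makes visible: the third pattern ends in "\:", so a Contact header without a port does not match; and Contact is supplied by the sender, so it is not proof of where the packet came from.

```python
import re
from collections import Counter

# fail2ban 0.8.x substitutes this named group for the <HOST> token in a failregex
# (optional IPv4-mapped IPv6 prefix, then the address or hostname).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The three failregex lines from the post, with <HOST> expanded.
FAILREGEX = [
    r"Registration from .* failed for \'" + HOST + r"\' - Wrong password",
    r"Registration from .* failed for \'" + HOST + r"\' - No matching",
    r"Unauthenticated call attempt .*\@" + HOST + r"\:",
]
COMPILED = [re.compile(p) for p in FAILREGEX]

# Asterisk 1.4 prefixes each line with "[Mon DD HH:MM:SS]"; fail2ban matches the
# failregex against the remainder of the line.
DATE_PREFIX = re.compile(r"^\[[^\]]*\]\s*")

# Constructed sample of /var/log/asterisk/full (not real traffic; pids and hosts invented).
SAMPLE_LOG = [
    '[Feb 20 11:27:01] VERBOSE[2211] logger.c:     -- Unauthenticated call attempt - <sip:7321@203.0.113.5:5060>',
    '[Feb 20 11:27:01] VERBOSE[2211] logger.c:     -- Unauthenticated call attempt - <sip:7322@203.0.113.5:5060>',
    '[Feb 20 11:27:02] VERBOSE[2211] logger.c:     -- Unauthenticated call attempt - <sip:7323@203.0.113.5:5060>',
    '[Feb 20 11:27:02] VERBOSE[2211] logger.c:     -- Unauthenticated call attempt - <sip:7324@203.0.113.5:5060>',
    "[Feb 20 11:27:03] NOTICE[2211] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password",
    "[Feb 20 11:27:04] NOTICE[2211] chan_sip.c: Registration from '\"101\" <sip:101@192.0.2.10>' failed for '198.51.100.7' - No matching peer found",
    '[Feb 20 11:27:05] VERBOSE[2211] logger.c:     -- Executing [7321@sip:1] Answer("SIP/xx.xx.xx.xx-b0828f20", "") in new stack',
]

# A Contact header without a port: the post's third pattern requires "\:" after
# the host, so this attempt is never counted (a gap worth knowing about).
NO_PORT_LINE = '[Feb 20 11:27:06] VERBOSE[2211] logger.c:     -- Unauthenticated call attempt - <sip:7325@203.0.113.5>'


def match_line(line):
    """Return the host the first matching failregex extracts from a log line, or None."""
    body = DATE_PREFIX.sub("", line, count=1)
    for rx in COMPILED:
        m = rx.search(body)
        if m:
            return m.group("host")
    return None


def hosts_to_ban(lines, maxretry=3):
    """Hosts with at least maxretry matching lines (fail2ban's findtime window is omitted)."""
    counts = Counter(h for h in map(match_line, lines) if h)
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for line in SAMPLE_LOG + [NO_PORT_LINE]:
        print(match_line(line), "<-", line[:72])
    print("ban:", hosts_to_ban(SAMPLE_LOG))
```

Running it shows four attempts from 203.0.113.5 (banned at the default maxretry of 3), two registration failures from 198.51.100.7 (not yet banned), the ordinary "Executing" line ignored, and the port-less Contact silently missed. If you keep the NoOp approach on Asterisk 1.4, logging ${SIPCHANINFO(peerip)} next to the Contact header gives fail2ban the real source address rather than a value the caller chose.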