Hello, recently I have seen spike in attacks on my asterisk server, this is what I get on the LCD of my phone: 201 at 76.220.5.205 or calls from 1000 sip1000 at 76.2230.5.205, have any idea on how to stop this calls? Thanks, -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20140512/c43505bf/attachment.html>
I would simply drop all traffic from the IP at the firewall. William Hetherington w - www.willwh.com t - @wmwh On Mon, May 12, 2014 at 2:43 PM, motty cruz <motty.cruz at gmail.com> wrote:> Hello, > recently I have seen spike in attacks on my asterisk server, this is what > I get on the LCD of my phone: 201 at 76.220.5.205 > > or calls from 1000 sip1000 at 76.2230.5.205, > > have any idea on how to stop this calls? > > Thanks, > > -- > _____________________________________________________________________ > -- Bandwidth and Colocation Provided by http://www.api-digital.com -- > New to Asterisk? Join us for a live introductory webinar every Thurs: > http://www.asterisk.org/hello > > asterisk-users mailing list > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20140512/ea0b7804/attachment.html>
If the attacks are direct (rather than through Asterisk) and you have a Polycom phone, check around page 522 of the firmware 4.0 admin guide. If the attacks are directed at your Asterisk then you should use fail2ban to dynamically block attackers. If the attacks are coming to your phone via Asterisk then you have a security issue in your Asterisk config. -----Original Message----- From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of motty cruz Sent: Monday, May 12, 2014 5:43 PM To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: [asterisk-users] Asterisk 1.8.22 Hello, recently I have seen spike in attacks on my asterisk server, this is what I get on the LCD of my phone: 201 at 76.220.5.205 or calls from 1000 sip1000 at 76.2230.5.205, have any idea on how to stop this calls? Thanks,
Another alternative is SecAst (Asterisk intrusion detection system). Grab the free version from www.generationd.com<http://www.generationd.com/>? It does everything fail2ban does, plus you have the option of blocking IP's based on geograhic origin, detecting suspicious call patterns, etc. -=M=- All opinions posted are my own. But as an employee of GenerationD System my views are undoubtedly biased :) ________________________________ From: asterisk-users-bounces at lists.digium.com <asterisk-users-bounces at lists.digium.com> on behalf of motty cruz <motty.cruz at gmail.com> Sent: Monday, May 12, 2014 5:43 PM To: Asterisk Users List Subject: [asterisk-users] Asterisk 1.8.22 Hello, recently I have seen spike in attacks on my asterisk server, this is what I get on the LCD of my phone: 201 at 76.220.5.205<mailto:201 at 76.220.5.205> or calls from 1000 sip1000 at 76.2230.5.205<mailto:1000 at 76.2230.5.205>, have any idea on how to stop this calls? Thanks, -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20140513/7f4e543c/attachment.html>
It's very likely someone scanning your asterisk for extensions to use for dialing out through your asterisk. Secure your asterisk and maybe create extensions that aren't practically possible to find through scanning. Save logs from your asterisk of whenever an extension is called (if that is an option) and you will probably see them scanning from 1-1000 or more. This is very common unfortunately, because too many asterisks are waiting to be hacked by automated scripts.. /Mikael On 12 May 2014 23:43, motty cruz <motty.cruz at gmail.com> wrote:> Hello, > recently I have seen spike in attacks on my asterisk server, this is what > I get on the LCD of my phone: 201 at 76.220.5.205 > > or calls from 1000 sip1000 at 76.2230.5.205, > > have any idea on how to stop this calls? > > Thanks, > > -- > _____________________________________________________________________ > -- Bandwidth and Colocation Provided by http://www.api-digital.com -- > New to Asterisk? Join us for a live introductory webinar every Thurs: > http://www.asterisk.org/hello > > asterisk-users mailing list > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20140515/6952363b/attachment.html>