Kevin Larsen <kevin.larsen at pioneerballoon.com> wrote:

> Based on SIP packets coming in from IP addresses you don't recognize,
> while you may not be hacked, you would seem to have people probing your

I think, too, it's someone probing my IP...

> system. One thing you can do at the firewall level is restrict inbound sip
> communications to only those from your external phone providers. Depending
> on their setup, they should be able to give you an IP, a range of IPs or a
> name that can be used (i.e. sip.myphoneprovider.com). If you restrict your

This is not really possible, since I'll login on my Asterisk from many
Providers...

> inbound sip to that, it will be very helpful. Also, there are further
> steps you can take to harden your systems. An internet search will bring
> up many, but here are a couple of good ones:
>
> http://blogs.digium.com/2009/03/28/sip-security/
> http://www.ipcomms.net/blog/70-11-steps-to-secure-your-asterisk-ip-pbx
> http://nerdvittles.com/?p=580

OK, I set alwaysauthreject = yes and I discovered an allowguest, which I set
to "no", too.
The PBX is behind a Firewall and I just allow UDP 5060 and 10000-10100.
Now I log the SIP packets coming from Internet, too...

Hopefully I solved my problem...

Thanks
Luca Bertoncello
(lucabert at lucabert.de)

On Mon, 8 Jun 2015, Luca Bertoncello wrote:

> This is not really possible, since I'll login on my Asterisk from many
> Providers...

many < all

So make a list of the 100 or so providers you have active accounts with.
It's still way less than 'all.'

Also, I'm willing to bet you won't be using providers from China, North
Korea, Russia, Iraq, etc, etc, etc. (Sorry if that steps on anybody's toes.)

Look for address blocks (class A, B, C) that are allocated to geographic
regions you do not have any providers.

If you limit your 'attack surface' you make your security problem
manageable.

-- 
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards       sedwards at sedwards.com      Voice: +1-760-468-3867 PST
Newline                                              Fax: +1-760-731-3000

> OK, I set alwaysauthreject = yes and I discovered an allowguest, which I set
> to "no", too.
> The PBX is behind a Firewall and I just allow UDP 5060 and 10000-10100.
> Now I log the SIP packets coming from Internet, too...
>
> Hopefully I solved my problem...

Make sure you have solved the problem. You don't want to get hit with a
phone bill for calls from your location to Israel. Basically, they are
hoping that you are running the equivalent of a mail server open relay.
They are trying to use you to dial out to another number. You don't want
to pay for these calls.

The calls are being dumped into your default context. It's not matching on
your gotoif statements, so finally it is trying to execute this:

Dial("SIP/192.168.20.120-0000002a", "SIP/pbxluca/000972592603325,,R") in new stack

Not sure what trunk pbxluca is, but if that is an outbound trunk, then
this is very bad. The only reason it would fail then is if they have the
outbound dial pattern wrong, which is a sure sign that you are open in the
future to having someone make this kind of call in a way that does work
and leaves you on the hook. Based on your email address, I am guessing you
are in Germany. Looks like they almost have the correct outbound pattern
for dialing from Germany to Israel. It should be 00972592603325 (notice
the one less zero in the front). Please tell me that pbxluca is not an
outbound dialing context? If it is, you need to fix this very quickly.

Kevin Larsen <kevin.larsen at pioneerballoon.com> wrote:

> Make sure you have solved the problem. You don't want to get hit with a
> phone bill for calls from your location to Israel. Basically, they are
> hoping that you are running the equivalent of a mail server open relay.
> They are trying to use you to dial out to another number. You don't want
> to pay for these calls.

Of course, but how can I test if I am an "open relay"?

> The calls are being dumped into your default context. It's not matching on
> your gotoif statements, so finally it is trying to execute this:
> Dial("SIP/192.168.20.120-0000002a", "SIP/pbxluca/000972592603325,,R") in
> new stack
>
> Not sure what trunk pbxluca is, but if that is an outbound trunk, then
> this is very bad. The only reason it would fail then is if they have the

This is one of my outbound trunks...

> outbound dial pattern wrong, which is a sure sign that you are open in the
> future to having someone make this kind of call in a way that does work
> and leaves you on the hook. Based on your email address, I am guessing you
> are in Germany. Looks like they almost have the correct outbound pattern
> for dialing from Germany to Israel. It should be 00972592603325 (notice
> the one less zero in the front). Please tell me that pbxluca is not an
> outbound dialing context? If it is, you need to fix this very quickly.

How can I fix it?
Of course, I need to be able to call any phone on this world...

On a Mail-Server I'd restrict outgoing calls to authenticated users. I was
sure that Asterisk already does that, but I'm not sure anymore...
How can I restrict it?

Thanks
Luca Bertoncello
(lucabert at lucabert.de)
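
Added example, not part of the thread and not Asterisk's own code: one way to check a log for the situation Kevin describes, a Dial() that runs in the context where unmatched inbound calls land and goes out through a trunk. The log lines are constructed in the shape of Asterisk's verbose "Executing [exten@context:priority]" output; apart from the Dial() text and the two numbers quoted in the thread, the timestamps, priorities, the "internal" context, peer 101 and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Asterisk's verbose "Executing" lines.
# Only the first Dial(...) text and the two numbers come from the thread;
# timestamps, priorities, the "internal" context and peer 101 are made up.
SAMPLE_LOG = '''\
[Jun  8 21:10:01] VERBOSE[2231] pbx.c: -- Executing [000972592603325@default:4] Dial("SIP/192.168.20.120-0000002a", "SIP/pbxluca/000972592603325,,R") in new stack
[Jun  8 21:10:09] VERBOSE[2240] pbx.c: -- Executing [00972592603325@default:4] Dial("SIP/192.168.20.120-0000002b", "SIP/pbxluca/00972592603325,,R") in new stack
[Jun  8 21:12:30] VERBOSE[2251] pbx.c: -- Executing [0123456789@internal:2] Dial("SIP/101-0000002c", "SIP/pbxluca/0123456789,,R") in new stack
[Jun  8 21:13:02] VERBOSE[2260] pbx.c: -- Executing [101@default:1] Dial("SIP/192.168.20.120-0000002d", "SIP/101,20") in new stack
'''

EXEC_RE = re.compile(
    r'Executing \[(?P<exten>[^@\]]+)@(?P<context>[^:\]]+):\d+\] '
    r'Dial\("(?P<channel>[^"]+)", "(?P<target>[^",]+)')

def find_relay_attempts(log_text, guest_context="default"):
    """Return Dial() calls that ran in the guest context and used a trunk.

    A target of the form TECH/trunk/number is routed through a peer;
    TECH/peer alone rings a local device and is not reported.
    """
    hits = []
    for line in log_text.splitlines():
        m = EXEC_RE.search(line)
        if not m or m.group("context") != guest_context:
            continue
        parts = m.group("target").split("/")
        if len(parts) != 3:
            continue  # local device, no trunk involved
        source = m.group("channel").rsplit("-", 1)[0]  # drop the call serial
        hits.append({"source": source, "trunk": parts[1], "number": parts[2]})
    return hits

def summarize(hits):
    """Group the dialed numbers by (source channel, trunk)."""
    by_pair = defaultdict(list)
    for h in hits:
        by_pair[(h["source"], h["trunk"])].append(h["number"])
    return dict(by_pair)

if __name__ == "__main__":
    for (src, trunk), nums in summarize(find_relay_attempts(SAMPLE_LOG)).items():
        print(f"{src} reached trunk {trunk} from the guest context: {nums}")
```

Any hit means the context that receives unmatched inbound calls has a path to an outbound trunk, whether or not the dialed pattern happened to complete.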

On Mon, 8 Jun 2015 13:19:53 -0700 (PDT)
Steve Edwards <asterisk.org at sedwards.com> wrote:

> Look for address blocks (class A, B, C) that are allocated to
> geographic regions you do not have any providers. If you limit your
> 'attack surface' you make your security problem manageable.

Get this file:
http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz

It has all of those blocks for all countries. I pick that up fresh
every week and block specific countries that I don't have clients in
but seem to be hitting me hard.

-- 
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:darcy at Vex.Net
VoIP: sip:darcy at Vex.Net
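
Added example, not part of the thread: a sketch of turning selected country zone files from such an archive into input for `ipset restore`, so the firewall can drop SIP from those blocks. It assumes the archive holds one `<cc>.zone` file per country with one CIDR per line; the in-memory tarball, the country codes xa/xb/xc, the documentation address ranges, the set name and the function names are all constructed for the example.

```python
import io
import ipaddress
import tarfile

def build_sample_tarball():
    """Constructed stand-in for all-zones.tar.gz (assumed layout: <cc>.zone,
    one CIDR per line). Country codes and ranges are documentation values."""
    zones = {"xa.zone": "198.51.100.0/25\n198.51.100.128/25\n",
             "xb.zone": "203.0.113.0/24\n\n",
             "xc.zone": "192.0.2.0/24\n"}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in zones.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def load_blocked_networks(tar_bytes, countries):
    """Read only the chosen countries' zone files and merge adjacent blocks."""
    wanted = {c.lower() + ".zone" for c in countries}
    nets = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar:
            # Compare the base name and read in memory; nothing is unpacked.
            if not member.isfile() or member.name.rsplit("/", 1)[-1] not in wanted:
                continue
            for raw in tar.extractfile(member).read().decode().splitlines():
                if raw.strip():
                    nets.append(ipaddress.ip_network(raw.strip()))
    return list(ipaddress.collapse_addresses(nets))

def ipset_restore_script(nets, set_name="sip_geo_block"):
    """Text for `ipset -exist restore`; the set name is a made-up example."""
    lines = [f"create {set_name} hash:net family inet", f"flush {set_name}"]
    lines += [f"add {set_name} {net}" for net in nets]
    return "\n".join(lines) + "\n"

def is_blocked(ip, nets):
    """True if a source address seen in the SIP log falls in a blocked zone."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

if __name__ == "__main__":
    blocked = load_blocked_networks(build_sample_tarball(), ["XA", "xb"])
    print(ipset_restore_script(blocked), end="")
```

Checking the source addresses from the SIP log with `is_blocked` before loading the set shows which of the observed probes the chosen countries would actually cover.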