Jerry Geis
2017-Apr-21 16:27 UTC
[asterisk-users] Hack attempt sequential config file read looking for valid files.
I "justed" happened to look at /var/log/messages...

I saw:

Apr 21 12:18:40 in.tftpd[22719]: RRQ from 69.64.57.18 filename 0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22719]: Client 69.64.57.18 File not found 0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22720]: RRQ from 69.64.57.18 filename 0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22720]: Client 69.64.57.18 File not found 0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22721]: RRQ from 69.64.57.18 filename 0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22721]: Client 69.64.57.18 File not found 0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22722]: RRQ from 69.64.57.18 filename 0004f2034f6e.cfg

so basically a sequential read of Polycom MAC address config files. Someone is trying to read to determine if I have any Polycom files, just sequential read after read. And if so - it would get any extension and password at that time. Luckily I have none.

However - how does one block attempts like this?

Thanks!

Jerry
Derek Bolichowski
2017-Apr-21 16:36 UTC
[asterisk-users] Hack attempt sequential config file read looking for valid files.
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Jerry Geis
Sent: Friday, April 21, 2017 12:28 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users at lists.digium.com>
Subject: [asterisk-users] Hack attempt sequential config file read looking for valid files.

> I "justed" happened to look at /var/log/messages...
>
> I saw:
>
> Apr 21 12:18:40 in.tftpd[22719]: RRQ from 69.64.57.18 filename 0004f2034f6b.cfg
> Apr 21 12:18:40 in.tftpd[22719]: Client 69.64.57.18 File not found 0004f2034f6b.cfg
> Apr 21 12:18:40 in.tftpd[22720]: RRQ from 69.64.57.18 filename 0004f2034f6c.cfg
> Apr 21 12:18:40 in.tftpd[22720]: Client 69.64.57.18 File not found 0004f2034f6c.cfg
> Apr 21 12:18:40 in.tftpd[22721]: RRQ from 69.64.57.18 filename 0004f2034f6d.cfg
> Apr 21 12:18:40 in.tftpd[22721]: Client 69.64.57.18 File not found 0004f2034f6d.cfg
> Apr 21 12:18:40 in.tftpd[22722]: RRQ from 69.64.57.18 filename 0004f2034f6e.cfg
>
> so basically a sequential read of Polycom MAC address config files. Someone is trying to read to determine if I have any Polycom files, just sequential read after read. And if so - it would get any extension and password at that time. Luckily I have none.
>
> However - how does one block attempts like this?
>
> Thanks!
>
> Jerry

Jerry,

Can you change to FTP provisioning, or HTTPS etc? At least with FTP you can set a user/pass on your directory with mac.cfg to prevent open access.
Dovid Bender
2017-Apr-21 16:38 UTC
[asterisk-users] Hack attempt sequential config file read looking for valid files.
This is old news. They use Shodan and then try to connect. Set up Fail2Ban that says after 10 404's to ban the IP.

On Fri, Apr 21, 2017 at 12:27 PM, Jerry Geis <jerry.geis at gmail.com> wrote:

> I "justed" happened to look at /var/log/messages...
>
> I saw:
>
> Apr 21 12:18:40 in.tftpd[22719]: RRQ from 69.64.57.18 filename 0004f2034f6b.cfg
> Apr 21 12:18:40 in.tftpd[22719]: Client 69.64.57.18 File not found 0004f2034f6b.cfg
> Apr 21 12:18:40 in.tftpd[22720]: RRQ from 69.64.57.18 filename 0004f2034f6c.cfg
> Apr 21 12:18:40 in.tftpd[22720]: Client 69.64.57.18 File not found 0004f2034f6c.cfg
> Apr 21 12:18:40 in.tftpd[22721]: RRQ from 69.64.57.18 filename 0004f2034f6d.cfg
> Apr 21 12:18:40 in.tftpd[22721]: Client 69.64.57.18 File not found 0004f2034f6d.cfg
> Apr 21 12:18:40 in.tftpd[22722]: RRQ from 69.64.57.18 filename 0004f2034f6e.cfg
>
> so basically a sequential read of Polycom MAC address config files. Someone is trying to read to determine if I have any Polycom files, just sequential read after read. And if so - it would get any extension and password at that time. Luckily I have none.
>
> However - how does one block attempts like this?
>
> Thanks!
>
> Jerry
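An added example, not code from anyone in this thread, of the detection Dovid describes: it parses in.tftpd syslog lines, counts "File not found" misses per client, and additionally flags a client whose requested .cfg names are consecutive MAC addresses, which exposes the enumeration long before ten misses accumulate. The sample log is constructed from the lines Jerry quoted plus a made-up legitimate phone at 192.0.2.10; the fail2ban failregex string is shown for reference only.

```python
import re
from collections import defaultdict

# Constructed sample: the probe lines quoted in the thread (plus a miss for
# the last one) and one request from a hypothetical phone that found its file.
SAMPLE_LOG = """\
Apr 21 12:18:40 in.tftpd[22719]: RRQ from 69.64.57.18 filename 0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22719]: Client 69.64.57.18 File not found 0004f2034f6b.cfg
Apr 21 12:18:40 in.tftpd[22720]: RRQ from 69.64.57.18 filename 0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22720]: Client 69.64.57.18 File not found 0004f2034f6c.cfg
Apr 21 12:18:40 in.tftpd[22721]: RRQ from 69.64.57.18 filename 0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22721]: Client 69.64.57.18 File not found 0004f2034f6d.cfg
Apr 21 12:18:40 in.tftpd[22722]: RRQ from 69.64.57.18 filename 0004f2034f6e.cfg
Apr 21 12:18:40 in.tftpd[22722]: Client 69.64.57.18 File not found 0004f2034f6e.cfg
Apr 21 12:19:02 in.tftpd[22801]: RRQ from 192.0.2.10 filename 0004f2aabbcc.cfg
"""

# Equivalent failregex for a fail2ban filter.d file (<HOST> is fail2ban's IP token).
FAIL2BAN_FAILREGEX = r"in\.tftpd\[\d+\]: Client <HOST> File not found"
NOT_FOUND_RE = re.compile(r"in\.tftpd\[\d+\]: Client (?P<ip>\S+) File not found (?P<file>\S+)$")
MAC_CFG_RE = re.compile(r"^([0-9a-f]{12})\.cfg$", re.IGNORECASE)

def parse_not_found(log_text):
    """Return (client_ip, filename) for every 'File not found' line."""
    hits = []
    for line in log_text.splitlines():
        m = NOT_FOUND_RE.search(line)
        if m:
            hits.append((m.group("ip"), m.group("file")))
    return hits

def is_sequential_mac_run(filenames, min_run=3):
    """True when the MAC-named .cfg requests form a run of consecutive MACs."""
    macs = sorted(int(m.group(1), 16) for m in map(MAC_CFG_RE.match, filenames) if m)
    return len(macs) >= min_run and all(b - a == 1 for a, b in zip(macs, macs[1:]))

def find_scanners(log_text, miss_threshold=10):
    """Flag clients that reach miss_threshold misses (Dovid's rule) or that
    walk consecutive MAC config names, which betrays enumeration much sooner."""
    misses = defaultdict(list)
    for ip, fname in parse_not_found(log_text):
        misses[ip].append(fname)
    flagged = {}
    for ip, files in misses.items():
        seq = is_sequential_mac_run(files)
        if len(files) >= miss_threshold or seq:
            flagged[ip] = {"misses": len(files), "sequential_mac_enum": seq}
    return flagged
```

Flagged addresses are candidates for the iptables DROP or fail2ban ban discussed in the thread; a single miss from a phone whose file is simply missing is never flagged on its own.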
Victor Villarreal
2017-Apr-21 16:45 UTC
[asterisk-users] Hack attempt sequential config file read looking for valid files.
Hi, Jerry,

I don't know what S.O. you have on the server, but you can check the man page (https://linux.die.net/man/8/in.tftpd) for tftpd and use the option --address, so you can tell tftpd on which interface/port this service listens for requests.

From the IP in your logs (69.64.57.18) the request came from a web hosting provider (http://www.heg.com/). So the request came from the Internet, so your server listens for TFTP requests from outside, which is bad.

You can use iptables in any Linux distro to block incoming TFTP traffic. TFTP is a UDP protocol on port 69. Example:

/sbin/iptables -A INPUT -i eth0 -p udp --destination-port 69 -j DROP

Change eth0 to the correct name of your public Internet server interface.

2017-04-21 13:27 GMT-03:00 Jerry Geis <jerry.geis at gmail.com>:

> I "justed" happened to look at /var/log/messages...
>
> I saw:
>
> Apr 21 12:18:40 in.tftpd[22719]: RRQ from 69.64.57.18 filename 0004f2034f6b.cfg
> Apr 21 12:18:40 in.tftpd[22719]: Client 69.64.57.18 File not found 0004f2034f6b.cfg
> Apr 21 12:18:40 in.tftpd[22720]: RRQ from 69.64.57.18 filename 0004f2034f6c.cfg
> Apr 21 12:18:40 in.tftpd[22720]: Client 69.64.57.18 File not found 0004f2034f6c.cfg
> Apr 21 12:18:40 in.tftpd[22721]: RRQ from 69.64.57.18 filename 0004f2034f6d.cfg
> Apr 21 12:18:40 in.tftpd[22721]: Client 69.64.57.18 File not found 0004f2034f6d.cfg
> Apr 21 12:18:40 in.tftpd[22722]: RRQ from 69.64.57.18 filename 0004f2034f6e.cfg
>
> so basically a sequential read of Polycom MAC address config files. Someone is trying to read to determine if I have any Polycom files, just sequential read after read. And if so - it would get any extension and password at that time. Luckily I have none.
>
> However - how does one block attempts like this?
>
> Thanks!
>
> Jerry

--
GnuPG Key ID: 0x39BCA9D8
https://www.github.com/mefhigoseth
...:::[ God Rulz ! ]:::...