Tim S
2017-Apr-21 16:47 UTC
[asterisk-users] Hack attempt sequential config file read looking for valid files.
Is that IP in your network or outside (I can ping it, so I'm guessing it's outside your network)? Do you have a firewall between your Asterisk box and the internet? Is there a WHITELIST of IP addresses that only allows your provider's limited IP pool to connect to your Asterisk box from outside?

If you are getting TFTP requests hitting your Asterisk box, they are not properly being filtered at your firewall. FTP and TFTP are considered insecure communication methods; that port (69, I think) should be closed on your firewall unless you have a really good reason to have it open (and unless you run a public FTP site, THERE IS NO GOOD REASON).

Fail2Ban is a BLACKLIST method; blacklists are most effective after good network hygiene is implemented, as you drastically limit the pool of potential bad actors with a whitelist.

Best,

-Tim

On Fri, Apr 21, 2017 at 9:38 AM, Dovid Bender <dovid at telecurve.com> wrote:

> This is old news. They use Shodan and then try to connect. Set up Fail2Ban so that, say, after 10 404s it bans the IP.
>
> On Fri, Apr 21, 2017 at 12:27 PM, Jerry Geis <jerry.geis at gmail.com> wrote:
>
>> I "justed" happened to look at /var/log/messages...
>>
>> I saw:
>> Apr 21 12:18:40 in.tftpd[22719]: RRQ from 69.64.57.18 filename 0004f2034f6b.cfg
>> Apr 21 12:18:40 in.tftpd[22719]: Client 69.64.57.18 File not found 0004f2034f6b.cfg
>> Apr 21 12:18:40 in.tftpd[22720]: RRQ from 69.64.57.18 filename 0004f2034f6c.cfg
>> Apr 21 12:18:40 in.tftpd[22720]: Client 69.64.57.18 File not found 0004f2034f6c.cfg
>> Apr 21 12:18:40 in.tftpd[22721]: RRQ from 69.64.57.18 filename 0004f2034f6d.cfg
>> Apr 21 12:18:40 in.tftpd[22721]: Client 69.64.57.18 File not found 0004f2034f6d.cfg
>> Apr 21 12:18:40 in.tftpd[22722]: RRQ from 69.64.57.18 filename 0004f2034f6e.cfg
>>
>> So basically a sequential read of Polycom MAC address config files. Someone is trying to read to determine if I have any Polycom files, just sequential read after read. And if so, it would get any extension and password at that time. Luckily I have none.
>>
>> However, how does one block attempts like this?
>>
>> Thanks!
>>
>> Jerry
>>
>> --
>> _____________________________________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>
>> Check out the new Asterisk community forum at:
>> https://community.asterisk.org/
>>
>> New to Asterisk? Start here:
>> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>> http://lists.digium.com/mailman/listinfo/asterisk-users
Victor Villarreal
2017-Apr-21 16:53 UTC
[asterisk-users] Hack attempt sequential config file read looking for valid files.
Hi Dovid, Tim,

Try to use Fail2Ban as a last resort. Fail2Ban is a reactive approach that permits the traffic AND ONLY BLOCKS it after a certain level is triggered.

Use iptables to block the unused services facing public networks like the Internet. And configure these services properly, so they listen only on selected interfaces and IPs, and not on 0.0.0.0.

2017-04-21 13:47 GMT-03:00 Tim S <tim.strommen at gmail.com>:

> Is that IP in your network or outside (I can ping it, so I'm guessing it's outside your network)? Do you have a firewall between your Asterisk box and the internet? Is there a WHITELIST of IP addresses that only allows your provider's limited IP pool to connect to your Asterisk box from outside?
>
> If you are getting TFTP requests hitting your Asterisk box, they are not properly being filtered at your firewall. FTP and TFTP are considered insecure communication methods; that port (69, I think) should be closed on your firewall unless you have a really good reason to have it open (and unless you run a public FTP site, THERE IS NO GOOD REASON).
>
> Fail2Ban is a BLACKLIST method; blacklists are most effective after good network hygiene is implemented, as you drastically limit the pool of potential bad actors with a whitelist.
>
> Best,
>
> -Tim
>
> On Fri, Apr 21, 2017 at 9:38 AM, Dovid Bender <dovid at telecurve.com> wrote:
>
>> This is old news. They use Shodan and then try to connect. Set up Fail2Ban so that, say, after 10 404s it bans the IP.
>>
>> On Fri, Apr 21, 2017 at 12:27 PM, Jerry Geis <jerry.geis at gmail.com> wrote:
>>
>>> I "justed" happened to look at /var/log/messages...
>>>
>>> I saw:
>>> Apr 21 12:18:40 in.tftpd[22719]: RRQ from 69.64.57.18 filename 0004f2034f6b.cfg
>>> Apr 21 12:18:40 in.tftpd[22719]: Client 69.64.57.18 File not found 0004f2034f6b.cfg
>>> Apr 21 12:18:40 in.tftpd[22720]: RRQ from 69.64.57.18 filename 0004f2034f6c.cfg
>>> Apr 21 12:18:40 in.tftpd[22720]: Client 69.64.57.18 File not found 0004f2034f6c.cfg
>>> Apr 21 12:18:40 in.tftpd[22721]: RRQ from 69.64.57.18 filename 0004f2034f6d.cfg
>>> Apr 21 12:18:40 in.tftpd[22721]: Client 69.64.57.18 File not found 0004f2034f6d.cfg
>>> Apr 21 12:18:40 in.tftpd[22722]: RRQ from 69.64.57.18 filename 0004f2034f6e.cfg
>>>
>>> So basically a sequential read of Polycom MAC address config files. Someone is trying to read to determine if I have any Polycom files, just sequential read after read. And if so, it would get any extension and password at that time. Luckily I have none.
>>>
>>> However, how does one block attempts like this?
>>>
>>> Thanks!
>>>
>>> Jerry

--
GnuPG Key ID: 0x39BCA9D8
https://www.github.com/mefhigoseth
...:::[ God Rulz ! ]:::...
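As an added example (not code from anyone in the thread), here is a small Python detector that reads in.tftpd lines like the ones Jerry posted, counts "File not found" misses per client, flags a run of consecutive MAC-named .cfg requests as a provisioning sweep, and applies Dovid's "ban after 10 misses" rule; the sample log is constructed to mirror the thread's excerpt, and 192.0.2.10, the per-IP iptables rule format, and the 3-request sweep threshold are assumptions.

```python
import re
from collections import defaultdict

# in.tftpd "File not found" lines as they appear in /var/log/messages.
NOT_FOUND_RE = re.compile(r"in\.tftpd\[\d+\]: Client (?P<ip>[\d.]+) File not found (?P<name>\S+)")
# Polycom-style provisioning file name: 12 hex digits (the phone's MAC) + ".cfg".
MAC_CFG_RE = re.compile(r"^([0-9a-f]{12})\.cfg$", re.IGNORECASE)

def parse_not_found(lines):
    """Yield (client_ip, requested_name) for every tftpd 'File not found' line."""
    for line in lines:
        m = NOT_FOUND_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name")

def is_mac_sweep(names, min_run=3):
    """True when at least min_run MAC-named requests step through consecutive MACs."""
    macs = [int(m.group(1), 16) for n in names if (m := MAC_CFG_RE.match(n))]
    return len(macs) >= min_run and all(b - a == 1 for a, b in zip(macs, macs[1:]))

def analyze(lines, threshold=10):
    """Per client IP: number of misses, whether the names form a MAC sweep, and
    whether the thread's '10 misses' rule or the sweep heuristic says to block it."""
    per_ip = defaultdict(list)
    for ip, name in parse_not_found(lines):
        per_ip[ip].append(name)
    report = {}
    for ip, names in per_ip.items():
        sweep = is_mac_sweep(names)
        report[ip] = {"misses": len(names), "mac_sweep": sweep,
                      "block": sweep or len(names) >= threshold}
    return report

def block_commands(report):
    """One iptables rule per flagged IP, dropping further TFTP (udp/69) from it."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 69 -j DROP"
            for ip, r in sorted(report.items()) if r["block"]]

# Constructed sample modelled on the thread's log excerpt; 192.0.2.10 is a made-up client that misses once.
SAMPLE_LOG = [
    "Apr 21 12:18:40 in.tftpd[22719]: RRQ from 69.64.57.18 filename 0004f2034f6b.cfg",
    "Apr 21 12:18:40 in.tftpd[22719]: Client 69.64.57.18 File not found 0004f2034f6b.cfg",
    "Apr 21 12:18:40 in.tftpd[22720]: Client 69.64.57.18 File not found 0004f2034f6c.cfg",
    "Apr 21 12:18:40 in.tftpd[22721]: Client 69.64.57.18 File not found 0004f2034f6d.cfg",
    "Apr 21 12:18:41 in.tftpd[22722]: Client 69.64.57.18 File not found 0004f2034f6e.cfg",
    "Apr 21 12:20:03 in.tftpd[22730]: Client 192.0.2.10 File not found sip.cfg",
]

if __name__ == "__main__":
    print("\n".join(block_commands(analyze(SAMPLE_LOG))))
```

The sweep heuristic fires on the four consecutive MACs well before the 10-miss threshold would, which is the point of looking at the requested names rather than only counting misses; as Tim and Victor note, none of this is needed if udp/69 is not reachable from the Internet in the first place.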