search for: secast

>Did you check your security log? >There is usually a wealth of info there about who, what, where when and why I also checked /var/log/asterisk/messages and it just has the same line. Nothing additional. Jerry -------------- next part -------------- An HTML attachment was scrubbed... URL:

If this is a small site, I recommend you download the free version of SecAst (www.telium.ca <http://www.telium.ca> ) and replace fail2ban. SecAst does NOT use the log file, or regexes, to match etc.instead it talks to Asterisk through the AMI to extract security information. Messing with regexes is a losing battle, and the lag in reading logs can allow an attacker 1...

Do you have DISA setup? We're seeing lots of attackers running scripts that send digits until they strike a DISA, misconfigured mailbox, etc. (Assuming it wasn't a stupid employee forwarding an inbound call to a 9xxxxxxx number etc). Have a look at SecAst (www.generationd.com) - it detects callers sending too many digits, monitors digit dialing speeds, etc. to help identify and block these types of attacks. The free version is better than nothing (but if you've already suffered one $25k attack then you probably don't mind spending a bit of...

I don't think you can do this natively within Asterisk, but take a look at SecAst (from http://www.telium.ca<http://www.telium.ca/> ). There is a free edition you can download right from the web site. SecAst will monitor the rate at which a user/device places calls to detect potential fraud. (I assume that is what you are trying to achieve). It also checks for suspic...

2015-01-09 3:53 GMT-06:00 Stefan Gofferje <lists at home.gofferje.net>: > > Do you really want to detect "ChallengeSent"? That should occur also on > legitimate login processes... > Hi , strange thing is that I still have not this asterisk in production and I see many attempts Connection. Now keep in mind that when a connection of authentication is successful the

I'd suggest taking a look at the free edition of SecAst (www.generationd.com). It handles these messages perfectly (and can also use AMI security events) - so you don't need to constantly be updating fail2ban rules. It's a drop in replacement for fail2ban. -M- P.S. My opinions are my own and do not necessarily represent those of my employ...

On Fri, Jan 9, 2015 at 5:24 PM, Michelle Dupuis <mdupuis at ocg.ca> wrote: > I'd suggest taking a look at the free edition of SecAst ( > www.generationd.com). It handles these messages perfectly (and can also > use AMI security events) - so you don't need to constantly be updating > fail2ban rules. It's a drop in replacement for fail2ban. > > -M- > > P.S. My opinions are my own and do not necessar...

I'm guessing this is a small/home system? I suggest you install SecAst from this site: www.telium.ca It's free for small office / home office and will deal with these types of attacks and more. It can also block users based on their Geographic location (based on the phone number it attempted to dial I suspect this is middle east), look for suspicious dialing pa...

Hello, recently I have seen spike in attacks on my asterisk server, this is what I get on the LCD of my phone: 201 at 76.220.5.205 or calls from 1000 sip1000 at 76.2230.5.205, have any idea on how to stop this calls? Thanks, -------------- next part -------------- An HTML attachment was scrubbed... URL:

Hello All, my asterisk server is constantly under attack [Apr 4 06:56:00] NOTICE[21745]: chan_sip.c:25673 handle_request_register: Registration from '"4941" <sip:4941 at public_ip>' failed for '194.100.46.132 194.100.46.132:56714' - Wrong password [Apr 4 06:56:00] NOTICE[21745]: chan_sip.c:25673 handle_request_register: Registration from '"4941"

Hello, fail2ban does not ban offending IP. NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005 at asterisk-ip:5060>' failed for 'offending-IP:53417' - Wrong password NOTICE[29784] chan_sip.c: Registration from '"user3"<sip:1005 at asterisk-ip:5060>' failed for ?offending-IP:53911' - Wrong password systemctl status

Hi list! Very strange... I ran the Asterisk CLI for other tasks, and suddenly I got this message: == Using SIP RTP CoS mark 5 -- Executing [000972592603325 at default:1] Verbose("SIP/192.168.20.120-0000002a", "2,PROXY Call from 0123456 to 000972592603325") in new stack == PROXY Call from 0123456 to 000972592603325 -- Executing [000972592603325 at default:2]

Hello, I'm investigating a situation where there was a hundreds of minutes of calls from an internal SIP extension to an 855 number in Cambodia, resulting in a crazy ($25,000+) bill from the phone company. I'm investigating, but can anyone provide some feedback on what's happened here? I'm investigating how this happened as well as what types of arrangements can be made with the