Displaying 20 results from an estimated 6000 matches similar to: "sip dos question"
2010 Aug 18
3
Playing with sipvicious ..
... using it as a tool and understanding what it does...
So one part of its toolset identifies valid SIP accounts - and I was under
the impression that alwaysauthreject=yes was supposed to stop this...
However, it sends a request for a highly probably non-existent account,
then sends requests for probably existing accounts and I guess compares
the results - account not found vs. bad
2010 Sep 13
5
Force ip disconnect after register?
Is there a way to drop an IP connection to asterisk after a number of
register attempts.
I have been having issues with hackers doing registration scanning against
our server. We block their address at the firewall but since asterisk does
not force a drop of the connect after so many bad reg attempts I can't
enforce the block until they drop and try again. This allows them to run
the box
2010 Nov 07
3
Why are the hackers scanning for these?
Hey, I'm going thru logs, and I see some very common and interesting things
that the hackers are looking for.
In a whole bunch of scans, I've noticed that the first guess or two for sip
accounts is usually a 10-digit number. I'm asking myself, why these numbers?
Are they looking for a voip trunk? Or is it just like a serial number for the
scan? What?
Here's some examples:
2017 Feb 10
2
Disallow CALLS without registry
> On 11/02/2017, at 3:40 am, Frank Vanoni <mailinglist at linuxista.com> wrote:
>
> On Thu, 2017-02-09 at 14:58 +0200, ????? ?????? wrote:
>
>
>> so the main question is -- how to Disallow CALLS without registering
>> on PBX
>
> sip.conf configuration
> In the [general] section, define:
>
>
> [general]
> ...
> allowguest=no
>
2010 Jul 22
3
My Switch is being attacked using sip scanner tool (Service Abuse Attack)
An attacker is scanning my Asterisk Switch to gain illegitimate access to
VoIP call functionality.
Using a sip scanning tool, *it* sends REGISTERs with random identities. And
when it discovers one identity subscribed in my switch, it tries to
authenticate with random passwords using this user name.
For the moment, I have replaced this account. And also blocked the IP it has
used but each time
2010 Aug 30
1
Fail2ban integration issues with Asterisk 1.4.21 under Debian Lenny
Hi,
I've recently had a fairly prolonged SIP registration attack, 18 hours in
this case and often with 200 attempts per second, and suspect I've had a
number of these in the past. The main symptom I noticed previously was,
because Asterisk was responding to each registration request it received,
it was very quickly using up my 448 kbps upload limit for my home ADSL
connection: any
2013 Nov 04
1
No matching peers message has gone (1.8.23.1)
Hi
Ever since we upgraded our asterisk servers to 1.8.23.1, we no longer get
the 'no matching peer' error when we get a dictionary SIP attack.
Now the logs always show a 'wrong password' when there actually isn't a
matching peer.
We even have alwaysauthreject = yes in our sip.conf.
Has anyone else noticed this phenomenon?
Thanks in Advance
Ish
--
Ishfaq Malik
2010 Nov 29
1
ID'ing failed auth IPs
So when someone's brute forcing your server is there a way to identify
the originating IPs without using a tcpdump? When I get a failed auth
on the console it shows 'account at asteriskserver' then tag=as25ca5023 (or
some random string, though it's a bit odd as alwaysauthreject = yes is
on in sip.conf). Anyway, the logs don't show anything more useful
either. Is there
2010 Oct 03
3
SIP flood attack
Hello all. I was recently the victim of a SIP flood attack. I'm wondering
what is the best method to prevent such things in the future.
Many thanks
Greg
2013 Jun 02
1
Asterisk T.38 Pass-Through doesn't work
What I have is:
* Asterisk 1.8.10.1~dfsg-1ubuntu1,
* SPA112 ATA with analog fax in 1-st FXS port connected,
* SIP trunk with provider supporting T.38.
My network looks like this:
* spa112 (192.168.33.200/24) and Asterisk (192.168.5.253/24) in
neighbouring LANs,
* Asterisk connects to the provider (80.75.130.136) via router
(82.200.7.184). Router has full DNAT to Asterisk server.
What happens?
2014 Feb 03
1
call rejected because extension not found in context 'internal
Hi all,
I want two sip clients to connect through Asterisk in local network for
testing. My sip.conf file looks like this
[general]
context=internal
allowguest=no
allowoverlap=no
bindport=5060
bindaddr=0.0.0.0
srvlookup=no
disallow=all
allow=ulaw
alwaysauthreject=yes
canreinvite=no
nat=yes
session-timers=refuse
localnet=192.168.1.0/255.255.255.0
[7001]
type=friend
host=dynamic
2011 Mar 17
1
SIP registration DoS but no logs in messages
Dear mailing list,
I've an Asterisk 1.4.21.2~dfsg-3+lenny1 package installed on my debian
and I've a strange behavior.
After some days running normally, my asterisk is under heavy attack,
however, there is nothing logged in the console (logging from debug ->
error) or file (level from notice ->error)
I can see that there is also a peak on the network traffic.
My first guess is that
2010 Apr 23
6
RTP over TCP
Hi List,
i have to put an * between two other SIP gateways and due to some
circumstances, i have to use sip over tcp. With 1.6.2.6 this is working
fine: sip gw A (deverto4) sends the call, i hand it over to sip gw B
(ocs) and that's about it. In the other direction however (ocs -> me ->
deverto4) the call setup is complete but there is no audio.
I can see the audio in the form of
2013 Sep 18
2
sipgate outgoing calls
Hello
i am trying to setup sipgate gateway
i can get incoming calls fine, but when i dial in and then try to dial
out i get this in asterisk command line
-- Called 01179248615 at sipgate
[Sep 18 13:58:30] NOTICE[28232]: chan_sip.c:17885
handle_response_invite: Failed to authenticate on INVITE to
'"01179553708" <sip:SIP-ID at sipgate.co.uk>;tag=as30eb9dd1'
--
2011 Jul 23
9
Securing Asterisk
I beg to differ. Digium is hiding from the real world and somebody is
going to take the software and run with it. My customers lost in excess
of $50.000 and cut my pay in half, because of hackers. The hackers
figured out how to scan every asterisk for weak passwords or open
ports, and bang them real good. We need two things: a) disable in
sip.conf the reply for INVITES that have wrong user
2010 Jul 02
7
iptables/ blocking brute-force attacks, and so on...
I've just posted this to another list where we were talking about the same
old issues we've been plagued with recently - I'd already posted some
iptables rules, but added more to it for this...
This script probably isn't compatible with anything else, but I don't run
anything else. It's also designed to act on the incoming interface, not to
run in a router, but
2017 Feb 09
3
Disallow CALLS without registry
HI ALL
got small question
i use call-limit=1 on peers
but call limit is not working if user is not registered on PBX and
making calls
so the main question is -- how to Disallow CALLS without registering on PBX
--
Best regards
Antony
tel. +380669197533
tel2. +380636564340
Paypal http://paypal.me/Satskiy
2020 Feb 14
1
Predictive call - agent talking to a customer, then suddenly talking to another customer
Hi, do you have NAT between Asterisk and agent phones?
Best regards
Tomáš Holý
Hi Tomas
Thanks for replying.
Yes, the phones are in one location in a LAN and are then NATed to enable them to contact the Asterisk which is hosted in the cloud.
A typical sip.conf phone configuration on the remote server for the site is
[general]
session-timers=refuse
disallow=all
allow=g729:20
allow=ulaw
2010 Nov 22
5
Someone has hacked into our system
Someone has hacked into our system and is making calls overseas.
How can I:
1. Find out where the calls are originating from?
2. Block all calls that are not authorized?
Our system is in the USA.
Only calls from inside our LAN are allowed.
Thank you,
Gary Kuznitz
2015 Jun 08
4
Am I cracked?
Kevin Larsen <kevin.larsen at pioneerballoon.com> wrote:
> Based on SIP packets coming in from IP addresses you don't recognize,
> while you may not be hacked, you would seem to have people probing your
I think, too, it's someone probing my IP...
> system. One thing you can do at the firewall level is restrict inbound sip
> communications to only those from your