Koozali.org: home of the SME Server

My server is under brute force attacks on Port 5060

Offline markleman

« Reply #15 on: September 07, 2010, 01:31:46 PM »
Oh and one last point, the attacker used the ext/password of an 'internal' extension. I had assumed that only 'external' extensions would be vulnerable (*) and had already changed the passwords on these. Obviously my understanding of 'internal' and 'external' in sark/sail is incorrect - I'll have to ask Jeff when I get a moment.

Regards, Mark Leman

* I had followed the advice here http://forums.contribs.org/index.php/topic,43858.msg209962.html#msg209962 but from later posts http://forums.contribs.org/index.php/topic,46022.msg225011.html#msg225011 this appears to be incorrect

Offline chris burnat

« Reply #16 on: September 07, 2010, 02:01:19 PM »
In one instance, they got into an internal extension and cracked it - was just 4 digits, easy. Quoting Jeff in one of the posts you refer to:
"It doesn't matter if your extension is set for internal or not.  Internal/external simply turns on Asterisk's nat processor (nat=yes).  It doesn't stop SIP packets, which is usually all these guys are interested in".

Nice part of it is that my ISP only charged me their cost price, as per Australian regulations - ISP cannot profit from fraud. So the $2,000+ ended up around $1,100. Nice markup hey, just under 100%, and this is one of the more competitive ISPs. Telstra et al are doing a lot better obviously. We're in the wrong business....
- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.

Offline Franco

« Reply #17 on: September 07, 2010, 03:14:30 PM »
Hi,
Install fail2ban and sleep well at night.
Any system that is put on the internet is about to get scanned, snooped or get some kind of attack; it's the price you have to pay for being "accessible".

Best,

Offline chris burnat

« Reply #18 on: September 08, 2010, 01:35:00 AM »

Install fail2ban and sleep well at night.

Thanks, have you implemented this on SME?
- chris

Offline Franco

« Reply #19 on: September 08, 2010, 03:20:46 AM »
Hi Chris,
You can use this how-to http://www.sunshinenetworks.com.au/how-to/56-install-fail2ban-on-elastix-16.html
Works just as well on SME.

Best,

guest22

« Reply #20 on: September 10, 2010, 11:48:43 PM »

Offline gippsweb

« Reply #21 on: September 12, 2010, 04:53:54 AM »
I added fail2ban to my SME box yesterday after 2 hours of continuous attempts from the same IP address.

I had one ext without an ACL due to it being on a dynamic IP outside the LAN. After adding an ACL it seemed to inflame the hacker and the attempts increased, so I added fail2ban.

It didn't stop the attempts, they continued for another 10 hours. But they did stop short another 2 attempts during the night. They stopped after 10-15 goes, instead of a few thousand normally.

Overall I am happy with the results, although it won't stop a DDoS. 8G of data later, mine gave up.
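
The fail2ban behaviour described in the posts above (ban a source once it has failed too many SIP registrations in a short time), as an added example that is not part of the original thread and is not fail2ban's own code. The log line format, the thresholds and the `find_bans` / `sample_log` names are assumptions, and the sample lines are constructed with documentation IP ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Asterisk chan_sip registration-failure notices (line format is an assumption).
FAIL_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'.*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
    r"(?:Wrong password|No matching peer found)"
)

def find_bans(lines, maxretry=5, findtime=600, allow=()):
    """Return {ip: time of ban} for sources with maxretry failures within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # not a registration failure
        ip = m.group("ip")
        if ip in allow or ip in bans:
            continue  # trusted source, or already banned
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans

def sample_log():
    """Constructed log lines: one fast guesser, one slow source, one unrelated notice."""
    fmt = ("[2010-09-12 04:{m:02d}:{s:02d}] NOTICE[2345] chan_sip.c: Registration from "
           "'\"{ext}\" <sip:{ext}@192.0.2.1>' failed for '{ip}' - {why}")
    lines = [fmt.format(m=0, s=i, ext=100 + i, ip="198.51.100.7", why="Wrong password")
             for i in range(6)]
    # One failure every 11 minutes: never two inside a 10-minute window.
    lines += [fmt.format(m=11 * i, s=0, ext=201, ip="203.0.113.9",
                         why="No matching peer found") for i in range(4)]
    lines.append("[2010-09-12 04:50:00] NOTICE[2345] chan_sip.c: "
                 "Peer '201' is now Reachable. (23ms / 2000ms)")
    return lines

if __name__ == "__main__":
    for ip, when in find_bans(sample_log(), maxretry=3).items():
        print(f"ban {ip} at {when}")
```

The slow source in the sample is never banned, which is why a per-source threshold alone does not catch low-rate guessing against short numeric passwords.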


Offline igortsky

« Reply #22 on: September 12, 2010, 12:05:29 PM »
You can also put a rate limiting rule in iptables. I was getting hit many times per second, but with rate limiting, fail2ban gets them after only 2 attempts. Also banned a few offending countries, which has almost stopped the attempts. Instead of several a day, I only get the odd one every few days.

Evert

Offline chris burnat

« Reply #23 on: September 12, 2010, 12:26:29 PM »
Evert,
excuse my ignorance.  Can you elaborate, how did you "put a rate limiting rule in iptables"?
Thanks.
- chris

Offline igortsky

« Reply #24 on: September 12, 2010, 12:33:49 PM »
Have a look at this link on Whirlpool forum:

http://whrl.pl/Rcqzpl

Evert

Offline chris burnat

« Reply #25 on: October 08, 2010, 04:13:46 AM »

Code:
db configuration setprop SIP AllowHosts xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx
signal-event remoteaccess-update

To block all port 5060 UDP traffic except from a few approved IP addresses.

Mark, your comment should read:
Code:
db configuration setprop SIP AllowHosts xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx
i.e. no space between IP addresses.
 
- chris

Offline madadam

« Reply #26 on: October 18, 2010, 08:35:58 AM »
You done well mate, I got done for over $AU2,000 between me and a client I had to pay for....
Thanks for posting your fix for blocking 5060, and other info!
Cheers
chris

Hi Chris,

I suggest using Simtex (simtex.com.au) for trunking as they will allow you to set up limits so your bill can't go higher than that. Useful if you're worried you might be hacked.

Adam
...

Offline chris burnat

« Reply #27 on: October 18, 2010, 08:48:32 AM »
Hi Chris,

I suggest using Simtex (simtex.com.au) for trunking as they will allow you to set up limits so your bill can't go higher than that. Useful if you're worried you might be hacked.

Adam

Many thanks mate, will check them out.
- chris