Asterisk silent brute force

All installation and configuration problems and questions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

Asterisk silent brute force

Postby Acidshock » Thu Aug 29, 2013 2:03 pm

Hi Guys,

I just encountered a brute force attempt on a box that wasn't throwing any errors into the CLI. It was using 1.4.44-vici that came with Vicibox 4.0.3. Has anyone experienced this yet? I strace'd asterisk and got this:

close(39) = 0
sendto(10, "SIP/2.0 100 Trying\r\nVia: SIP/2.0"..., 368, 0, {sa_family=AF_INET, sin_port=htons(5102), sin_addr=inet_addr("198.7.57.40")}, 16) = 368
sendto(10, "SIP/2.0 401 Unauthorized\r\nVia: S"..., 465, 0, {sa_family=AF_INET, sin_port=htons(5102), sin_addr=inet_addr("198.7.57.40")}, 16) = 465
poll([{fd=10, events=POLLIN}], 1, 1) = 1 ([{fd=10, revents=POLLIN}])
recvfrom(10, "REGISTER sip:209.X.X.X SIP/2."..., 4095, 0, {sa_family=AF_INET, sin_port=htons(5102), sin_addr=inet_addr("198.7.57.40")}, [16]) = 333
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 39
connect(39, {sa_family=AF_INET, sin_port=htons(5060), sin_addr=inet_addr("198.7.57.40")}, 16) = 0

However nothing was showing in the logs or CLI for something like fail2ban to catch. They were probably running somewhere in the neighborhood of 1000 queries or more a second. Just wondering if anyone else has encountered this and if its just an issue with that version of asterisk. Unfortunately there are remotely logged in agents on this system and it needs to allow registration from outside.
VERSION: 2.14-698a | BUILD: 190207-2301 | Asterisk:13.24.1-vici | Vicibox 8.1.2
Acidshock
 
Posts: 430
Joined: Wed Mar 03, 2010 3:19 pm

Re: Asterisk silent brute force

Postby williamconley » Mon Dec 23, 2013 12:22 am

1) if registration attempts were not tossing errors, and you are the sort capable of this sort of level of packet capture, I'm going to operate under the assumption that YOU turned off some level of warning in the console. Have you edited logger.conf? ;)

2) http://www.viciwiki.com/index.php/DGG
DGG Includes the ability for remote agents to self-authorize their IP, until which they CANNOT get a packet into asterisk to even verify that there is an asterisk server on the IP address. Very handy. 8-) (and using the existing Vicidial logon screen ... but without any logos or "vicidial" indicators until AFTER they log in). No extra steps for the agent, just a new "first" login page.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Asterisk silent brute force

Postby Acidshock » Tue Mar 11, 2014 6:10 pm

[logfiles]
console => notice,warning,error,dtmf
messages => notice,warning,error,debug,verbose,dtmf

That's what is in logger. It should spit it out shouldn't it?
VERSION: 2.14-698a | BUILD: 190207-2301 | Asterisk:13.24.1-vici | Vicibox 8.1.2
Acidshock
 
Posts: 430
Joined: Wed Mar 03, 2010 3:19 pm

Re: Asterisk silent brute force

Postby williamconley » Tue Mar 11, 2014 6:44 pm

check "message" in var/log/asterisk and see if it has sip registration failures. you may find they are "verbose" and not sent to the console.

also be sure you have rebooted since then for new settings to be sure to take effect.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)


Return to Support

Who is online

Users browsing this forum: Bing [Bot], Google [Bot] and 122 guests