Are these Brute Force Attempts

General and Support topics relating to ViciDialNow and GoAutoDial ISO installers

Moderators: enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, s0lid

Are these Brute Force Attempts

Postby simonc » Thu Jul 12, 2012 9:22 am

We keep on getting messages like these. I am not sure if its a hack attempt or internal system trying to connect :evil:

[2012-07-12 10:11:39] NOTICE[3202]: chan_sip.c:16565 handle_request_subscribe: Sending fake auth rejection for user <sip:311@OURIPADDRESS;transport=UDP>;tag=e374f411
[2012-07-12 10:11:39] NOTICE[3202]: chan_sip.c:16565 handle_request_subscribe: Sending fake auth rejection for user <sip:311@OURIPADDRESS;transport=UDP>;tag=e374f411
[2012-07-12 10:11:39] NOTICE[3202]: chan_sip.c:16565 handle_request_subscribe: Sending fake auth rejection for user <sip:311@OURIPADDRESS;transport=UDP>;tag=e374f411
Single Server | GoAutoDial 2.1 Base - Updated CentOS | VERSION: 2.6-370a | BUILD: 120529-2112
Server Specs : 2 X Dual Xeon 2.0Ghz on SuperMicro based server | 4GB DDR2 ECC Ram | 100Mbps Dedicated | 2 X 250GB 7200RPM IN RAID
simonc
 
Posts: 49
Joined: Thu May 17, 2012 9:53 am

Re: Are these Brute Force Attempts

Postby mcargile » Fri Jul 13, 2012 1:49 pm

This could be, or it could be a misconfigured phone. If you are seeing hundreds of these scrolling by in the console, it is a brute force attack, and you should try and figure out the IP and block it.
Michael Cargile | Director of Engineering | ViciDialGroup | http://www.vicidial.com

The official source for VICIDIAL services and support. 1-888-894-VICI (8424)
mcargile
Site Admin
 
Posts: 617
Joined: Tue Jan 16, 2007 9:38 am

Re: Are these Brute Force Attempts

Postby williamconley » Fri Jul 13, 2012 2:09 pm

Check the IP of the "incident". If it is a user/office in your system, then they likely misconfigured a phone. Be happy you don't have fail2ban running. LOL

If the IP does not belong to someone you know, use iptables to block all traffice TO AND FROM that IP. Then look at setting up a "whitelist" solution before evening. Trust me when I say another IP will be attacking soon. If you are open for "testing passwords", the attacks will increase until you cannot use your server reliably several times per day.

Also of note: Once that level is reached, the whitelist solution will not "permanently, immediately fix" your problem, as these script puppies will hammer at the outside of your firewall for several days after setting up the whitelist. At that point you will likely need to change your IP address or wait a few days with on/off reliability until they give up and go home. And that's even with ping turned off. Many of these scripts are purely automated and will continue to attack even after you no longer exist. One they realize that you are allowing them to guess at passwords.

Their goal: access your asterisk platform, generate thousands of calls (general cost = $2000 per hour, historically).
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Are these Brute Force Attempts

Postby simonc » Mon Jul 16, 2012 10:55 am

how can we check the Incident IP address if they are happening only 3 At a time, and fromw hat i can see and copy pasted, there is no IP log, only a tag.
Single Server | GoAutoDial 2.1 Base - Updated CentOS | VERSION: 2.6-370a | BUILD: 120529-2112
Server Specs : 2 X Dual Xeon 2.0Ghz on SuperMicro based server | 4GB DDR2 ECC Ram | 100Mbps Dedicated | 2 X 250GB 7200RPM IN RAID
simonc
 
Posts: 49
Joined: Thu May 17, 2012 9:53 am

Re: Are these Brute Force Attempts

Postby williamconley » Mon Jul 16, 2012 3:11 pm

/var/log/asterisk has log files with many possibilities depending on your setup.

The /etc/asterisk/logger.conf file controls what level of logging goes in which file.

Code: Select all
asterisk -rx "logger rotate"
will "activate" any new settings placed in logger.conf.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Are these Brute Force Attempts

Postby striker » Tue Jul 24, 2012 12:29 am

For these kind of attack you wont get the ip of the hacker in the logs (fail2ban also wont work for these attacks) . you have to trace the ip using the iftop

also check the below settings in your sip.conf
alwaysauthreject = yes
allowguest=no

tracing the ip of the attacker using iftop
run the below command in the linux console
iftop -i eth0 -f "dst port 5060" ; " this show the ip interfacing the port 5060" or use iftop -P or iftop -i etho check google for iftop man page

/sbin/iptables -I INPUT -s ipaddressofthehacker -j DROP
service iptables save

foreg: /sbin/iptables -I INPUT -s XXX.XXX.XXX.XXX -j DROP ; where is the XXX.XXX.XXX.XXX is the hacker ip traced in the iftop command
www.striker24x7.com www.youtube.com/c/striker24x7 Telegram/skype id : striker24x7
striker
 
Posts: 962
Joined: Sun Jun 06, 2010 10:25 am

Re: Are these Brute Force Attempts

Postby williamconley » Tue Jul 24, 2012 10:27 am

we usually do get the ip address of the attacker in our logs. sip registration fail attempts store the ip, ssh login attempts also log the ip.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Are these Brute Force Attempts

Postby simonc » Fri Aug 03, 2012 3:50 pm

I was reviewing the logs and found this :

[2012-06-30 22:38:30] NOTICE[3235] chan_sip.c: Registration from '<sip:cd201@208.66.68.18;transport=UDP>' failed for '65.94.76.188' - Device does not match ACL
[2012-06-30 22:38:30] NOTICE[3235] chan_sip.c: Registration from '<sip:cd201@208.66.68.18;transport=UDP>' failed for '65.94.76.188' - Device does not match ACL


Does that means taht they found the pasword for this specific user but got refused because i setup an ACL for it or was it refused because of non matching acl before the IP

By the way, those options are alredy set on my sip.conf : alwaysauthreject = yes
allowguest=no
Single Server | GoAutoDial 2.1 Base - Updated CentOS | VERSION: 2.6-370a | BUILD: 120529-2112
Server Specs : 2 X Dual Xeon 2.0Ghz on SuperMicro based server | 4GB DDR2 ECC Ram | 100Mbps Dedicated | 2 X 250GB 7200RPM IN RAID
simonc
 
Posts: 49
Joined: Thu May 17, 2012 9:53 am

Re: Are these Brute Force Attempts

Postby williamconley » Fri Aug 03, 2012 10:46 pm

ACL mismatch does not allow password attempts. Fails before checking (ie: disqualified, refused to check).
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Are these Brute Force Attempts

Postby simonc » Wed Aug 15, 2012 11:19 pm

williamconley wrote:we usually do get the ip address of the attacker in our logs. sip registration fail attempts store the ip, ssh login attempts also log the ip.


yes we do as well without a problema and also have fail2ban working and banning ip addresses on a daily basis!

Issue is that someone is trying to attack the system in an unconvential way for asterisk and it gives a tag instead of the Ip address.

handle_request_subscribe: Sending fake auth rejection for user <sip:311@OURIPADDRESS;transport=UDP>;tag=e374f411
Single Server | GoAutoDial 2.1 Base - Updated CentOS | VERSION: 2.6-370a | BUILD: 120529-2112
Server Specs : 2 X Dual Xeon 2.0Ghz on SuperMicro based server | 4GB DDR2 ECC Ram | 100Mbps Dedicated | 2 X 250GB 7200RPM IN RAID
simonc
 
Posts: 49
Joined: Thu May 17, 2012 9:53 am

Re: Are these Brute Force Attempts

Postby okli » Sun Aug 19, 2012 2:19 pm

We got around this SIP attacks by changing the SIP signalling port to a random one in the higher range, in addition to the Fail2Ban and few other protections via IP tables.
Softphones use that new port and in IP tables created simple port forwarding rule to forward that port, only from our provider's IPs, to the internal address.
Fail2Ban attack reports dropped from 10-15 per day to 0, for the past 12 months.
okli
 
Posts: 671
Joined: Mon Oct 01, 2007 5:09 pm


Return to ViciDialNow - GoAutoDial

Who is online

Users browsing this forum: Bing [Bot] and 120 guests