SIP ATTACK!

All installation and configuration problems and questions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

SIP ATTACK!

Postby noworldorder » Mon Aug 08, 2011 7:09 pm

VERSION: 2.4-324a
BUILD: 110707-1402
Asterisk 1.4.27.1
Dual Core

I am getting this message many times per second:

[Aug 8 17:05:14] NOTICE[1524]: chan_sip.c:16378 handle_request_register: Registration from '"aaron" <sip:aaron@24.69.74.181>' failed for '218.17.160.68' - No matching peer found

This IP 218.17.160.68 is a known VOIP hacker. My ISP said there is nothing they can do about it. I do not want to change my IP unless I have to.

s there any other solution?

Thanks
noworldorder
 
Posts: 391
Joined: Sat Mar 06, 2010 3:56 pm

Postby williamconley » Mon Aug 08, 2011 11:12 pm

1) Thanks for posting your vicidial version with build. Thanks also for posting a couple more items.

2) Please try to remember to include your Installation method (ALWAYS) because it comes in handy in certain situations (often for OTHERS who read the post and don't know if your situation matches theirs! but sometimes ...). Case in point: I don't know your OS or system map, so I will give "generic" help. 8-)

3) Execute at the command line and if you have iptables active the "attacker" will suddenly cease to get a response from your system.
Code: Select all
iptables -A INPUT 1 -s 24.0.0.0/8 -p all -j DROP


4) Initiate an iptables security system. Only allow authorized IP addresses access to your system (VOIP providers, DNS requests, Agents in other offices, even the owner's Mom's house ...). Then with everyone else locked out by default ... the system is secure from that sort of attack. You may still experience brute force "robo" attacks bouncing off your firewall for a day or two, but they'll wear off. Avoid Fail2Ban unless you can ensure that a bad sip phone registration entry won't lock out an entire room! LOL

5) Also: If you learn how, you can (during the brute force attack) ALLOW the attacker, but limit their "speed" of attack to 10k, greatly reducing their impact during the attack. As soon as they give up for the day, remove their access again. Usually this results in no further attacks within 48 hours.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

sip attack block with fail2ban

Postby striker » Tue Aug 09, 2011 1:32 am

hi

use the fail2ban , the result is very good
below is the attack ip's which are blocked automatically by the faile2ban in vicidial server within a month.


-------------

fail2ban-ASTERISK all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 120.89.40.54 0.0.0.0/0
DROP all -- 60.191.141.119 0.0.0.0/0
DROP all -- 196.33.85.3 0.0.0.0/0
DROP all -- 222.168.102.78 0.0.0.0/0
DROP all -- 203.90.136.76 0.0.0.0/0
DROP all -- 69.73.144.72 0.0.0.0/0
DROP all -- 46.45.181.34 0.0.0.0/0
DROP all -- 210.83.86.142 0.0.0.0/0
DROP all -- 109.73.51.17 0.0.0.0/0
DROP all -- 195.137.187.2 0.0.0.0/0
DROP all -- 196.41.220.147 0.0.0.0/0
DROP all -- 210.160.101.202 0.0.0.0/0
DROP all -- 219.254.35.83 0.0.0.0/0
DROP all -- 174.122.153.170 0.0.0.0/0
DROP all -- 119.68.246.2 0.0.0.0/0
DROP all -- 211.72.78.139 0.0.0.0/0
DROP all -- 59.39.62.132 0.0.0.0/0
DROP all -- 174.122.138.186 0.0.0.0/0
DROP all -- 218.108.85.251 0.0.0.0/0
DROP all -- 95.211.135.228 0.0.0.0/0
DROP all -- 64.130.210.149 0.0.0.0/0
DROP all -- 206.221.189.14 0.0.0.0/0
DROP all -- 221.8.63.83 0.0.0.0/0
DROP all -- 202.100.85.17 0.0.0.0/0
DROP all -- 180.153.178.10 0.0.0.0/0
DROP all -- 66.90.101.115 0.0.0.0/0
DROP all -- 213.158.0.42 0.0.0.0/0
DROP all -- 72.9.149.20 0.0.0.0/0
DROP all -- 202.70.86.66 0.0.0.0/0
DROP all -- 87.252.5.118 0.0.0.0/0
DROP all -- 202.91.241.245 0.0.0.0/0
DROP all -- 190.152.77.7 0.0.0.0/0
DROP all -- 72.29.70.51 0.0.0.0/0
DROP all -- 85.233.218.158 0.0.0.0/0
DROP all -- 69.65.18.26 0.0.0.0/0
DROP all -- 67.230.173.194 0.0.0.0/0
DROP all -- 202.57.42.173 0.0.0.0/0
DROP all -- 93.186.196.77 0.0.0.0/0
DROP all -- 67.205.85.88 0.0.0.0/0
DROP all -- 218.14.203.206 0.0.0.0/0
DROP all -- 202.58.181.132 0.0.0.0/0
DROP all -- 211.166.12.245 0.0.0.0/0
DROP all -- 66.23.234.122 0.0.0.0/0
DROP all -- 64.31.62.183 0.0.0.0/0
DROP all -- 190.104.1.122 0.0.0.0/0
DROP all -- 124.129.5.82 0.0.0.0/0
DROP all -- 8.24.70.15 0.0.0.0/0
DROP all -- 190.120.233.182 0.0.0.0/0
DROP all -- 222.231.60.164 0.0.0.0/0
DROP all -- 65.168.44.16 0.0.0.0/0
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 220.249.99.35 0.0.0.0/0
DROP tcp -- 220.249.99.35 0.0.0.0/0 tcp dpt:5060
DROP all -- 64.71.162.208 0.0.0.0/0
DROP all -- 58.6.148.25 0.0.0.0/0
DROP all -- 218.17.160.68 0.0.0.0/0
DROP tcp -- 218.17.160.68 0.0.0.0/0 tcp dpt:5060
www.striker24x7.com www.youtube.com/c/striker24x7 Telegram/skype id : striker24x7
striker
 
Posts: 962
Joined: Sun Jun 06, 2010 10:25 am

Postby noworldorder » Tue Aug 09, 2011 1:58 am

thanks - sounds good - but how exactly do I "use the fail2ban"

I am a rank amature....
noworldorder
 
Posts: 391
Joined: Sat Mar 06, 2010 3:56 pm

fail2ban for asterisk

Postby striker » Tue Aug 09, 2011 2:59 am

below is the link to install and configure the fail2ban for asteirsk attacks

http://striker24x7.blogspot.com/2011/07 ... erisk.html

the above method is installed and tested incentos platform
www.striker24x7.com www.youtube.com/c/striker24x7 Telegram/skype id : striker24x7
striker
 
Posts: 962
Joined: Sun Jun 06, 2010 10:25 am

Re: SIP ATTACK!

Postby navdeepthakur3 » Mon Jul 22, 2013 7:07 pm

I tried the everything watever u told in your blog but still its not working no ip in block list

[root go ~]# cat /etc/fail2ban/filter.d/asterisk.conf
# /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
#The
# host must be matched by a group named "host". The tag "" can
# be used for standard IP/hostname matching and is only an alias
#for
# (?:::f{4,6}:)?(?PS+)
# Values: TEXT
#

failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
NOTICE.* <HOST> failed to authenticate as '.*'$
NOTICE.* .*: No registration for peer '.*' (from <HOST>)
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')


# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =



[root go ~]# cat /etc/fail2ban/jail.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 747 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=you mail.com, sender=fail2ban mail.com]
logpath = /var/log/sshd.log
maxretry = 5

[proftpd-iptables]

enabled = false
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=ProFTPD, dest=you mail.com]
logpath = /var/log/proftpd/proftpd.log
maxretry = 6

# This jail forces the backend to "polling".

[sasl-iptables]

enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, dest=you mail.com]
logpath = /var/log/mail.log

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled = false
filter = sshd
action = hostsdeny
sendmail-whois[name=SSH, dest=you mail.com]
ignoreregex = for myuser from
logpath = /var/log/sshd.log

# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled = false
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache*/*error.log
/home/www/myhomepage/error.log
maxretry = 6

# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.

[postfix-tcpwrapper]

enabled = false
filter = postfix
action = hostsdeny[file=/not/a/standard/path/hosts.deny]
sendmail[name=Postfix, dest=you mail.com]
logpath = /var/log/postfix.log
bantime = 300

# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 600 seconds (bantime).

[vsftpd-notification]

enabled = false
filter = vsftpd
action = sendmail-whois[name=VSFTPD, dest=you mail.com]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800

# Same as above but with banning the IP address.

[vsftpd-iptables]

enabled = false
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=VSFTPD, dest=you mail.com]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800

# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled = false
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
sendmail-buffered[name=BadBots, lines=5, dest=you mail.com]
logpath = /var/www/*/logs/access_log
bantime = 172800
maxretry = 1

# Use shorewall instead of iptables.

[apache-shorewall]

enabled = false
filter = apache-noscript
action = shorewall
sendmail[name=Postfix, dest=you mail.com]
logpath = /var/log/apache2/error_log

# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.

[php-url-fopen]

enabled = false
port = http,https
filter = php-url-fopen
logpath = /var/www/*/logs/access_log
maxretry = 1

# A simple PHP-fastcgi jail which works with lighttpd.
# If you run a lighttpd server, then you probably will
# find these kinds of messages in your error_log:
# ALERT â tried to register forbidden variable âGLOBALSâ
# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
# This jail would block the IP 1.2.3.4.

[lighttpd-fastcgi]

enabled = false
port = http,https
filter = lighttpd-fastcgi
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.

[ssh-ipfw]

enabled = false
filter = sshd
action = ipfw[localhost=192.168.0.1]
sendmail-whois[name="SSH,IPFW", dest=you mail.com]
logpath = /var/log/auth.log
ignoreip = 168.192.0.1

# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
# channel security_file {
# file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
# category security {
# security_file;
# };
# };
#
# in your named.conf to provide proper logging.
# This jail blocks UDP traffic for DNS requests.

[named-refused-udp]

enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
sendmail-whois[name=Named, dest=you mail.com]
logpath = /var/log/named/security.log
ignoreip = 168.192.0.1

# This jail blocks TCP traffic for DNS requests.

[named-refused-tcp]

enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
sendmail-whois[name=Named, dest=you mail.com]
logpath = /var/log/named/security.log
ignoreip = 168.192.0.1

[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
sendmail-whois[name=ASTERISK,
dest=navdeepthakur3 gmail.com, sender=fail2ban somewhere.com]
logpath = /var/log/asterisk/full
maxretry = 5
bantime = 600
ignoreip = 127.0.0.1 172.21.0.0/255.255.255.0


[root go ~]# /etc/init.d/fail2ban restart
Stopping fail2ban: [ OK ]
Starting fail2ban: [ OK ]


[root go ~]# asterisk -r
Asterisk 1.4.39.1-vici RPM by demian goautodial.com, Copyright (C) 1999 - 2010 Digium, Inc. and others.
Created by Mark Spencer <markster digium.com>
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details.
This is free software, with components licensed under the GNU General Public
License version 2 and other licenses; you are welcome to redistribute it under
certain conditions. Type 'core show license' for details.
=========================================================================
Connected to Asterisk 1.4.39.1-vici RPM by demian goautodial.com currently running on go (pid = 3320)
Verbosity is at least 21
[Jul 22 19:58:02] == Parsing '/etc/asterisk/manager.conf': [Jul 22 19:58:02] Found
[Jul 22 19:58:02] == Manager 'sendcron' logged on from 127.0.0.1
[Jul 22 19:58:02] == Parsing '/etc/asterisk/manager.conf': [Jul 22 19:58:02] Found
[Jul 22 19:58:02] == Manager 'sendcron' logged on from 127.0.0.1
[Jul 22 19:58:02] == Manager 'sendcron' logged off from 127.0.0.1
[Jul 22 19:58:02] == Manager 'sendcron' logged off from 127.0.0.1
[Jul 22 19:58:03] NOTICE[3424]: chan_sip.c:16835 handle_request_register: Registration from '<sip:2008 x.x.x.x>' failed for '46.16.33.60' - No matching peer found
[Jul 22 19:58:04] NOTICE[3424]: chan_sip.c:16835 handle_request_register: Registration from '<sip:2008 x.x.x.x>' failed for '46.16.33.60' - No matching peer found
[Jul 22 19:58:07] == Parsing '/etc/asterisk/manager.conf': [Jul 22 19:58:07] Found
[Jul 22 19:58:07] == Manager 'sendcron' logged on from 127.0.0.1
[Jul 22 19:58:07] == Manager 'sendcron' logged off from 127.0.0.1
[Jul 22 19:58:13] NOTICE[3424]: chan_sip.c:16835 handle_request_register: Registration from '<sip:3000 x.x.x.x>' failed for '46.16.33.60' - No matching peer found
[Jul 22 19:58:13] NOTICE[3424]: chan_sip.c:16835 handle_request_register: Registration from '<sip:3000 x.x.x.x>' failed for '46.16.33.60' - No matching peer found
go*CLI>
Disconnected from Asterisk server
[root go ~]# iptables -L -v
Chain INPUT (policy ACCEPT 1677K packets, 160M bytes)
pkts bytes target prot opt in out source destination
1242 125K fail2ban-ASTERISK all -- any any anywhere anywhere
5140 252K ACCEPT tcp -- any any 172.21.0.0/24 anywhere tcp dpt:ssh
8 456 DROP tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any 172.21.0.0/24 anywhere tcp dpt:mysql
55 2596 DROP tcp -- any any anywhere anywhere tcp dpt:mysql

Chain FORWARD (policy ACCEPT 249K packets, 136M bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1669K packets, 157M bytes)
pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (0 references)
pkts bytes target prot opt in out source destination

Chain fail2ban-ASTERISK (1 references)
pkts bytes target prot opt in out source destination
1242 125K RETURN all -- any any anywhere anywhere

where it is wrong can u figure out ??
navdeepthakur3
 
Posts: 51
Joined: Fri Jul 22, 2011 2:10 pm

Re: SIP ATTACK!

Postby striker » Tue Jul 23, 2013 12:27 am

for vicidial you need to change the below lines

[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
sendmail-whois[name=ASTERISK,
dest=navdeepthakur3 gmail.com, sender=fail2ban somewhere.com]
logpath = /var/log/asterisk/full
maxretry = 5
bantime = 600
ignoreip = 127.0.0.1 172.21.0.0/255.255.255.0

to

[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
sendmail-whois[name=ASTERISK,
dest=navdeepthakur3 gmail.com, sender=fail2ban somewhere.com]
logpath = /var/log/asterisk/messages
maxretry = 5
bantime = 600
ignoreip = 127.0.0.1 172.21.0.0/255.255.255.0
www.striker24x7.com www.youtube.com/c/striker24x7 Telegram/skype id : striker24x7
striker
 
Posts: 962
Joined: Sun Jun 06, 2010 10:25 am


Return to Support

Who is online

Users browsing this forum: No registered users and 136 guests