Block hacker attacks
I read this. Just in case anyone is using BlockHosts
([url]http://www.aczoom.com/blockhosts/[/url]) with their Linux servers and
Asterisk, here are the rules necessary to block invalid users:
[code]
"asterisk-NoPeer":
    r'Registration from .* failed for \'{HOST_IP}\' - No matching peer found',
"asterisk-NoAuth":
    r'Registration from .* failed for \'{HOST_IP}\' - Username/auth name mismatch',
"asterisk-NoPass":
    r'Registration from .* failed for \'{HOST_IP}\' - Wrong password',
[/code]
Just add these rules to your /etc/blockhosts.conf file. Thanks to ckleea for providing the information to us!
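To see what the three rules above actually catch, here is an added example (not part of the original post and not BlockHosts code) that runs them over a few constructed chan_sip log lines and lists the source addresses that crossed a failure threshold. The log lines, the TEST-NET addresses in them and the threshold of 3 are all assumptions of this example. It also goes one step beyond the posted rules: the IP group accepts an optional `:port` suffix, which newer Asterisk releases append after the address and which the rules as posted would not match.

```python
"""Added example, not from the original thread and not part of BlockHosts:
run the three regexes posted above over sample chan_sip log lines and pick the
source addresses that crossed a failure threshold.

Assumptions (mine, not the page's): the log lines below are constructed and use
TEST-NET addresses; {HOST_IP} is filled with an IPv4 capture group, standing in
for the substitution BlockHosts performs when it loads the file; the threshold
of 3 is illustrative.  The IP group also accepts an optional ':port' suffix,
which newer Asterisk releases log after the address."""
import re
from collections import Counter

# The rules exactly as they would appear in /etc/blockhosts.conf.
RULES = {
    "asterisk-NoPeer": r"Registration from .* failed for \'{HOST_IP}\' - No matching peer found",
    "asterisk-NoAuth": r"Registration from .* failed for \'{HOST_IP}\' - Username/auth name mismatch",
    "asterisk-NoPass": r"Registration from .* failed for \'{HOST_IP}\' - Wrong password",
}

# Dotted-quad IPv4 address, optionally followed by ':port' (assumption, see above).
HOST_IP = r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})(?::\d+)?"

COMPILED = {name: re.compile(pat.replace("{HOST_IP}", HOST_IP))
            for name, pat in RULES.items()}


def classify(line):
    """Return (rule_name, source_ip) for the first rule matching the line, else None."""
    for name, rx in COMPILED.items():
        m = rx.search(line)
        if m:
            return name, m.group("ip")
    return None


def offenders(lines, threshold=3):
    """Count rule hits per source IP and return [(ip, hits)] for every address
    at or above the threshold, busiest first (ties broken by IP string)."""
    hits = Counter()
    for line in lines:
        match = classify(line)
        if match:
            hits[match[1]] += 1
    return sorted(((ip, n) for ip, n in hits.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))


# Constructed sample log lines (not real captures); TEST-NET addresses.
SAMPLE_LOG = [
    "[Oct  6 06:47:01] NOTICE[2291] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '198.51.100.7' - No matching peer found",
    "[Oct  6 06:47:02] NOTICE[2291] chan_sip.c: Registration from '\"6001\" <sip:6001@192.0.2.10>' failed for '198.51.100.7' - Username/auth name mismatch",
    "[Oct  6 06:47:03] NOTICE[2291] chan_sip.c: Registration from '\"6001\" <sip:6001@192.0.2.10>' failed for '198.51.100.7' - Wrong password",
    "[Oct  6 06:47:10] NOTICE[2291] chan_sip.c: Registration from '\"101\" <sip:101@192.0.2.10>' failed for '203.0.113.9' - No matching peer found",
    "[Oct  6 06:47:11] NOTICE[2291] chan_sip.c: Registration from '\"102\" <sip:102@192.0.2.10>' failed for '203.0.113.9' - No matching peer found",
    "[Oct  6 06:47:12] NOTICE[2291] chan_sip.c: Registration from '\"6001\" <sip:6001@192.0.2.10>' failed for '203.0.113.9:5060' - Wrong password",
    "[Oct  6 06:47:20] NOTICE[2291] chan_sip.c: Registration from '\"6002\" <sip:6002@192.0.2.10>' failed for '192.0.2.50' - Wrong password",
    "[Oct  6 06:48:00] NOTICE[2291] chan_sip.c: Peer '6001' is now Reachable. (12ms / 2000ms)",
]

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG):
        print(f"{ip}: {n} failed registrations -> candidate for a hosts.allow deny entry")
```

Note that the three rules only fire on REGISTER failures; INVITE attempts from a guest (the "tried 2 numbers" case later in the thread) produce different log lines and need their own pattern or the sip.conf changes discussed below.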
YH: I am trying to use this setting on my centos-asterisk. [Last edited by 角色 on 2010-9-2 09:23]
You mean your Asterisk is always being attacked by hackers?
YH: There are a lot of hackers wanting to enumerate my extensions. Every day I check my log file and I can see that information. That is why you have to make your password very, very long to get rid of those attacks.
YH: But the log will tell you which IP attacks your server. When you put the IPs in the blacklist of hosts.allow, it will drop their connections. I am certain that hackers will change their IPs frequently to invade their target system, not necessarily using their own IP but making use of other innocent IP ranges on purpose, resulting in DoS (Denial of Service).
On the other hand, your log blacklist may become larger and larger some day, which will also create a certain degree of burden on your own system.
Anyhow, doing something is better than doing nothing, at least at this stage. ;P

After setting "alwaysauthreject=yes" and "allowguest=no", each IP can try two extensions only. Cool! Thanks for the information. It sounds very simple to set up. Hope it is effective.

Taking IP-01 as an example, I found its "alwaysauthreject=yes" is already a default. It means that what I need to do is to change to "allowguest=no".

You may eliminate the chances of being hacked by setting [code]alwaysauthreject=yes[/code] in sip.conf. For details, you may take a look at the following website:
[url]http://www.dslreports.com/forum/r24641813-Asterisk-asterisk-hacking-attempts[/url]
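The settings discussed above are easy to miss in a large sip.conf, so here is an added example (not from the thread, and not Asterisk's or Switchfin's own code) that parses a sip.conf and reports when alwaysauthreject is not yes, when allowguest is not no, and when a peer secret is short or equal to the peer name, which is the "very long password" point made earlier. The tiny parser, the MIN_SECRET_LEN policy of 12, the "phone" template and the peer names 6001/6002 are assumptions of this example; both config texts are constructed. The weak file and the corrected file are shown side by side.

```python
"""Added example, not from the thread and not Asterisk's or Switchfin's own code:
audit a sip.conf for the two [general] settings discussed above
(alwaysauthreject, allowguest) and for short or guessable peer secrets.

Assumptions (mine): the parser covers only the syntax the sample uses
('[section]', '[section](template)', '[name](!)' templates, 'key=value',
'key=>value', ';' comments); MIN_SECRET_LEN = 12 is an illustrative policy;
both config texts are constructed, not taken from any real system."""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?$")
MIN_SECRET_LEN = 12  # assumption: local policy, not an Asterisk default


def parse_asterisk_conf(text):
    """Return {section: {key: value}}.  Templates ('[name](!)') are not returned
    as sections; their settings are copied into sections that reference them."""
    sections, templates = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1)
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            entries = {}
            for tmpl in (o for o in opts if o != "!"):
                entries.update(templates.get(tmpl, {}))   # inherit from template
            if "!" in opts:
                templates[name] = entries
            else:
                sections[name] = entries
            current = entries
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            if value.startswith(">"):                  # 'key => value' form
                value = value[1:]
            current[key.strip()] = value.strip()
    return sections


def audit(text):
    """Return a list of findings; an empty list means every check passed.
    Both [general] options must be set explicitly: their defaults differ
    between Asterisk releases, so relying on the default is itself a finding."""
    conf = parse_asterisk_conf(text)
    general = conf.get("general", {})
    findings = []
    if general.get("alwaysauthreject", "").lower() != "yes":
        findings.append("general: alwaysauthreject is not set to yes "
                        "(unknown users are rejected differently from bad passwords, "
                        "so extensions can be enumerated)")
    if general.get("allowguest", "").lower() != "no":
        findings.append("general: allowguest is not set to no "
                        "(unauthenticated INVITEs are accepted)")
    for name, entries in conf.items():
        if name == "general":
            continue
        secret = entries.get("secret")
        if secret is not None and (len(secret) < MIN_SECRET_LEN or secret == name):
            findings.append(f"peer {name}: weak secret ({len(secret)} chars)")
    return findings


# Constructed weak sip.conf (illustrative peers and template, not a real file).
WEAK_SIP_CONF = """\
[general]
context=default
allowguest=yes          ; anonymous INVITEs land in 'default'
alwaysauthreject=no

[phone](!)
type=friend
host=dynamic
context=internal

[6001](phone)
secret=6001             ; secret equals the extension

[6002](phone)
secret => Vq8#mLp2!zR4tW9c
"""

# The same file with the settings recommended in the thread applied.
HARDENED_SIP_CONF = """\
[general]
context=default
allowguest=no
alwaysauthreject=yes

[phone](!)
type=friend
host=dynamic
context=internal

[6001](phone)
secret=Xk4!pQ9z#mN2vB7r

[6002](phone)
secret => Vq8#mLp2!zR4tW9c
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SIP_CONF), ("hardened", HARDENED_SIP_CONF)):
        print(f"== {label} ==")
        for f in audit(conf) or ["no findings"]:
            print(" -", f)
```

Run it against the real file with `audit(open("/etc/asterisk/sip.conf").read())`; the parser ignores `#include` and other directives, so a file that relies on them needs those pieces concatenated first.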
YH: Switchfin will have permit and deny for peers and trunks, and in future will have iptables.
[url]http://www.telecom-cafe.com/telecomcafe/viewthread.php?tid=2963&pid=8761&page=7&extra=#pid8761[/url] [Last edited by bubblestar on 2010-9-10 15:18]
Protecting your IP PBX with iptables is Rule #1 in [url=http://nerdvittles.com/?p=580]10 Rules You Should Follow[/url]. Another script to block repeated SIP registrations:
[url]http://www.teamforrest.com/blog/171/asterisk-no-matching-peer-found-block/[/url]
A new attack from 64.156.192.26. Another one...
119.70.40.102
inetnum: 119.64.0.0 - 119.71.255.255
netname: Xpeed
descr: LG Powercomm
descr: 537-18,Bangbaedong,Seochogu, Seoul
descr: *******************************************
descr: Allocated to KRNIC Member.
descr: If you would like to find assignment
descr: information in detail please refer to
descr: the KRNIC Whois Database at:
descr: [url]http://whois.nic.or.kr/english/index.htm[/url]
descr: *******************************************
Another...
119.188.7.146
inetnum: 119.176.0.0 - 119.191.255.255
netname: UNICOM-SD
descr: China Unicom Shandong Province Network
descr: China Unicom
country: CN
admin-c: CH1302-AP
tech-c: XZ14-AP
remarks: service provider
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP
mnt-lower: MAINT-CNCGROUP-SD
mnt-routes: MAINT-CNCGROUP-RR
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: [email]hm-changed@apnic.net[/email] 20080225
changed: [email]hm-changed@apnic.net[/email] 20090508
changed: [email]hm-changed@apnic.net[/email] 20100927
source: APNIC
route: 119.176.0.0/12
descr: CNC Group CHINA169 Shandong Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: [email]abuse@cnc-noc.net[/email] 20080225
source: APNIC
Korean:
211.215.19.242
Hostname: 211.215.19.242
ISP: Hanaro Telecom, Inc.
Organization: Hanaro Telecom, Inc.
Proxy: None detected
Type: Broadband
Assignment: Static IP
[Last edited by ckleea on 2010-10-6 06:47]
Another IP: 79.114.199.69
Already in my Asterisk and tried 2 numbers.
:L
IP : 79.114.199.69
Host : 79-114-199-69.dynamic.brasov.rdsnet.ro
Country : Romania
They tried to dial 900185099930593 and 001263912797847.
Since I set
[code]alwaysauthreject=yes[/code]
in sip.conf and stopped port 22 from being reachable from outside on my Asterisk system, the whole system has not been attacked at all. Everyone may want to consider it.
角色: I have this already: alwaysauthreject=yes. After more than 3 days... the one from Shandong has given up too...
Because I blocked its IP in the firewall... :lol
Never mind Asterisk... please get past the Linux firewall first (better than nothing, right? :P). It is even better if there is a firewall; if there isn't, the Asterisk server settings also need attention.
角色: Of course Asterisk has to be configured properly first...
Because the firewall can only block after the fact...... :L
Today someone tried to break into my Asterisk again...
This time it's Germany...
(And I also saw that the host is this one... srv-bg07.sicor.net)
IP Address 86.110.67.42
Host srv-bg07.sicor.net
Location DE DE, Germany
City Grönenbach, 02 -
Organization SICOR GmbH
ISP Trusted Network
AS Number AS21385 Trusted Network GmbH
Latitude 47°88'33" North
Longitude 10°21'67" East
Distance 1174.47 km (729.78 miles)
Try changing your port 22 to a different port number and see whether it gets any better?
角色 [quote]Try changing your port 22 to a different port number and see whether it gets any better?
角色 posted on 2010-10-20 07:44[/quote]
It seems to be attacking my Asterisk...
constantly retrying logins to my 6001 account...
Did you set alwaysauthreject=yes? (It should be the default.)
角色