
Title: Block hackers attack

Author: ckleea    Time: 2010-9-1 18:51     Title: Block hackers attack

I read this

Just in case anyone is using Blockhosts
(http://www.aczoom.com/blockhosts/) with their Linux servers and
Asterisk here are the rules necessary to block invalid users:


    "asterisk-NoPeer":
        r'Registration from .* failed for \'{HOST_IP}\' - No matching peer found',

    "asterisk-NoAuth":
        r'Registration from .* failed for \'{HOST_IP}\' - Username/auth name mismatch',

    "asterisk-NoPass":
        r'Registration from .* failed for \'{HOST_IP}\' - Wrong password',

Just add these rules to your /etc/blockhosts.conf file.
Author: 角色    Time: 2010-9-1 19:55

Thanks to ckleea for providing the information to us!

YH
Author: ckleea    Time: 2010-9-1 20:56

I am trying to use this setting on my centos-asterisk
Author: 角色    Time: 2010-9-1 22:33

This post was last edited by 角色 on 2010-9-2 09:23

You mean your Asterisk is always being attacked by hackers?

YH
Author: kermit    Time: 2010-9-2 03:53

There are a lot of hackers wanting to enumerate my extensions. Every day when I check my log file, I can see that information.
Author: 角色    Time: 2010-9-2 06:58

That is why you have to make your password very, very long to get rid of those attacks.

YH
Author: ckleea    Time: 2010-9-2 08:26

But the log will tell you which IP attacks your server. When you put the IPs in the blacklist of hosts.allow, it will drop their connections.
Author: bubblestar    Time: 2010-9-2 09:19

I am certain that hackers will change their IPs frequently to invade their target system, not necessarily using their own IP but making use of other innocent IP ranges on purpose, resulting in DoS (Denial of Service).

On the other hand, your log blacklist may become larger and larger someday, which will also create a certain degree of burden on your own system.

Anyhow, doing something is better than doing nothing, at least at this stage.
Author: kermit    Time: 2010-9-2 13:53

After setting "alwaysauthreject=yes" and "allowguest=no", each IP can try two extensions only.
Author: bubblestar    Time: 2010-9-2 15:35

Cool! Thanks for the information. It sounds very simple to set up. Hope it is effective.
Author: bubblestar    Time: 2010-9-2 15:43

Taking IP-01 as an example, I found its "alwaysauthreject=yes" is already a default. It means that what I need to do is to change "allowguest=no".
Author: 角色    Time: 2010-9-6 08:56

You may eliminate the chances of being hacked by setting

    alwaysauthreject=yes

in sip.conf. For details, you may take a look at the following website:

http://www.dslreports.com/forum/ ... sk-hacking-attempts

YH
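The two sip.conf settings discussed in this thread (kermit's "alwaysauthreject=yes allowguest=no" and 角色's alwaysauthreject=yes) are easy to forget to verify, and as the later posts show, the build's default for alwaysauthreject cannot be relied on. The following is an added example, not from any poster or from the Asterisk project: a minimal audit that reads the [general] section of a sip.conf text and reports whichever of the two settings is missing or not set as recommended. The two sip.conf snippets are constructed for the example, the parser handles only the `key=value` / `key=>value` and `;` comment forms it needs, and the function names are assumptions.

```python
# Settings recommended in the thread and the value each should hold.
#   alwaysauthreject=yes : reject an unknown user and a wrong password with the same
#                          response, so a scanner cannot tell which extensions exist.
#   allowguest=no        : refuse calls from unauthenticated peers.
EXPECTED = {"alwaysauthreject": "yes", "allowguest": "no"}

# Constructed sip.conf with the weak settings (allowguest left at yes,
# alwaysauthreject not set at all).
WEAK_SIP_CONF = """\
[general]
context=default
bindaddr=0.0.0.0
allowguest=yes
; alwaysauthreject is not set here, so the build's default decides

[6001]
type=friend
secret=1234
"""

# The same file with both settings as recommended in the thread.
HARDENED_SIP_CONF = """\
[general]
context=default
bindaddr=0.0.0.0
allowguest=no
alwaysauthreject=yes

[6001]
type=friend
secret=replace-with-a-long-random-secret
"""


def parse_general(text):
    """Return the options of [general] as a lowercase dict (last value wins).

    Minimal parser for this example: handles 'key=value' and 'key=>value' lines
    and strips ';' comments. It is not Asterisk's own config loader.
    """
    opts, in_general = {}, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_general = line.lower().startswith("[general]")
            continue
        if in_general and "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip().lower()] = value.lstrip(">").strip().lower()
    return opts


def audit(text):
    """Return a list of findings; an empty list means both settings are as recommended."""
    general = parse_general(text)
    findings = []
    for key, want in EXPECTED.items():
        have = general.get(key)
        if have is None:
            findings.append(f"{key} not set in [general] (want {want}; do not rely on the build's default)")
        elif have != want:
            findings.append(f"{key}={have} (want {want})")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SIP_CONF), ("hardened", HARDENED_SIP_CONF)):
        print(label, audit(conf) or ["ok"])
```

Run against a real file with `audit(open("/etc/asterisk/sip.conf").read())`; a file that never mentions alwaysauthreject is reported as a finding on purpose, which matches the thread's experience that one firmware defaulted it to yes and another to no.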
Author: ckleea    Time: 2010-9-10 14:47

Switchfin will have permit and deny for peers and trunks, and in future will have iptables.

http://www.telecom-cafe.com/tele ... &extra=#pid8761
Author: bubblestar    Time: 2010-9-10 14:55

This post was last edited by bubblestar on 2010-9-10 15:18

Protecting your IP PBX with iptables is Rule #1 in the 10 Rules You Should Follow.
Author: ckleea    Time: 2010-9-18 05:55

Another script to block repeated SIP registration:

http://www.teamforrest.com/blog/ ... g-peer-found-block/
Author: ckleea    Time: 2010-10-4 21:59

A new attack from 64.156.192.26
Author: 電腦超人    Time: 2010-10-4 23:14

Another one...
119.70.40.102

inetnum:      119.64.0.0 - 119.71.255.255
netname:      Xpeed
descr:        LG Powercomm
descr:        537-18,Bangbaedong,Seochogu, Seoul
descr:        *******************************************
descr:        Allocated to KRNIC Member.
descr:        If you would like to find assignment
descr:        information in detail please refer to
descr:        the KRNIC Whois Database at:
descr:        http://whois.nic.or.kr/english/index.htm
descr:        *******************************************
Author: 電腦超人    Time: 2010-10-5 03:13

Another...
119.188.7.146

inetnum:        119.176.0.0 - 119.191.255.255
netname:        UNICOM-SD
descr:          China Unicom Shandong Province Network
descr:          China Unicom
country:        CN
admin-c:        CH1302-AP
tech-c:         XZ14-AP
remarks:        service provider
status:         ALLOCATED PORTABLE
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CNCGROUP
mnt-lower:      MAINT-CNCGROUP-SD
mnt-routes:     MAINT-CNCGROUP-RR
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:        This object can only be updated by APNIC hostmasters.
remarks:        To update this object, please contact APNIC
remarks:        hostmasters and include your organisation's account
remarks:        name in the subject line.
remarks:        -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed:        hm-changed@apnic.net 20080225
changed:        hm-changed@apnic.net 20090508
changed:        hm-changed@apnic.net 20100927
source:         APNIC

route:        119.176.0.0/12
descr:        CNC Group CHINA169 Shandong Province Network
country:      CN
origin:       AS4837
mnt-by:       MAINT-CNCGROUP-RR
changed:      abuse@cnc-noc.net 20080225
source:       APNIC
Author: Qnewbie    Time: 2010-10-5 04:08

Korean:
211.215.19.242

Hostname:    211.215.19.242
ISP:    Hanaro Telecom, Inc.
Organization:    Hanaro Telecom, Inc.
Proxy:    None detected
Type:    Broadband
Assignment:    Static IP
Author: ckleea    Time: 2010-10-6 06:36

This post was last edited by ckleea on 2010-10-6 06:47

Another IP: 79.114.199.69
Already in my Asterisk and tried 2 numbers.

IP      : 79.114.199.69
Host    : 79-114-199-69.dynamic.brasov.rdsnet.ro
Country : Romania


Author: ckleea    Time: 2010-10-6 06:50

They tried to dial 900185099930593 and 001263912797847.
Author: 角色    Time: 2010-10-6 07:50

Since I set

    alwaysauthreject=yes

in sip.conf and stopped allowing access to my Asterisk system from outside on port 22, the whole system has not been attacked at all. Everyone may consider this.

角色
Author: ckleea    Time: 2010-10-6 09:00

I already have alwaysauthreject=yes.
Author: 電腦超人    Time: 2010-10-7 18:42

After more than 3 days... the one from Shandong has also given up...

Because I blocked its IP in the firewall...
Never mind Asterisk... get past the Linux firewall first (better than nothing, anyway~)
Author: 角色    Time: 2010-10-7 18:58

It is even better if there is a firewall; if not, you also have to pay attention to the Asterisk server settings.

角色
Author: 電腦超人    Time: 2010-10-7 20:54

Of course Asterisk has to be set up properly first...
Because the firewall can only block after the fact......
Author: 電腦超人    Time: 2010-10-20 01:09

Today someone tried to break into my Asterisk again...
This time it's Germany...
(and the host it shows is this... srv-bg07.sicor.net)

IP Address         86.110.67.42
Host         srv-bg07.sicor.net
Location         DE DE, Germany
City         Grönenbach, 02 -
Organization         SICOR GmbH
ISP         Trusted Network
AS Number         AS21385 Trusted Network GmbH
Latitude         47°88'33" North
Longitude         10°21'67" East
Distance         1174.47 km (729.78 miles)
Author: 角色    Time: 2010-10-20 07:44

Change your port 22 to a different port number and see if it gets any better?

角色
Author: 電腦超人    Time: 2010-10-20 11:51

Change your port 22 to a different port number and see if it gets any better?

角色
角色 posted on 2010-10-20 07:44

It seems to be attacking my Asterisk...
It keeps retrying to log in to my 6001 account...
Author: 角色    Time: 2010-10-20 16:39

Have you set alwaysauthreject=yes? (It should be the default.)

角色
Author: 電腦超人    Time: 2010-10-20 17:56

Have you set alwaysauthreject=yes? (It should be the default.)

角色
角色 posted on 2010-10-20 16:39

Just set it...
My default seems to be no...
Author: 角色    Time: 2010-10-20 21:48

So the default is not yes, I'm stunned!!!! Hope it improves.

角色
Author: ckleea    Time: 2010-10-20 22:00

Default in switchfin firmware
allowauthreject = yes

    Global Settings:
    ----------------
      SIP Port:               5060
      Bindaddress:            0.0.0.0
      Videosupport:           No
      AutoCreatePeer:         No
      Allow unknown access:   No
      Allow subscriptions:    Yes
      Allow overlap dialing:  Yes
      Promsic. redir:         No
      SIP domain support:     No
      Call to non-local dom.: Yes
      URI user is phone no:   No
      Our auth realm          Realm
      Realm. auth:            No
      Always auth rejects:    Yes
      Call limit peers only:  No
      Direct RTP setup:       No
      User Agent:             SwitchFin PBX
      MWI checking interval:  10 secs
      Reg. context:           (not set)
      Caller ID:              asterisk
      From: Domain:
      Record SIP history:     Off
      Call Events:            Off
      IP ToS SIP:             none
      IP ToS RTP audio:       EF
      IP ToS RTP video:       CS3
      T38 fax pt UDPTL:       No
      RFC2833 Compensation:   No
      SIP realtime:           Disabled

    Global Signalling Settings:
    ---------------------------
      Codecs:                 0x10e (gsm|ulaw|alaw|g729)
      Codec Order:            alaw:20,ulaw:20,gsm:20,g729:20
      T1 minimum:             100
      No premature media:     No
      Relax DTMF:             No
      Compact SIP headers:    No
      RTP Keepalive:          0 (Disabled)
      RTP Timeout:            0 (Disabled)
      RTP Hold Timeout:       0 (Disabled)
      MWI NOTIFY mime type:   application/simple-message-summary
      DNS SRV lookup:         Yes
      Pedantic SIP support:   No
      Reg. min duration       60 secs
      Reg. max duration:      3600 secs
      Reg. default duration:  120 secs
      Outbound reg. timeout:  20 secs
      Outbound reg. attempts: 0
      Notify ringing state:   Yes
      Notify hold state:      No
      SIP Transfer mode:      open
      Max Call Bitrate:       384 kbps
      Auto-Framing:           No

    Default Settings:
    -----------------
      Context:                default
      Nat:                    Always
      DTMF:                   rfc2833
      Qualify:                2000
      Use ClientCode:         No
      Progress inband:        Never
      Language:               (Defaults to English)
      MOH Interpret:          default
      MOH Suggest:
      Voice Mail Extension:   asterisk

Author: bubblestar    Time: 2010-10-27 11:10

This post was last edited by bubblestar on 2010-10-27 11:16

Securing Asterisk

"The Asterisk source contains a very important file named SECURITY, which outlines several steps you should take to keep your Asterisk system secure. It is vitally important that you read and understand this file. If you ignore the security precautions outlined there, you may end up allowing anyone and everyone to make long-distance or toll calls at your expense!"

    # Create a user account that will be used to run Asterisk:
    adduser --system --no-create-home --home /var/lib/asterisk --shell /bin/false asterisk

    # Uncomment these lines in /etc/init.d/asterisk:
    vim /etc/init.d/asterisk
    AST_USER="asterisk"
    AST_GROUP="asterisk"

    mkdir /var/run/asterisk
    chown asterisk:asterisk /var/run/asterisk

    # Point the run directory at it in /etc/asterisk/asterisk.conf:
    vim /etc/asterisk/asterisk.conf
    astrundir => /var/run/asterisk

    chown -R asterisk:asterisk /etc/asterisk
    chown -R asterisk:asterisk /usr/lib/asterisk
    chown -R asterisk:asterisk /var/log/asterisk
    chown -R asterisk:asterisk /var/spool/asterisk
    chown -R asterisk:asterisk /var/lib/asterisk
    chown -R asterisk:asterisk /dev/zap/pseudo

    # Launch Asterisk in debug mode to check that it loads OK:
    asterisk -U asterisk -G asterisk -cvv
    # CTRL-C to close

That website says this tuning is very important for Asterisk security and something you must know, but I don't know whether it is really effective; those who believe it may give it a try.
Author: ckleea    Time: 2014-3-15 21:13

A recent batch of hacker IP addresses

    iptables -A INPUT -s 220.177.198.0/24 -j DROP
    iptables -A INPUT -s 116.10.191.0/24 -j DROP
    iptables -A INPUT -s 119.39.124.0/24 -j DROP
    iptables -A INPUT -s 61.174.51.0/24 -j DROP
    iptables -A INPUT -s 67.222.1.0/24 -j DROP
    iptables -A INPUT -s 190.14.159.0/24 -j DROP
    iptables -A INPUT -s 222.186.38.0/24 -j DROP
    iptables -A INPUT -s 190.14.159.0/24 -j DROP
    iptables -A INPUT -s 1.93.34.0/24 -j DROP
    iptables -A INPUT -s 66.135.55.0/24 -j DROP
    iptables -A INPUT -s 222.186.38.0/24 -j DROP
    iptables -A INPUT -s 211.157.179.0/24 -j DROP
    iptables -A INPUT -s 61.147.103.0/24 -j DROP
    iptables -A INPUT -s 115.239.248.0/24 -j DROP
    iptables -A INPUT -s 1.93.24.0/24 -j DROP
    iptables -A INPUT -s 42.62.17.0/24 -j DROP
    iptables -A INPUT -s 220.177.198.0/24 -j DROP
    iptables -A INPUT -s 87.106.49.0/24 -j DROP
    iptables -A INPUT -s 123.125.8.0/24 -j DROP
    iptables -A INPUT -s 61.136.171.0/24 -j DROP
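A hand-maintained list like the one above accumulates duplicates and typos (the post itself repeats three networks and, as originally typed, contained an address with a doubled dot that iptables would reject), and appending straight to INPUT makes the list hard to reload. As an added example, not from the poster or from any project, the script below validates each entry with Python's `ipaddress` module, collapses duplicates and contained networks, and emits iptables commands that keep the blocklist in its own chain so it can be flushed and reloaded in one step. The sample list mixes a few entries taken from the post with its malformed one; the chain name and function names are assumptions.

```python
import ipaddress

# A few entries from the post, including its duplicates and the malformed
# "115.239.248..0/24" as originally typed (constructed sample for this example).
RAW_BLOCKLIST = """\
220.177.198.0/24
116.10.191.0/24
190.14.159.0/24
222.186.38.0/24
190.14.159.0/24
115.239.248..0/24
222.186.38.0/24
61.147.103.0/24
"""


def normalize(entries):
    """Parse CIDR strings and return (unique networks, rejected strings).

    Networks that are duplicates of, or contained in, another entry are
    collapsed so every address is matched by exactly one rule.
    """
    by_version = {4: [], 6: []}
    rejected = []
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)  # strict: host bits must be zero
        except ValueError:
            rejected.append(entry)
            continue
        by_version[net.version].append(net)
    collapsed = []
    for version in (4, 6):
        collapsed.extend(ipaddress.collapse_addresses(by_version[version]))
    return collapsed, rejected


def iptables_rules(nets, chain="SIP_BLOCKLIST"):
    """Return iptables commands that load the IPv4 networks into a dedicated chain.

    The chain is (re)created and flushed, filled with DROP rules, and hooked from
    INPUT only if the jump is not already present, so re-running is idempotent.
    IPv6 networks are skipped here; they would need ip6tables.
    """
    cmds = [
        f"iptables -N {chain} 2>/dev/null || true",
        f"iptables -F {chain}",
    ]
    cmds += [f"iptables -A {chain} -s {n.with_prefixlen} -j DROP" for n in nets if n.version == 4]
    cmds.append(f"iptables -C INPUT -j {chain} 2>/dev/null || iptables -I INPUT -j {chain}")
    return cmds


if __name__ == "__main__":
    nets, rejected = normalize(RAW_BLOCKLIST.splitlines())
    for bad in rejected:
        print(f"# rejected: {bad!r}")
    print("\n".join(iptables_rules(nets)))
```

Pipe the output into `sh` only after reviewing the rejected lines; a blocklist entry that fails to parse is usually a typo for a network the author did intend to block.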

Author: harold    Time: 2017-4-1 13:12

Is this the same function as fail2ban?




Welcome to 電訊茶室 (http://www.telecom-cafe.com/forum/) Powered by Discuz! 7.2