On 23 Jan 2009 at 22:36, Christopher Gray wrote:

> Hello:
>
> Beginning on January 6, it appears that somebody has been trying to hack into
> my Asterisk. They have tried on the 7th, 9th, and the 20th. The messages file
> in /var/log/Asterisk shows entries like this:
>
> [Jan 20 13:39:40] NOTICE[5130] chan_sip.c: Registration from '"1072963462"<sip:[email protected]>' failed for '212.174.78.60' - No matching peer found
>
> [Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from '"100"<sip:[email protected]>' failed for '212.174.78.60' - No matching peer found
>
> [Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from '"101"<sip:[email protected]>' failed for '212.174.78.60' - No matching peer found
>
> [Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from '"102"<sip:[email protected]>' failed for '212.174.78.60' - No matching peer found
>
> [Jan 20 13:39:41] NOTICE[5130] chan_sip.c: Registration from '"103"<sip:[email protected]>' failed for '212.174.78.60' - No matching peer found
>
> The sip:101, sip:102 and so on goes up until sip:9975. This began at 13:39:40
> and ended at 13:42:51. Entries began at line 970 of the log file and ended at
> 8016 for a total of 7,041 occurrences.
>
> How worried should I be about this and what should I do to stop further
> attempts?
Attacks are never fun. Use the ACL (permit/deny) in sip.conf to block this IP or range of IPs at least. Or use iptables. There are a lot of iptables scripts to prevent this kind of attack if you look at the solutions for the very common SSH attacks that keep testing multiple usernames. Maybe someone on the list has a version for SIP attempts over TCP and/or UDP?

It's always good to have a bit less obvious peer names than the ones they test. Don't use usernames or extension numbers. Make sure you separate the namespaces. Kevin usually suggests Ethernet MAC addresses, which are harder to guess, but still relate to something even though they do have a well-known pattern.

Finally, it's important to make sure you have good passwords. There's no reason to have simple passwords in something you only install in software in devices or applications. There's no user who has to learn to remember the MD5 auth secrets.

That's my 10 cents. Please, list, fill in and correct me when wrong!

/O

_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--
asterisk-security mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-security
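As an added illustration of the fail2ban-style approach suggested in the reply (not code from the thread or from the Asterisk project), the script below parses chan_sip "Registration from ... failed for ..." NOTICE lines in the format quoted above, counts failures per source address in a sliding window, and emits the matching sip.conf `deny=` line and iptables drop. The sample log, the threshold, the TEST-NET addresses and the `pbx.example` domain are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# chan_sip NOTICE line as quoted in the thread (syslog-style timestamp, no year).
FAILED_REG = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[\d.]+)' - "
    r"(?P<reason>.+)$")

def parse_failure(line, year=2009):
    """Return (timestamp, source_ip, claimed_identity, reason) or None."""
    m = FAILED_REG.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["from"], m["reason"]

def find_offenders(lines, threshold=20, window_seconds=60, year=2009):
    """Map source IP -> time it first reached `threshold` failures
    within any `window_seconds` span (sliding window, fail2ban-style)."""
    recent, offenders = defaultdict(deque), {}
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        ts, ip = parsed[0], parsed[1]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop stale entries
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders

def block_rules(offenders):
    """sip.conf [general] deny= entries and matching iptables drops (UDP 5060)."""
    return [(f"deny={ip}/255.255.255.255",
             f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP")
            for ip in sorted(offenders)]

def sample_log():
    """Constructed sample: a 30-second enumeration burst from one TEST-NET
    address plus two stray failures from another, mimicking the thread's lines."""
    fmt = ("[Jan 20 13:39:{s:02d}] NOTICE[5130] chan_sip.c: Registration from "
           "'\"{u}\"<sip:{u}@pbx.example>' failed for '{ip}' - No matching peer found")
    burst = [fmt.format(s=s, u=100 + s, ip="203.0.113.5") for s in range(30)]
    stray = [fmt.format(s=s, u=7, ip="198.51.100.7") for s in (5, 50)]
    return burst + stray + ["[Jan 20 13:40:00] NOTICE[5130] chan_sip.c: Peer 'alice' is now Reachable"]
```

Run `block_rules(find_offenders(sample_log()))` to see the deny line and iptables command for the bursting address; the two stray failures stay below the threshold.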
