Do a reverse lookup on your attacker. Then find their ISP. Then file an abuse complaint.

On Mon, Jun 30, 2008 at 12:15 PM, spectro <[EMAIL PROTECTED]> wrote:
> Hello, yesterday one of the extensions on my asterisk server got
> compromised by brute-force attack. The attacker used it to try to pull an
> identity theft scam playing a recording from a bank "your account has
> been blocked due to unusual activity, please call this number..."
>
> Attacker managed to make lots of calls for around 8 hours before I
> detected it and changed the password for that extension. As of this
> morning it is still attempting to brute force the password for that
> extension again. I need a way to block that IP from connecting to my
> asterisk server, please advise.
>
> --- sip debug ---
> Using INVITE request as basis request -
> [EMAIL PROTECTED]
> Sending to 74.52.112.162 : 5060 (NAT)
> Found user '211'
> Reliably Transmitting (NAT) to 74.52.112.162:5060:
> SIP/2.0 403 Forbidden
> Via: SIP/2.0/UDP
> 74.52.112.162:5060;branch=z9hG4bK3b28fa36;received=74.52.112.162;rport=5060
> From: "ASLPLS" <sip:[EMAIL PROTECTED]>;tag=as130a4d39
> To: <sip:[EMAIL PROTECTED]>;tag=as0c69057b
> Call-ID: [EMAIL PROTECTED]
> CSeq: 103 INVITE
> User-Agent: Asterisk PBX
> llow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
> Contact: <sip:[EMAIL PROTECTED]>
> Content-Length: 0
> --- sip debug ---
>
> That box is currently running Trixbox 1.2.3. I have iptables disabled.
> If anybody can give me a simple ruleset that allows all traffic except
> ip 74.52.112.162 to port 5060 I will really appreciate it.
>
> Are there mechanisms in Asterisk to detect and automatically block
> these brute force attempts?
>
> _______________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> AstriCon 2008 - September 22 - 25 Phoenix, Arizona
> Register Now: http://www.astricon.net
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
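
Added example, not part of the thread and not Asterisk's or Trixbox's own tooling: one way to approach the detect-and-block question above. It counts `403 Forbidden` responses per peer in `sip debug` output of the shape quoted and prints, without running, an iptables DROP rule for UDP port 5060 for each peer at or over a threshold. The function names, the threshold of 3 and the sample log (including the 192.0.2.x addresses) are constructed for illustration.

```shell
#!/bin/sh
# flag_bruteforce THRESHOLD: reads "sip debug" text on stdin and prints each
# peer address that received at least THRESHOLD "403 Forbidden" responses.
flag_bruteforce() {
    awk -v min="$1" '
        # Remember the peer of the response being sent, e.g.
        # "Reliably Transmitting (NAT) to 74.52.112.162:5060:"
        /Transmitting .*to [0-9.]+:[0-9]+:/ {
            peer = $NF                 # "74.52.112.162:5060:"
            sub(/:.*/, "", peer)       # keep only the address
            next
        }
        # The status line follows; count only 403 rejections.
        /^SIP\/2\.0 403 / && peer != "" { hits[peer]++; peer = ""; next }
        # Any other status line ends that response without counting it.
        /^SIP\/2\.0 [0-9]/ { peer = "" }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | sort
}

# block_rules: reads addresses on stdin and prints one rule per address that
# drops only SIP signalling (UDP 5060) from it; all other traffic is untouched.
block_rules() {
    while read -r ip; do
        echo "iptables -I INPUT -s $ip -p udp --dport 5060 -j DROP"
    done
}

# Constructed sample in the format of the debug output quoted above.
sample_log() {
cat <<'EOF'
Reliably Transmitting (NAT) to 74.52.112.162:5060:
SIP/2.0 403 Forbidden
CSeq: 103 INVITE
Reliably Transmitting (NAT) to 74.52.112.162:5060:
SIP/2.0 403 Forbidden
CSeq: 104 INVITE
Reliably Transmitting (NAT) to 74.52.112.162:5060:
SIP/2.0 403 Forbidden
CSeq: 105 INVITE
Reliably Transmitting (NAT) to 192.0.2.10:5060:
SIP/2.0 403 Forbidden
Reliably Transmitting (NAT) to 192.0.2.20:5060:
SIP/2.0 200 OK
EOF
}

# Print the proposed rules for review; nothing is applied to the firewall.
sample_log | flag_bruteforce 3 | block_rules
```

Review the printed rules before applying them: a threshold that is too low will also catch a legitimate phone that has been configured with a stale password.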
