Asterisk SIP attacks and sshguard


Hello,

We had been seeing SIP-guessing attacks on our Asterisk server here.

While it wasn’t that hard to write a once-a-minute cron job to spank
the lusers, that runs once a minute and creates little spikes in the
usage and I/O graphs, and is slower to respond than I’d really prefer.
I felt that it’d be much cooler to get something more comprehensive
put together. We don’t use fail2ban because I don’t like having to
install python.

sshguard is a high-performance compiled C application that can run
off a log file or a pipe from syslogd to sshguard, meaning that it
can respond a lot more quickly than once a minute, and works with
very modest overhead on the host system. It also has features such
as touchiness, so that it can get tougher on a miscreant as time goes
on; my own shell script is naive in that once it passes a threshold,
there’s just a permanent rule generated. This worries me if I ever
have a situation where a legitimate remote client gets messed up and
tries the wrong password or something like that; sshguard does a much
nicer job in this regard.

In any case, my initial attempts to create rules for sshguard didn’t
work right, quite possibly because I don’t often work in LEX/YACC.
I submitted a request to the sshguard guys suggesting new rules.

http://www.sshguard.net/support/submission/detail/49ce7182028d8b6f3e3d/

and on their mailing list, a little more:

http://sourceforge.net/mailarchive/forum.php?thread_name=F4E10075-5D93-43B4-B73A-1FD217BE130D%40sshguard.net&forum_name=sshguard-users

In particular, they’re looking for log examples of some of those
messages, but I have no idea how to generate the conditions that would
cause these messages. I’m also not sure if there’s a way to disable
color codes in the Asterisk log files; we log indirectly via BSD’s
“logger”

# asterisk -vvv 2>&1 | logger -t asterisk

so it may be thinking that the console is color-capable. We use this
method because this forces them through the syslog mechanism; we need
that for centralized logging, and it’s handy for things like sshguard
too.

Specifically looking for examples of (or how to generate)

1) .*No registration for peer '.*' (from )
2) .*Host failed MD5 authentication for '.*' (.*)
3) .*Failed to authenticate user .*@.*

If anyone who is more familiar with the attacks or how to generate
these messages would give me some assistance, or chime in on the
sshguard-users list, that’d be most appreciated.

Thanks.

… JG
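The once-a-minute counting approach the post describes, as an added example that is neither the poster's own script nor anything from sshguard: a POSIX shell function that counts failed SIP registrations per source address in Asterisk log lines (assuming colour codes are off and the usual syslog line prefix), reports the sources past a threshold, and prints the pf table additions it would make rather than applying them. The sample log lines, the threshold, the 192.0.2.45 address and the pf table name are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): per-source counting of failed SIP
# registrations over constructed Asterisk/syslog lines. Assumes plain
# (uncoloured) log text; the threshold, the 192.0.2.45 address, the usernames
# and the pf table name are assumptions.

THRESHOLD=5   # failed registrations per source before it is reported (assumption)

# Constructed sample input in the shape quoted later in the thread
# ("Registration from '...' failed for 'IP' - reason"), as syslog would store it.
sample_log() {
    cat <<'EOF'
Dec  9 06:47:51 pbx asterisk: NOTICE[5630]: chan_sip.c:15593 handle_request_register: Registration from '"100" <sip:100@192.0.2.10>' failed for '121.11.158.174' - Wrong password
Dec  9 06:47:51 pbx asterisk: NOTICE[5630]: chan_sip.c:15593 handle_request_register: Registration from '"101" <sip:101@192.0.2.10>' failed for '121.11.158.174' - Wrong password
Dec  9 06:47:52 pbx asterisk: NOTICE[5630]: chan_sip.c:15593 handle_request_register: Registration from '"102" <sip:102@192.0.2.10>' failed for '121.11.158.174' - No matching peer found
Dec  9 06:47:52 pbx asterisk: NOTICE[5630]: chan_sip.c:15593 handle_request_register: Registration from '"103" <sip:103@192.0.2.10>' failed for '121.11.158.174' - Wrong password
Dec  9 06:47:53 pbx asterisk: NOTICE[5630]: chan_sip.c:15593 handle_request_register: Registration from '"104" <sip:104@192.0.2.10>' failed for '121.11.158.174' - Wrong password
Dec  9 06:47:53 pbx asterisk: NOTICE[5630]: chan_sip.c:15593 handle_request_register: Registration from '"105" <sip:105@192.0.2.10>' failed for '121.11.158.174' - Wrong password
Dec  9 06:48:10 pbx asterisk: NOTICE[5630]: chan_sip.c:15593 handle_request_register: Registration from '"201" <sip:201@192.0.2.10>' failed for '192.0.2.45' - Wrong password
Dec  9 06:48:12 pbx asterisk: NOTICE[5630]: chan_sip.c:15593 handle_request_register: Registration from '"201" <sip:201@192.0.2.10>' failed for '192.0.2.45' - Wrong password
Dec  9 06:48:30 pbx asterisk: VERBOSE[5630]: chan_sip.c: -- Registered SIP '201' at 192.0.2.10:5060
EOF
}

# sip_offenders [threshold]: read log lines on stdin and print "count ip",
# highest count first, for each source whose failed registrations reach the
# threshold (defaults to THRESHOLD).
sip_offenders() {
    awk -v threshold="${1:-$THRESHOLD}" -v q="'" '
        /Registration from .* failed for / {
            # The source address is the single-quoted token after "failed for";
            # q carries the quote character so it need not appear in this script.
            if (match($0, "failed for " q "[0-9.]+" q)) {
                ip = substr($0, RSTART + 12, RLENGTH - 13)
                fails[ip]++
            }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold)
                    print fails[ip], ip
        }' | sort -rn
}

# ban_commands: turn "count ip" lines into pf table additions, printed rather
# than executed so they can be reviewed first. "badsip" is an assumed table
# name; a permanent add like this is exactly the naive step the post worries about.
ban_commands() {
    while read -r count ip; do
        printf 'pfctl -t badsip -T add %s   # %s failed registrations\n' "$ip" "$count"
    done
}

# Stand-alone run: report offenders in the sample and the rules that would follow.
sample_log | sip_offenders | ban_commands
```

Against a live box the sample is replaced with something like `tail -n 20000 /var/log/messages | sip_offenders`; what sshguard adds over this is the escalating, expiring block the post is after, which a one-shot table addition does not give you.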

7 thoughts on - Asterisk SIP attacks and sshguard

  • I do not have log examples to provide but do have info about other issues.

    There is a nocolor option in asterisk.conf that can turn off color.

    logger.conf has a provision to use syslog directly.
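The two settings this comment points at, as an added example (not text from the commenter): the console-colour switch in asterisk.conf and a syslog destination in logger.conf, with the key names used in Asterisk's sample configuration files. The local0 facility is an assumption; use whichever one your syslogd routes to sshguard.

```ini
; asterisk.conf: stop Asterisk emitting ANSI colour codes, so the text that
; reaches syslog (and any parser reading it) is plain
[options]
nocolor = yes

; logger.conf: send notices and up straight to syslog instead of piping
; "asterisk -vvv" through logger; the facility (local0) is an assumption
[logfiles]
syslog.local0 => notice,warning,error
```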

  • For a while, I had been using a cron job that used Perl to examine logs
    and ban IPs. I shared the solution at http://bit.ly/cDHlLq.

    As attacks increased, I found the following very, very good for Asterisk
    stand-alone solutions:

  • I’m not sure if this is the log entry you are looking for. I had many of these last
    night.

    [Dec 9 06:47:51] NOTICE[5630]: chan_sip.c:15593 handle_request_register: Registration from '"106" ' failed for '121.11.158.174' - Wrong password

    If you need more information from this Asterisk box let me know. I need to find a
    way to block these also.

    Gary

    On 9 Dec 2010 at 7:57, Joe (Joe Greco) commented
    about [asterisk-users] Asterisk SIP attac:

  • Yeah, why not? All the criminals on the internet are using it, too! ;^)

    I’m seeing 1-4 scans per day on the average. And it’s pretty clearly
    svwar & friends. A total lack of imagination. A bunch of script kiddies.

    murf

  • Those tools don’t seem to generate (or I can’t figure out how to get
    them to generate) any of the above messages; I already have plenty
    of the

    Registration from 'foo' failed for 'host' - reason

    messages that sipvicious seems to generate. I’m not quite sure what
    to do to generate examples of the above messages, any suggestions
    are appreciated.

    … JG