Am I Being Hacked?

Hello Asterisk-users,

[2013-08-18 05:56:29] NOTICE[17089][C-000000a8] chan_sip.c: Failed to authenticate device 390<sip:390@xx.xx.xxx.xxx>;tag=2762c06e
[2013-08-18 05:56:34] NOTICE[17089][C-000000a9] chan_sip.c: Failed to authenticate device 390<sip:390@xx.xx.xxx.xxx>;tag=7b909220

I keep getting messages like this where the IP, xx.xx.xxx.xxx, is my own IP. How do I figure out where this attempt is coming from so I can block it?

— Ira

16 thoughts on - Am I Being Hacked?

  • Heh, some bad boys trying to guess configured extensions. In the sip config, in general, set alwaysauthreject = yes. In the CLI, `sip set debug on`, watch the IP, and block it in the firewall (iptables).

  • >> [2013-08-18 05:56:29] NOTICE[17089][C-000000a8] chan_sip.c: Failed to authenticate device 390<sip:390@xx.xx.xxx.xxx>;tag=2762c06e
    >>
    >> I keep getting messages like this where the IP, xx.xx.xxx.xxx, is my own
    >> IP. How do I figure out where this attempt is coming from so I can
    >> block it.

    > Any chance ‘390’ is a legitimate (but mis-configured or obsolete) device
    > on your network?

    > Is xx.xx.xxx.xxx a private or public address?

    > Can you ‘wireshark’ some packets and see if the OUI matches one of your
    > endpoints?

    390 is not, nor has it ever been an extension on my box. I’ve gotten the same message for numerous extensions, sometimes 100-200 inclusive, usually multiple times as if they are trying multiple passwords. I’m sure that no one will ever guess an extension or password on my box that way so I’m not worried, I’ve blocked most of the IPs that my box doesn’t use and it’s been a long time since I’ve seen any outside attempts to register. But in the recent past I’ve been seeing these where I’ve no clue what IP to block as the entries, sip:390@xx.xx.xxx.xxx, always contains an invalid extension and my cable modem’s IP address.

    xx.xx.xxx.xxx is my public I.P.

    I searched Google and found no mention of my specific error.

    — Ira

  • They are sending requests from his own public IP, huh? Trade secrets…. Hmmmm, IPTables, Fail2Ban (as a preventative), there is something I am missing…. What the f is it called again? Oh yeah, Pike!!!

    I don’t know about that…. However, using the MAC address of the device as the `sipbuddies.name`, and having `sipbuddies.secret` other than `12345a` ;), I would say yes too.

    > …source IP when a device or hacker tries sending a call without registering. The rejection message in the logs does not show the IP of the attacker. Yes it sucks, yes it has…

    Does no good if the address is spoofed, as seems to be the case here. IPTables, class C filter rule, buy yourself a burger or a slice…

    Be strong my legit brotherins!!!

    N.

  • Are you aware of a patch that would show the source IP in the console and logs?

    Regards, Patrick

  • Agree. The ip blocks from ipdeny.com come in handy either blocking countries that have no business accessing your Asterisk box or whitelisting countries/ip ranges that do.

    Regards, Patrick

  • Actually, you can try enabling the “security” logging destination in logger.conf. I believe that may contain the info, but it is new in Asterisk 11. 1.8 and earlier do not have this.

  • Hello Steve,

    Monday, August 19, 2013, 11:55:54 AM, you wrote:

    I have blocked almost all the IPs except the very few I care about. I’m not that good at iptables, but I did block at least

    I guess I need to change it to something like:

    Allow x, allow y, allow z, allow local, block all

    One of my concerns was what happens if my provider hands off the RTP stream to a blocked address? It’s a small Atom box with 6 phones, 6 or 8 numbers and two users. It’s behind NAT and the internet is Time Warner Cable.

    Long ago I changed all my extensions to non numeric 40 character or so things with similar passwords. The only weak spot might be the connections to my brother-in-law’s TrixBox box across the country and that’s because he doesn’t believe in secure passwords. I’ve tried, but it’s just not worth the effort.

    — Ira

  • #!/bin/bash
    IPTABLES='/sbin/iptables'

    # Set interface values
    INTIF1='eth0'

    # Set Limits
    LIMIT="2/sec"
    LOGLIMIT="5/min"
    LIMITBURST="5"

    # flush rules and delete chains
    $IPTABLES -F
    $IPTABLES -X

    #echo -e " - Dropping Forward Requests"
    $IPTABLES -P FORWARD DROP

    #echo -e " - Dropping Input Requests"
    $IPTABLES -P INPUT DROP

    #echo -e " - Dropping output requests"
    $IPTABLES -P OUTPUT DROP

    #echo -e " - Accepting input lo traffic"
    $IPTABLES -A INPUT -i lo -j ACCEPT

    #echo -e " - Accepting output lo traffic"
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    #echo -e " - Defined Chains"
    $IPTABLES -N ICMP
    $IPTABLES -N TCP
    $IPTABLES -N UDP
    $IPTABLES -N LOGINPUT
    $IPTABLES -N LOGOUTPUT

    #echo -e " - Accepting incoming SIP Traffic"
    # (the provider addresses that followed -s and -d were stripped when the post was archived)
    $IPTABLES -A UDP -p udp -m udp -s --sport 5060 -d --dport 5060 -j ACCEPT
    $IPTABLES -A UDP -p udp -m udp -s

    #echo -e " - Accepting outgoing SIP Traffic"
    $IPTABLES -A UDP -p udp -m udp -s --sport 5060 -d --dport 5060 -j ACCEPT
    $IPTABLES -A UDP -p udp -m udp -s --sport 5060 -d

    RTP traffic *may* or *may not* come from the same server as the SIP messages. It also *may* or *may not* come from the service provider’s net mask or an underline either way, until you have determined this:

    #echo -e " - Accepting incomming RTP Traffic"
    $IPTABLES -A UDP -p udp -m udp --dport 8000:65000 -j ACCEPT
    # (the addresses after -s and -d in the commented-out alternatives were stripped when the post was archived)
    # $IPTABLES -A UDP -p udp -m udp -d --dport 8000:65000 -j ACCEPT
    # $IPTABLES -A UDP -p udp -m udp -s -d --dport 8000:65000 -j ACCEPT
    # $IPTABLES -A UDP -p udp -m udp -s

    #echo -e " - Accepting outgoing RTP Traffic"
    $IPTABLES -A UDP -p udp -m udp --sport 8000:65000 -j ACCEPT
    # $IPTABLES -A UDP -p udp -m udp -s --sport 8000:65000 -j ACCEPT
    # $IPTABLES -A UDP -p udp -m udp -s -d --dport 8000:65000 -j ACCEPT
    # $IPTABLES -A UDP -p udp -m udp -s -d

    #echo -e " - Accepting input ICMP, TCP, and UDP traffic to open ports"
    $IPTABLES -A INPUT -i $INTIF1 -p icmp -j ICMP
    $IPTABLES -A INPUT -i $INTIF1 -p tcp -j TCP
    $IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP

    #echo -e " - Accepting output ICMP, TCP, and UDP traffic to open ports"
    $IPTABLES -A OUTPUT -o $INTIF1 -p icmp -j ICMP
    $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j TCP
    $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP

    #echo -e " - Logging Dropped Input Traffic"
    # (the archived post cut the LOG rules off at the terminal width; the trailing
    #  --log-ip-options and the closing log-prefix quotes are assumed completions)
    $IPTABLES -A LOGINPUT -i $INTIF1 -p icmp -m limit --limit $LOGLIMIT --limit-burst $LIMITBURST -j LOG --log-prefix "ICMP LOGINPUTDROP: " --log-tcp-options --log-ip-options
    $IPTABLES -A LOGINPUT -i $INTIF1 -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit $LOGLIMIT --limit-burst $LIMITBURST -j LOG --log-prefix "TCP LOGINPUTDROP: " --log-tcp-options --log-ip-options
    $IPTABLES -A LOGINPUT -i $INTIF1 -p udp -m limit --limit $LOGLIMIT --limit-burst $LIMITBURST -j LOG --log-prefix "UDP LOGINPUTDROP: " --log-tcp-options --log-ip-options
    $IPTABLES -A LOGINPUT -i $INTIF1 -f -m limit --limit $LOGLIMIT --limit-burst $LIMITBURST -j LOG --log-prefix "FRAGMENT LOGINPUTDROP: " --log-tcp-options --log-ip-options
    $IPTABLES -A LOGINPUT -j DROP

    $IPTABLES -A INPUT -p icmp -i $INTIF1 -j LOGINPUT
    $IPTABLES -A INPUT -p tcp -i $INTIF1 -j LOGINPUT
    $IPTABLES -A INPUT -p udp -i $INTIF1 -j LOGINPUT

    #echo -e " - Logging Dropped Output Traffic"
    $IPTABLES -A LOGOUTPUT -o $INTIF1 -p icmp -m limit --limit $LOGLIMIT --limit-burst $LIMITBURST -j LOG --log-prefix "ICMP LOGOUTPUTDROP: " --log-tcp-options --log-ip-options
    $IPTABLES -A LOGOUTPUT -o $INTIF1 -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit $LOGLIMIT --limit-burst $LIMITBURST -j LOG --log-prefix "TCP LOGOUTPUTDROP: " --log-tcp-options --log-ip-options
    $IPTABLES -A LOGOUTPUT -o $INTIF1 -p udp -m limit --limit $LOGLIMIT --limit-burst $LIMITBURST -j LOG --log-prefix "UDP LOGOUTPUTDROP: " --log-tcp-options --log-ip-options
    $IPTABLES -A LOGOUTPUT -o $INTIF1 -f -m limit --limit $LOGLIMIT --limit-burst $LIMITBURST -j LOG --log-prefix "FRAGMENT LOGOUTPUTDROP: " --log-tcp-options --log-ip-options
    $IPTABLES -A LOGOUTPUT -j DROP

    $IPTABLES -A OUTPUT -p icmp -o $INTIF1 -j LOGOUTPUT
    $IPTABLES -A OUTPUT -p tcp -o $INTIF1 -j LOGOUTPUT
    $IPTABLES -A OUTPUT -p udp -o $INTIF1 -j LOGOUTPUT

    #echo -e " - Rejecting input TCP and UDP traffic to closed ports"
    $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
    $IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

    #echo -e " - Rejecting output TCP and UDP traffic to closed ports"
    $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
    $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

    #echo -e " - Rejecting input traffic to remaining protocols sent to closed ports"
    $IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

    #echo -e " - Rejecting output traffic to remaining protocols sent to closed ports"
    $IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

    #echo -e " - Rejecting output traffic to remaining protocols sent to closed ports"
    $IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

    Thank you come again,

    Nick from Toronto

  • I do something like this:

    1. turn up the logging
    2. add foo like this in my dial plan:

    exten => _.,1,NoOp(Received incoming SIP connection from unknown peer to ${EXTEN})
    exten => _.,n,Log(NOTICE,"Anonymous peer IP: ${CHANNEL(peerip)}")
    exten => _.,n,Set(DID=${IF($["${EXTEN:1:2}"=""]?s:${EXTEN})})
    exten => _.,n,Goto(s,1)

    3. do some bar like this in my fail2ban filter:

    VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer
    VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')
    NOTICE.* .*: "Anonymous peer IP: <HOST>

    NOTICE.* .*: Failed to authenticate device .*\s?\\>.*

    and that handles most of the hacking attempts I see on my system. I think it may be possible for the second line to catch some false matches, but I have not seen any issues with our system thus far.

    Kind Regards, Chris

    PS. Feel free to comment on what is wrong with this and be sure to include the right way to do it. 🙂
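The two log sources discussed in this thread side by side, as an added example that is not part of any post above: the 1.8-era chan_sip NOTICE Ira quoted, in which the `sip:390@…` part is the request's From header (whatever the sender wrote there, which is why it shows the PBX's own public address rather than the packet's source), and the Asterisk 11 "security" logger channel Steve pointed to, whose `RemoteAddress` field carries the real transport-level peer. The script parses both record types from a constructed sample log (documentation addresses: 198.51.100.7 stands in for the PBX, 203.0.113.x for remote senders) and applies the fail2ban-style rule behind Chris's filter (`maxretry` failures within `findtime` seconds) to the security-log entries only, since only those name an address a firewall rule can act on. The `SecurityEvent=…` field layout is written from memory of res_security_log output and is an assumption; the sample lines and the function names are mine.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not taken from the thread. 198.51.100.7 stands in for the
# PBX's own public address and 203.0.113.0/24 for remote senders (documentation ranges).
SAMPLE_LOG = """\
[2013-08-18 05:56:29] NOTICE[17089][C-000000a8] chan_sip.c: Failed to authenticate device 390<sip:390@198.51.100.7>;tag=2762c06e
[2013-08-18 05:56:34] NOTICE[17089][C-000000a9] chan_sip.c: Failed to authenticate device 390<sip:390@198.51.100.7>;tag=7b909220
[2013-08-19 10:00:01] SECURITY[17089] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1376906401-000001",Severity="Error",Service="SIP",EventVersion="1",AccountID="390",SessionID="0x1",LocalAddress="IPV4/UDP/198.51.100.7/5060",RemoteAddress="IPV4/UDP/203.0.113.10/5060"
[2013-08-19 10:00:02] SECURITY[17089] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1376906402-000001",Severity="Error",Service="SIP",EventVersion="1",AccountID="391",SessionID="0x2",LocalAddress="IPV4/UDP/198.51.100.7/5060",RemoteAddress="IPV4/UDP/203.0.113.10/5060"
[2013-08-19 10:00:03] SECURITY[17089] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1376906403-000001",Severity="Error",Service="SIP",EventVersion="1",AccountID="392",SessionID="0x3",LocalAddress="IPV4/UDP/198.51.100.7/5060",RemoteAddress="IPV4/UDP/203.0.113.10/5060"
[2013-08-19 10:00:04] SECURITY[17089] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="1376906404-000001",Severity="Error",Service="SIP",EventVersion="1",AccountID="393",SessionID="0x4",LocalAddress="IPV4/UDP/198.51.100.7/5060",RemoteAddress="IPV4/UDP/203.0.113.10/5060"
[2013-08-19 10:05:00] SECURITY[17089] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1376906700-000001",Severity="Informational",Service="SIP",EventVersion="1",AccountID="alice",SessionID="0x5",LocalAddress="IPV4/UDP/198.51.100.7/5060",RemoteAddress="IPV4/UDP/203.0.113.20/5060"
[2013-08-19 11:00:00] SECURITY[17089] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1376910000-000001",Severity="Error",Service="SIP",EventVersion="1",AccountID="alice",SessionID="0x6",LocalAddress="IPV4/UDP/198.51.100.7/5060",RemoteAddress="IPV4/UDP/203.0.113.30/5060"
[2013-08-19 12:00:00] SECURITY[17089] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1376913600-000001",Severity="Error",Service="SIP",EventVersion="1",AccountID="alice",SessionID="0x7",LocalAddress="IPV4/UDP/198.51.100.7/5060",RemoteAddress="IPV4/UDP/203.0.113.30/5060"
[2013-08-19 13:00:00] SECURITY[17089] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1376917200-000001",Severity="Error",Service="SIP",EventVersion="1",AccountID="alice",SessionID="0x8",LocalAddress="IPV4/UDP/198.51.100.7/5060",RemoteAddress="IPV4/UDP/203.0.113.30/5060"
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"

# 1.8-style chan_sip NOTICE: the "device" text is the request's From header, so the
# host after the @ is whatever the sender put there, not the packet's source address.
NOTICE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\](?:\[[^\]]+\])? chan_sip\.c: '
    r'Failed to authenticate device (?P<account>[^<]*)<sip:(?P<user>[^@>]*)@(?P<host>[^>;]*)>'
)
# Asterisk 11 "security" logger channel (layout assumed): key="value" pairs, where
# RemoteAddress carries the real transport-level peer as IPV4/UDP/<ip>/<port>.
SECURITY_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\] \S+: (?P<body>SecurityEvent=.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Event types that mean an authentication attempt was rejected.
FAILURE_EVENTS = {"InvalidAccountID", "InvalidPassword", "ChallengeResponseFailed", "FailedACL"}


def parse_line(line):
    """Return a dict describing the record, or None if the line is neither type."""
    m = NOTICE_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], TS_FMT), "kind": "notice",
                "account": m["account"], "from_host": m["host"], "remote_ip": None,
                "failure": True}
    m = SECURITY_RE.match(line)
    if m:
        fields = dict(KV_RE.findall(m["body"]))
        parts = fields.get("RemoteAddress", "").split("/")   # ["IPV4", "UDP", ip, port]
        ip = parts[2] if len(parts) == 4 else None
        return {"ts": datetime.strptime(m["ts"], TS_FMT), "kind": "security",
                "account": fields.get("AccountID"), "from_host": None, "remote_ip": ip,
                "failure": fields.get("SecurityEvent") in FAILURE_EVENTS}
    return None


def from_hosts(lines):
    """Hosts named in the From URI of NOTICE lines: sender-controlled, not a source address."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["kind"] == "notice":
            counts[rec["from_host"]] += 1
    return counts


def failures_by_ip(lines):
    """Timestamps of rejected attempts keyed by the real remote IP (security log only)."""
    out = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["failure"] and rec["remote_ip"]:
            out[rec["remote_ip"]].append(rec["ts"])
    return out


def offenders(lines, maxretry=3, findtime=600):
    """fail2ban-style rule: an IP is an offender when it has at least maxretry failures
    inside some window of findtime seconds. Returns {ip: largest such count}."""
    window = timedelta(seconds=findtime)
    result = {}
    for ip, stamps in failures_by_ip(lines).items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= maxretry:
            result[ip] = best
    return result


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("From-URI hosts in NOTICE lines (not source addresses):", dict(from_hosts(lines)))
    print("Offenders (maxretry=3, findtime=600s):", offenders(lines))
```

Running it shows the point of the thread: the two NOTICE lines only ever yield the PBX's own address, while the security-log entries let the sequential account sweep from 203.0.113.10 be identified and the slow hourly attempts from 203.0.113.30 stay below the default threshold until `findtime` is widened.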

  • Nitpick: it was a new feature in Asterisk 10.

    (Just in case someone is still running that version…)