Stopping Unwanted Attempts


I see MANY of these in my log files:

[Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from '"202" <sip:202@X:5060>' failed for '37.8.12.147:26832' - Wrong password
[Jan 15 03:06:19] NOTICE[14129] chan_sip.c: Registration from '"5001" <sip:5001@X:5060>' failed for '37.8.12.147:21268' - Wrong password
[Jan 15 03:06:23] NOTICE[14129] chan_sip.c: Registration from '"30" <sip:30@X:5060>' failed for '37.8.12.147:21270' - Wrong password
[Jan 15 03:06:48] NOTICE[14129] chan_sip.c: Registration from '"70" <sip:70@X:5060>' failed for '37.8.12.147:21328' - Wrong password
[Jan 15 03:06:50] NOTICE[14129][C-00000085] chan_sip.c: Call from '' (8.33.7.110:5103) to extension '889011972592735467' rejected because extension not found in context 'default'.
[Jan 15 03:06:56] NOTICE[14129] chan_sip.c: Registration from '"4" <sip:4@X:5060>' failed for '37.8.12.147:21272' - Wrong password
[Jan 15 03:07:11] NOTICE[14129] chan_sip.c: Registration from '"12001" <sip:12001@X:5060>' failed for '37.8.12.147:5060' - Wrong password
[Jan 15 03:34:02] NOTICE[14129][C-00000086] chan_sip.c: Call from '' (172.246.236.90:5078) to extension '8889011972595301123' rejected because extension not found in context 'default'.

What is the "correct" way to block these idiots so they don't even get this far?

Thanks,

Jerry

11 thoughts on - Stopping Unwanted Attempts

  • Fail2ban works well; otherwise you can write your own script in bash or perl to block them in iptables.

    Regards
    Andrew Colin-mobile
    Vsave(PTY)Ltd

    -------- Original message --------
    From: Jerry Geis <geisj@pagestation.com>
    Date: 18/01/2014 10:59 PM (GMT+02:00)
    To: asterisk-users@lists.digium.com
    Subject: [asterisk-users] stopping unwanted attempts

  • Use iptables to allow packets from your legitimate users, block everybody else.

    If you are dealing with a mobile user base or an extensive geographic area, at least block the countries where you do not expect traffic

  • I see a problem here; firstly that it is no longer so simple to determine the IP ranges of countries. Things have been fractured quite a bit; you might have to hire out a service to determine true geographic origination. Even then, if your service is a little behind, you might occasionally feel the displeasure of users unable to talk to your servers. How will you handle this, with a white-list? How much effort will you end up committing to keeping your whitelist up to date?

    Nextly, the well-financed operations running such probes need not use machines in their native countries. There are plenty of US-based machines that can be (and are) compromised.

    In other words, don't forget the fail2ban part!

    Here’s another idea! How about changing your port from 5060 to something different, maybe 7067 or some other number that is not popularly being used?
    You’ll provision your phones to use this port, and the scanners will not find you. Seems a much simpler solution… but there are some drawbacks… can anyone think of them? And will these drawbacks matter to you? And, given this solution, will the odds that a scanner might find your machine be so low, that it is not worth using something like fail2ban to override them? Food for thought!

    murf

  • fail2ban is so easy to set up, there is no reason not to set it up.

    The geography problems are not so bad unless you have phones all over the world or people travelling with softphones to countries that you want to block.

    It does not block incoming calls only people who want to mimic your own legitimate phones.

    Ron

  • Changing from 5060 is very effective. Sure, someone with the knowledge could try all the ports IF they know you are even running SIP, but it certainly will stop most of these idiots.

    That along with fail2ban, not using numbers for device user names all will help.

    Using IAX where possible also can be very effective

    John Novack

    Steve Murphy wrote:

  • One of the dangers with fail2ban (at least in its default configuration) is that a legitimate SIP phone with an incorrect password can quite easily send dozens of registration attempts in a couple of minutes, thus blocking that IP.

    If your end users configure their own phones, you will have to factor in the increased support burden when users complain that their phones 'can't connect' and you need to manually unblock those IPs. This can be at least partially mitigated using fail2ban's 'ignoreip' directive for IPs you know only your users will be connecting from.

    If you've a large number of users, it might be worth splitting them across a pair of servers: one for 'trusted' users, i.e. where each SIP endpoint is locked down to a specific IP (or at least a range), and you can configure your firewall to block SIP connection attempts from anything apart from that list; and one for 'untrusted' users, i.e. travelling users, home workers without static IPs, etc., on which you run fail2ban with a fairly ruthless set of rules/limits.

    Unless you know that none of your users travel internationally, I'd be wary of imposing countrywide IP blocks, especially in this era of IP shortage where IP space is being traded on the open market and GeoIP databases may not always keep up to date.

    Kind regards,

    Chris

  • It is far worse when you have multiple phones behind the same public address (i.e. NAT). If any one of the phones has a bad password and the IP gets blocked by fail2ban, then all phones at that site would be blocked.

    -----Original Message-----
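The failure mode Chris and Eric describe above (one phone with a bad password behind NAT getting the whole site banned) and the threshold logic Andrew and Ron delegate to fail2ban, as an added Python example that is not code from the thread or from fail2ban: it runs fail2ban-style counting over chan_sip NOTICE lines shaped like Jerry's, with a findtime window, a maxretry threshold and an ignoreip allow-list, and returns the iptables commands it would issue instead of executing them. The log lines, the addresses (documentation ranges) and the /24 allow-list are constructed for this example, and the regex is mine and covers only the two NOTICE shapes shown in the thread.

```python
"""Added example: fail2ban-style ban decisions for chan_sip NOTICE lines.

Not code from the mailing-list thread or from fail2ban. The parameter names
maxretry / findtime / ignoreip mirror fail2ban's jail options so the mapping
to a real jail.local is obvious; the behaviour here is a deliberately small
re-implementation, not fail2ban's.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the two NOTICE shapes seen in the thread: a failed registration and a
# call to an extension that does not exist. Only the source IP is captured.
# Assumption: the default Asterisk log timestamp format (no year).
LOG_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\](?:\[C-[0-9a-f]+\])? chan_sip\.c: "
    r"(?:Registration from '.*' failed for '(?P<reg_ip>[\d.]+):\d+' - Wrong password"
    r"|Call from '.*' \((?P<call_ip>[\d.]+):\d+\) to extension '\S+' rejected because extension not found)"
)


class BanPolicy:
    """Count failures per source IP inside a sliding window and ban on a threshold."""

    def __init__(self, maxretry=5, findtime=600, ignoreip=()):
        self.maxretry = maxretry                 # failures allowed inside the window
        self.findtime = findtime                 # window length in seconds
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip]  # never banned
        self.hits = defaultdict(deque)           # ip -> timestamps still inside the window
        self.banned = {}                         # ip -> timestamp of the ban

    def is_ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        """Process one log line; return the IP this line newly banned, else None."""
        m = LOG_RE.match(line)
        if not m:
            return None                          # not one of the shapes we understand
        ip = m.group("reg_ip") or m.group("call_ip")
        # No year in the log format: strptime fills in 1900, which is fine for
        # relative comparisons within one log file (year rollover is not handled).
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        if ip in self.banned or self.is_ignored(ip):
            return None
        q = self.hits[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.findtime:
            q.popleft()                          # drop hits that fell out of the window
        if len(q) >= self.maxretry:
            self.banned[ip] = ts
            return ip
        return None


def analyse(log_text, policy):
    """Feed every line of a log to the policy; return banned IPs in ban order."""
    return [ip for ip in (policy.feed(l) for l in log_text.splitlines()) if ip]


def iptables_rules(policy, chain="INPUT"):
    """Render the ban list as the iptables commands a blocking script would run."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(policy.banned)]


# Constructed sample: 192.0.2.10 is a scanner; 198.51.100.7 is a NAT site whose
# one phone '1001' has a wrong password; 203.0.113.5 is a single probe.
SAMPLE_LOG = """\
[Jan 15 03:06:12] NOTICE[14129] chan_sip.c: Registration from '"202" <sip:202@X:5060>' failed for '192.0.2.10:26832' - Wrong password
[Jan 15 03:06:19] NOTICE[14129] chan_sip.c: Registration from '"5001" <sip:5001@X:5060>' failed for '192.0.2.10:21268' - Wrong password
[Jan 15 03:06:21] NOTICE[14129] chan_sip.c: Registration from '"1001" <sip:1001@X:5060>' failed for '198.51.100.7:5060' - Wrong password
[Jan 15 03:06:23] NOTICE[14129] chan_sip.c: Registration from '"30" <sip:30@X:5060>' failed for '192.0.2.10:21270' - Wrong password
[Jan 15 03:06:31] NOTICE[14129] chan_sip.c: Registration from '"1001" <sip:1001@X:5060>' failed for '198.51.100.7:5060' - Wrong password
[Jan 15 03:06:41] NOTICE[14129] chan_sip.c: Registration from '"1001" <sip:1001@X:5060>' failed for '198.51.100.7:5060' - Wrong password
[Jan 15 03:06:48] NOTICE[14129] chan_sip.c: Registration from '"70" <sip:70@X:5060>' failed for '192.0.2.10:21328' - Wrong password
[Jan 15 03:06:50] NOTICE[14129][C-00000085] chan_sip.c: Call from '' (192.0.2.10:5103) to extension '889011972592735467' rejected because extension not found in context 'default'.
[Jan 15 03:06:51] NOTICE[14129] chan_sip.c: Registration from '"1001" <sip:1001@X:5060>' failed for '198.51.100.7:5060' - Wrong password
[Jan 15 03:07:01] NOTICE[14129] chan_sip.c: Registration from '"1001" <sip:1001@X:5060>' failed for '198.51.100.7:5060' - Wrong password
[Jan 15 03:07:11] NOTICE[14129] chan_sip.c: Registration from '"12001" <sip:12001@X:5060>' failed for '192.0.2.10:5060' - Wrong password
[Jan 15 03:34:02] NOTICE[14129][C-00000086] chan_sip.c: Call from '' (203.0.113.5:5078) to extension '8889011972595301123' rejected because extension not found in context 'default'.
"""


def run_demo():
    """Ban after 5 failures in 10 minutes, but never ban the known NAT site (constructed /24)."""
    policy = BanPolicy(maxretry=5, findtime=600, ignoreip=["198.51.100.0/24"])
    banned = analyse(SAMPLE_LOG, policy)
    return banned, iptables_rules(policy)


if __name__ == "__main__":
    banned, rules = run_demo()
    print("banned:", banned)
    for rule in rules:
        print(rule)
```

Run it with and without the `ignoreip` entry: with it, only the scanner is banned; without it the NAT site's single misconfigured phone crosses the same threshold and 198.51.100.7 is banned as well, which is exactly the whole-site outage Eric warns about. Shrinking `findtime` is the other lever, since a phone that retries every ten seconds looks very different from a scanner cycling through account names every few seconds.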

  • Geoip works well to block all countries except your own.

    Regards
    Andrew Colin-mobile
    Vsave(PTY)Ltd

    -------- Original message --------
    From: Eric Wieling <EWieling@nyigc.com>
    Date: 19/01/2014 8:40 PM (GMT+02:00)
    To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users@lists.digium.com>
    Subject: Re: [asterisk-users] stopping unwanted attempts

  • We don’t do residential service and require the few off-net customers to have a static IP. This makes using whitelists practical. That won’t work for most people though.

    -----Original Message-----

  • We use this tactic. I never see scanners in my logs anymore. Haven't had any issues with it to date... we use Linksys, Polycom, Yealink, Grandstream, and Audiocodes products. All have the ability to specify the registration port.

    Cheers,

    j