Random Hackers - Are you prepared?

[marv]

Well today is the first time I've ever received a message about being hacked on my Asterisk box. Granted, I just run a small system and do pre-pay, so my losses are limited... Just thought I'd share this with everyone. Just shows you need to be smart when you setup systems... strong passwords, don't use the standard roll-out extensions, and of course... make sure fail2ban is installed and TEST that it works!
From a little research, it looks like the same group that uses the fake area code 923 making random calls and such...

[2009-05-29 07:37:18] NOTICE[4552] chan_sip.c: Registration from '"1923339344"<sip:[email protected]>' failed for '65.33.175.185' - No matching peer found
[2009-05-29 07:37:18] NOTICE[4552] chan_sip.c: Registration from '"1339102974"<sip:[email protected]>' failed for '65.33.175.185' - No matching peer found
[2009-05-29 07:37:18] NOTICE[4552] chan_sip.c: Registration from '"test"<sip:[email protected]>' failed for '65.33.175.185' - No matching peer found
[2009-05-29 07:37:18] NOTICE[4552] chan_sip.c: Registration from '"test123"<sip:[email protected]>' failed for '65.33.175.185' - No matching peer found
[2009-05-29 07:37:18] NOTICE[4552] chan_sip.c: Registration from '"test12"<sip:[email protected]>' failed for '65.33.175.185' - No matching peer found
[2009-05-29 07:37:18] NOTICE[4552] chan_sip.c: Registration from '"guest"<sip:[email protected]>' failed for '65.33.175.185' - No matching peer found
[2009-05-29 07:37:18] NOTICE[4552] chan_sip.c: Registration from '"100"<sip:[email protected]>' failed for '65.33.175.185' - No matching peer found
... 101 to 190 were tried too, but I shortened my paste to make it easier to read
[2009-05-29 07:37:21] NOTICE[4552] chan_sip.c: Registration from '"191"<sip:[email protected]>' failed for '65.33.175.185' - No matching peer found

 

[patrick_elx]

How fast did fail2ban reacted?
Seems that you had at least 200 attempts.

 

[marv]

Looks like 3 seconds from the log.
The fail2ban alert message is time stamped at the same time the last ~200th attempt was made.
The fail2ban message states it blocked them after 60 tries, but in reality it was around 200. I would assume this is the time it takes to implement the block.

My extensions are not the standard orgasmatron setup by Ward, and the passwords are complex. However, I may change the number of incorrect tries to something lower.
I'll just have to remember to never use a wrong password or learn the proper way to unblock it just in case!

 

[jroper]

Fail2Ban is a log parser, this means that the attempts have to be written to a log, and then that log inspected by Fail2Ban, then apply a firewall block

There will always be a delay or lag between the hit, and the resultant action, and the number of hits that can be made in that time is quite large from an automated system.

You may not be able to cut down the number of attempts before the firewall kicks in by very much.

Hence the requirement for secure passwords.

Joe

 

[patrick_elx]

I have the same kind of reactivity on my system. At the last attack the block started after around 150 attempts.

I think it's fair enough if you have good password.

Recently I had some other kind of attack. Flooded with incoming calls from "asterisk" <asterisk> from an asian IP. I don't know what's the goal: find extension number to prepare for an attack? find DISA (but no dtmf logged)? try some overflow error with asterisk?

 

[marv]

Oddly enough, I got targeted again this morning. From examining the logs, it's the same person, just a different server. The attack list is identical. This time it came from 216.245.200.115
Almost 500 attempts were made before being blocked. Once again it took about 3 seconds.
I hope people have their systems configured to deliver their alerts properly!

 

[wardmundy]

The provider of that IP is Limestone Networks in Dallas, TX. It should be reported to local authorities.

 

[marv]

Yeah, I sent them an email to their abuse account. But I doubt I'll ever get a response. If it happens again, I'll make phone calls.

What I am thinking about now is how to maybe setup a short text alert to my cell when this occurs.

 

[drmurdoch]

801 more secure than 701 ?

Well today is the first time I've ever received a message about being hacked on my Asterisk box. Granted, I just run a small system and do pre-pay, so my losses are limited... Just thought I'd share this with everyone. Just shows you need to be smart when you setup systems... strong passwords, don't use the standard roll-out extensions, and of course... make sure fail2ban is installed and TEST that it works!

Is EXT 701 the most common Asterisk Extension ?
if you started at 801 .. would that be more secure ?
Is fail2ban a part of an Orgasmatron II install ? (I am guessing not).
Good tips ! Thanks.

Update: The new Orgasmatron Installer has fail2ban as part of the standard install.

Also included are FreePBX 2.5, Apache, SendMail, MySQL, PHP, phpMyAdmin, IPtables Linux firewall, Fail2Ban, and WebMin.
source: http://nerdvittles.com/?p=600

 

[SpaethCo]

Oddly enough, I got targeted again this morning. From examining the logs, it's the same person, just a different server.

Probably not the same person, just the same scan script.

What I am thinking about now is how to maybe setup a short text alert to my cell when this occurs.

Do you really want a text message in the middle of the night every time a bored kid decides to run a scanning script?

The sequential scan of extension numbers is simply a fishing expedition. If you set "alwaysauthreject=yes" in sip_custom.conf they'll get a 401 Unauthorized response from every extension they try whether it is valid or not, so they won't know which extensions to go after.

Personally, I wouldn't worry about these things too much. fail2ban is shutting down the scan relatively early in the game, and given they're scanning the whole range they're not discovering which extensions to even attempt to target on your system.

If they start going after specific valid extensions on your Asterisk installation, then I would start to get more concerned.

 

[jehowe]

This isn't going to be for everyone, but going all IAX has significantly reduced attacks on my machines. At least until IAX becomes a more routine target.

The one machine I have with an open IAX port hasn't had any attacks since going onlne- three months ago. And if you don't need remote extensions, it's possible to run your PBX without opening any ports at the firewall- stealthing your PBX entirely.

 

[marv]

Thanks for the tip on alwaysauthreject=yes.
That's really something that should be included as part of the default security!

And you're right, I don't care to be woken up by script kiddies.

 

[angoyr]

SpaethCo,

Thanks for that tip. "alwaysauthreject=yes", I don't know why none of the experts mentioned that before or maybe I missed it. Is there an equivalent for IAX?
I think some folks are sitting around with a false sense of security by believing that Fail2Ban would kick in after X attempts. As Joe mentioned, Fail2Ban is a log parser, thus it would only check the log at whatever interval is set in "findtime". If you're lucky enough to have Fail2Ban kick in 2-3 seconds after the scan starts, you're blessed.

As I mentioned before, we need a more proactive approach to this security issue. We need an app. between asterisk and the user that would only allow X attempts, say 3-5 before blocking them. The "ignoreip" in Fail2Ban is a good idea to prevent you from blocking yourself, so no need to worry. Another approach would be to delay the response to a bad password for quite a few seconds, say 5. That should frustrate the Crackers to no end and make your extension password as long as possible. You don't have to enter it every day.

With all that said, I had another attack a few hours ago. Over 10K tries and Fail2Ban didn't check the log until minutes after they ran out of numbers to try.
Here is an excerpt of my log and email from Fail2Ban.

[2009-06-03 06:23:56] NOTICE[3544] chan_sip.c: Registration from '"568172445"<sip:[email protected]>' failed for '74.221.142.18' - No matching peer found
[2009-06-03 06:23:56] NOTICE[3544] chan_sip.c: Registration from '"1501199312"<sip:[email protected]>' failed for '74.221.142.18' - No matching peer found
[2009-06-03 06:23:56] NOTICE[3544] chan_sip.c: Registration from '"1"<sip:[email protected]>' failed for '74.221.142.18' - No matching peer found
[2009-06-03 06:23:56] NOTICE[3544] chan_sip.c: Registration from '"2"<sip:[email protected]>' failed for '74.221.142.18' - No matching peer found
[2009-06-03 06:23:56] NOTICE[3544] chan_sip.c: Registration from '"3"<sip:[email protected]>' failed for '74.221.142.18' - No matching peer found
Last 3 .....................
[2009-06-03 06:25:58] NOTICE[3544] chan_sip.c: Registration from '"9997"<sip:[email protected]>' failed for '74.221.142.18' - No matching peer found
[2009-06-03 06:25:58] NOTICE[3544] chan_sip.c: Registration from '"9998"<sip:[email protected]>' failed for '74.221.142.18' - No matching peer found
[2009-06-03 06:25:58] NOTICE[3544] chan_sip.c: Registration from '"9999"<sip:[email protected]>' failed for '74.221.142.18' - No matching peer found

Hello Fail2Ban Admin,

The IP 74.221.142.18 has just been banned by Fail2Ban after
10004 attempts against ASTERISK.


Here is more information about 74.221.142.18:

[Querying whois.arin.net]
[whois.arin.net]

OrgName:    Metrobridge Networks USA Corporation 
OrgID:      MNU-1
Address:    2600 N.Central Av
Address:    suite 906
City:       Phoenix
StateProv:  AZ
PostalCode: 85004
Country:    US

NetRange:   74.221.128.0 - 74.221.143.255 
CIDR:       74.221.128.0/20 
OriginAS:   AS33303

 

[blakekrone]

Just had attempts for extension 1 - 9999 from 216.245.200.107

Sent an email to their abuse department

Here are more information about 216.245.200.107:

[Querying whois.arin.net]
[Redirected to rwhois.limestonenetworks.com:4321]
[Querying rwhois.limestonenetworks.com]
[rwhois.limestonenetworks.com]
%rwhois V-1.5:003fff:00 localhost (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:LSN-BLK-216.245.192.0/19
network:Auth-Area:216.245.192.0/19
network:Network-Name:LSN-216.245.192.0/19
network:IP-Network:216.245.200.96/28
network:IP-Network-Block:216.245.200.96 - 216.245.200.111
network:Organization-Name:Kerplunc Hosting
network:Organization-City:Calgary
network:Organization-State:AB
network:Organization-Zip:T2V2L6
network:Organization-Country:CA
network:Tech-Contact;I:[email protected]
network:Admin-Contact;I:[email protected]
network:Updated-By:[email protected]

 

[Hat]

I have a question regarding alwaysauthreject=yes and sip_custom.conf. I am using the ip.sh script (not Ward's orginal) due to having a dynamic ip. This script completely rewrites the sip_custom.conf file every time my wan ip changes. Can I place the alwaysauthreject=yes line in sip_custom_post.conf file and achieve the same thing? As I understand it, any of the _custom.conf files do not get written over by FreePBX.

 

[angoyr]

Hat,
I still use sip_custom.conf. I changed ip.sh to write to sip_ip.conf and include it in sip_custom.conf as below.

#include additional_a2billing_sip.conf
#include sip_ip.conf
nat=yes
alwaysauthreject=yes
...
...

Hope this helps.

Robin A.

 

[Hat]

include it in sip.conf as below.

Did you mean sip_custom.conf? If you did, your way makes sense. If not, I thought altering sip.conf is a no-no.

 

[angoyr]

Hat,

You are absolutely correct. I meant sip_custom.conf. You don't touch sip.conf.

I corrected the post to to reflect what it should have been.

 

[Hat]

Robin,

Thanks for your help and input.

 

[SpaethCo]

Thanks for that tip. "alwaysauthreject=yes", I don't know why none of the experts mentioned that before or maybe I missed it.

This was mentioned in a Digium blog post a few weeks back about Asterisk security:

http://blogs.digium.com/2009/03/28/sip-security/

I'm pretty sure Ward made a comment about it here, but I can't seem to find the post at the moment.