gaijin
Guru
- Joined
- Nov 16, 2007
- Messages
- 170
- Reaction score
- 0
Hi, some of my customers are reporting "prank calls" from MeucciSolutions.
I have investigated and a simple google search reveals that this is a fairly common thing.
Has anyone else in the PIAF community had this?
The IP that sent the SIP attack is 93.190.143.10, and I have since blocked this at the firewall for affected customers.
I am not too stressed about it because I have always used secure passwords and very few SIP extensions that are permitted externally on my customers' boxes. And I am slowly getting rid of SIP trunks (removing the need for anon inbound SIP) and moving to IAX where possible. The customers that reported this are ones that I have allowed an anycid/anydid inbound route. (I have since found & implemented a workaround for the original reason I had this route in the first place.)
My questions are:
1: Is there any form of common list, a bit like an SMTP RBL, for dodgy SIP hackers?
2: What could the hackers possibly achieve through this kind of port scanning? (are they simply just looking for IPs that respond on port 5060 to target later for a more targeted hacking attempt?)
3: Can I put a dyndns address (FQDN) in the permit field? I have some customers that wish to use remote SIP extensions from their non-static connections.
4: How hard would it be for some guru to write a macro that would "honeypot" an anycid/anydid attempt and then write that IP to a fail2ban, iptables rule or similar?
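On question 4, the mechanics are small enough to show. The script below is an added example, not the poster's code and not part of PIAF, fail2ban or Asterisk: it reads Asterisk log lines, counts SIP probes per source IP, skips an allowlist of customer networks, and prints iptables DROP rules for sources over a threshold. The sample log is constructed to imitate two chan_sip NOTICE messages (wrong-password REGISTER, and an anonymous INVITE rejected because the extension is not in the inbound context). The anycid/anydid case is the awkward one: with such a route the anonymous call is accepted rather than rejected, so nothing is logged by default; the example assumes a catch-all dialplan priority that logs a `SIPTRAP` marker with `${CHANNEL(recvip)}` and `${EXTEN}`, and treats any trapped call to a number that is not one of the customer's own DIDs as a scan. The marker name, the DID list, the allowlisted network and the threshold are all assumptions for illustration.

```python
#!/usr/bin/env python3
"""Turn Asterisk SIP-probe log lines into per-source counts and block rules.

Added example, not the original poster's or PIAF's code. The sample log
lines are constructed to imitate chan_sip NOTICE messages and a dialplan
NoOp marker; the DID list, allowlist, marker and threshold are assumptions.
"""
import ipaddress
import re
from collections import Counter

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# 1. A REGISTER with the wrong password (extension/password guessing).
REG_FAIL = re.compile(r"Registration from '.*?' failed for '" + IPV4 + r"' - Wrong password")
# 2. An INVITE from an unknown peer that landed in the anonymous inbound
#    context and matched no extension (DID scanning).
ANON_REJECT = re.compile(r"Call from '' \(" + IPV4 + r":\d+\) to extension '(?P<exten>[^']*)' rejected")
# 3. Assumed honeypot marker. With an anycid/anydid route the anonymous call is
#    accepted, so a catch-all priority such as
#      exten => _.,1,NoOp(SIPTRAP ${CHANNEL(recvip)} dialed ${EXTEN})
#    is needed to record the source; this matches the resulting verbose line.
TRAP = re.compile(r'NoOp\("[^"]*", "SIPTRAP ' + IPV4 + r' dialed (?P<exten>\d*)"\)')

KNOWN_DIDS = {"4155551234"}                                # assumed customer DIDs
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # assumed remote-phone network

# Constructed sample log (not real traffic); 93.190.143.10 is the IP from the post.
SAMPLE_LOG = """\
[2012-03-20 10:01:02] NOTICE[2291] chan_sip.c: Registration from '"100"<sip:100@10.0.0.5>' failed for '93.190.143.10' - Wrong password
[2012-03-20 10:01:03] NOTICE[2291] chan_sip.c: Registration from '"101"<sip:101@10.0.0.5>' failed for '93.190.143.10' - Wrong password
[2012-03-20 10:01:04] NOTICE[2291] chan_sip.c: Call from '' (93.190.143.10:5060) to extension '00972599123456' rejected because extension not found in context 'from-sip-external'.
[2012-03-20 10:01:05] VERBOSE[2291] pbx.c:     -- Executing [00972599123457@from-sip-external:1] NoOp("SIP/93.190.143.10-00000002", "SIPTRAP 93.190.143.10 dialed 00972599123457") in new stack
[2012-03-20 10:02:10] VERBOSE[2291] pbx.c:     -- Executing [4155551234@from-sip-external:1] NoOp("SIP/203.0.113.7-00000003", "SIPTRAP 203.0.113.7 dialed 4155551234") in new stack
[2012-03-20 10:05:00] NOTICE[2291] chan_sip.c: Registration from '"200"<sip:200@10.0.0.5>' failed for '198.51.100.23' - Wrong password
[2012-03-20 10:05:01] NOTICE[2291] chan_sip.c: Registration from '"200"<sip:200@10.0.0.5>' failed for '198.51.100.23' - Wrong password
"""


def probe_events(lines, known_dids=KNOWN_DIDS):
    """Yield (ip, reason) for each line that looks like a probe.

    A trapped anonymous call to one of our own DIDs is ordinary carrier
    traffic and is not counted; anything else is treated as a probe.
    """
    for line in lines:
        m = REG_FAIL.search(line)
        if m:
            yield m.group("ip"), "bad-password"
            continue
        m = ANON_REJECT.search(line)
        if m:
            yield m.group("ip"), "did-scan"
            continue
        m = TRAP.search(line)
        if m and m.group("exten") not in known_dids:
            yield m.group("ip"), "did-scan"


def is_allowed(ip, allowed_nets=ALLOWED_NETS):
    """True if the source sits in a customer network we must never block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed_nets)


def offenders(lines, threshold=3, allowed_nets=ALLOWED_NETS):
    """Return {ip: probe_count} for sources at or above the threshold, excluding
    allowlisted networks (a remote phone with a mistyped password would
    otherwise lock a real customer out)."""
    counts = Counter(ip for ip, _ in probe_events(lines))
    return {ip: n for ip, n in counts.items()
            if n >= threshold and not is_allowed(ip, allowed_nets)}


def iptables_rules(blocked):
    """One DROP rule per offending source, in a stable order."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(blocked)]


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG.splitlines())
    for ip, n in sorted(bad.items()):
        print(f"{ip}: {n} probes")
    print("\n".join(iptables_rules(bad)))
```

Run against the sample, the scanner's address is the only one that crosses the threshold: the trapped call from 203.0.113.7 dialed a known DID and is not counted, and 198.51.100.23 is inside the allowlisted network. For the stock NOTICE lines fail2ban's asterisk filter already does this job; the trap marker is what closes the gap for an anycid/anydid route. For the dynamic-DNS phones in question 3, the allowlist can be refreshed on each run by resolving the customer's hostname (socket.gethostbyname) into ALLOWED_NETS before scanning, so a customer whose address changed overnight is never blocked by their own PBX.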
