Thwarting SIP Attacks

mwiesbau (New Member, joined Mar 3, 2009)
Hello, my call logs show lots of entries with the source being SIP and the destination 's'.

Each call was about 10 seconds.
It seems that there were 3 consecutive calls at a time.

Could someone explain?
This looks a little bit suspicious to me.

Thanks
 
When I have added a number to the blacklist and that number calls again, the DIST will show "S".

What's the complete number on the source? If it is a phone number, try looking it up on Google or whocalled.us.
 
I had exactly the same thing happen yesterday. Don't know what it is or where it came from.
 
These are anonymous sip calls that are attempting to either spam you or determine the specs of your phone system. They are generated directly from the internet as a SIP to SIP call.

The 's' context, I believe, is just a dead end (a "black-hole" context), usually a busy signal or a hangup depending on how you have FreePBX defined to handle anonymous calls.
 
Further enquiry indicates that they are coming from these IP addresses:
113.105.152.101
113.105.152.102
113.105.152.104
119.147.116.152
119.147.116.144
113.105.153.44

Time to go read my nerdvittles security refresher on blocking anonymous sip calls.
 
I'm seeing much the same (between 30 and 50 entries) with IP addresses:

113.105.152.101
113.105.152.102
113.105.152.103
113.105.152.104

113.105.153.55

119.147.116.17
119.147.116.158

121.14.149.144
121.14.149.145

124.207.176.8

222.73.204.83

With caller ID set to either "sip" or "asterisk".

I have anonymous calls set to "No", and the calls are going to context "s", but is there anything else I need to look at?
 
Thanks for the link, I just implemented the changes and tried an anonymous SIP call. Worked like a charm.

Only thing is, it doesn't appear the call attempts (I tried twice) were logged in the CDR.
 
That's why I like the DenyHosts program (http://denyhosts.sourceforge.net/). It reports all hacking attempts to a central database and the banned IPs are downloaded to all participating systems. I use it in addition to Fail2Ban.
 
If you are using a pfSense firewall in front of your LAN (as I do), DenyHosts works there too.
 
Hi
Only thing is, it doesn't appear the call attempts (I tried twice) were logged in the CDR.

You won't see anything in the CDR, the call is rejected and hung up straight away and not answered, as it was previously.

Joe
 
inetnum: 113.96.0.0 - 113.111.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: Data Communication Division
descr: China Telecom
country: CN

inetnum: 119.144.0.0 - 119.147.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: Data Communication Division
descr: China Telecom
country: CN
 
Might be worth reviewing:

Welcome to IP Country: A New Layer of Asterisk Security

 
Ward

It should not be difficult to construct a fail2ban rule that blocks IP addresses that try to phone an invalid number.

Joe
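The suggestion above (ban any source that repeatedly dials a number the PBX does not know) is essentially what fail2ban does with a failregex, maxretry and findtime. The following Python script is an added example, not code from the thread or from fail2ban/Asterisk: it reads Asterisk chan_sip NOTICE lines of the form "Call from '' (IP:port) to extension 'X' rejected because extension not found in context 'Y'." (the 1.8+ wording), counts rejections per source IP in a sliding window, and returns the sources that crossed the threshold together with the iptables commands a ban action would run. The log lines are constructed for the example (the IP addresses are the ones posted earlier in the thread; the timestamps, dialled numbers and context name are assumptions), and the threshold of 3 rejections in 10 minutes is an assumed policy, not a recommended value.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The IPs come from the thread; timestamps, dialled
# numbers and the 'from-sip-external' context are assumptions for the example.
# 113.105.152.101 dials four unknown extensions in a few seconds (a scan),
# 113.105.152.102 dials three but spread over 40 minutes (outside the window),
# 119.147.116.152 dials two, and 192.0.2.10 is a local user mistyping once.
SAMPLE_LOG = """\
[Mar  3 10:00:00] NOTICE[2211] chan_sip.c: Call from '' (113.105.152.102:5060) to extension '900' rejected because extension not found in context 'from-sip-external'.
[Mar  3 10:14:58] NOTICE[2211] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '198.51.100.7' - No matching peer found
[Mar  3 10:15:01] NOTICE[2211] chan_sip.c: Call from '' (113.105.152.101:5060) to extension '9011441234567890' rejected because extension not found in context 'from-sip-external'.
[Mar  3 10:15:03] NOTICE[2211] chan_sip.c: Call from '' (113.105.152.101:5060) to extension '011441234567890' rejected because extension not found in context 'from-sip-external'.
[Mar  3 10:15:04] NOTICE[2211] chan_sip.c: Call from '' (119.147.116.152:5060) to extension '000441234567890' rejected because extension not found in context 'from-sip-external'.
[Mar  3 10:15:05] NOTICE[2211] chan_sip.c: Call from '' (113.105.152.101:5060) to extension '1441234567890' rejected because extension not found in context 'from-sip-external'.
[Mar  3 10:15:07] NOTICE[2211] chan_sip.c: Call from '' (113.105.152.101:5060) to extension '441234567890' rejected because extension not found in context 'from-sip-external'.
[Mar  3 10:16:00] NOTICE[2211] chan_sip.c: Call from '' (119.147.116.152:5060) to extension '900441234567890' rejected because extension not found in context 'from-sip-external'.
[Mar  3 10:20:00] NOTICE[2211] chan_sip.c: Call from '' (113.105.152.102:5060) to extension '901' rejected because extension not found in context 'from-sip-external'.
[Mar  3 10:22:30] NOTICE[2211] chan_sip.c: Call from 'Alice' (192.0.2.10:5060) to extension '2O1' rejected because extension not found in context 'from-internal'.
[Mar  3 10:40:00] NOTICE[2211] chan_sip.c: Call from '' (113.105.152.102:5060) to extension '902' rejected because extension not found in context 'from-sip-external'.
"""

# Equivalent fail2ban failregex (<HOST> is fail2ban's placeholder for the IP):
# ^\[.*\] NOTICE\[\d+\] chan_sip\.c: Call from '.*' \(<HOST>:\d+\) to extension '.*' rejected because extension not found in context '.*'\.$
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Call from '(?P<cid>[^']*)' \((?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\) to extension "
    r"'(?P<exten>[^']*)' rejected because extension not found in context '(?P<ctx>[^']+)'\.$"
)


def parse_rejections(log_text, year=2009):
    """Return (timestamp, source_ip, dialled_extension) for each rejected call.

    Asterisk's default log timestamp has no year, so one is supplied (assumed).
    Lines that are not invalid-extension rejections (e.g. registration
    failures) are ignored, as they would be by a filter with this failregex.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["exten"]))
    return events


def find_offenders(events, maxretry=3, findtime=timedelta(minutes=10)):
    """Sliding-window count per IP, like fail2ban's maxretry/findtime.

    Returns {ip: time_of_ban}. A source is banned the moment its number of
    rejections within the last `findtime` reaches `maxretry`; older entries
    fall out of the window, so slow probing below the rate is not banned.
    """
    window = defaultdict(deque)
    banned = {}
    for ts, ip, _exten in sorted(events):
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


def ban_commands(banned):
    """Build the firewall rules a ban action would apply (not executed here)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    offenders = find_offenders(parse_rejections(SAMPLE_LOG))
    for ip, when in offenders.items():
        print(f"{ip} banned at {when:%H:%M:%S}")
    for cmd in ban_commands(offenders):
        print(cmd)
```

Only the fast scanner is caught: the slow source stays under maxretry inside any 10-minute window, and the single local typo never reaches it. That is the trade-off to keep in mind when picking findtime and maxretry for a real jail, along with an ignoreip entry for your own LAN so a mistyped internal extension cannot lock out a phone.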