Asterisk
krll-k, 2016-11-26 03:06:58

How do you secure an Asterisk server? How can I close this vulnerability without resorting to a VPN and fail2ban?

In two days the Asterisk log file has grown past 780 MB; someone is brute-forcing me:

[email protected]:~/asterisk# head messages
[Nov 24 12:51:31] Asterisk 13.10.0 built by root @ 6250540837a8 on a x86_64 running Linux on 2016-07-25 14:14:41 UTC
[Nov 24 12:51:31] NOTICE[8] cdr.c: CDR simple logging enabled.
[Nov 24 12:51:32] NOTICE[8] loader.c: 226 modules will be loaded.
[Nov 24 12:51:32] WARNING[8] res_phoneprov.c: Unable to find a valid server address or name.
[Nov 24 12:51:32] ERROR[8] ari/config.c: No configured users for ARI
[Nov 24 12:51:32] NOTICE[8] chan_sip.c: The 'username' field for sip peers has been deprecated in favor of the term 'defaultuser'
[Nov 24 12:51:32] WARNING[8] sip/config_parser.c: nat=yes is deprecated, use nat=force_rport,comedia instead
[Nov 24 12:51:32] WARNING[8] chan_sip.c: !!! PLEASE NOTE: Setting 'nat' for a peer/user that differs from the  global setting can make
[Nov 24 12:51:32] WARNING[8] chan_sip.c: !!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users
[Nov 24 12:51:32] WARNING[8] chan_sip.c: !!! will be sent to a different port than replies for an existing peer/user. If at all possible,
[email protected]:~/asterisk# tail messages
Packet timed out after 32000ms with no response
[Nov 25 23:57:07] NOTICE[37][C-0000a96f] chan_sip.c: Call from '' (108.170.60.142:5071) to extension '9065600972595301348' rejected because extension not found in context 'default'.
[Nov 25 23:57:39] WARNING[37] chan_sip.c: Retransmission timeout reached on transmission ace2e3e6caf09d7f54965e20eb03f20e for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 31999ms with no response
[Nov 25 23:58:26] NOTICE[37][C-0000a970] chan_sip.c: Call from '' (209.126.117.223:5075) to extension '0046812410067' rejected because extension not found in context 'default'.
[Nov 25 23:58:58] WARNING[37] chan_sip.c: Retransmission timeout reached on transmission ff9ef074b2e70216711155069958df86 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Nov 25 23:58:59] NOTICE[37][C-0000a971] chan_sip.c: Call from '' (108.170.60.142:5083) to extension '9065700972595301348' rejected because extension not found in context 'default'.
[Nov 25 23:59:31] WARNING[37] chan_sip.c: Retransmission timeout reached on transmission 426db11f3cc68e3d0fe1f71c3694fcdc for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[email protected]:~/asterisk# ls -lah messages
-rw-r--r-- 1 root root 784M Nov 25 23:59 messages

The attack is here:
[Nov 24 21:23:06] WARNING[37] chan_sip.c: Timeout on 35a9eefa76144d9fe03c8546960616cb on non-critical invite transaction.
[Nov 24 21:25:36] WARNING[37] chan_sip.c: Timeout on 05726585e2c7568c6f3e8b6525a96b74 on non-critical invite transaction.
[Nov 24 21:26:13] WARNING[37] chan_sip.c: Timeout on f5b008387608ac2f40da432b58ae4f78 on non-critical invite transaction.
[Nov 24 21:28:59] WARNING[37] chan_sip.c: Timeout on b61a9bb195fdf1ed3933a20af295bee3 on non-critical invite transaction.
[Nov 24 21:29:21] WARNING[37] chan_sip.c: Timeout on 83af82fb0973e905945a135f2847c1ac on non-critical invite transaction.
[Nov 24 21:32:24] WARNING[37] chan_sip.c: Timeout on 3a5f0670cd0d414aaa9a9cd190ea8d95 on non-critical invite transaction.
[Nov 24 21:32:29] WARNING[37] chan_sip.c: Timeout on 45aa81266b8662a801bd3dfe1610a931 on non-critical invite transaction.
[Nov 24 21:35:37] WARNING[37] chan_sip.c: Timeout on 86c8489a4296c68665f7f41c85dc43bb on non-critical invite transaction.
[Nov 24 21:35:49] WARNING[37] chan_sip.c: Timeout on 514e5eb264537a2e2f537f21247a5f5d on non-critical invite transaction.
[Nov 24 21:38:45] WARNING[37] chan_sip.c: Timeout on 648d52bc903d7ff2fb7bbdf9e4344275 on non-critical invite transaction.
[Nov 24 21:39:16] WARNING[37] chan_sip.c: Timeout on 4cc3d91808e4cec4aec54dca1b00d431 on non-critical invite transaction.
[Nov 24 21:41:58] WARNING[37] chan_sip.c: Timeout on 82144a0cd0f5e7b57512ec96569e83d0 on non-critical invite transaction.
[Nov 24 21:42:38] WARNING[37] chan_sip.c: Timeout on c9155cdea52eefabd126edfbc45f731b on non-critical invite transaction.
[Nov 24 21:45:08] WARNING[37] chan_sip.c: Timeout on 00fabdfe888a88d4dc0bb12ae9fc0b15 on non-critical invite transaction.
[Nov 24 21:46:05] WARNING[37] chan_sip.c: Timeout on a23d6f5d7d6570559ebf949080ede697 on non-critical invite transaction.
[Nov 24 21:47:22] NOTICE[37][C-00000104] chan_sip.c: Call from '' (195.154.172.203:5076) to extension '0046192777619' rejected because extension not found in context 'default'.
[Nov 24 21:48:19] WARNING[37] chan_sip.c: Timeout on c625522c356c3c1022a7c135020ab851 on non-critical invite transaction.
[Nov 24 21:49:32] WARNING[37] chan_sip.c: Timeout on 7c8d2668bfcd1249b6e0f6a036f5ab7c on non-critical invite transaction.
[Nov 24 21:50:10] NOTICE[37][C-00000107] chan_sip.c: Call from '1001' (195.154.172.203:5082) to extension '0046192777619' rejected because extension not found in context 'phones'.
[Nov 24 21:51:27] WARNING[37] chan_sip.c: Timeout on efdd0a47f266af9224fa0beeec754173 on non-critical invite transaction.
[Nov 24 21:52:52] NOTICE[37][C-0000010a] chan_sip.c: Call from '' (195.154.172.203:5100) to extension '0046192777619' rejected because extension not found in context 'default'.
[Nov 24 21:52:59] WARNING[37] chan_sip.c: Timeout on da66bf1125e7f45737426699eb15f87e on non-critical invite transaction.
[Nov 24 21:54:32] WARNING[37] chan_sip.c: Timeout on 9af369fb7a8f66cfa18c88639de1f86c on non-critical invite transaction.
[Nov 24 21:55:44] NOTICE[37][C-0000010c] chan_sip.c: Call from '' (195.154.172.203:5074) to extension '0046192777619' rejected because extension not found in context 'default'.
[Nov 24 21:56:24] WARNING[37] chan_sip.c: Timeout on 3067d1dc33709034d89da8bfd1093a3a on non-critical invite transaction.
[Nov 24 21:57:39] WARNING[37] chan_sip.c: Timeout on 16d284023bd626e4fa945bb6d01c3325 on non-critical invite transaction.
[Nov 24 21:58:43] NOTICE[37][C-0000010f] chan_sip.c: Call from '' (195.154.172.203:5094) to extension '0046192777619' rejected because extension not found in context 'default'.

It looks like a zmap scan. How can I close this vulnerability without resorting to a VPN and fail2ban?
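One way to turn the log above into something actionable, as an added example rather than anything from the original question: parse the chan_sip "extension not found" NOTICE lines, count rejections per source address, and separately flag any rejection attributed to a named peer outside the context the anonymous calls land in (the 'phones' line from '1001' above), since that request was accepted as that peer and is worth a credential check. The sample lines are constructed in the shape of the page's log; the 2-rejection threshold is an assumption.

```python
import re
from collections import Counter

# Matches the chan_sip "extension not found" NOTICE lines from the question's log.
REJECT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\]\[C-[0-9a-f]+\] chan_sip\.c: "
    r"Call from '(?P<caller>[^']*)' \((?P<ip>[\d.]+):(?P<port>\d+)\) "
    r"to extension '(?P<ext>[^']*)' rejected because extension not found "
    r"in context '(?P<ctx>[^']+)'\.$"
)

# Constructed sample in the shape of the page's log (addresses and extensions
# copied from it), plus one transaction-timeout line that must be ignored.
SAMPLE_LOG = """\
[Nov 24 21:46:05] WARNING[37] chan_sip.c: Timeout on a23d6f5d7d6570559ebf949080ede697 on non-critical invite transaction.
[Nov 24 21:47:22] NOTICE[37][C-00000104] chan_sip.c: Call from '' (195.154.172.203:5076) to extension '0046192777619' rejected because extension not found in context 'default'.
[Nov 24 21:50:10] NOTICE[37][C-00000107] chan_sip.c: Call from '1001' (195.154.172.203:5082) to extension '0046192777619' rejected because extension not found in context 'phones'.
[Nov 24 21:52:52] NOTICE[37][C-0000010a] chan_sip.c: Call from '' (195.154.172.203:5100) to extension '0046192777619' rejected because extension not found in context 'default'.
[Nov 25 23:57:07] NOTICE[37][C-0000a96f] chan_sip.c: Call from '' (108.170.60.142:5071) to extension '9065600972595301348' rejected because extension not found in context 'default'.
[Nov 25 23:58:26] NOTICE[37][C-0000a970] chan_sip.c: Call from '' (209.126.117.223:5075) to extension '0046812410067' rejected because extension not found in context 'default'.
[Nov 25 23:58:59] NOTICE[37][C-0000a971] chan_sip.c: Call from '' (108.170.60.142:5083) to extension '9065700972595301348' rejected because extension not found in context 'default'.
"""

def parse_rejections(lines):
    """Yield one dict per rejected-call NOTICE; every other log line is skipped."""
    for line in lines:
        m = REJECT_RE.match(line.strip())
        if m:
            yield m.groupdict()

def summarize(lines, threshold=2, guest_context="default"):
    """Return (rejections per source IP, scanner candidates, named-peer rejections).

    A source at or above `threshold` rejections is a scanner candidate.
    A rejection with a non-empty caller outside `guest_context` means the
    request was accepted as that peer; those are returned for follow-up."""
    by_ip = Counter()
    peer_hits = []
    for r in parse_rejections(lines):
        by_ip[r["ip"]] += 1
        if r["caller"] and r["ctx"] != guest_context:
            peer_hits.append((r["caller"], r["ip"], r["ext"]))
    scanners = sorted(ip for ip, n in by_ip.items() if n >= threshold)
    return dict(by_ip), scanners, peer_hits

if __name__ == "__main__":
    counts, scanners, peer_hits = summarize(SAMPLE_LOG.splitlines())
    print("rejections per source:", counts)
    print("scanner candidates:", scanners)
    print("named-peer rejections:", peer_hits)
```

On the real file, `summarize(open("messages"))` works the same way, since the function only needs an iterable of lines.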


4 answers
krll-k, 2016-11-26
@krll-k

For every suspicious message, look at the headers with tcpdump and add new iptables rules:

# iptables-save format: drop UDP SIP packets whose payload carries a known scanner User-Agent string
-A INPUT -p udp -m udp --dport 5060 -m string --string "sipcli" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sip-scan" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "iWar" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sipvicious" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sipsak" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "sundayddr" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "friendly-scanner" --algo bm --to 65535 -j DROP

Anton Ulanov, 2016-11-26
@antonsr98

Hide it behind a firewall and access it via a VPN server.

gadzhi15, 2016-11-26
@gadzhi15

Also change the default port in sip.conf.

UserAd, 2019-05-27
@UserAd

As long as you keep Asterisk on the standard port, they will scan you and try to brute-force it. Fraud in VoIP is a very profitable business. Try moving Asterisk to another port, change its User-Agent and enable alwaysauthreject.
