Hall of Shame
Just thought I'd start a thread for posting IPs of SIP attack servers. I'll get things going:
83.244.212.220
This IP has been trying, unsuccessfully (thanks fail2ban!), to register as extensions on my publicly facing SIP interface. I've tracked the offending IP to a datacenter in London (I think), and have notified the owner of the IP block of the attacks in an attempt to prevent less fortunate (or prepared) people from being compromised. Anyone else have IPs of SIP attack servers to post?
-Chris
Here are two more:
82.129.32.166 - mail.voipshop.net
124.40.28.75 - navispacel.tempdomainname.com
Greg
These hackers are low-lives who waste their lives stealing and cheating others, gain absolutely nothing from it, and are running away from the government their entire life.
What's the best way to secure the extension passwords besides having them randomly generated, and in a situation where VPN and IP filter can't really be used? Many of us face these types of issues.
I also read about two years ago in a PC World magazine that people have been able to hack into VoIP conversations and listen in, and since there is no way out of this unless you have a VPN between your box and your VoIP proxy's box, everyone is vulnerable.
By the way, for those reading this post, one way to secure extensions while port 5060 is open due to VoIP provider requirements is to go to each extension that is on the same network as the trixbox, and change nat=yes to nat=never.
This will forbid anyone outside the trixbox network to register this extension.
Joseph,
1. I completely agree, these guys are the worst of the worst (I mean come on... hackers AND telemarketers!!!)
2. I always require a minimum length of 15 characters and they all must have uppercase, lowercase, a number (but not the extension number), and special characters. I've found that using this in conjunction with fail2ban makes the passwords pretty much unguessable (at least within a lifetime).
3. The best way to secure your conversation is to use SIP over TCP utilizing Transport Layer Security (TLS). Unfortunately, Asterisk 1.6 is going to be the first version to officially support this (I've heard rumblings of a back-port to 1.4). So for now, the best way is to use a SIP proxy like SIPX to handle the security side of things... but it sure makes it more complicated.
-Chris
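A small generator and checker for extension secrets that follows the policy Chris describes (at least 15 characters, with uppercase, lowercase, a digit and a special character, and not containing the extension number). This is an added example, not code from the thread or from trixbox/FreePBX; the exact symbol set and the substring check for the extension number are my assumptions.

```python
import secrets
import string

# Assumption: a conservative symbol set. ';' is left out because it starts a
# comment in Asterisk config files and '#' because of '#include'.
SPECIALS = "!$%&*+-=?@_"
MIN_LENGTH = 15


def check_secret(secret, extension):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in secret):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in secret):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in secret):
        problems.append("no digit")
    if not any(c in SPECIALS for c in secret):
        problems.append("no special character")
    if str(extension) in secret:
        problems.append("contains the extension number")
    return problems


def generate_secret(extension, length=MIN_LENGTH):
    """Draw from the OS CSPRNG (the secrets module, not random) and resample
    until the candidate passes check_secret. At 15 characters drawn from 73
    symbols this almost always succeeds on the first or second draw."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_secret(candidate, extension):
            return candidate


if __name__ == "__main__":
    ext = 1001
    print(f"secret={generate_secret(ext)}")
    print("'password' is rejected because:", check_secret("password", ext))
```

The resample loop enforces the class requirements without biasing individual positions; the small loss of entropy from rejecting the rare candidates that lack a class is negligible next to the 73^15 keyspace.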
Chris, I couldn't agree more with what you stated.
Just a comment, however, until asterisk 1.6 and sip over tcp with TLS is released, isn't there that "brute force" program that many hackers use? I know nothing at all about it, and it may only be linux related (to gain root access). But if it technically works with everything, can't hackers gain access with this method? Or am I just being paranoid and these things only happen once every few years when super strong passwords are used?
Also, I know that with http and ftp, passwords are sent in plaintext and hackers can gain control. Does this apply to SIP as well? If so, is there any other way for the meantime to add security to the asterisk boxes?
Yes, there is a program people can use to enumerate your asterisk extensions and then attempt a brute-force attack. This is where fail2ban comes in. I have it configured according to the WIKI, so that any IP that tries to register and fails 5 or more times is automatically banned for 3 days... so they can try 5 guesses every 3 days, instead of 1000's per minute.
As far as http passwords and ftp go, that's right, they are transmitted in plaintext; that's why I use https and don't expose ftp or tftp. Same thing goes for SIP, but you have to execute a man-in-the-middle attack for that to work (not very likely).
-Chris
Chris, the fail2ban sounds like a good program for asterisk. I will definitely test this out. Thanks for the info!
I hope it also works for IAX2 and root, by the way. And it would be great if certain IPs could be overridden so that there won't be problems if I accidentally type the wrong password when trying to link two trixboxes together, or whatever the case may be.
"The best way to secure your conversation is to use SIP over TCP........."
That only secures the SIP conversation, the RTP stream is still unencrypted.
Make a sniffer dump, run it through Cain to get your wav file....
16again,
Sorry, I forgot to mention using SRTP (Secure Realtime Transfer Protocol) for encrypting the audio portion of the call, between SIPS and SRTP the conversation should be protected (since the RTP secret is exchanged via SIP, which is now encrypted...)
ja133,
You should be able to set up fail2ban to monitor just about anything in asterisk, as well as your other services. I actually use apf/bfd using Engineer Tim's guide for the basics, including root, ssh, and other stuff, and then fail2ban for monitoring asterisk. It's probably overkill by far, but lets me sleep well at night. Engineer Tim wrote up a guide on securing trixbox CE (can't find the link right now) and I used the wiki here:
http://www.voipinfo.org/wiki/index.php?page_id=5348
to set up fail2ban. It works like a champ.
-Chris
Can you imagine how many retries getting into your system every hour, every day. 24/7...
check out your trixbox console....
cat /var/log/secure|grep 'nvalid user'
Check out the great work of www.engineertim.com
apf and bfd, http secure, chkconfig, etc
One for the list
74.208.8.5 this IP has tried hundreds of times.
For IAX add these two lines to the info from voip-info for fail2ban
NOTICE.* .*: No registration for peer '.*' (from <HOST>)
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
The first one shows up when they hit a non-existent extension, the second is a wrong password.
Thanks for all the hard work of everyone that helped bring fail2ban to the community - this is a HUGELY important tool for securing the boxes against the bastard Crackers!
Greg
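Added example (not code from the thread, fail2ban or voip-info): a small Python reimplementation of what the fail2ban jail described above does with these patterns. It takes the SIP registration-failure pattern from the voip-info filter, cut at the point before the reason text so it matches every reason, plus the two IAX lines posted just above, runs them over a constructed sample of /var/log/asterisk/full, and applies fail2ban's maxretry/findtime logic (the thread's "5 failures, then banned" and "3 attempts" settings are just different values of these two jail options). The `<HOST>` expansion is a simplified stand-in for fail2ban's own, the log lines are made up using documentation address ranges, and the year is assumed because Asterisk's log has none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified stand-in for fail2ban's <HOST> expansion (an assumption: the real
# one also handles IPv6 and a wider hostname character set).
HOST = r"(?P<host>[\w\-.]+)"

# failregex lines from the thread: the voip-info SIP pattern, cut to the part
# before the reason text so it matches every reason, plus the two IAX lines.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>'",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Timestamp prefix of Asterisk's /var/log/asterisk/full, e.g. "[Dec 25 10:00:01]"
STAMP = re.compile(r"^\[(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\]")

# Constructed sample log, not real data (documentation address ranges): a SIP
# scanner walking extension numbers, a user mistyping a password twice, an IAX
# probe, and a successful registration that must not be counted.
SAMPLE_LOG = """\
[Dec 25 10:00:01] NOTICE[2581] chan_sip.c: Registration from '"100" <sip:100@203.0.113.9>' failed for '203.0.113.9' - Wrong password
[Dec 25 10:00:02] NOTICE[2581] chan_sip.c: Registration from '"101" <sip:101@203.0.113.9>' failed for '203.0.113.9' - No matching peer found
[Dec 25 10:00:03] NOTICE[2581] chan_sip.c: Registration from '"102" <sip:102@203.0.113.9>' failed for '203.0.113.9' - No matching peer found
[Dec 25 10:00:03] NOTICE[2581] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '198.51.100.7' - Wrong password
[Dec 25 10:00:04] NOTICE[2581] chan_sip.c: Registration from '"103" <sip:103@203.0.113.9>' failed for '203.0.113.9' - No matching peer found
[Dec 25 10:00:05] NOTICE[2581] chan_sip.c: Registration from '"104" <sip:104@203.0.113.9>' failed for '203.0.113.9' - No matching peer found
[Dec 25 10:00:06] NOTICE[2581] chan_sip.c: Registration from '"105" <sip:105@203.0.113.9>' failed for '203.0.113.9' - No matching peer found
[Dec 25 10:00:20] NOTICE[2581] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '198.51.100.7' - Wrong password
[Dec 25 10:00:21] VERBOSE[2581] logger.c:     -- Registered SIP '200' at 198.51.100.7 port 5060 expires 120
[Dec 25 10:05:00] NOTICE[2590] chan_iax2.c: No registration for peer 'admin' (from 192.0.2.5)
[Dec 25 10:05:01] NOTICE[2590] chan_iax2.c: Host 192.0.2.5 failed MD5 authentication for 'office' (deadbeef != cafef00d)
"""


def parse_failures(log_text, year=2008):
    """Yield (timestamp, host) for each line matching one of the failregex
    patterns. The log carries no year, so one is assumed."""
    for line in log_text.splitlines():
        stamp = STAMP.match(line)
        if not stamp:
            continue
        for rx in COMPILED:
            m = rx.search(line)
            if m:
                ts = datetime.strptime(f"{year} {stamp.group(1)}", "%Y %b %d %H:%M:%S")
                yield ts, m.group("host")
                break


def failure_counts(log_text):
    """Total matched failures per source host, before any banning."""
    counts = defaultdict(int)
    for _, host in parse_failures(log_text):
        counts[host] += 1
    return dict(counts)


def scan(log_text, maxretry=5, findtime=600):
    """Mimic a fail2ban jail: ban a host once it reaches maxretry failures
    inside a sliding window of findtime seconds. Returns {host: ban time}.
    Failures after a ban are ignored, as the packets would be dropped."""
    recent = defaultdict(list)
    banned = {}
    for ts, host in parse_failures(log_text):
        if host in banned:
            continue
        window = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    print("failures per host:", failure_counts(SAMPLE_LOG))
    for host, when in scan(SAMPLE_LOG).items():
        print(f"ban {host} at {when:%H:%M:%S}")
```

With the defaults the scanner at 203.0.113.9 is banned on its fifth failure at 10:00:05, the user who mistyped twice is not, and the successful "Registered SIP" line matches nothing. Shrinking findtime to 10 seconds shows the other side of the trade-off: two failures 17 seconds apart from 198.51.100.7 no longer count together, while the IAX probe's two hits one second apart do.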
I remember wanting to do the list of hack attempts in another forum post and people telling me it was a stupid idea. Don't want to do the "I told you so".
Also, if fail2ban can't block the IP address forever, then it is not really the best option. For example, with the apf/bfd setup that I have, I log in and do this when someone adds an IP to this list.
apf -d 82.129.32.166
Now this IP address can't even see my box, forever. And since this IP block is in another country and I really don't think I will have a reason to allow anyone on the netblock access to my system, I can block the entire CIDR with.
apf -d 82.129.0.0/17
Now, if the person attempting to hack was on a dialup or DHCP connection from this provider they will never ever be able to attempt to log in again.
I prefer blocking forever as opposed to a few days. No reason in my opinion to ever open that IP up again.
Thank you,
Engineer Tim
I am no longer a representative of trixbox and my opinions are expressed as my own. In other words...I have free will again.
http://engineertim.com
I want to point out that you can distribute a list of IPs to other apf/bfd machines. I have a list http://engineertim.com/engineertim-bfd.txt that I distribute to my other hosts over http. This list is almost all IPs that tried to brute force over SSH. In apf you can add a URL to the conf.apf file and apf is set up to reload the rules every 10 minutes. So as soon as a system attacks or I add an IP address, it gets auto-distributed to the rest of my hosts, not just my trixbox installs. This is my own personal list of shame. The list in the link is just an example, do not link to it.
Thank you,
Engineer Tim
It is unnecessary though, other than for curiosity's sake.
This is a simple problem: people running brute force attacks on SIP/IAX extensions. The simple solution is to use a good password and install fail2ban, set it to ban after 3 failed attempts for a month, 3 months or whatever floats your boat. If they come back after that it's no big deal if they have another 3 attempts, bearing in mind that an 8-character password with mixed upper and lower case alphabetic characters plus numbers has 218 trillion combinations.
Why overcomplicate it making lists and banning IPs forever when most of these IPs are proxies, dynamic IPs or compromised machines, and are only a threat temporarily.
The only list you need is the one fail2ban makes for itself after the third attempt, set it and forget it.
Can you please provide the references that you personally used to install fail2ban? I would like to install it but I want to install it the correct way.
I also hope that this blends in with iptables.
I used the guide on voip-info, but I've chopped it about a bit, removed the irrelevant bits and added the new regexes. I had trouble posting it though, the code tags are a problem with it. I just emailed it to you, maybe you could post it on your site.
TDF: "Why overcomplicate it making lists and banning IPs forever when most of these IPs are proxies, dynamic IPs or compromised machines, and are only a threat temporarily. The only list you need is the one fail2ban makes for itself after the third attempt, set it and forget it."
Couldn't agree more. Fail2Ban 0.8.3 is an incredibly versatile product that, when combined with good passwords and an iptables firewall, provides a very secure computing environment.
I've been using fail2ban for some time as an added layer of security for my web servers. One nice feature I utilize is that when fail2ban bans an IP for attacks against ftp, for example, it blocks all access to that server, i.e. port 80, port 443, etc.
I am NOT doing a very good job of pitching the use of APF and BFD so here goes one last time. APF does way more than just firewalling. Here are some of its features, from the website ( http://rfxnetworks.com/apf.php ):
Summary of features:
- detailed and well commented configuration file
- granular inbound and outbound network filtering
- user id based outbound network filtering
- application based network filtering
- trust based rule files with an optional advanced syntax
- global trust system where rules can be downloaded from a central management server
- reactive address blocking (RAB), next generation in-line intrusion prevention
- debug mode provided for testing new features and configuration setups
- fast load feature that allows for 1000+ rules to load in under 1 second
- inbound and outbound network interfaces can be independently configured
- global tcp/udp port & icmp type filtering with multiple methods of executing filters (drop, reject, prohibit)
- configurable policies for each ip on the system with convenience variables to import settings
- packet flow rate limiting that prevents abuse on the most widely abused protocol, icmp
- prerouting and postrouting rules for optimal network performance
- dshield.org block list support to ban networks exhibiting suspicious activity
- spamhaus Don't Route Or Peer List support to ban known "hijacked zombie" IP blocks
- any number of additional interfaces may be configured as firewalled (untrusted) or trusted (not firewalled)
- additional firewalled interfaces can have their own unique firewall policies applied
- intelligent route verification to prevent embarrassing configuration errors
- advanced packet sanity checks to make sure traffic coming and going meets the strictest of standards
- filter attacks such as fragmented UDP, port zero floods, stuffed routing, arp poisoning and more
- configurable type of service options to dictate the priority of different types of network traffic
- intelligent default settings to meet every day server setups
- dynamic configuration of your server's local DNS resolvers into the firewall
- optional filtering of common p2p applications
- optional filtering of private & reserved IP address space
- optional implicit blocks of the ident service
- configurable connection tracking settings to scale the firewall to the size of your network
- configurable kernel hooks (ties) to harden the system further to syn-flood attacks & routing abuses
- advanced network control such as explicit congestion notification and overflow control
- special chains that are aware of the state of FTP DATA and SSH connections to prevent client side issues
- control over the rate of logged events, want only 30 filter events a minute? 300 a minute? - you are the boss
- logging subsystem that allows for logging data to user space programs or standard syslog files
- logging that details every rule added and a comprehensive set of error checks to prevent config errors
- if you are familiar with netfilter you can create your own rules in any of the policy files
- pluggable and ready advanced use of QoS algorithms provided by the Linux
- 3rd party add-on projects that complement APF features
Now, to install it is so simple a cave man can do it. There are no additional libraries nothing except the tar file is needed, and IPTABLES of course. It does QoS, and TONS AND TONS more right out of the box. Adding BFD to the combination just makes this the perfect product for this type of thing. If I can't get at least one person to try this then I am going to scream.
TDF,
I don't get your post. It is not a simple problem. Just having passwords that are unbreakable is not the solution, security by obscurity? If you have someone making hundreds if not thousands of connection attempts to your server for login attempts then there is going to be a problem even if they don't get in. Not only that, but blocking these people and keeping track of the IPs is very, very important. Who cares if they are on a proxy and can switch their IP, block the whole CIDR. I don't get where everyone thinks an ounce of prevention is not worth it. I would rather not have anyone attempting to log in to my ports at all and then only open certain ranges like a real firewall should. I can do this with APF easily. But to say that blocking it for a few hours or days is ample, I feel this is wrong.
By building a database of known proxies, relays, etc. you add a layer of protection that you can take out of the realm of possibility. Hell, I would love to know all of the open proxies that are out there. I would block them all. I know my customers don't use them to connect to my phone systems. It is called preventative maintenance and I hope everyone understands what I am talking about. If you don't have the luxury of having a high end firewall device that can do what really needs to be done, then you can at least make yourself a little more protected by pre-blocking any IP addresses that are known to be an issue in the wild.
God, I really hope that came out clear and concise. It is very important to me to get these IP addresses so they can be blocked before they even get a chance to see my server.
Thank you,
Engineer Tim
Tim - I have been meaning to look at APF for other reasons, so no I don't think you are nuts. RBLs are commonplace in the email world.
The list of banned IPs has to reach some sort of critical mass. Perhaps a website for users to submit abusive IPs would be a start. It would also have to have a mechanism to remove the address, similar to the spam sites.
I just posted TDF's modified Fail2Ban Install Guide. You can view it at
http://www.necits.com/misc/fail2ban.html
http://www.necits.com/misc/fail2ban.pdf
Scott, I think this would be an excellent idea.
Perhaps a website for users to submit abusive IPs would be a start
Even if the site just had a download link that would produce a file that could be imported easily into fail2ban or APF/BFD that would be a starting point.
Engineer Tim,
Like I said in an earlier post, I think apf/bfd is great, I use it to do the heavy lifting on my system, I just run fail2ban ALSO (they both co-exist peacefully on the same system). I personally used your "securing trixbox CE" guide to get the brunt of my tweaks done. So don't go pulling your hair out, your message has been heard loud and clear (at least by me!). I think the combination of the RBLs for apf and the dynamic blocking by fail2ban is the perfect combination. I could probably simplify the install by modifying bfd to monitor my asterisk logs, but I haven't had the chance to play with that yet.
-Chris
I did a hack of /var/www/html/admin/modules/core/functions.inc.php that allows the setting of deny= and permit = as well as auth= for extensions in the web interface
apf caught a couple more last night. 204.10.104.89 which is tied to AccelerateBiz Inc. & Dakmart, & 84.126.212.155 in Spain.
When I can trace an attack back to real companies such as those posing as a VoIP provider they get their whole subnet permanently banned at the firewall for all services. One of last night's attackers has earned that distinction alongside a slowly growing list of rogue networks.
wolf, could you please post your changes (in a .diff file) as a feature request over at FreePBX: http://www.freepbx.org/trac/newticket so that the developers of FreePBX can have a look at it and eventually put it in as an enhancement?
Mikael Carlsson
Sweden
Stupid question, but with fail2ban should we add an exception to the IP addresses that our voip providers use? Please explain why or why not.
I am not sure why for VoIP providers? We are making OUTBOUND connections to them; fail2ban is looking at INCOMING connection attempts.
It would be prudent to add remote office/user IPs if they are static.
?
Voip providers such as Bandwidth.com send incoming calls directly to your static IP, therefore not requiring a trunk registration. That's what I am trying to ask you here.
I think you're missing the point... fail2ban will monitor your asterisk logs and ban IPs that create registration failures. Your provider should not be causing registration errors.
-Chris
One of my servers was hit early this morning from 71.30.171.190. They were unsuccessful in their break-in attempt but I had to unplug from the internet for a while due to the flood of hacker traffic choking everything.
How hard would it be to add a few lines to the fail2ban script to synchronize with a few hosted repositories? Using it would be entirely optional. The repositories could be set up to require multiple sources before it adds an IP to the suggested ban list.
Or maybe a peer to peer arrangement where you can register your ip with sites like trixbox, pbxinaflash etc. and all these registered ips can share their fail2ban.log files.
Seems easy enough to me but what do I know.
mustardman,
This can be done. That is a pretty good idea. It has already been done much better before however, with other types of software. PeerGuardian for example, maintains lists of MPAA / RIAA IPs and bans them from establishing connections with your system, this is useful for torrenting, etc. There are other pieces of software out there which do the same thing for known botnet IPs, and so forth.
I honestly forget the names of these other software programs, maybe someone else can chime in with a name. But it has been done better :) The nice thing about fail2ban is that it is simple, and non-intrusive. It only bans things that are KNOWN to be causing you specifically issues. IPs change, and a computer that was once part of a botnet today may belong to another system tomorrow, so blacklisting such massive amounts of IPs is sometimes futile.
All this talk of using RBLs -- wouldn't that make an increased load on the box, forcing iptables to sift through thousands and thousands of IP addresses to see if it is allowed? Wouldn't this sifting cause jitter or latency on this real time application?
I use this on my email server --- and the list is very large, but email being delayed a few seconds while the MTA connects isn't a big deal. But doing this to an inbound call? -- and couldn't the rift be felt by other calls already in place -- wouldn't that make for more latency?
Fail2ban - removes the IP from the list so the iptables list stays small and fast.
Or could a iptables list with 250,000 IP entries not slow things down at all ?
I have decided to take the opposite approach... removing fail2ban - and configure iptables to deny ALL and just put in the allow for my provider and extension IP lists (some are ranges but only my local net provider) -- as most and I mean most.. attacks come from out of the country for some reason.
Thoughts ?
JD
It is _always_ better to have a whitelist based policy instead of a blacklist based policy (like fail2ban). Whitelisting means you know and trust the hosts you specifically allow, and no more. The problem with this is typically machines need to be able to accept connections from a wide range of unknown IPs for various reasons.
In regards to iptables slowing things down, no. It will not slow your system down at all. iptables uses hashing to look up IP addresses internally, which has an O(1) efficiency level. So iptables is doing a single computation to determine whether or not to reject that IP. fail2ban is useful for administrators who do not want the extra responsibility of explicitly whitelisting things when they need to be allowed, as this can consume a huge amount of time.
Here is another one
174.129.184.223
I keep seeing 82.x.x.x show up. I was hacked by an IP address on the same class A. Since it is on the ripe network and we have no offices in western Europe, I blocked the whole range using iptables.
iptables -A INPUT -s 82.0.0.0/255.0.0.0 -j DROP
93-34-63-36.ip48.fastwebnet.it
93-34-49-22.ip48.fastwebnet.it
93-34-32-166.ip47.fastewebnet.it
caught these attempting to hack over 4 days over the holidays..
one attempt was successful and cost over $900 in 1.5 hours dialling Korea and Liechtenstein
Here are a few more that have popped up over the last 30 days or so:
113.105.152.104 (somewhere in China)
91.83.48.220 list.tozso.net (somewhere in Hungary)
89.250.132.9 server1.adminfrontend.de (somewhere in Germany)
88.198.51.21 db1.antikbuch24.de (Nuremberg, Germany)
Enjoy,
Chris
Here is another suggestion. If you are just using this in one country you can ban IPs from other countries. There is probably a script for setting this up in iptables. There is lots of information around for doing it on the router. A lot of people do this for their email servers. My email servers are constantly getting hammered and the only good solution I have found is banning foreign country IPs. Of course if the company does business with foreign countries and/or people travel worldwide it's not a viable solution.
Works for a lot of companies though. Yea, does not solve the problem if you are in the US as a lot of this does come from the US or US based servers. In my case the vast majority comes from China so it helps a LOT to just ban China.
By adding the two lines to /etc/fail2ban/filter.d/asterisk.conf, the filter will work for IAX but only for existing extensions. If the extension doesn't exist then the login attempt is allowed to continue. The first line in TDF's post "NOTICE.* .*: No registration for peer '.*' (from )" is meant to work when a non-existent extension is attempted but I can't get it to work. The second line works every time. I've added <HOST> to the text but still no go. I've copied and pasted the actual failed login attempt error line from /var/log/asterisk/full into /etc/fail2ban/filter.d/asterisk.conf and still it won't work. Anyone have any ideas?
I don't know what happened there. I just reread the thread over at PIAF and that regex didn't work for me at the time, but it seemed right and I assumed it was working for others, the problem being my trixbox which was acting strangely anyway in regards to fail2ban. Now I wonder if it did in fact work.
Does this work
NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
I think a full set would now be, with the above replacement if it works.
NOTICE.* .*: Registration from '.*' failed for '<HOST>
NOTICE.* .*: Registration from '.*' failed for '<HOST>
NOTICE.* .*: Registration from '.*' failed for '<HOST>
NOTICE.* .*: Registration from '.*' failed for '<HOST>
NOTICE.*
NOTICE.* .*: No registration for peer '.*' \(from <HOST>
NOTICE.* .*: Host <HOST>
NOTICE.* .*: Failed to authenticate user .*@<HOST>
NOTICE.*Sending fake auth rejection for user.*@<HOST>
The best place for instructions and to keep on top of changes is
http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+A...
Someone should probably remove the links in necits's post as the info is out of date.
"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)" works if I enter <HOST> before the last \.
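The IAX pattern posted earlier in the thread and the fix arrived at just above differ in two details that are easy to lose when a regex passes through a forum: the `<HOST>` placeholder (which the forum software swallows as a tag) and the backslashes in front of the parentheses. The following added example (not code from the thread or from fail2ban) compiles the three variants the way fail2ban would and runs them against a constructed chan_iax2 log line, so you can see which one actually captures an address to ban. The `<HOST>` expansion is a simplified stand-in for fail2ban's own.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (an assumption; fail2ban's
# own also accepts IPv6 and a wider hostname character set).
HOST = r"(?P<host>[\w\-.]+)"

# Constructed chan_iax2 log line of the kind the pattern should catch (not real data).
LOG_LINE = ("[Dec 27 03:14:07] NOTICE[2590] chan_iax2.c: "
            "No registration for peer 'admin' (from 192.0.2.5)")

VARIANTS = {
    # Parentheses unescaped and the placeholder gone: "(from )" is a capture
    # group for the literal text "from ", so the "(" in the log is never matched.
    "unescaped, no <HOST>": r"NOTICE.* .*: No registration for peer '.*' (from )",
    # Placeholder back, parentheses still unescaped: still a group, and the
    # literal "(" before "from" is still unaccounted for, so still no match.
    "unescaped, with <HOST>": r"NOTICE.* .*: No registration for peer '.*' (from <HOST>)",
    # Working form: escaped parentheses match the literal ones in the log and
    # the placeholder captures the address between them.
    "escaped, with <HOST>": r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
}


def expand(pattern):
    """Compile a fail2ban-style failregex after substituting the placeholder."""
    return re.compile(pattern.replace("<HOST>", HOST))


def try_pattern(pattern, line=LOG_LINE):
    """Return the host the pattern captures from the line; None if no match,
    and "" if it matches without a host group (so fail2ban could ban nobody)."""
    m = expand(pattern).search(line)
    if m is None:
        return None
    return m.groupdict().get("host", "")


def evaluate(line=LOG_LINE):
    """Run every variant against the line: {variant name: host or None}."""
    return {name: try_pattern(p, line) for name, p in VARIANTS.items()}


if __name__ == "__main__":
    for name, host in evaluate().items():
        print(name, "->", "no match" if host is None else host)
```

Only the escaped form with `<HOST>` returns an address. fail2ban's own `fail2ban-regex` tool does the same check against a real log file, which is the quickest way to confirm a filter before relying on it.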
Thanks! I've been trying but failing to get httpd login attempts to fail but that seems to be hit and miss. Sometimes it may ban me if I attempt four logins, sometimes after twenty-five and sometimes not at all.
Thanks for the help. I will go to PIAF and have a look.
This hacker, despite notifying the ISP several times continues to break into my servers at two locations. When they attack it completely takes out my entire network.
80.179.36.30 net.il
This works for httpd login attempts:
[apache-iptables]
enabled  = true
filter   = apache-auth
action   = iptables-multiport[name=Apache, port="http,https"]
           sendmail-whois[name=Apache, dest=you@youmail.com]
logpath  = /etc/httpd/logs/error_log
bantime  = 36000
The filter apache-auth.conf needs to be revision 728.

