Asterisk attacks chewing data even with fail2ban doing its thing, unavoidable?

Geekzone Status | Geekzone User IP information | NZ Cell Sites Map | Mighty Ape | Amazon order page (Kindle, books, electronics)

Welcome Guest.

You haven't logged in yet. If you don't have an account you can register now.

Forums › VoIP › Asterisk attacks chewing data even with fail2ban doing its thing, unavoidable?

aw

221 posts

Master Geek

Subscriber

Topic # 99056 12-Mar-2012 07:41
sigh I have an Asterisk box at my home office. I have it set up for remote extensions so I can use my smartphone as an extension when both home and away. All works fine. I have long, random passwords and I have fail2ban protecting the server, which works well. Despite that, I've noticed I'm still finding myself the target of intense attack attempts. Fail2Ban sends an e-mail when it bans an IP, and I saw last night at 5:21pm it banned 208.115.231.210 after "120 attempts against Asterisk". This morning I noticed via iptables that that same IP is still banned, and I see via Wireshark that despite getting no response, that same IP is still sending around 100 SIP registration attempts a second. That's data I'm paying for! I seem to get hit with one of these persistent buggers about once a month, and the attack can go on for as long as 48 hours and consume multiple GBs of data. Is this just one of the realities of having an externally accessible Asterisk box?

1080p

1070 posts

Uber Geek

Reply # 593861 12-Mar-2012 08:12
Pretty much :C All you can do is work with your provider to see if they will null route the attempts. If you have a residential connection this will be much harder than a business connection with SLA. Workstation: Intel DH67CL ~ i5-2500 ~ 4GB Corsair RAM (x2) ~ Intel X25-M 80GB SSD Laptop: Dell Inspiron 1564 ~ i5-520M ~ 4.00GB RAM ~ 500GB SATA HDD ~ Win7 Home Premium x64 Common misconceptions.

sbiddle

16853 posts

Uber Geek

Moderator

Trusted

Biddle Corp

Subscriber

Reply # 593865 12-Mar-2012 08:18
Unless you funny understand the risks associated with doing so no PBX should ever be internet facing. VPN access for remote extensions is always the most secure way of allowing remote access. While your firewall has blocked that IP the bot still knows you have a PBX there and isn't smart enough to realise it's been blocked. *Need help configuring your Linksys ATA or IP Phones for New Zealand? Check my blog post

aw

221 posts

Master Geek

Subscriber

Reply # 594541 13-Mar-2012 13:08
OK I'll investigate VPN options. Thanks for the advice. Anyone else VPN their iPhone back to their home PABX?

l43a2

811 posts

Ultimate Geek

Reply # 594545 13-Mar-2012 13:15
aw: sigh I have an Asterisk box at my home office. I have it set up for remote extensions so I can use my smartphone as an extension when both home and away. All works fine. I have long, random passwords and I have fail2ban protecting the server, which works well. Despite that, I've noticed I'm still finding myself the target of intense attack attempts. Fail2Ban sends an e-mail when it bans an IP, and I saw last night at 5:21pm it banned 208.115.231.210 after "120 attempts against Asterisk". This morning I noticed via iptables that that same IP is still banned, and I see via Wireshark that despite getting no response, that same IP is still sending around 100 SIP registration attempts a second. That's data I'm paying for! I seem to get hit with one of these persistent buggers about once a month, and the attack can go on for as long as 48 hours and consume multiple GBs of data. Is this just one of the realities of having an externally accessible Asterisk box? that IP seems to come from http://www.limestonenetworks.com mite be worth putting in an abuse report

Zeon

2433 posts

Uber Geek

Trusted

Subscriber

Reply # 594549 13-Mar-2012 13:22
1080p: Pretty much :C All you can do is work with your provider to see if they will null route the attempts. If you have a residential connection this will be much harder than a business connection with SLA. Haha not if they are Orcon, flat out refused to null route one of our internal IPs are DDoS to it were taking out our entire rack. Took them 3 months of us begging to finally look at a fix which was a 1gbps port upgrade which solved the issues overnight.

vespaman

50 posts

Geek

Reply # 597585 20-Mar-2012 11:30
vpn the best way for remote phones. Iphone + vpn options here - http://www.linuxpinguin.de/2009/06/secure-encrypted-phone-calls-with-your-iphone/

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:

Follow @geekzonenzforum

Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:

Follow @geekz1

Follow us to receive Twitter updates when new jobs are posted to our jobs board:

Follow @geekzonenzjobs

Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:

Follow @geekzoneprices

News »

Investor Rowan Simpson backs Timely
Posted 19-Jun-2013 14:36

Orcon Genius Go app set home lines free
Posted 19-Jun-2013 14:26

New Slingshot "Global Mode" gives access to world of content
Posted 19-Jun-2013 13:00

Symantec 2013 Global SMB IT Confidence Index shows top ANZ challenge is keeping up with IT trends
Posted 19-Jun-2013 12:37

Major update to Adobe Creative Cloud now available
Posted 19-Jun-2013 12:15

Geeksphere TV: Episode 23.1
Posted 19-Jun-2013 11:45

Trending now »

Hot discussions in our forums right now:

Sky outbid for EPL rights (Premier League Pass discussion)
Created by JonnyCam, last reply by Benoire on 19-Jun-2013 22:57 (232 replies)

... 14 15 16

I am been sued - HELP!
Created by BaaaaD, last reply by mattwnz on 19-Jun-2013 22:59 (54 replies)

... 2 3 4

Orcon Genius Go discussion
Created by freitasm, last reply by ptinson on 19-Jun-2013 21:22 (46 replies)

... 2 3 4

Slingshot Global Mode announced
Created by freitasm, last reply by freitasm on 19-Jun-2013 22:38 (44 replies)

... 2 3

Condenser Dryer: anyone has one?
Created by joker97, last reply by graemew on 18-Jun-2013 21:08 (31 replies)

... 2 3

Slow YouTube Response
Created by SneakerPimps, last reply by mercutio on 18-Jun-2013 21:34 (23 replies)

... 2

Suggestions for good Windows FTP client please?
Created by freitasm, last reply by Ragnor on 19-Jun-2013 22:47 (21 replies)

... 2

Anyone else watching paint dry?
Created by gnfb, last reply by DravidDavid on 19-Jun-2013 19:53 (40 replies)

... 2 3

Geekzone Jobs »

Most recent NZ jobs in technology:

Website needed
Posted 19-Jun-2013 22:38

Solution Architect - Pre-Sales element!
Posted 19-Jun-2013 22:38

Senior Business Analyst
Posted 19-Jun-2013 19:38

Java Developer
Posted 19-Jun-2013 19:38

RF Tester
Posted 19-Jun-2013 19:38

Motivated Systems Administrator
Posted 19-Jun-2013 19:38

Senior ASP.Net Developer
Posted 19-Jun-2013 19:38

Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.

RSS feeds: Main feed; Forums feed; Tech Jobs feed; All RSS feeds

Site features: Geekzone Mobile; @GeekzoneMail; Geekzone Badges; Geekzone on Twitter

Geekzone offers: Amazon orders (Kindle, books, everything); MightyApe orders; Free technology white papers

Site Information: Subscribe to Geekzone; Privacy Statement; Forum Usage Guidelines (FUG); Advertising on Geekzone; Trademark and copyright

©2002-2013 Geekzone®