Asterisk attacks chewing data even with fail2ban doing its thing, unavoidable?

Forums › VoIP › Asterisk attacks chewing data even with fail2ban doing its thing, unavoidable?

aw

286 posts

Ultimate Geek

#99056 12-Mar-2012 07:41

*sigh*

I have an Asterisk box at my home office. I have it set up for remote extensions so I can use my smartphone as an extension when both home and away. All works fine.

I have long, random passwords and I have fail2ban protecting the server, which works well.

Despite that, I've noticed I'm still finding myself the target of intense attack attempts.

Fail2Ban sends an e-mail when it bans an IP, and I saw last night at 5:21pm it banned 208.115.231.210 after "120 attempts against Asterisk".

This morning I noticed via iptables that that same IP is still banned, and I see via Wireshark that despite getting no response, that same IP is still sending around 100 SIP registration attempts a second. That's data I'm paying for!

I seem to get hit with one of these persistent buggers about once a month, and the attack can go on for as long as 48 hours and consume multiple GBs of data.

Is this just one of the realities of having an externally accessible Asterisk box?

1080p

1332 posts

Uber Geek
Inactive user

#593861 12-Mar-2012 08:12

Pretty much :C

All you can do is work with your provider to see if they will null route the attempts. If you have a residential connection this will be much harder than a business connection with SLA.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#593865 12-Mar-2012 08:18

Unless you funny understand the risks associated with doing so no PBX should ever be internet facing. VPN access for remote extensions is always the most secure way of allowing remote access.

While your firewall has blocked that IP the bot still knows you have a PBX there and isn't smart enough to realise it's been blocked.

aw

286 posts

Ultimate Geek

#594541 13-Mar-2012 13:08

OK I'll investigate VPN options. Thanks for the advice.

Anyone else VPN their iPhone back to their home PABX?

l43a2

1779 posts

Uber Geek

ID Verified

Trusted

#594545 13-Mar-2012 13:15

aw: *sigh*

I have an Asterisk box at my home office. I have it set up for remote extensions so I can use my smartphone as an extension when both home and away. All works fine.

I have long, random passwords and I have fail2ban protecting the server, which works well.

Despite that, I've noticed I'm still finding myself the target of intense attack attempts.

Fail2Ban sends an e-mail when it bans an IP, and I saw last night at 5:21pm it banned 208.115.231.210 after "120 attempts against Asterisk".

This morning I noticed via iptables that that same IP is still banned, and I see via Wireshark that despite getting no response, that same IP is still sending around 100 SIP registration attempts a second. That's data I'm paying for!

I seem to get hit with one of these persistent buggers about once a month, and the attack can go on for as long as 48 hours and consume multiple GBs of data.

Is this just one of the realities of having an externally accessible Asterisk box?

that IP seems to come from http://www.limestonenetworks.com mite be worth putting in an abuse report

Zeon

3916 posts

Uber Geek

Trusted

#594549 13-Mar-2012 13:22

1080p: Pretty much :C

All you can do is work with your provider to see if they will null route the attempts. If you have a residential connection this will be much harder than a business connection with SLA.

Haha not if they are Orcon, flat out refused to null route one of our internal IPs are DDoS to it were taking out our entire rack. Took them 3 months of us begging to finally look at a fix which was a 1gbps port upgrade which solved the issues overnight.

Speedtest 2019-10-14

vespaman

88 posts

Master Geek

#597585 20-Mar-2012 11:30

vpn the best way for remote phones. Iphone + vpn options here - http://www.linuxpinguin.de/2009/06/secure-encrypted-phone-calls-with-your-iphone/