
Is this Asterisk log showing an intrusion attempt?

Is this Asterisk log showing an intrusion attempt? It went on for a full 2 minutes.
[Apr  6 16:14:11] NOTICE[25705][C-0000003d] chan_sip.c: Call from '' (37.8.60.34:20376) to extension '001972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:12] NOTICE[25705][C-0000003e] chan_sip.c: Call from '' (37.8.60.34:28195) to extension '0001972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:13] NOTICE[25705][C-0000003f] chan_sip.c: Call from '' (37.8.60.34:28195) to extension '00001972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:17] NOTICE[25705][C-00000040] chan_sip.c: Call from '' (37.8.60.34:20698) to extension '0000001972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:18] NOTICE[25705][C-00000041] chan_sip.c: Call from '' (37.8.60.34:20754) to extension '*001972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:19] NOTICE[25705][C-00000042] chan_sip.c: Call from '' (37.8.60.34:20699) to extension '**001972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:19] NOTICE[25705][C-00000043] chan_sip.c: Call from '' (37.8.60.34:29815) to extension '+001972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:20] NOTICE[25705][C-00000044] chan_sip.c: Call from '' (37.8.60.34:29815) to extension '+972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:21] NOTICE[25705][C-00000045] chan_sip.c: Call from '' (37.8.60.34:20754) to extension '*972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:22] NOTICE[25705][C-00000046] chan_sip.c: Call from '' (37.8.60.34:20464) to extension '0080972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:22] NOTICE[25705][C-00000047] chan_sip.c: Call from '' (37.8.60.34:20464) to extension '90080972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:23] NOTICE[25705][C-00000048] chan_sip.c: Call from '' (37.8.60.34:20376) to extension '80080972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:24] NOTICE[25705][C-00000049] chan_sip.c: Call from '' (37.8.60.34:29806) to extension '009972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:25] NOTICE[25705][C-0000004a] chan_sip.c: Call from '' (37.8.60.34:29806) to extension '9009972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:25] NOTICE[25705][C-0000004b] chan_sip.c: Call from '' (37.8.60.34:29815) to extension '99009972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:26] NOTICE[25705][C-0000004c] chan_sip.c: Call from '' (37.8.60.34:29816) to extension '8009972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:27] NOTICE[25705][C-0000004d] chan_sip.c: Call from '' (37.8.60.34:29811) to extension '88009972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:27] NOTICE[25705][C-0000004e] chan_sip.c: Call from '' (37.8.60.34:29811) to extension '9001972592646879' rejected because extension not found in context 'default'.

Yes. So your extensions can't be simple: at least 8 characters, two of which should be letters.
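One way to confirm that pattern automatically, as an added example that is not from this thread: the code below parses chan_sip "rejected" NOTICE lines, flags any source IP that produces many rejects within a short window, and shows that the dialled numbers differ only by prefix. The sample lines are constructed in the same format as the log in the first post; the window and threshold values are assumptions.

```python
import os
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the chan_sip NOTICE format from the first post: one source IP
# dials the same number with different prefixes, plus one unrelated rejected call.
SAMPLE_LOG = """\
[Apr  6 16:14:11] NOTICE[25705][C-0000003d] chan_sip.c: Call from '' (37.8.60.34:20376) to extension '001972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:12] NOTICE[25705][C-0000003e] chan_sip.c: Call from '' (37.8.60.34:28195) to extension '0001972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:13] NOTICE[25705][C-0000003f] chan_sip.c: Call from '' (37.8.60.34:28195) to extension '00001972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:18] NOTICE[25705][C-00000041] chan_sip.c: Call from '' (37.8.60.34:20754) to extension '*001972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:19] NOTICE[25705][C-00000043] chan_sip.c: Call from '' (37.8.60.34:29815) to extension '+001972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:20:05] NOTICE[25705][C-00000050] chan_sip.c: Call from '' (192.0.2.10:5060) to extension '1234' rejected because extension not found in context 'default'.
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\](?:\[C-[0-9a-f]+\])? chan_sip\.c: "
    r"Call from '[^']*' \((?P<ip>[\d.]+):\d+\) to extension '(?P<ext>[^']+)' rejected")

def parse_rejects(text):
    """Return (timestamp, source_ip, dialled_extension) per rejected-call NOTICE, in time order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # the log carries no year; strptime's default 1900 is fine for time deltas
            events.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"], m["ext"]))
    return sorted(events)

def find_scanners(events, window_s=60, threshold=5):
    """Map each IP with >= threshold rejects in any window_s window to (total, distinct extensions)."""
    by_ip = defaultdict(list)
    for ts, ip, ext in events:
        by_ip[ip].append((ts, ext))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):  # sliding window over this IP's rejects
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(evs), sorted({e for _, e in evs}))
                break
    return flagged

def common_suffix(exts):
    """Longest suffix shared by all dialled extensions; a long one means prefix enumeration."""
    return os.path.commonprefix([e[::-1] for e in exts])[::-1]
```

Feeding the real log through `parse_rejects` and `find_scanners` flags 37.8.60.34 the same way; the shared suffix is the target number the caller is trying to reach through different dial prefixes.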


There's no reason they would know my IP address and then dial in to try.


Of course they don't know. Hackers just probe at random; because you gave feedback, the hacker keeps hacking your Asterisk server.
You should use

sip.conf

[general]
alwaysauthreject=yes

to reject all requests, so the hacker can't tell that only the password is wrong and keep hacking your secrets. This setting is like a mainlander answering questions: whatever you ask, the answer is the same: "Don't know!" Whether it's the extension or the password, the answer is always: don't know! Then the hacker can't tell whether the extension is wrong or the password is wrong, and doesn't know what to do next!


Thanks.

Changed it right away, and strengthened the passwords.


Reply to 5# SuiYan

Also, port 22 on your Asterisk server's Linux is best left closed, because hackers will hack your Linux system. If your Linux root admin password isn't complex or long enough, then once they hack through your router, your Asterisk server is done for!

1) For example, my port 22: use the router in front to change it to another port, or block port 22 (done on the router), then use a VPN to get into your system's network.
2) Linux root administration password: for example, my root password is 13 characters.
3) Asterisk extension password: for example, mine is CCNNNNNN, where the first two characters are letters and the last six are numerical digits.
4) Plus what I told you before.


Thanks. I haven't opened port 21/22 on the router for inbound access.
When I need to, I remote wake-on-LAN the computer at home, then VNC into that computer to telnet/ssh.
Also, port 8088 is not open to the outside.


This post was last edited by 浮雲1965 on 2013-4-9 18:38

If it's Elastix, it seems manual edits to sip.conf are not recommended, so how should I add

[general]
alwaysauthreject=yes

Is it the same as the setting in Elastix's General Settings, under
Security Settings
Allow Anonymous Inbound SIP Calls:    NO

Since my Elastix server is in a data center,
can I add a second NIC to the Elastix server connected to the internal network, and use openvpn to get into the internal network to manage the Elastix server?

Thanks!


I've kept monitoring the Asterisk log; over these 3 days there have been continuous intrusion attempts.
Today was the worst: all day, once every 2 hours, half an hour each time, an attempt every few seconds, from 8 in the morning until now.
So I've just shut down that Asterisk and the router port forward.


It is the main reason I changed my router to the RB750G: to tackle the SIP registration attacks.
RB750G, RB2011UAS-2HnD
IP01, A580IP, AT-610


There seem to have been quite a few cases like this lately...
My several Asterisk boxes seem to have had similar situations too...

But I believe that besides the password, the dialplan settings are also very important...
My dialplan is set up so that only free calls can be dialled out...
(for example, calling Hong Kong is 9+XXXXXXXX (8 digits, no more, no less))


Reply to 10# Qnewbie

What did you do in your RB?


Last night before bed I turned off the broadband modem, so that HKBN would switch my IP address to a different one.
Let's see whether the intruders go by IP ADDRESS or by DDNS DOMAIN.


My settings for the RB (all my remote contacts have either fixed IPs or DDNS):
http://www.telecom-cafe.com/forum/viewthread.php?tid=4330

I think attacks are IP-based, not DDNS-based (in my own experience).

Found some sources.

After changing the IP address, for 2 days no attacks were seen.
But today around 3:30 pm I used iptel.org on my phone to call home; the number dialled was 1234@xxxx.ddns.org,
calling from linphone.org to my 1234@xxxx.ddns.org.

Then, just after 5 o'clock, attacks started showing up again.
