
Title: My Asterisk attacked by a hacker for two hours

Author: 角色    Time: 2010-9-4 18:28     Title: My Asterisk attacked by a hacker for two hours

Please see the following excerpt from the log /var/log/asterisk/messages:
  3236 [Sep  4 11:31:56] NOTICE[3134] chan_sip.c: Registration from '"4137092962"<sip:4137092962@218.18.43.163>' failed for '188.25.53.200' - No matching peer found
  3237 [Sep  4 11:31:57] NOTICE[3134] chan_sip.c: Registration from '"1"<sip:1@218.18.43.163>' failed for '188.25.53.200' - No matching peer found
  .
  .
  .
  13223 [Sep  4 11:34:35] NOTICE[3134] chan_sip.c: Registration from '"9999"<sip:9999@218.18.43.163>' failed for '188.25.53.200' - No matching peer found
  13224 [Sep  4 11:34:39] NOTICE[3134] chan_sip.c: Registration from '"3026" <sip:3026@218.18.43.163>' failed for '188.25.53.200' - Wrong password
  .
  .
  .
  33337 [Sep  4 13:30:59] NOTICE[8688] chan_sip.c: Registration from '"3022" <sip:3022@218.18.43.163>' failed for '188.25.53.200' - Wrong password
The hacker started with a SIP URL, sip:4137092962@218.18.43.163, to check whether an Asterisk server exists or not. If it exists, it started to scan for any matching peer. If one was found, the hacker started to guess the password for that extension. My Asterisk server was being hacked from Sep  4 11:31:56 until Sep  4 13:30:59. The duration was around two hours. It generated 30102 messages in the /var/log/asterisk/messages file.

It is highly recommended to set your password to a 10-digit string, which may consist of lower/upper case letters and numbers. For instance, CcXXXXXXCc, where C denotes an upper case letter, c a lower case letter, and X a number. The combination will be 26x26 * 26x26 * 10 * 10 * 10 * 10 * 10 * 26x26 * 26x26 = 208827064576000000. If the hacker can try 100 times a second, it requires 66218627 years at maximum to guess the correct password for that extension. As a result, it is almost impossible to do so.

YH
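The two phases the post describes (extension enumeration answered with "No matching peer found", then password guessing answered with "Wrong password") can be pulled straight out of the messages file. The script below is an added example, not code from the post or from Asterisk: it parses chan_sip NOTICE lines of the exact shape quoted above, groups the failures by attacking address, separates the two phases, and emits the firewall rule a fail2ban-style jail would apply. The sample log is constructed for the demo from the quoted lines; the 10.0.0.5 entries and the "Peer ... is now Reachable" line are made up to show that a single mistyped password and unrelated notices are not flagged.

```python
"""Spot SIP registration brute force in Asterisk's messages log.

Added example, not from the original post or from the Asterisk project.
Parses chan_sip registration-failure NOTICE lines, aggregates them per
source address and separates extension enumeration from password guessing.
"""
import re
from datetime import datetime

# One chan_sip registration failure, e.g.
# [Sep  4 11:31:57] NOTICE[3134] chan_sip.c: Registration from '"1"<sip:1@218.18.43.163>' failed for '188.25.53.200' - No matching peer found
LINE_RE = re.compile(
    r"\[(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '\"(?P<ext>[^\"]*)\"\s*<sip:[^>]*>' failed for "
    r"'(?P<src>[^']+)' - (?P<reason>.+)$"
)

# Constructed sample, modelled on the lines quoted in the post. The 10.0.0.5
# lines (one wrong password from a LAN user) and the "Reachable" notice are
# made up to show what must NOT be flagged.
SAMPLE_LOG = """\
[Sep  4 11:31:56] NOTICE[3134] chan_sip.c: Registration from '"4137092962"<sip:4137092962@218.18.43.163>' failed for '188.25.53.200' - No matching peer found
[Sep  4 11:31:57] NOTICE[3134] chan_sip.c: Registration from '"1"<sip:1@218.18.43.163>' failed for '188.25.53.200' - No matching peer found
[Sep  4 11:31:58] NOTICE[3134] chan_sip.c: Registration from '"2"<sip:2@218.18.43.163>' failed for '188.25.53.200' - No matching peer found
[Sep  4 11:34:35] NOTICE[3134] chan_sip.c: Registration from '"9999"<sip:9999@218.18.43.163>' failed for '188.25.53.200' - No matching peer found
[Sep  4 11:34:39] NOTICE[3134] chan_sip.c: Registration from '"3026" <sip:3026@218.18.43.163>' failed for '188.25.53.200' - Wrong password
[Sep  4 11:34:40] NOTICE[3134] chan_sip.c: Registration from '"3026" <sip:3026@218.18.43.163>' failed for '188.25.53.200' - Wrong password
[Sep  4 12:00:00] NOTICE[3134] chan_sip.c: Registration from '"3022" <sip:3022@218.18.43.163>' failed for '10.0.0.5' - Wrong password
[Sep  4 12:00:01] NOTICE[3134] chan_sip.c: Peer '3022' is now Reachable. (25ms / 2000ms)
[Sep  4 13:30:59] NOTICE[8688] chan_sip.c: Registration from '"3022" <sip:3022@218.18.43.163>' failed for '188.25.53.200' - Wrong password
"""


def parse_line(line):
    """Return a dict for a registration-failure line, None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    # The log carries no year; strptime fills in 1900, which is fine for durations.
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def analyse(lines):
    """Aggregate registration failures per source address."""
    stats = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # successful registrations, reachability notices, etc.
        s = stats.setdefault(ev["src"], {
            "first": ev["ts"], "last": ev["ts"], "total": 0,
            "enumeration": 0, "guessing": 0, "targets": set(),
        })
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
        s["total"] += 1
        if ev["reason"].startswith("No matching peer found"):
            s["enumeration"] += 1  # probing for extensions that exist
        elif ev["reason"].startswith("Wrong password"):
            s["guessing"] += 1     # extension exists; its secret is being guessed
            s["targets"].add(ev["ext"])
    return stats


def duration_seconds(s):
    """Seconds between the first and last failure from one address."""
    return int((s["last"] - s["first"]).total_seconds())


def offenders(stats, threshold=5):
    """Addresses with at least `threshold` failures, as a fail2ban jail would pick them."""
    return sorted(ip for ip, s in stats.items() if s["total"] >= threshold)


def block_command(ip, port=5060):
    """iptables rule dropping further SIP (UDP) traffic from the address."""
    return f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP"


if __name__ == "__main__":
    stats = analyse(SAMPLE_LOG.splitlines())
    for ip in offenders(stats):
        s = stats[ip]
        print(f"{ip}: {s['total']} failures over {duration_seconds(s)}s, "
              f"{s['enumeration']} enumeration, {s['guessing']} guesses at {sorted(s['targets'])}")
        print("  " + block_command(ip))
```

Run against the real file with `analyse(open("/var/log/asterisk/messages"))`. The separation matters for the response: a burst of "No matching peer found" from one address is a scanner regardless of whether any secret is weak, while "Wrong password" against a named extension tells you which account to rotate. fail2ban ships a filter for these Asterisk lines, so in practice the threshold and the iptables rule go into a jail rather than a script.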
Author: TsinTsin    Time: 2010-9-4 20:10

Don't use the standard SIP port number, e.g. 5060...

Disable all remote management for public access and set an Allow/Access List for local access.
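In sip.conf the advice above maps to a handful of directives: `bindport` in [general], and a `deny`/`permit` pair on each peer. The checker below is an added example, not from the reply or from the Asterisk project; it parses a sip.conf with a small parser (configparser rejects the repeated `deny`/`permit` keys) and flags the settings that let the scan in the first post succeed: the default port, `alwaysauthreject` not set to yes (without it an unknown extension gets "No matching peer found" while a known one gets "Wrong password", which is exactly how the scanner found live extensions), `allowguest` left on, dynamic peers with no access list, and secrets shorter than the 10 characters recommended in the first post or equal to the extension. Both configs are constructed; the weak one mirrors a default-style setup, the hardened one applies the thread's advice.

```python
"""Audit sip.conf for the exposures raised in the thread.

Added example, not from the original posts or from the Asterisk project.
The sample configs are constructed; the secret in the hardened one is a
placeholder following the CcXXXXXXCc pattern from the first post.
"""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]")
KEYVAL_RE = re.compile(r"^([^=\s]+)\s*=>?\s*(.*)$")  # 'key=value' and 'key => value'

WEAK_CONF = """\
[general]
context=default
bindport=5060
allowguest=yes

[3026]
type=friend
host=dynamic
secret=3026
context=internal
"""

HARDENED_CONF = """\
[general]
context=default
bindport=15060          ; anything but 5060, as the reply suggests
alwaysauthreject=yes    ; same rejection for unknown peer and wrong password
allowguest=no           ; no unauthenticated calls

[3026]
type=friend
host=dynamic
secret=Ab123456Cd       ; placeholder only: CcXXXXXXCc pattern from the first post
deny=0.0.0.0/0.0.0.0    ; deny everything...
permit=192.168.1.0/255.255.255.0   ; ...then allow the LAN only
context=internal
"""


def parse_sip_conf(text):
    """Return {section: [(key, value), ...]}, keeping order and repeated keys."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in Asterisk configs
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            conf.setdefault(current, [])
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            conf[current].append((m.group(1), m.group(2).strip()))
    return conf


def first(entries, key, default=None):
    """First value for `key` in a section's entry list."""
    for k, v in entries:
        if k == key:
            return v
    return default


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_sip_conf(text)
    findings = []
    general = conf.get("general", [])
    if first(general, "bindport", "5060") == "5060":
        findings.append("general: SIP on the default port 5060, the first port scanners try")
    if first(general, "alwaysauthreject", "no").lower() != "yes":
        findings.append("general: alwaysauthreject is not yes; replies reveal which extensions exist")
    if first(general, "allowguest", "yes").lower() != "no":
        findings.append("general: allowguest is on; unauthenticated calls are accepted")
    for name, entries in conf.items():
        if name == "general" or first(entries, "host") != "dynamic":
            continue
        keys = {k for k, _ in entries}
        if not {"deny", "permit"} <= keys:
            findings.append(f"{name}: dynamic peer reachable from anywhere (no deny/permit list)")
        secret = first(entries, "secret", "")
        if len(secret) < 10 or secret == name:
            findings.append(f"{name}: secret shorter than 10 characters or equal to the extension")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf)
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  " + f)
```

Moving the port only cuts down the noise from scanners that sweep 5060; the access list and `alwaysauthreject=yes` are the controls that actually stop the enumeration and guessing seen in the log. The `deny` line must come before `permit`, since Asterisk evaluates them in order.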
Author: TsinTsin    Time: 2010-9-4 20:15

Change the passwords; don't forget your:
CentOS root pw, Asterisk ac pw, MySQL root pw
Author: 角色    Time: 2010-9-4 20:16

Thank you very much for your advice.

YH




Welcome to 電訊茶室 (http://telecom-cafe.com/forum/) Powered by Discuz! 7.2