Title: Is this asterisk log an attempted intrusion?

Author: SuiYan    Time: 2013-4-6 17:49     Title: Is this asterisk log an attempted intrusion?

Is this asterisk log an attempted intrusion? It went on for a full 2 minutes.
[Apr  6 16:14:11] NOTICE[25705][C-0000003d] chan_sip.c: Call from '' (37.8.60.34:20376) to extension '001972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:12] NOTICE[25705][C-0000003e] chan_sip.c: Call from '' (37.8.60.34:28195) to extension '0001972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:13] NOTICE[25705][C-0000003f] chan_sip.c: Call from '' (37.8.60.34:28195) to extension '00001972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:17] NOTICE[25705][C-00000040] chan_sip.c: Call from '' (37.8.60.34:20698) to extension '0000001972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:18] NOTICE[25705][C-00000041] chan_sip.c: Call from '' (37.8.60.34:20754) to extension '*001972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:19] NOTICE[25705][C-00000042] chan_sip.c: Call from '' (37.8.60.34:20699) to extension '**001972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:19] NOTICE[25705][C-00000043] chan_sip.c: Call from '' (37.8.60.34:29815) to extension '+001972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:20] NOTICE[25705][C-00000044] chan_sip.c: Call from '' (37.8.60.34:29815) to extension '+972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:21] NOTICE[25705][C-00000045] chan_sip.c: Call from '' (37.8.60.34:20754) to extension '*972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:22] NOTICE[25705][C-00000046] chan_sip.c: Call from '' (37.8.60.34:20464) to extension '0080972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:22] NOTICE[25705][C-00000047] chan_sip.c: Call from '' (37.8.60.34:20464) to extension '90080972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:23] NOTICE[25705][C-00000048] chan_sip.c: Call from '' (37.8.60.34:20376) to extension '80080972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:24] NOTICE[25705][C-00000049] chan_sip.c: Call from '' (37.8.60.34:29806) to extension '009972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:25] NOTICE[25705][C-0000004a] chan_sip.c: Call from '' (37.8.60.34:29806) to extension '9009972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:25] NOTICE[25705][C-0000004b] chan_sip.c: Call from '' (37.8.60.34:29815) to extension '99009972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:26] NOTICE[25705][C-0000004c] chan_sip.c: Call from '' (37.8.60.34:29816) to extension '8009972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:27] NOTICE[25705][C-0000004d] chan_sip.c: Call from '' (37.8.60.34:29811) to extension '88009972592646879' rejected because extension not found in context 'default'.
[Apr  6 16:14:27] NOTICE[25705][C-0000004e] chan_sip.c: Call from '' (37.8.60.34:29811) to extension '9001972592646879' rejected because extension not found in context 'default'.
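An added example (not from the thread): a small Python detector that parses the chan_sip "extension not found" NOTICE lines quoted above and flags any source IP that probes many different extensions inside a short window, which is the pattern this log shows. Five sample lines are copied from the post; the 192.0.2.10 line is a constructed benign misdial for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the chan_sip "extension not found" NOTICE lines quoted in the thread.
NOTICE_RE = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\](?:\[C-[0-9a-f]+\])? "
    r"chan_sip\.c: Call from '(?P<caller>[^']*)' \((?P<ip>[\d.]+):\d+\) "
    r"to extension '(?P<ext>[^']+)' rejected because extension not found in context '[^']+'"
)

def parse_notice(line):
    """Return the fields of one rejected-call NOTICE, or None for any other line."""
    m = NOTICE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # syslog-style stamp, no year
    return rec

def find_extension_scans(lines, min_distinct=5, window_seconds=120):
    """Flag source IPs that probe >= min_distinct different extensions within one window."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_notice(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    scans = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):  # sliding window starting at each attempt
            window = [r for r in recs[i:] if (r["ts"] - first["ts"]).total_seconds() <= window_seconds]
            if len({r["ext"] for r in window}) >= min_distinct:
                scans[ip] = {"attempts": len(recs), "distinct_extensions": len({r["ext"] for r in recs}),
                             "anonymous": all(r["caller"] == "" for r in recs)}  # empty From, as in the thread
                break
    return scans

# Five lines copied from the thread plus one constructed benign misdial (192.0.2.10 is a documentation address).
SAMPLE_LOG = [
    "[Apr  6 16:14:11] NOTICE[25705][C-0000003d] chan_sip.c: Call from '' (37.8.60.34:20376) to extension '001972592646879' rejected because extension not found in context 'default'.",
    "[Apr  6 16:14:12] NOTICE[25705][C-0000003e] chan_sip.c: Call from '' (37.8.60.34:28195) to extension '0001972592646879' rejected because extension not found in context 'default'.",
    "[Apr  6 16:14:18] NOTICE[25705][C-00000041] chan_sip.c: Call from '' (37.8.60.34:20754) to extension '*001972592646879' rejected because extension not found in context 'default'.",
    "[Apr  6 16:14:19] NOTICE[25705][C-00000043] chan_sip.c: Call from '' (37.8.60.34:29815) to extension '+001972592646879' rejected because extension not found in context 'default'.",
    "[Apr  6 16:14:22] NOTICE[25705][C-00000046] chan_sip.c: Call from '' (37.8.60.34:20464) to extension '0080972592646879' rejected because extension not found in context 'default'.",
    "[Apr  6 18:02:05] NOTICE[25705][C-00000050] chan_sip.c: Call from '2001' (192.0.2.10:5060) to extension '9999' rejected because extension not found in context 'default'.",
]
```

Running `find_extension_scans(SAMPLE_LOG)` reports only 37.8.60.34 (five distinct extensions in 11 seconds, anonymous caller); the single misdial from 192.0.2.10 is left alone.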

Author: 角色    Time: 2013-4-6 22:37

Yes, so your extension passwords must not be simple: at least 8 characters, two of which should be letters.
Author: SuiYan    Time: 2013-4-6 22:41

There's no way they could know my IP address and then dial in to try.
Author: 角色    Time: 2013-4-6 22:55

Of course they don't know; hackers just try at random. Because you give them feedback, the hacker keeps on hacking your Asterisk Server.
You should use

sip.conf

[general]
alwaysauthreject=yes

to reject all requests, so the hacker can't tell that only the password is wrong and keep on cracking your secret. This line is like asking a mainlander a question: whatever you ask, the answer is always the same: "Don't know!" Whether it's the extension or the password, the answer is always: don't know! Then the hacker can't tell whether the extension is wrong or the password is wrong, and has no idea what to do next!
Author: SuiYan    Time: 2013-4-7 00:58

Thanks.

Changed it right away, and strengthened the passwords too.
Author: 角色    Time: 2013-4-7 08:31

Reply to #5 SuiYan

Also, port 22 on your Asterisk Server's Linux is best left closed, because hackers will go after your Linux system; if your Linux root admin password isn't complex or long enough, once they get through your router your Asterisk server is done for!

1) For example, my port 22: I use the router in front to change it to another port, or have port 22 blocked (done on the router), and then use a VPN to get into the system's network.
2) Linux root administration password: my root password, for example, is 13 characters.
3) Asterisk extension password: mine, for example, is CCNNNNNN, two characters in front and six numerical digits after.
4) Plus the things I told you earlier.
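An added example (not from the thread) that covers both of 角色's replies above: a small Python audit that reads a sip.conf fragment, checks that [general] has alwaysauthreject=yes and allowguest=no, and checks every peer secret against the stated policy (at least 8 characters, at least two letters). Both config fragments are constructed; allowguest=no is assumed here to be the sip.conf equivalent of the Elastix "Allow Anonymous Inbound SIP Calls: NO" setting mentioned later in the thread.

```python
def parse_sip_conf(text):
    """Minimal reader for Asterisk's [section] / key=value format; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):                       # "[name]" or template "[name](!)"
            current = sections.setdefault(line[1:line.index("]")], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections

def audit_sip_conf(text, min_len=8, min_letters=2):
    """Findings for the [general] settings from the thread and for peer secrets below the policy."""
    conf = parse_sip_conf(text)
    findings = []
    general = conf.get("general", {})
    if general.get("alwaysauthreject", "").lower() != "yes":
        findings.append("general: alwaysauthreject is not set to yes")
    if general.get("allowguest", "").lower() != "no":
        findings.append("general: allowguest is not set to no")
    for name, peer in conf.items():
        if name == "general" or "secret" not in peer:
            continue
        letters = sum(c.isalpha() for c in peer["secret"])
        if len(peer["secret"]) < min_len or letters < min_letters:
            findings.append(f"{name}: secret below policy ({min_len}+ chars, {min_letters}+ letters)")
    return findings

# Constructed fragments (not from the thread): a weak sip.conf and the hardened form of the advice.
WEAK_CONF = """
[general]
allowguest=yes
alwaysauthreject=no
[1234]
type=friend
secret=1234
"""
HARDENED_CONF = """
[general]
allowguest=no          ; assumed equivalent of Elastix "Allow Anonymous Inbound SIP Calls: NO"
alwaysauthreject=yes   ; same answer whether the user or the password is wrong
[1234]
type=friend
secret=xk482130        ; CCNNNNNN: two letters followed by six digits
"""
```

`audit_sip_conf(WEAK_CONF)` lists three findings; `audit_sip_conf(HARDENED_CONF)` returns an empty list.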
Author: SuiYan    Time: 2013-4-7 20:53

Thanks. I haven't opened port 21/22 on the router for inbound access.
When I need to, I remote wake-on-LAN power on the computer at home, then VNC into that computer to telnet/ssh.
Also PORT 8088 is not open to the outside.
Author: 浮雲1965    Time: 2013-4-9 18:31

This post was last edited by 浮雲1965 on 2013-4-9 18:38

If it's Elastix, I believe manually editing sip.conf is not recommended, so how should I add

[general]
alwaysauthreject=yes

Is it the one in Elastix's General Settings, under
Security Settings
Allow Anonymous Inbound SIP Calls:    NO

Since my Elastix server is in a data center,
can I add another NIC to the Elastix server, connected to the internal network, and use openvpn to get into the internal network and manage the Elastix server from there?

Thanks!
Author: SuiYan    Time: 2013-4-11 01:05

Monitoring the asterisk log continuously, there have been constant intrusion attempts over these 3 days.
Today was the worst: all day, once every 2 hours, half an hour each time, an attempt every few seconds, from 8 in the morning until now.
So I've just shut down that asterisk and the router port forward.
Author: Qnewbie    Time: 2013-4-11 02:08

It is the main reason I changed my router to an RB750G: to tackle the SIP registration attacks.
Author: 電腦超人    Time: 2013-4-11 15:21

There seem to be quite a few cases like this lately...
Several of my asterisk boxes seem to have had similar situations...

But I believe that besides the password, the dialplan setup is also very important...
My dialplan is set up so that it can only dial out free calls...
(for example, calling Hong Kong is 9+XXXXXXXX (8 digits, no more, no less))
Author: 角色    Time: 2013-4-11 20:06

Reply to #10 Qnewbie

What did you do in your RB?
Author: SuiYan    Time: 2013-4-11 22:24

Last night before bed I turned off the BB modem, so that HKBN would switch my IP address to a different one.
Let's see whether the intruder goes by IP ADDRESS or by DDNS DOMAIN.
Author: Qnewbie    Time: 2013-4-12 04:16

My settings for RB (all my remote contacts have either fixed IPs or DDNS):
http://www.telecom-cafe.com/forum/viewthread.php?tid=4330

I think attacks are IP-based, not DDNS-based (in my own experience).
Author: SuiYan    Time: 2013-4-12 21:40

Found some of the sources.

So, after changing the IP address, no attacks were seen for 2 days.
But today around 3:30 pm, I used iptel.org on my phone to call home; the number dialed was 1234@xxxx.ddns.org,
and linphone.org called my 1234@xxxx.ddns.org.

Then, a little after 5 o'clock, I started seeing ATTACKS again.
Author: 角色    Time: 2013-4-12 22:27

If your Asterisk is a PC, there's no need to fear hacker attacks.
Author: SuiYan    Time: 2013-4-12 22:39

Mine is a NAS, on a Buffalo LinkStation Pro.
Author: 角色    Time: 2013-4-12 22:49

Then do what I told you earlier, and you needn't worry about them hacking you.

Welcome to 電訊茶室 (http://telecom-cafe.com/forum/) Powered by Discuz! 7.2