
Block hacker attacks

I read this:

Just in case anyone is using Blockhosts (http://www.aczoom.com/blockhosts/) with their Linux servers and Asterisk, here are the rules necessary to block invalid users:

    "asterisk-NoPeer":
    r'Registration from .* failed for \'{HOST_IP}\' - No matching peer found',

    "asterisk-NoAuth":
    r'Registration from .* failed for \'{HOST_IP}\' - Username/auth name mismatch',

    "asterisk-NoPass":
    r'Registration from .* failed for \'{HOST_IP}\' - Wrong password',

Just add these rules to your /etc/blockhosts.conf file.

Is this the same function as fail2ban?
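As an added example (not from the post, and not Blockhosts' own code): the Python below applies the three rules to a few constructed chan_sip log lines and counts failed registrations per source IP. The HOST_IP group stands in for the substitution Blockhosts makes for {HOST_IP}, and the optional :port suffix is an addition for Asterisk versions that log 'IP:port'; both are assumptions, as are the sample lines, which use documentation addresses.

```python
import re
from collections import Counter

# Blockhosts substitutes {HOST_IP} with an address-matching group before
# compiling a rule; this group is an assumption of that substitution.
HOST_IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# The three rules from the post, with the '...' quoting chan_sip writes.
# The optional (?::\d+)? is an addition: some Asterisk versions log 'IP:port'.
ASTERISK_RULES = {
    "asterisk-NoPeer": r"Registration from .* failed for '{HOST_IP}(?::\d+)?' - No matching peer found",
    "asterisk-NoAuth": r"Registration from .* failed for '{HOST_IP}(?::\d+)?' - Username/auth name mismatch",
    "asterisk-NoPass": r"Registration from .* failed for '{HOST_IP}(?::\d+)?' - Wrong password",
}

COMPILED_RULES = {
    name: re.compile(pattern.replace("{HOST_IP}", HOST_IP))
    for name, pattern in ASTERISK_RULES.items()
}

# Constructed sample of /var/log/asterisk/messages lines (documentation addresses).
SAMPLE_LOG = """\
[Oct 20 16:39:01] NOTICE[2345] chan_sip.c: Registration from '"6001" <sip:6001@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Oct 20 16:39:02] NOTICE[2345] chan_sip.c: Registration from '"6001" <sip:6001@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Oct 20 16:39:03] NOTICE[2345] chan_sip.c: Registration from '"admin" <sip:admin@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Oct 20 16:39:04] NOTICE[2345] chan_sip.c: Registration from '"6002" <sip:6002@192.0.2.10>' failed for '203.0.113.9:5060' - Username/auth name mismatch
[Oct 20 16:39:05] NOTICE[2345] chan_sip.c: Registered SIP '6003' at 192.0.2.44:5060
""".splitlines()


def classify_line(line):
    """Return (rule name, source IP) for a failed-registration line, else None."""
    for name, regex in COMPILED_RULES.items():
        match = regex.search(line)
        if match:
            return name, match.group("ip")
    return None


def scan_log(lines, threshold=3):
    """Count failed registrations per source IP across all three rules and
    return only the addresses that reached the failure threshold."""
    failures = Counter()
    for line in lines:
        hit = classify_line(line)
        if hit:
            failures[hit[1]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify_line(line))
    print(scan_log(SAMPLE_LOG, threshold=3))
```

Blockhosts also ages entries out and unblocks them later; only the match-and-count part is modelled here so the patterns can be checked offline against real log lines before they go into blockhosts.conf.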


A recent batch of hacker IP addresses:
iptables -A INPUT -s 220.177.198.0/24 -j DROP
iptables -A INPUT -s 116.10.191.0/24 -j DROP
iptables -A INPUT -s 119.39.124.0/24 -j DROP
iptables -A INPUT -s 61.174.51.0/24 -j DROP
iptables -A INPUT -s 67.222.1.0/24 -j DROP
iptables -A INPUT -s 190.14.159.0/24 -j DROP
iptables -A INPUT -s 222.186.38.0/24 -j DROP
iptables -A INPUT -s 190.14.159.0/24 -j DROP
iptables -A INPUT -s 1.93.34.0/24 -j DROP
iptables -A INPUT -s 66.135.55.0/24 -j DROP
iptables -A INPUT -s 222.186.38.0/24 -j DROP
iptables -A INPUT -s 211.157.179.0/24 -j DROP
iptables -A INPUT -s 61.147.103.0/24 -j DROP
iptables -A INPUT -s 115.239.248.0/24 -j DROP
iptables -A INPUT -s 1.93.24.0/24 -j DROP
iptables -A INPUT -s 42.62.17.0/24 -j DROP
iptables -A INPUT -s 220.177.198.0/24 -j DROP
iptables -A INPUT -s 87.106.49.0/24 -j DROP
iptables -A INPUT -s 123.125.8.0/24 -j DROP
iptables -A INPUT -s 61.136.171.0/24 -j DROP
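Added example, not from the post: before pasting a list like this into a firewall script it is worth validating and de-duplicating it, since one malformed entry (such as a doubled dot) makes iptables reject that rule and duplicate networks only add rules to scan. The Python below does that with the standard ipaddress module; the entries in SAMPLE_ENTRIES are constructed for the demonstration.

```python
import ipaddress


def parse_blocklist(entries):
    """Validate and de-duplicate CIDR entries.

    Returns (networks, rejected): networks keeps first-seen order with
    duplicates dropped; rejected holds the raw strings the ipaddress module
    would not parse, which iptables would also refuse.
    """
    networks, seen, rejected = [], set(), []
    for raw in entries:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            rejected.append(text)
            continue
        if net in seen:
            continue
        seen.add(net)
        networks.append(net)
    return networks, rejected


def iptables_rules(networks, chain="INPUT"):
    """Render one DROP rule per network, in the same form as the post's list."""
    return [f"iptables -A {chain} -s {net} -j DROP" for net in networks]


def is_blocked(ip, networks):
    """True if ip falls inside any listed network (handy for checking a log hit)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


# Constructed sample list: one duplicate and one entry with a doubled dot.
SAMPLE_ENTRIES = [
    "220.177.198.0/24",
    "116.10.191.0/24",
    "220.177.198.0/24",   # duplicate of the first entry
    "115.239.248..0/24",  # malformed: doubled dot, iptables rejects it
    "1.93.34.0/24",
]

if __name__ == "__main__":
    nets, bad = parse_blocklist(SAMPLE_ENTRIES)
    print("\n".join(iptables_rules(nets)))
    print("rejected:", bad)
```

Whole /24 blocks are a blunt instrument: a block list this size is better loaded into an ipset and matched by a single iptables rule, but the validation step is the same either way.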


This post was last edited by bubblestar on 2010-10-27 11:16

Securing Asterisk

"The Asterisk source contains a very important file named SECURITY, which outlines several steps you should take to keep your Asterisk system secure. It is vitally important that you read and understand this file. If you ignore the security precautions outlined there, you may end up allowing anyone and everyone to make long-distance or toll calls at your expense!"

Create a user account that will be used to run Asterisk:
    adduser --system --no-create-home --home /var/lib/asterisk --shell /bin/false asterisk

vim /etc/init.d/asterisk
    # Uncomment those lines
    AST_USER="asterisk"
    AST_GROUP="asterisk"

mkdir /var/run/asterisk
chown asterisk.asterisk /var/run/asterisk

vim /etc/asterisk/asterisk.conf
    astrundir => /var/run/asterisk

chown -R asterisk.asterisk /etc/asterisk
chown -R asterisk.asterisk /usr/lib/asterisk
chown -R asterisk.asterisk /var/log/asterisk
chown -R asterisk.asterisk /var/spool/asterisk
chown -R asterisk.asterisk /var/lib/asterisk
chown -R asterisk.asterisk /dev/zap/pseudo

Launch Asterisk in debug mode to check that it loads OK:
    asterisk -U asterisk -G asterisk -cvv
    CTRL-C to close

That site says this tuning is very important for Asterisk security and a must-know, but I don't know whether it really works; those who believe it may as well give it a try.


Default in SwitchFin firmware:
alwaysauthreject = yes
Global Settings:
----------------
  SIP Port:               5060
  Bindaddress:            0.0.0.0
  Videosupport:           No
  AutoCreatePeer:         No
  Allow unknown access:   No
  Allow subscriptions:    Yes
  Allow overlap dialing:  Yes
  Promsic. redir:         No
  SIP domain support:     No
  Call to non-local dom.: Yes
  URI user is phone no:   No
  Our auth realm          Realm
  Realm. auth:            No
  Always auth rejects:    Yes
  Call limit peers only:  No
  Direct RTP setup:       No
  User Agent:             SwitchFin PBX
  MWI checking interval:  10 secs
  Reg. context:           (not set)
  Caller ID:              asterisk
  From: Domain:           
  Record SIP history:     Off
  Call Events:            Off
  IP ToS SIP:             none
  IP ToS RTP audio:       EF
  IP ToS RTP video:       CS3
  T38 fax pt UDPTL:       No
  RFC2833 Compensation:   No
  SIP realtime:           Disabled

Global Signalling Settings:
---------------------------
  Codecs:                 0x10e (gsm|ulaw|alaw|g729)
  Codec Order:            alaw:20,ulaw:20,gsm:20,g729:20
  T1 minimum:             100
  No premature media:     No
  Relax DTMF:             No
  Compact SIP headers:    No
  RTP Keepalive:          0 (Disabled)
  RTP Timeout:            0 (Disabled)
  RTP Hold Timeout:       0 (Disabled)
  MWI NOTIFY mime type:   application/simple-message-summary
  DNS SRV lookup:         Yes
  Pedantic SIP support:   No
  Reg. min duration       60 secs
  Reg. max duration:      3600 secs
  Reg. default duration:  120 secs
  Outbound reg. timeout:  20 secs
  Outbound reg. attempts: 0
  Notify ringing state:   Yes
  Notify hold state:      No
  SIP Transfer mode:      open
  Max Call Bitrate:       384 kbps
  Auto-Framing:           No

Default Settings:
-----------------
  Context:                default
  Nat:                    Always
  DTMF:                   rfc2833
  Qualify:                2000
  Use ClientCode:         No
  Progress inband:        Never
  Language:               (Defaults to English)
  MOH Interpret:          default
  MOH Suggest:            
  Voice Mail Extension:   asterisk
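Added example, not from the post or from SwitchFin: a Python parser for 'sip show settings' output in the layout shown above, with a check of the three settings this thread keeps coming back to. The display-name to sip.conf-key mapping (Always auth rejects = alwaysauthreject, Allow unknown access = allowguest, AutoCreatePeer = autocreatepeer) follows chan_sip's output; the weak sample output is constructed, not the SwitchFin defaults.

```python
import re

# Display name in "sip show settings" -> (sip.conf key, value recommended here).
# Display-name to key mapping follows chan_sip; the wanted values are the ones
# this thread converges on (alwaysauthreject=yes, no guest access, no autocreate).
EXPECTED = {
    "Always auth rejects": ("alwaysauthreject", "Yes"),
    "Allow unknown access": ("allowguest", "No"),
    "AutoCreatePeer": ("autocreatepeer", "No"),
}


def parse_sip_settings(text):
    """Turn "sip show settings" output into {name: value}.

    Columns are separated by runs of two or more spaces, so values containing
    colons (Codec Order) and names without a trailing colon (Our auth realm)
    both parse; blank lines and dashed rules are skipped.
    """
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:
            continue
        parts = re.split(r"\s{2,}", stripped, maxsplit=1)
        name = parts[0].rstrip(":").strip()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings[name] = value
    return settings


def audit(settings, expected=EXPECTED):
    """Return [(sip.conf key, actual, wanted)] for settings not at the wanted value."""
    findings = []
    for name, (key, wanted) in expected.items():
        actual = settings.get(name, "(missing)")
        if actual != wanted:
            findings.append((key, actual, wanted))
    return findings


# Constructed excerpt of a weak configuration (not the SwitchFin defaults above).
SAMPLE_WEAK = """\
Global Settings:
----------------
  SIP Port:               5060
  Bindaddress:            0.0.0.0
  AutoCreatePeer:         No
  Allow unknown access:   Yes
  Our auth realm          Realm
  Always auth rejects:    No
  Codec Order:            alaw:20,ulaw:20,gsm:20,g729:20
  From: Domain:           
"""

if __name__ == "__main__":
    for key, actual, wanted in audit(parse_sip_settings(SAMPLE_WEAK)):
        print(f"{key}: is {actual!r}, want {wanted!r}")
```

With alwaysauthreject=no, Asterisk answers a failed REGISTER differently depending on whether the peer exists, which is what lets a scanner tell real extensions from guesses; with yes, every failed registration gets the same reply, which is why the thread keeps asking whether it is set.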


So the default isn't yes, ugh!!!! Hope that gets improved.

角色


Have you set alwaysauthreject=yes? (It should be the default.)

角色
角色 posted on 2010-10-20 16:39:

Just set it...
My default seems to be no...




Try changing your port 22 to a different port number and see whether it gets better?

角色
角色 posted on 2010-10-20 07:44:

It seems to be attacking my Asterisk...
It keeps retrying logins to my 6001 account...




Someone tried to break into my Asterisk again today...
This time it was Germany...
(And the host turned out to be this one... srv-bg07.sicor.net)

IP Address:    86.110.67.42
Host:          srv-bg07.sicor.net
Location:      DE DE, Germany
City:          Grönenbach, 02 -
Organization:  SICOR GmbH
ISP:           Trusted Network
AS Number:     AS21385 Trusted Network GmbH
Latitude:      47°88'33" North
Longitude:     10°21'67" East
Distance:      1174.47 km (729.78 miles)


Of course Asterisk has to be configured properly first...
because the firewall can only block things after the fact......


Having a firewall is even better; if you don't have one, you also need to pay attention to the Asterisk server settings.

角色


After more than 3 days... the one from Shandong has given up too...

Because I blocked its IP in the firewall...
Never mind Asterisk... let them get past the Linux firewall first (better than nothing, right~)


I already have this: alwaysauthreject=yes

