[App_rpt-users] SIP bots, hack attempts? - SSH also

Don Hackler donh at sigma.net
Mon May 21 03:54:08 UTC 2012 

222 is not a particularly common port for ssh.

The 'bots will scan all open ports for any thing that will respond to incoming TCP connections.
I really doesn't matter what port you bind ssh to, it will be found soon enough.

The best thing you could do to deal with brute force attacks is run fail2ban on the system.
It will shut down bad guys after a few failed login attempts.

http://www.fail2ban.org


On May 20, 2012, at 8:03 PM, dave k wrote:

> I am seeing brute force attempts to ssh/222. This is my first time running on 222 so i assumed it would be unknown. Is 222 a common alternative? 
> 
> Sent from Yahoo! Mail on Android
> 
> From: Don Hackler ; 
> To: Tony Youngblood ; 
> Cc: app_rpt-users at ohnosec.org ; 
> Subject: Re: [App_rpt-users] SIP bots, hack attempts? 
> Sent: Mon, May 21, 2012 2:27:51 AM 
> 
> Any VOIP system with exposed SIP ports will get hit regularly by 'bots trying to get in.
> 
> (I mostly see them from China and other Asian countries…)
> 
> First, make sure your system is behind a firewall.  Don't expose any ports you don't absolutely have to.
> 
> Second, use really good passwords on your SIP accounts and anything else that is exposed to the outside.
> 
> Third, make sure that if they manage to hack a SIP account, make sure they can't run up a bunch of charges on an outbound VOIP trunk.
> 
> (If you have a VOIP provider hooked up for outbound calls, only leave enough money prepaid in the account you are willing to risk; maybe $25 or so.  Don't enable international calls.  Don't enable auto-replenishment from a credit card.)
> 
> If they get in, they will route dozens of calls simultaneously through your system.  In a half hour, they can run up thousands of call minutes if you let them.
> 
> 
> 
> 
> On May 20, 2012, at 7:13 PM, Tony Youngblood wrote:
> 
> Interesting discussion I had about sip hacks I had so I checked my log. Any details, advice, insight?
> 
> file is 71,073,169 big!
> 
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fu-min"' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fu-tze"' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fu-yeung"' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fugwo"' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fuarnibol"' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fuat"' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fubler"' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fuccellaro"' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fuchsberger"' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fuck-me-over-some-more"' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fucktool"' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fudd"' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fude"' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fudenberg"' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fudge"' failed for '95.211.167.69' - No matching peer found
> 
> ;(;)
> 
> AllStar 28384
> 
> Irlp 7998 / 7766 / 7926
> 
> Echo 563329
> 
> :(:)
> 
> 
> 
> On May 19, 2012, at 11:00 AM, app_rpt-users-request at ohnosec.org wrote:
> 
> Send App_rpt-users mailing list submissions to
>    app_rpt-users at ohnosec.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
>    http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
> or, via email, send a message with subject or body 'help' to
>    app_rpt-users-request at ohnosec.org
> 
> You can reach the person managing the list at
>    app_rpt-users-owner at ohnosec.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of App_rpt-users digest..."
> 
> Today's Topics:
> 
>   1. adding extensions to acid  all-star repeater (Bradley Haney)
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Sat, 19 May 2012 09:19:32 -0500
> From: Bradley Haney 
> To: app_rpt-users at ohnosec.org
> Subject: [App_rpt-users] adding extensions to acid  all-star repeater
> Message-ID: 
> Content-Type: text/plain; charset=us-ascii
> 
> Hello all..
> 
> Been looking through the old forums and trying to get a handle on how to add  SIP extensions to my all-star box.  We are currently running acid distro on our repeater and using the allstarlink auto patch service.   I would like to be able to add a few sip extensions   so when i am on my cell phone i can connect to the repeater and listen or dial  my wife who is a ham on a different extension and ring her phone.   The extensions do not have to have  "outside access" for the auto patch as the extensions would be used for internal communication to and from the repeater or to and from other extensions i add .  Example  extension 123 (which would be a sip client) be able to dial 28079 which is the repeater.  or  a person on the repeater  be able to dial  extension 123 and have the sip client ring.  I have a static ip address so i know that won't be a problem,  just a little confused on how to add everything in the  config files.   Does anyone by  chance have a good working example
>  they could share?  I would try the other distro  but everyone like the web trans idea instead of using echo link  :)    
> 
> Thanks for any help i could get..
> 
> Bradley
> allstar node 28079
> 
> ------------------------------
> 
> _______________________________________________
> App_rpt-users mailing list
> App_rpt-users at ohnosec.org
> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
> 
> End of App_rpt-users Digest, Vol 39, Issue 22
> *********************************************
> 
> _______________________________________________
> App_rpt-users mailing list
> App_rpt-users at ohnosec.org
> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
> 
> _______________________________________________
> App_rpt-users mailing list
> App_rpt-users at ohnosec.org
> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.keekles.org/pipermail/app_rpt-users/attachments/20120520/0c6e3143/attachment.html>

More information about the App_rpt-users mailing list