[App_rpt-users] SIP bots, hack attempts?

Randy Hammock rhammock.hur at gmail.com
Tue May 22 17:24:45 UTC 2012


I don't run SIP on my Allstar node; however, I do have an Asterisk PBX that
does run SIP. I took a two-pronged approach. I use fail2ban to lock out
SIP bots that try to connect. I run another utility that is used to block
entire countries. Both utilities use iptables to perform the blocking, which
use as few resources as possible. I occasionally analyze my log files to see
where major attempts come from and adjust the blocks from there. I would
like to block everything but allow just the locations desired; however, the
allowed locations are all on ISP DHCP addresses. The above have greatly
reduced the amount of bogus traffic on the server.

On Sun, May 20, 2012 at 8:43 PM, George Csahanin <george at dyb.com> wrote:

> Well, glad to know it isn't just me. And how many milliseconds did this
> all take. That's what always amazes me. How quickly the logins come, five
> to ten a second.
>
> GeorgeC
> W2DB
> 2360/2428/28599
>
>
> ----- Original Message -----
> *From:* Tony Youngblood <k5try73 at gmail.com>
> *To:* app_rpt-users at ohnosec.org
> *Sent:* Sunday, May 20, 2012 9:13 PM
> *Subject:* [App_rpt-users] SIP bots, hack attempts?
>
> Interesting discussion I had about SIP hacks, so I checked my log.
> Any details, advice, insight?
>
> file is 71,073,169 big!
>
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fu-min"<sip:fu-min at 108.238.216.11>' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fu-tze"<sip:fu-tze at 108.238.216.11>' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fu-yeung"<sip:fu-yeung at 108.238.216.11>' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fugwo"<sip:fugwo at 108.238.216.11>' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fuarnibol"<sip:fuarnibol at 108.238.216.11>' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fuat"<sip:fuat at 108.238.216.11>' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fubler"<sip:fubler at 108.238.216.11>' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fuccellaro"<sip:fuccellaro at 108.238.216.11>' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fuchsberger"<sip:fuchsberger at 108.238.216.11>' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fuck-me-over-some-more"<sip:fuck-me-over-some-more at 108.238.216.11>' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fucktool"<sip:fucktool at 108.238.216.11>' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fudd"<sip:fudd at 108.238.216.11>' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fude"<sip:fude at 108.238.216.11>' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fudenberg"<sip:fudenberg at 108.238.216.11>' failed for '95.211.167.69' - No matching peer found
> [Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from '"fudge"<sip:fudge at 108.238.216.11>' failed for '95.211.167.69' - No matching peer found
>
> ;(;)
> AllStar 28384
> Irlp 7998 / 7766 / 7926
> Echo 563329
> :(:)
>
>
>
> On May 19, 2012, at 11:00 AM, app_rpt-users-request at ohnosec.org wrote:
>
> Today's Topics:
>
>   1. adding extensions to acid  all-star repeater (Bradley Haney)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 19 May 2012 09:19:32 -0500
> From: Bradley Haney <kc9gqr at gmail.com>
> To: <app_rpt-users at ohnosec.org>app_rpt-users at ohnosec.org
> Subject: [App_rpt-users] adding extensions to acid  all-star repeater
> Message-ID: <E3E3A42F-65BD-4B2E-BE21-67654048A29C at gmail.com>
> Content-Type: text/plain; charset=us-ascii
>
> Hello all..
>
> Been looking through the old forums and trying to get a handle on how to
> add  SIP extensions to my all-star box.  We are currently running acid
> distro on our repeater and using the allstarlink auto patch service.   I
> would like to be able to add a few sip extensions   so when i am on my cell
> phone i can connect to the repeater and listen or dial  my wife who is a
> ham on a different extension and ring her phone.   The extensions do not
> have to have  "outside access" for the auto patch as the extensions would
> be used for internal communication to and from the repeater or to and from
> other extensions i add .  Example  extension 123 (which would be a sip
> client) be able to dial 28079 which is the repeater.  or  a person on the
> repeater  be able to dial  extension 123 and have the sip client ring.  I
> have a static ip address so i know that won't be a problem,  just a little
> confused on how to add everything in the  config files.   Does anyone by
>  chance have a good working example
>  they could share?  I would try the other distro  but everyone like the
> web trans idea instead of using echo link  :)
>
> Thanks for any help i could get..
>
> Bradley
> allstar node 28079
>
> ------------------------------
>
> _______________________________________________
> App_rpt-users mailing list
> App_rpt-users at ohnosec.org
> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users


-- 
Randy Hammock
Phone: 818-925-4576
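
The log-watching half of the fail2ban approach described above, as an added Python example (not part of the original post and not fail2ban's own code): it parses chan_sip registration failures like those quoted in the thread and lists source addresses that exceed a failure threshold within a time window. The names `maxretry` and `findtime` mirror fail2ban's jail options; `parse_failure`, `ips_to_ban`, `allow`, the assumed year and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# chan_sip registration failure in the shape quoted in this thread. The greedy
# '.*' binds to the LAST "failed for" clause, the one Asterisk writes itself, so
# text smuggled into the SIP display name cannot substitute another address.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] "
    r"chan_sip\.c: Registration from '.*' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - .+$"  # ":port" is optional
)

def parse_failure(line, year=2012):
    """Return (timestamp, source_ip) or None; the log has no year (assumed)."""
    m = FAIL_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def ips_to_ban(lines, maxretry=5, findtime=60, allow=()):
    """Source IPs with >= maxretry failures inside any findtime-second window."""
    recent, banned = defaultdict(deque), []
    for ts, ip in filter(None, map(parse_failure, lines)):
        if ip in allow or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()               # drop failures older than the window
        if len(q) >= maxretry:
            banned.append(ip)
    return banned

# Constructed sample (documentation addresses): six failures from one host, one
# mistyped password with a ":port" suffix, and one forged display name.
SAMPLE = [f"[Mar  6 23:59:41] NOTICE[1694] chan_sip.c: Registration from "
          f"'\"user{i}\"<sip:user{i}@192.0.2.10>' failed for '203.0.113.50' "
          f"- No matching peer found" for i in range(6)]
SAMPLE += [
    "[Mar  6 23:59:45] NOTICE[1694] chan_sip.c: Registration from "
    "'\"101\"<sip:101@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password",
    "[Mar  6 23:59:46] NOTICE[1694] chan_sip.c: Registration from "
    "'\"x' failed for '198.51.100.7' - Wrong password\"<sip:x@192.0.2.10>' "
    "failed for '203.0.113.77' - No matching peer found",
]

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE))
```

The `allow` argument is where addresses that must never be blocked would go, which matters when the legitimate phones sit on changing ISP DHCP addresses as described in the post.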