Задать вопрос
@krll-k

Как обезопасить asterisk сервер? Как можно закрыть эту уязвимости не прибегая к vpn и fail2ban?

За двое суток log файл asterisk перевалил за отметку в 780мб, кто то меня брутит:
root@localhost:~/asterisk# head messages                                                                                                                 
[Nov 24 12:51:31] Asterisk 13.10.0 built by root @ 6250540837a8 on a x86_64 running Linux on 2016-07-25 14:14:41 UTC                                     
[Nov 24 12:51:31] NOTICE[8] cdr.c: CDR simple logging enabled.                                                                                           
[Nov 24 12:51:32] NOTICE[8] loader.c: 226 modules will be loaded.                                                                                        
[Nov 24 12:51:32] WARNING[8] res_phoneprov.c: Unable to find a valid server address or name.                                                             
[Nov 24 12:51:32] ERROR[8] ari/config.c: No configured users for ARI                                                                                     
[Nov 24 12:51:32] NOTICE[8] chan_sip.c: The 'username' field for sip peers has been deprecated in favor of the term 'defaultuser'                        
[Nov 24 12:51:32] WARNING[8] sip/config_parser.c: nat=yes is deprecated, use nat=force_rport,comedia instead                                             
[Nov 24 12:51:32] WARNING[8] chan_sip.c: !!! PLEASE NOTE: Setting 'nat' for a peer/user that differs from the  global setting can make                   
[Nov 24 12:51:32] WARNING[8] chan_sip.c: !!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users                
[Nov 24 12:51:32] WARNING[8] chan_sip.c: !!! will be sent to a different port than replies for an existing peer/user. If at all possible,                
root@localhost:~/asterisk# tail messages                                                                                                                 
Packet timed out after 32000ms with no response                                                                                                          
[Nov 25 23:57:07] NOTICE[37][C-0000a96f] chan_sip.c: Call from '' (108.170.60.142:5071) to extension '9065600972595301348' rejected because extension not
 found in context 'default'.                                                                                                                             
[Nov 25 23:57:39] WARNING[37] chan_sip.c: Retransmission timeout reached on transmission ace2e3e6caf09d7f54965e20eb03f20e for seqno 1 (Critical Response)
 -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions                                                                                   
Packet timed out after 31999ms with no response                                                                                                          
[Nov 25 23:58:26] NOTICE[37][C-0000a970] chan_sip.c: Call from '' (209.126.117.223:5075) to extension '0046812410067' rejected because extension not foun
d in context 'default'.                                                                                                                                  
[Nov 25 23:58:58] WARNING[37] chan_sip.c: Retransmission timeout reached on transmission ff9ef074b2e70216711155069958df86 for seqno 1 (Critical Response)
 -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions                                                                                   
Packet timed out after 32000ms with no response                                                                                                          
[Nov 25 23:58:59] NOTICE[37][C-0000a971] chan_sip.c: Call from '' (108.170.60.142:5083) to extension '9065700972595301348' rejected because extension not
 found in context 'default'.                                                                                                                             
[Nov 25 23:59:31] WARNING[37] chan_sip.c: Retransmission timeout reached on transmission 426db11f3cc68e3d0fe1f71c3694fcdc for seqno 1 (Critical Response)
 -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions                                                                                   
Packet timed out after 32000ms with no response                                                                                                          
root@localhost:~/asterisk# ls -lah messages                                                                                                              
-rw-r--r-- 1 root root 784M Nov 25 23:59 messages

Атака пошла тут:
[Nov 24 21:23:06] WARNING[37] chan_sip.c: Timeout on 35a9eefa76144d9fe03c8546960616cb on non-critical invite transaction.                                
[Nov 24 21:25:36] WARNING[37] chan_sip.c: Timeout on 05726585e2c7568c6f3e8b6525a96b74 on non-critical invite transaction.                                
[Nov 24 21:26:13] WARNING[37] chan_sip.c: Timeout on f5b008387608ac2f40da432b58ae4f78 on non-critical invite transaction.                                
[Nov 24 21:28:59] WARNING[37] chan_sip.c: Timeout on b61a9bb195fdf1ed3933a20af295bee3 on non-critical invite transaction.                                
[Nov 24 21:29:21] WARNING[37] chan_sip.c: Timeout on 83af82fb0973e905945a135f2847c1ac on non-critical invite transaction.                                
[Nov 24 21:32:24] WARNING[37] chan_sip.c: Timeout on 3a5f0670cd0d414aaa9a9cd190ea8d95 on non-critical invite transaction.                                
[Nov 24 21:32:29] WARNING[37] chan_sip.c: Timeout on 45aa81266b8662a801bd3dfe1610a931 on non-critical invite transaction.                                
[Nov 24 21:35:37] WARNING[37] chan_sip.c: Timeout on 86c8489a4296c68665f7f41c85dc43bb on non-critical invite transaction.                                
[Nov 24 21:35:49] WARNING[37] chan_sip.c: Timeout on 514e5eb264537a2e2f537f21247a5f5d on non-critical invite transaction.                                
[Nov 24 21:38:45] WARNING[37] chan_sip.c: Timeout on 648d52bc903d7ff2fb7bbdf9e4344275 on non-critical invite transaction.                                
[Nov 24 21:39:16] WARNING[37] chan_sip.c: Timeout on 4cc3d91808e4cec4aec54dca1b00d431 on non-critical invite transaction.                                
[Nov 24 21:41:58] WARNING[37] chan_sip.c: Timeout on 82144a0cd0f5e7b57512ec96569e83d0 on non-critical invite transaction.                                
[Nov 24 21:42:38] WARNING[37] chan_sip.c: Timeout on c9155cdea52eefabd126edfbc45f731b on non-critical invite transaction.                                
[Nov 24 21:45:08] WARNING[37] chan_sip.c: Timeout on 00fabdfe888a88d4dc0bb12ae9fc0b15 on non-critical invite transaction.                                
[Nov 24 21:46:05] WARNING[37] chan_sip.c: Timeout on a23d6f5d7d6570559ebf949080ede697 on non-critical invite transaction.                                
[Nov 24 21:47:22] NOTICE[37][C-00000104] chan_sip.c: Call from '' (195.154.172.203:5076) to extension '0046192777619' rejected because extension not foun
d in context 'default'.                                                                                                                                  
[Nov 24 21:48:19] WARNING[37] chan_sip.c: Timeout on c625522c356c3c1022a7c135020ab851 on non-critical invite transaction.                                
[Nov 24 21:49:32] WARNING[37] chan_sip.c: Timeout on 7c8d2668bfcd1249b6e0f6a036f5ab7c on non-critical invite transaction.                                
[Nov 24 21:50:10] NOTICE[37][C-00000107] chan_sip.c: Call from '1001' (195.154.172.203:5082) to extension '0046192777619' rejected because extension not 
found in context 'phones'.                                                                                                                               
[Nov 24 21:51:27] WARNING[37] chan_sip.c: Timeout on efdd0a47f266af9224fa0beeec754173 on non-critical invite transaction.                                
[Nov 24 21:52:52] NOTICE[37][C-0000010a] chan_sip.c: Call from '' (195.154.172.203:5100) to extension '0046192777619' rejected because extension not foun
d in context 'default'.                                                                                                                                  
[Nov 24 21:52:59] WARNING[37] chan_sip.c: Timeout on da66bf1125e7f45737426699eb15f87e on non-critical invite transaction.                                
[Nov 24 21:54:32] WARNING[37] chan_sip.c: Timeout on 9af369fb7a8f66cfa18c88639de1f86c on non-critical invite transaction.                                
[Nov 24 21:55:44] NOTICE[37][C-0000010c] chan_sip.c: Call from '' (195.154.172.203:5074) to extension '0046192777619' rejected because extension not foun
d in context 'default'.                                                                                                                                  
[Nov 24 21:56:24] WARNING[37] chan_sip.c: Timeout on 3067d1dc33709034d89da8bfd1093a3a on non-critical invite transaction.                                
[Nov 24 21:57:39] WARNING[37] chan_sip.c: Timeout on 16d284023bd626e4fa945bb6d01c3325 on non-critical invite transaction.                                
[Nov 24 21:58:43] NOTICE[37][C-0000010f] chan_sip.c: Call from '' (195.154.172.203:5094) to extension '0046192777619' rejected because extension not foun
d in context 'default'.

Похоже на сканирование zmap. Как можно закрыть эту уязвимость не прибегая к vpn и fail2ban?
  • Вопрос задан
  • 3281 просмотр
Подписаться 2 Средний Комментировать
Пригласить эксперта
Ответы на вопрос 4
@krll-k Автор вопроса
На все подозрительные сообщения смотреть заголовки через tcpdump и добавлять новые правила Iptables:
-A INPUT -p udp -m udp —dport 5060 -m string —string «sipcli» —algo bm —to 65535 -j DROP
-A INPUT -p udp -m udp —dport 5060 -m string —string «sip-scan» —algo bm —to 65535 -j DROP
-A INPUT -p udp -m udp —dport 5060 -m string —string «iWar» —algo bm —to 65535 -j DROP
-A INPUT -p udp -m udp —dport 5060 -m string —string «sipvicious» —algo bm —to 65535 -j DROP
-A INPUT -p udp -m udp —dport 5060 -m string —string «sipsak» —algo bm —to 65535 -j DROP
-A INPUT -p udp -m udp —dport 5060 -m string —string «sundayddr» —algo bm —to 65535 -j DROP
-A INPUT -p udp -m udp —dport 5060 -m string —string «VaxSIPUserAgent» —algo bm —to 65535 -j DROP
-A INPUT -p udp -m udp —dport 5060 -m string —string «friendly-scanner» —algo bm —to 65535 -j DROP
Ответ написан
@antonsr98
Системный Администратор
спрячьте за firewall, доступ через vpn сервер
Ответ написан
Комментировать
gadzhi15
@gadzhi15
Так же поменяйте стандартный порт в Sip.conf
Ответ написан
Комментировать
@UserAd
Пока будете держать asterisk на стандартном порту вас будут сканировать и пытаться перебрать. Фрод в VoIP очень прибыльное дело. Попробуйте перевесить asterisk на другой порт, сменить ему User-Agent и включить alwaysauthreject.
Ответ написан
Комментировать
Ваш ответ на вопрос

Войдите, чтобы написать ответ

Похожие вопросы