So many hackers?

I apologize but I am quite new to this.

I’m running the FreePBX 12/Asterisk 11 distro. I have 3 trunks, two SIP and one analog through a Cisco SPA8800, 3 remote SIP extensions, 1 remote IAX2 device, and 3 local SIP extensions, including one analog line through a Cisco SPA 8800. Everything is working perfectly.

I’ve set intrusion detection to permanently ban IPs after 2 failed attempts. When I first set up my system, I would get one, maybe two hack attempts a day. Lately, however, I’ve been getting huge numbers of them. About 2 weeks ago, I copied my system over to an SSD which, of course, required a cold restart. In just two weeks, this is the list of IPs from Fail2Ban:

Are there really that many scummy would-be hackers out there?

Short answer, yes. Defending systems can be a full time job.

The problem is it takes zero skill to run these scanners and scripts, so everyone and their brother is doing it. More skilled attackers may have botnets with multiple systems attacking. Some suggest fail2ban and iptables are “good enough”, but the right attacker with the right motivation can tear through that or, equally bad, use your tools against you in a denial of service attack. Note “the right attacker” is not super common. Again, most of these scans are coming from some guy in his mom’s basement with no real skills except a wicked ability to “cut n’ paste.”

Some of these scans are also security researchers. They have no ill will and are just collecting statistics. Often if you look at the headers you will find contact info to request removal from their scans.

People who are concerned about overall security and the potential that they may be the one chosen by the bad people who warrant true concern should look at adding security in layers.

Something like an SBC could mitigate some of these attacks. In certain regions, with certain ISPs and in certain industries you are more likely to get hit with a direct attack rather than just being passively scanned. It is always a good idea to read through the logs that lead to these bans to see if there is any pattern.

Most of the attacks are actually from cloud server instances, my guess paid for by “Chinese Universities”, as they have largely disappeared as direct sources. I posted a script here to locate the network from the IP and ban the whole network rather than the individual IP, in a permanent fashion at the firewall rather than the ephemeral bans that old versions of fail2ban use. This is the output (formatted for CSF’s /etc/csf/csf.deny (or csf.allow if you run a similar set through your wandering users)):

for i in `cat fb`;do ip2route $i;done
# ARIN    US NODESDIRECT                              Nodes Direct
# ARIN    US BFL-22                                   Black Fox Limited
# ARIN    US MSFT                                     Microsoft Corporation
# ARIN    US DSV4-8                                   DataShack, LC
# ARIN    US BFL-22                                   Black Fox Limited
# RIPE    GB RSDEDI-BLAKKIKJ                          Dedicated Server Hosting
# APNIC   US NETBLK-SOFTLAYER-APNIC-CUST-JMPA1-AP     farescow
# APNIC   GB NETBLK-SOFTLAYER-APNIC-CUST-ZZ3505-AP    Zhaoyu ZHONG
# ARIN    US DSV4-4                                   DataShack, LC
# ARIN    US NODESDIRECT                              Nodes Direct
# RIPE    GB RSDEDI-ADOCANNB                          Dedicated Server Hosting
# RIPE    FR OVH                                      OVH SASDedicated servershttp
# RIPE    FR OVH                                      OVH SASDedicated Servershttp
# RIPE    GB RSDEDI-EIDCLKGE                          Dedicated Server Hosting
# RIPE    GB IOMARTHOSTING                            iomart Hosting Limited
# ARIN    US DSV4-5                                   DataShack, LC
# ARIN    US DSV4-5                                   DataShack, LC
# ARIN    US DSV4-7                                   DataShack, LC
# ARIN    US DS-98-242-246                            urhostscom
# RIPE    FR FR-ILIAD-ENTREPRISES-CUSTOMERS           Iliad Entreprises Customers
# RIPE    FR FR-ILIAD-ENTREPRISES-CUSTOMERS           Iliad Entreprises Customers
# ARIN    US DSV4-6                                   DataShack, LC
# ARIN    US DS-251-194-254                           Zhou Pizhong
# ARIN    US DS-252-250-254                           EConsulters Web
# ARIN    US CHOOPA-NETBLK04                          Choopa, LLC
# RIPE    FR OVH                                      OVH SASDedicated servershttp
# RIPE    GB RSDEDI-LKMLFMND                          Dedicated Server Hosting
# RIPE    PS HBSAGAZA                                 Hadara Gaza BSA 2nd subnet
# RIPE    GB RSDEDI-FILOGAIK                          Dedicated Server Hosting
# RIPE    DE CONTABO                                  Contabo GmbH
# RIPE    NL HOSTKEY-NET                              HOSTKEY B.V.abuse-mailbox
# RIPE    NL HOSTKEY-NET                              HOSTKEY B.V.
# ARIN    US HSI-4                                    Hosting Solutions International, Inc.
# APNIC   CN CHINANETCENTER                           Wangsu Science & Technology Co.,Ltd.
# RIPE    FR IE-POOL-BUSINESS-HOSTING                 IP Pool for Iliad-Entreprises Business Hosting Customers
# RIPE    FR IE-POOL-BUSINESS-HOSTING                 IP Pool for Iliad-Entreprises Business Hosting Customers
# RIPE    FR IE-POOL-BUSINESS-HOSTING                 IP Pool for Iliad-Entreprises Business Hosting Customers
# ARIN    US DS-2-619                                 Zhou Pizhong
# RIPE    DE DE-INTERGENIA-20050301                   PlusServer AG

As you will see, the same old hosters appear again and again; if you ban one IP they just move it to another one in the same network.

Use a firewall to specifically deny/allow connections by networks, but better yet just don’t use port 5060 :wink:

It’s not perfect but it saves me a lot of “management” effort.

It is probably good advice (though not an absolute fix) to block entire foreign subnets if they have no reason to access your system.

Good idea, but unfortunately not very practical: all the non-US zones, for example, number more than 100000, and iptables on most hardware would choke on loading way before that.

Perhaps an audit first of who has recently been interested in your machine:-

grep -orE '((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])' /var/log/*|tee  pass1


cat pass1|sort -nr |uniq -c |sort -nr > pass2

less pass2

Gives you an idea of “who’s doing what to whom”. You will likely recognize the top few lines :wink:

 cat pass2 |cut -d ":" -f2|sort -rnu > pass3

will get you down to maybe a few hundreds of probing hosts

for i in $(cat pass3);do echo "This host $i is in ";ip2route $i;done |tee pass4

sends those hosts through the perl script I spoke of.

cat pass4|grep -e "^[1-9]"|sort -un > pass5

gives you lines to use in a CSF firewall.

less pass5

for completeness here is my ip2route again:-

#!/usr/bin/perl
# ip2route: print the whois CIDR block an IP belongs to as a CSF csf.deny/csf.allow line
use strict;
use warnings;
use Socket;
use Net::Whois::IANA;

if (not $ARGV[0]) { print "$0 should be called with an ipaddress\n"; exit; }
my $sitename = $ARGV[0];
my $address  = inet_ntoa(inet_aton($sitename));   # also resolves a hostname
my $ip       = $address;
my $iana     = Net::Whois::IANA->new;
$iana->whois_query(-ip => $ip);                   # RIR lookup; this call was missing from the pasted version
my $array_ref = $iana->cidr();                    # array ref of CIDR blocks covering the allocation
my @route = @$array_ref;
# prefix length after the '/', compared numerically (the pasted version compared the strings in reverse, which orders /9 after /10)
sub prefix_len { my ($cidr) = @_; return substr($cidr, index($cidr, '/') + 1); }
my @parentroute = sort { prefix_len($a) <=> prefix_len($b) } @route;   # largest block first
my $whois = $iana->source();
$whois =~ s/#.*//;
if ( ($parentroute[0] ne $route[0]) && (substr($whois,0,4) eq "ARIN") ) {
    # ARIN: emit the parent block, keeping the specific route as a comment
    printf "%-18.18s #%-18.18s # %-7.7s %s %-18.18s %-40.40s %s\n", $parentroute[0], $route[0],
        substr($whois,0,7), uc(substr($iana->country(),0,2)), $iana->netname(), $iana->descr();
} else {
    printf "%-18.18s # %-7.7s %s %-40.40s %s\n", $route[0],
        substr($whois,0,7), uc(substr($iana->country(),0,2)), $iana->netname(), $iana->descr();
}

(I will also mention that CSF can use ipset for banning a country if your distribution has ipset set up and working.

which ipset

but that seems a little draconian as most users in the world aren’t doing that, and many that are are actually running on cloud servers in your own country)
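The pass1-to-pass5 audit described in the post above, as an added Python example that is not the poster's code: it pulls every IPv4 out of the logs with the same octet pattern as the grep, counts hits per address, folds addresses into the whois block that covers them (ip2route's whois answers are replaced here by a constructed WHOIS table), drops your own networks so they never reach csf.deny, merges a block into its parent when both turn up, and emits csf.deny lines with the busiest network first. All log lines, addresses and network names are made up for the example.

```python
import re
import ipaddress
from collections import Counter

# Same octet pattern as the grep in the post, with lookarounds so that
# "1234.5.6.7" is not partly matched as an address.
OCTET = r'(?:1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])'
IPV4 = re.compile(r'(?<![\d.])(?:' + OCTET + r'\.){3}' + OCTET + r'(?![\d.])')

# Constructed sample log lines (not from a real system), keyed by file as grep -r would report them.
SAMPLE_LOGS = {
    "/var/log/secure": [
        "Mar  1 03:14:07 pbx sshd[2211]: Failed password for root from 198.51.100.7 port 51022 ssh2",
        "Mar  1 03:14:09 pbx sshd[2211]: Failed password for root from 198.51.100.7 port 51030 ssh2",
        "Mar  1 03:14:11 pbx sshd[2211]: Failed password for admin from 198.51.100.7 port 51041 ssh2",
        "Mar  1 08:00:00 pbx sshd[2300]: Accepted publickey for admin from 192.0.2.10 port 40000 ssh2",
    ],
    "/var/log/asterisk/full": [
        "[2015-03-01 03:20:11] NOTICE[1200] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.10>' failed for '198.51.100.9:5060' - No matching peer found",
        "[2015-03-01 03:20:12] NOTICE[1200] chan_sip.c: Registration from '\"101\" <sip:101@203.0.113.10>' failed for '198.51.100.9:5060' - No matching peer found",
        "[2015-03-01 09:00:00] VERBOSE[1200] chan_sip.c: Registered SIP '201' at 192.0.2.10:5060",
    ],
    "/var/log/httpd/error_log": [
        "[Sun Mar 01 04:01:33 2015] [error] [client 203.0.113.77] File does not exist: /var/www/html/phpmyadmin",
        "[Sun Mar 01 04:01:34 2015] [error] [client 203.0.113.77] File does not exist: /var/www/html/admin/config.php",
    ],
}

# Constructed stand-in for ip2route's whois answers: block -> "# RIR CC NETNAME descr" comment.
WHOIS = {
    "198.51.100.0/24": "# ARIN    US EXAMPLE-HOST-1     Example Hosting, LLC",
    "203.0.113.64/26": "# RIPE    FR EXAMPLE-DEDI       Example Dedicated Servers",
}

# Our own PBX and our users' networks: they top the counts and must never reach csf.deny.
IGNORE = ("203.0.113.0/26", "192.0.2.0/24")


def extract_ips(logs):
    """pass1/pass2: every IPv4 in every log file, counted per address."""
    counts = Counter()
    for lines in logs.values():
        for line in lines:
            for m in IPV4.finditer(line):
                counts[m.group(0)] += 1
    return counts


def covering_block(ip, whois):
    """Longest-prefix match in the whois table; unknown addresses fall back to their /24, flagged."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr in whois:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    if best is None:
        return ipaddress.ip_network(ip + "/24", strict=False), "# not in whois table; /24 guess, confirm with whois"
    return best, whois[str(best)]


def deny_lines(counts, whois=WHOIS, ignore=IGNORE):
    """pass3..pass5: fold per-IP hits into per-network hits, drop our own networks,
    merge a block into its parent when both appear, and emit csf.deny lines, busiest first."""
    ignored = [ipaddress.ip_network(n) for n in ignore]
    per_net, comment = Counter(), {}
    for ip, hits in counts.items():
        if any(ipaddress.ip_address(ip) in n for n in ignored):
            continue
        net, why = covering_block(ip, whois)
        per_net[net] += hits
        comment[net] = why
    merged = {}
    for net in sorted(per_net, key=lambda n: n.prefixlen):      # parents before children
        parent = next((p for p in merged if net.subnet_of(p)), None)
        if parent is None:
            merged[net] = per_net[net]
        else:
            merged[parent] += per_net[net]
    ordered = sorted(merged.items(), key=lambda kv: (-kv[1], str(kv[0])))
    return [f"{net} {comment[net]}  # {hits} hits" for net, hits in ordered]


if __name__ == "__main__":
    print("\n".join(deny_lines(extract_ips(SAMPLE_LOGS))))
```

On a real box the WHOIS table is what you get back from running ip2route over pass3; the point of the fold is the one the post makes, that the hoster's block, not the single address, is what goes into csf.deny, and that your own addresses (the PBX's public IP shows up in every registration line) are excluded before anything is written.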

You can catch and block most attacks using the IPTables “string” module. See details of my technique here:

Sonicwalls have nice Geo-IP Blocking as a standard feature - it’s heaven to put an Asterisk behind it, turn it on, and watch the attacks drop down to a tenth of what they were - It’s amazing how many attacks I see from Palestine.

We use the string module approach as well but take it one step further and block everyone by default, only ‘whitelisting’ certain IP addresses (i.e. the office IP or the SIP provider IP).


We do the same thing - block everyone and only whitelist the needed IP addresses. It works great. We also have a cron script that runs once an hour to make sure IPTables is running (in case we disabled it and forgot to turn it back on).

A couple of points:-

The string solution only covers the strings you know about; you are chasing the wind. If you look at the code of SIPVicious (open source), that would be trivial to change, and other more sophisticated scripts are being continually distributed. Fail2ban will catch much of that more sophisticated stuff if set up correctly. But you need to use it on all your other open services like postfix, ftp etc. to be equally effective.

You DO actually need a firewall on your PBX, it needs to detect MITM attacks, port scanning, connection limiting and all the stuff the bad-guys use against you, simple allow/deny rules in iptables generally won’t cut it.

The precursors to many attacks are IP addresses scrounged by drive-by attempts at your web server (check your error logs for things like “phpmyadmin”, “recordings” and anything below “admin”). Watch for attempts at your new, but now well known, open web ports like 8*; it exposes a fingerprint of certain IPs that the scanners pass on to the attackers, and generally they are not just script-kiddies, they are paying for those servers.

Blocking by GEO-IP no longer works, the Palestinians and the Chinese have moved to the likes of DataShack and Amazon ( Iliad and OVH for you Euros) . The OP’s list was a hefty minority inside his own country.

Good idea to “only allow IP addresses” but in reality many external users will be DHCP’d by their provider, Cox or AT&T or whatever, you need to allow whole networks and many you will see are limited to local areas or next month they might not work, see my ip2route for that or do it manually with whois. Perhaps

for i in `rasterisk -x 'sip show peers'| grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'|sort -nu`;do ip2route $i;done|sort -nu >> /etc/csf/csf.allow

Before it appears, NO I don’t think VPN’s are a reasonable solution, you would have to explain to all your customers how to set up a VPN client on their Verizon FIOS or iPhone or Sonicwall or ATA , it won’t happen.

But as far as reducing SIP attacks goes, the most effective measure, which most folks miss, is: “JUST DON’T BIND TO 50NN for SIP connections”. They are guaranteed to be hit in minutes. There are more than 60000 safer choices.
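The contrast the previous post draws between the iptables string module and fail2ban, as an added Python example that is not any poster's code: fail2ban keys on Asterisk's own record of a failed registration, so it catches a scanner whatever User-Agent it sends, where a string match only catches the strings you already know. The log lines are constructed in the style of Asterisk 11 chan_sip NOTICEs and are not a real capture; the maxretry, findtime and ignoreip parameter names follow fail2ban's jail options, with maxretry=2 matching the original poster's "ban after 2 failed attempts" and ignoreip standing in for the office/provider whitelist mentioned earlier in the thread.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Constructed lines in the style of Asterisk 11 chan_sip registration-failure NOTICEs
# (the lines fail2ban's asterisk filter keys on); not a real capture.
SAMPLE_LOG = """\
[2015-03-01 12:00:01] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[2015-03-01 12:00:02] NOTICE[2345] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.7:5060' - No matching peer found
[2015-03-01 12:00:03] NOTICE[2345] chan_sip.c: Registration from '"1000" <sip:1000@203.0.113.10>' failed for '198.51.100.7:5060' - No matching peer found
[2015-03-01 12:05:00] NOTICE[2345] chan_sip.c: Registration from '"201" <sip:201@203.0.113.10>' failed for '192.0.2.44:5060' - Wrong password
[2015-03-01 12:06:00] VERBOSE[2345] chan_sip.c: Registered SIP '202' at 192.0.2.45:5060
[2015-03-01 13:30:00] NOTICE[2345] chan_sip.c: Registration from '"201" <sip:201@203.0.113.10>' failed for '192.0.2.44:5060' - Wrong password
"""

# Matches the server's verdict, not anything the client chose to send.
FAIL = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' - "
    r"(?P<reason>Wrong password|No matching peer found|Username/auth name mismatch|"
    r"Device does not match ACL|Peer is not supposed to register)$"
)


def failures(log_text):
    """Yield (timestamp, ip, reason) for each registration-failure line."""
    for line in log_text.splitlines():
        m = FAIL.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip"), m.group("reason")


def bans(log_text, maxretry=2, findtime=600, ignoreip=()):
    """fail2ban-style: ban an IP the moment it reaches maxretry failures inside a
    sliding findtime window (seconds). ignoreip lists networks that are never banned
    (office, SIP provider, your own remote users). Returns {ip: time of ban}."""
    ignored = [ipaddress.ip_network(n) for n in ignoreip]
    window = defaultdict(deque)
    banned = {}
    for ts, ip, _reason in failures(log_text):
        if ip in banned or any(ipaddress.ip_address(ip) in n for n in ignored):
            continue
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:   # expire old failures
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when}")
```

With the defaults, 198.51.100.7 is banned on its second failure one second after the first; 192.0.2.44 fails twice but 85 minutes apart, so it is never inside one findtime window and a real user who mistyped a password twice in a day is left alone. Widen findtime to two hours and it is banned too, which is the trade-off behind the OP's two-attempt setting.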