[arm-allstar] SIP Attack in logs
Doug Crompton
wa3dsp at gmail.com
Thu Mar 26 17:42:05 EDT 2020
If you don't use sip, and the majority don't, just turn it off in
modules.conf. noload=chan_sip.so
If you do use it and it is associated with a specific remote IP address
then firewall that IP address. Below is an example I use on my Asterisk
PBX. My local IP address range is 192.168.0.x - change to yours. This shows
two remote sites allowed to access me via sip. The somedomain.com is sip to
my vacation home and voip.ms is my provider. This script runs once a day
via cron but could run more often if desire. It depends how often IP's
change. In my case it is rare.
*73 Doug*
*WA3DSP*
*http://www.crompton.com/hamradio <http://www.crompton.com/hamradio>*
#!/bin/bash
IPT=/sbin/iptables
### Flush any existing rules, preparing to reload...
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F #ignore error here if mangle module isn't loaded
$IPT -X #deletes every non-builtin chain in the table
$IPT -A INPUT -p udp -s 192.168.0.0/16 --dport 5060 -j ACCEPT
IP=$(getent hosts somedomain.com | awk '{ print $1 }')
if [ "$IP" != "" ] ; then
$IPT -A INPUT -p udp -s "$IP" --dport 5060 -j ACCEPT
fi
IP=$(getent hosts washington.voip.ms | awk '{ print $1 }')
if [ "$IP" != "" ] ; then
$IPT -A INPUT -p udp -s "$IP" --dport 5060 -j ACCEPT
fi
$IPT -A INPUT -p udp --dport 5060 -j DROP
On Thu, Mar 26, 2020 at 4:08 PM "Mike Sullivan via ARM-allstar" <
arm-allstar at hamvoip.org> wrote:
> If you guys want a laugh during these troubling times.. I just checked my
> Allstar log.. early on the 24th (around 8am) an IP from Estonia seemed to
> try to connect to the SIP module, I assume some sort of brute force attack.
> Numerous "registration from x failed" messages and "call from x failed due
> to extension not found" messages. Not sure if I should be worried..
> probably not, because they couldn't do anything.
>
> Mike
> _______________________________________________
>
> ARM-allstar mailing list
> ARM-allstar at hamvoip.org
> http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
>
> Visit the BBB and RPi2/3/4 web page - http://hamvoip.org
>
More information about the ARM-allstar
mailing list