
Asterisk Server under Attack (Hacked)

 

I have a client who is using Asterisk.

30 or so extensions

Open to the public, yes, on port 5060

Passwords for ALL extensions are a minimum of 32 characters, including UPPER and lower case, punctuation, and symbols.

From the graph below you can see that the CPU spiked for about 4 hours. This was due to Asterisk processing thousands of registration attempts per minute from this attacker.

The next graph is the throughput on the public network card. The first thing you see is normal traffic for Thursday; this is how it normally looks. Next you see an anomaly starting Friday morning, which lasted about 4-5 hours.

 

While our server was never in danger of being hacked, since the passwords for the extensions are so very long, the flood does cause issues with latency and choppiness in audio.

As per my usual routine I check on the servers at midday, and I noticed this traffic. I then logged into the server and found, as expected, thousands upon thousands of registration attempts. This causes both high CPU and high throughput because Asterisk has to evaluate and reject each registration attempt.

So I knew what was going on, but just in case I thought I would look at the Asterisk logs and, lo and behold, this is what I found: thousands and thousands of lines like these...

 


[2011-05-06 11:59:38] NOTICE[2536] chan_sip.c: Registration from '"3518" <sip:[address cloaked by the site's spam protection]>' failed for '50.23.164.82' - No matching peer found

[2011-05-06 11:59:38] NOTICE[2536] chan_sip.c: Registration from '"3518" <sip:[address cloaked by the site's spam protection]>' failed for '50.23.164.82' - No matching peer found

[2011-05-06 11:59:38] NOTICE[2536] chan_sip.c: Registration from '"3518" <sip:[address cloaked by the site's spam protection]>' failed for '50.23.164.82' - No matching peer found

(the same line, repeated thousands of times)
 
So what did I do to fix it? Well, I'm kind of embarrassed, because I originally installed fail2ban intrusion detection software on the server but had it pointing to the wrong log file. Once I edited my jail.conf file and pointed it to the right log file, I knew I had fixed the problem.
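What fail2ban does once it reads the right file is simple to reproduce, and worth understanding before trusting the jail: it matches each new log line against a regex, counts matches per source IP inside a sliding window (findtime), and bans the IP once the count reaches maxretry. The script below is an added example, not the author's configuration and not fail2ban's own code. It re-implements that counting over constructed log lines in the chan_sip NOTICE format shown above; the contact address sip:3518@203.0.113.10 and the source IPs 198.51.100.7 and 192.0.2.44 are placeholders, and the regex is hand-written rather than copied from fail2ban's filter.d/asterisk.conf. It also tallies the failure reason per source, because the reason matters: "No matching peer found" means the extension the attacker tried does not exist at all, so those attempts were rejected before any password was checked, and the long passwords played no part in rejecting them. Setting alwaysauthreject=yes in the [general] section of sip.conf makes Asterisk answer nonexistent and wrong-password registrations identically, so an attacker cannot use the difference to discover which extensions are real.

```python
"""fail2ban-style detection of SIP registration floods in Asterisk logs.

Added example for this post, not the author's setup and not fail2ban's code.
Log lines are constructed to match the chan_sip NOTICE format in the post;
sip:NNN@203.0.113.10 and the source IPs 198.51.100.7 / 192.0.2.44 are
placeholders.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hand-written pattern for the chan_sip registration-failure NOTICE
# (not copied from fail2ban's filter.d/asterisk.conf). Later Asterisk
# releases append ":port" to the source address, hence the optional group.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
    r"NOTICE\[\d+\] chan_sip\.c: Registration from '(?P<from>[^']*)' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)


def parse_line(line):
    """Return {'ts', 'ip', 'reason'} for a registration-failure line, else None."""
    m = FAILED_REG.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "ip": m.group("ip"),
        "reason": m.group("reason"),
    }


def offenders(lines, maxretry=5, findtime=timedelta(seconds=600)):
    """Return {ip: total_failures} for every source that would be banned.

    Same rule fail2ban applies: ban when maxretry matching lines from one
    IP fall inside a sliding window of findtime seconds.
    """
    stamps_by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            stamps_by_ip[ev["ip"]].append(ev["ts"])

    banned = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0  # left edge of the sliding window
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned[ip] = len(stamps)
                break
    return banned


def reasons_by_ip(lines):
    """Tally the failure reason per source IP.

    'No matching peer found' means the extension does not exist, so the
    attempt was rejected before any password was checked: the attacker is
    enumerating extensions, not yet guessing credentials.
    """
    tally = defaultdict(Counter)
    for line in lines:
        ev = parse_line(line)
        if ev:
            tally[ev["ip"]][ev["reason"]] += 1
    return {ip: dict(c) for ip, c in tally.items()}


def _line(ts, ext, ip, reason):
    """Build one constructed chan_sip NOTICE line."""
    return (f"[{ts}] NOTICE[2536] chan_sip.c: Registration from "
            f"'\"{ext}\" <sip:{ext}@203.0.113.10>' failed for '{ip}' - {reason}")


# Constructed sample: one source hammering a nonexistent extension six
# times in six seconds, another failing five times spread over 40 minutes.
SAMPLE_LOG = [
    _line(f"2011-05-06 11:59:{38 + i:02d}", 3518, "198.51.100.7",
          "No matching peer found")
    for i in range(6)
]
SAMPLE_LOG += [
    _line(ts, 201, "192.0.2.44", "Wrong password")
    for ts in ("2011-05-06 12:03:10", "2011-05-06 12:03:11",
               "2011-05-06 12:15:00", "2011-05-06 12:25:00",
               "2011-05-06 12:40:00")
]
SAMPLE_LOG.append("[2011-05-06 12:41:00] WARNING[2536] chan_sip.c: "
                  "unrelated line that the filter must ignore")


if __name__ == "__main__":
    reasons = reasons_by_ip(SAMPLE_LOG)
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"ban {ip}: {n} failures, reasons {reasons[ip]}")
```

With fail2ban's stock maxretry of 5 and findtime of 600 seconds, only 198.51.100.7 is banned; 192.0.2.44 never has five failures inside one ten-minute window, which is the findtime behaviour to keep in mind when a slow, patient scanner stays under the threshold. For the real jail, the equivalent check is `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf`, which reports how many lines in the file the filter matched; a zero match count against a file you know is full of these NOTICE lines is exactly the misconfiguration described in this post. Which file Asterisk writes them to is decided by logger.conf; the sample configuration shipped with Asterisk sends notice-level messages to /var/log/asterisk/messages, so that is the logpath the jail normally needs.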
 

 

 

So I went back to the command prompt and restarted fail2ban... within 2 seconds I saw the server send an email to me stating that the hacker's IP had been blocked...

 

Gotta love Fail2Ban... Just remember to point it to the right log file and test, test, test before deployment!