• matrix1233 joined the channel
      • matrix1233 has quit
      • pchero has quit
      • infobot joined the channel
      • newtonr has quit
      • dunderproto
        /join #xmpp
      • matrix1233 joined the channel
      • agent_white joined the channel
      • matrix1233 has quit
      • vince1 has quit
      • fstd_ joined the channel
      • fstd has quit
      • fstd_ is now known as fstd
      • dunderproto has quit
      • Oatmeal joined the channel
      • xochilpili joined the channel
      • xochilpili
        hi all
      • Nate15329 joined the channel
      • i have many of this "attacks" or "i dont know what means" like this: https://pastebin.com/Siyx05RJ
      • how can i stop them?
      • when i type : sip show channels i got many ip address and user/ANR i dont recognize with Peer <guest>
      • tuxd00d
        xochilpili: In sip.conf, what is allowguest set to?
      • xochilpili
        tuxd00d, thanks for answer i have allowguest=no
      • i also have : alwaysauthreject=yes
      • tuxd00d
        I have to run, but check your PCAP or use something like sngrep to see what’s going on.
      • xochilpili
        sngrep ?
      • matrix1233 joined the channel
      • matrix1233 has quit
      • Samael28 joined the channel
      • tuxd00d, i have installed sngrep and im capturing, now, i see alot of "attackers" making several "INVITES" and "REGISTER" but i dont realize how to stop this
      • agent_white
        xochilpili: You need to limit your traffic to be between your trunk<->pbx<->UAs exclusively. They're not using your trunk to send those INVITES.
      • xochilpili
        agent_white, thanks for answer, i dont fully understand what u mean, i think that u are talking about deny= and permit= options in sip.conf?
      • genpaku joined the channel
      • agent_white
        xochilpili: Yep! Those are well worth looking into. Though, the traffic is passing through your network, down to your PBX. Maybe look into separating voip traffic in a VLAN?
      • Lots of things you can do to avoid. https://github.com/EnableSecurity/sipvicious - you can use this to test how far the traffic is able to egress into your network.
      • (far from uncommon to see some traffic with a sipvicious tag on it)
      • xochilpili
        agent_white, but im connecting from outside, i mean, my personal extension is at home, and the server is in the cloud, i have no static ip address, so how can i use permit= if i have no a static ip address?
      • igcewieling
        packet captures would show packets before iptables filters them
      • xochilpili: use a vpn, change the permit line when your IP changes, use port knocking, use fail2ban, get a static IP, use iptables to filter out some of the common bots.
      • What *I* do, is to allow guest and autocreate peers, send them to a jail context and play tt-monkeys. The bots / scripts seems to stop trying when it "succeeds".
      • xochilpili
        igcewieling, i have installed fail2ban and sometimes it blocks my server's ip address
      • igcewieling
        xochilpili: there is no good answer to a non-static IP address.
      • now you have a handful of other things to look into as well.
      • xochilpili
        igcewieling, i mean in the server's fail2ban config, sometimes fail2ban blocks server's ip address and i cant login
      • igcewieling
        You should already be using a VPN to get access to your internal network, you could run voice over that
      • xochilpili: yes, that is one of the drawbacks to using fail2ban.
      • xochilpili
        igcewieling, i also have downloading sipvicious then i have typed : ./svcrack.py myserver's ipaddr -u 100 and then in asterisk-cli i have a lot of REGISTER <guest>
      • i dont get it, how to protect from this?
      • i have done almost everything in this: http://blogs.digium.com/2009/03/28/sip-security/
      • with "almost everything" im not using users.conf because i only have my extension
      • Nate15329 has left the channel
      • igcewieling
        there is no one perfect way. There are only layers of not perfect ways. I'm not going to help with iptables, but here is a part of my iptables rules: https://pastebin.com/zQRhHa37
      • ~users.conf
      • infobot
        [~users.conf] users.conf is a flaming pile of sh1t that takes the fine control of several perfectly usable asterisk config files and reduces them to the lowest common denominator and makes your system behave like a "toaster grade" PBX system.
      • igcewieling
        Anything which tells you to use users.conf should be considered wrong.
      • sorry, that is a bad paste. standby
      • dakudos has quit
      • Here is the correct one: https://pastebin.com/V5Uks0Vp
      • Samael28 joined the channel
      • xochilpili
        igcewieling, as i can see you have every rule in iptables to block all those, but if there's a new one then u add it into your iptables?
      • are u using fail2ban also?
      • what u mean with this: "Anything which tells you to use users.conf should be considered wrong". English issues: i think you mean, do not use users.conf ?
      • igcewieling
        I don't use fail2ban. When I see a new one, I add it. If you don't want to use iptables or fail2ban then set up a vpn and stop fighting with the problem.
      • xochilpili
        igcewieling, may i share my iptables to you, in order to have some feedback from u?
      • igcewieling
        You missed the part where I said " I'm not going to help with iptables." There is a world wide web of information about iptables.
      • xochilpili
        igcewieling, yes, sorry, i omitted that part :D
      • igcewieling, can i ask, in asterisk do you have tcp or udp also are u using 5060 or 5061 ??
      • igcewieling
        Almost all peers configured on my main call servers have static IP addresses. The only ones which don't are support staff.
      • xochilpili: I don't block the requests. I accept them and put them in a context which plays annoying sounds. most stop trying soon after they get that.
      • *HOWEVER* I've been using Asterisk since early 2006 and generally know what I'm doing with the configurations I deal with.
      • A novice should *NEVER* enable allowguest or autocreatepeer
      • xochilpili
        igcewieling, i have allowguest=no
      • in sip.conf
      • igcewieling
        you should have that and autocreatepeer=no
      • allowguest=no is the most important to have.
      • xochilpili
        igcewieling, oks added: autocreatepeer=no
      • igcewieling, but i need to ask, in iptables (sorry about it), when do you declare 'SIP-SCAN' ?
      • agent_white
        xochilpili: "friend" may be something to look at if you use the trunk for both inbound and outbound.
      • Also... "insecure=" and "context=".
      • dtfmdode=rfc2833 to save all of us the hassle of inbound dtmf shit
      • :P
      • s/inbound/inband/
      • "host=", "fromdomain=", "bindport=", "bindaddr=".
      • agent_white shrugs
      • xochilpili
        agent_white, i have insecure=invite and context=from-local then i have a [default] in extensions.conf with only _X.,1,Hangup(21) and s,1,Hangup(21)
      • agent_white
        Should be enough if you're looking to solve your issue with asterisk config.
      • xochilpili
        agent_white, wait please, baby steps :D
      • can i share a part of my sip.conf in order to have some feedback?
      • agent_white
        :P Basically my point is that you're still allowing traffic to traverse all the way to your pbx, leaving your pbx to authenticate the traffic.
      • jkroon joined the channel
      • It shouldn't reach that far in the first place. These other options generally are just good safey measure on top of it all.
      • xochilpili: Go for it! I'm Just mosying in though to say my 2cents before I wander off again.
      • But that definitely is the best start :)
      • xochilpili
        agent_white, https://pastebin.com/6ecZsT5F << a part of my sip.conf
      • agent_white
        xochilpili: Your externip is set to (I'm assuming since you blanked it out) your WAN IP, and your bindip is wildcard while your bindport is 5060; that means, it would be fair to say that any and all SIP traffic bound for port 5060 of your WAN IP is guaranteed to reach your PBX)
      • _almost_ guaranteed. Just saying as this config is setup to allow this exact thing to happen.
      • Stop the traffic before it reaches the PBX. $10 says if you had no PBX but SIP phones on your network, you would be getting lots of ghost calls from places 'appearing to be a local extension'.
      • :P
      • xochilpili
        yes i have receive a lot of ghost calls, but i dont realize exactly what are u suggesting to do in order to stop this
      • >>Stop the traffic before it reaches the PBX << iptables ??
      • agent_white
      • matrix1233 joined the channel
      • xochilpili: Also, if you kinda want super-duper definitive answers to the quesion "is my trunk registered", set qualify to yes.
      • matrix1233 has quit
      • At least, if you maybe hook responses to the keepalive (OPTIONS) somewhere in your monitoring or whatnot.
      • Good for folks who like to see 'heartbeats' to ensure things are alive.
      • xochilpili
        agent_white, im lost :D what you mean with : " if you maybe hook responses to the keepalive (OPTIONS)" somewhere?
      • agent_white, im trying with this iptables rules: https://pastebin.com/a8rAAey9 but i cant login from my zoiper at my celphone
      • the server never respond
      • igcewieling, still here=
      • ?
      • Samael28 joined the channel
      • agent_white has quit
      • vince1 joined the channel
      • dustinm has quit
      • dustinm joined the channel
      • dobson joined the channel
      • u0m3__ joined the channel
      • matrix1233 joined the channel
      • ShuttleDuck has quit
      • ShuttleDuck joined the channel
      • matrix1233 has quit
      • almostworking joined the channel
      • adeel has quit
      • igcewieling, i have use a part of your iptables, but sipvicious is not working
      • mub has quit
      • AndyCap has quit
      • AndyCap joined the channel
      • mub joined the channel
      • gerhard7 joined the channel
      • [TK]D-Fender has quit
      • xochilpili has quit
      • fblackburn has quit
      • igcewieling has quit
      • bof22 joined the channel
      • tzafrir has quit
      • Samael28 joined the channel
      • avb has quit