asterisk2billing.org http://forum.asterisk2billing.org/ |
fraud with SIP , a sophisticated hack to make free call. http://forum.asterisk2billing.org/viewtopic.php?f=22&t=7785 |
Page 2 of 3 |
Author: | adadekd [ Sun Sep 12, 2010 9:17 pm ] |
Post subject: | Re: fraud with SIP , a sophisticated hack to make free call. |
Doesn't anyone use fail2ban anymore? I use it to block SSH and SIP failures. The program will email you the network and the abuse contact email the attack is coming from. I used to get one brute force attack every 6 months; now I get about 5 a week. I think hackers are registering with a2billing to get the SIP gateway IP and then trying the brute force attack. |
Author: | cerien [ Mon Sep 13, 2010 12:53 am ] |
Post subject: | Re: fraud with SIP , a sophisticated hack to make free call. |
- install fail2ban
- have customized iptables filters
- buy a SIP firewall

Googling this will point you in the right direction.... Remember that reading the log is the foundation of system security.
j. |
Author: | cerien [ Mon Sep 13, 2010 12:55 am ] |
Post subject: | Re: fraud with SIP , a sophisticated hack to make free call. |
adadekd wrote: Doesn't anyone use fail2ban anymore? I use it to block SSH and SIP failures. The program will email you the network and the abuse contact email the attack is coming from. I used to get one brute force attack every 6 months; now I get about 5 a week. I think hackers are registering with a2billing to get the SIP gateway IP and then trying the brute force attack.

f2b will do a bit more... It will automatically ban the IP generating more than x error messages. It needs to be correctly configured, and each time you see something strange in the log, you need to update the filters so it captures this as well. For f2b to run efficiently, you need to have gamin/fam installed, and rotate your logs regularly. |
Author: | jroper [ Mon Sep 13, 2010 9:21 am ] |
Post subject: | Re: fraud with SIP , a sophisticated hack to make free call. |
Hi,

On our commercial installs, we use OSSEC to block brute force attacks, which is pretty effective. It is similar to Fail2Ban.

However, I suspect your fraud is different from the ones above in this thread. I think yours is a password crack, whereas the others are from a registered customer who is using a transfer to bypass A2Billing, which can be stopped by including "i" in the dial command parameter. The difference with the former is that all the calls show a very small duration, but you still get charged by the carrier.

I suspect that your best course of action is to install OSSEC/Fail2ban, and change your secret.

Joe |
Author: | Avestan [ Tue Sep 14, 2010 12:36 pm ] |
Post subject: | Re: fraud with SIP , a sophisticated hack to make free call. |
Hello everyone,

I am starting to get the feeling that I am getting to the bottom of this. I was puzzled how they would distinguish between a valid and invalid username! It appears that Asterisk SIP responses expose valid usernames in some versions. I think the following link sheds some light on this question: http://www.securiteam.com/unixfocus/5FP011PQUQ.html and I am running Asterisk 1.4.23 on the testbox.

I think once they know a valid username, the hack is going to be just a matter of time running a loop to check for the password, and it is just a matter of time to crack it. The bottom line is that we have to block brute force attacks, and I am going to look into some of the solutions suggested here.

Thanks very much for all your input,
Avestan |
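Added example, not part of the original thread: the per-source failure counting that tools such as Fail2Ban and OSSEC apply, run here over constructed log lines in the style of Asterisk's chan_sip registration failures, and separating username probing from guessing one account's secret. The timestamp layout, the thresholds and the name `find_offenders` are assumptions made for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# chan_sip registration-failure line; the timestamp layout assumes
# dateformat=%F %T in logger.conf (an assumption for this example).
FAILED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'.*?sip:(?P<user>[^@>']+)@[^']*' failed for '(?P<ip>[0-9.]+)' - (?P<reason>.+)$")

def find_offenders(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: info} for sources with max_failures failures inside window."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> every username that source has tried
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip, q = m["ip"], recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        users[ip].add(m["user"])
        if len(q) >= max_failures:
            # Many different usernames: probing for valid accounts.
            # One username over and over: guessing its secret.
            kind = ("username scan" if len(users[ip]) >= max_failures
                    else "password guessing")
            flagged[ip] = {"kind": kind, "users_tried": len(users[ip])}
    return flagged

def _line(ts, user, ip, reason):
    return (f"[2010-09-14 {ts}] NOTICE[2211] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@192.0.2.10>' failed for '{ip}' - {reason}")

# Constructed sample log (documentation IP ranges, made-up extensions).
SAMPLE_LOG = "\n".join(
    [_line("09:00:00", 1002, "192.0.2.77", "Wrong password"),
     _line("11:00:00", 1002, "192.0.2.77", "Wrong password")]
    + [_line(f"12:30:{i:02d}", 100 + i, "203.0.113.50", "No matching peer found")
       for i in range(6)]
    + [_line(f"12:31:{i:02d}", 1001, "198.51.100.7", "Wrong password")
       for i in range(5)])

if __name__ == "__main__":
    for ip, info in find_offenders(SAMPLE_LOG).items():
        print(ip, info)
```

The source that mistyped its password twice, two hours apart, stays below the threshold; the other two sources would be handed to the firewall for banning.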
Author: | jroper [ Tue Sep 14, 2010 12:55 pm ] |
Post subject: | Re: fraud with SIP , a sophisticated hack to make free call. |
Hi,

OSSEC or Fail2Ban is the answer; personally, I prefer OSSEC. It's an easy install from source with its own install script. You could also use the permit and deny directives to restrict access from certain IP addresses as a short-term measure.

Joe |
Author: | Avestan [ Wed Sep 15, 2010 7:31 pm ] |
Post subject: | Re: fraud with SIP , a sophisticated hack to make free call. |
Hello jroper,

I agree with you that the fraud calls were made in a different way than the reason this thread was originally opened. But I thought they both can be security measures which need to be taken by the Asterisk/A2Billing users. Could you also shed some light on "including 'i' in the dial command parameter", when you said:

Quote: ..., whereas the others are from a registered customer who is using a transfer to bypass A2Billing, which can be stopped by including "i" in the dial command parameter.

If I am not mistaken you are referring to: http://www.voip-info.org/wiki/view/Asterisk+i+extension but I don't see how it could stop the fraud call on "jimmy888" system.

Thanks,
Avestan |
Author: | jroper [ Wed Sep 15, 2010 7:53 pm ] |
Post subject: | Re: fraud with SIP , a sophisticated hack to make free call. |
You are mistaken: http://www.voip-info.org/wiki/view/Asterisk+cmd+Dial |
Author: | cerien [ Wed Sep 15, 2010 9:02 pm ] |
Post subject: | Re: fraud with SIP , a sophisticated hack to make free call. |
jroper wrote: ... from a registered customer who is using a transfer to bypass A2Billing, which can be stopped by including "i" in the dial command parameter.

Joe, could you elaborate on this? Is it a situation where a customer establishes a call to a free destination, through A2B, and then issues a transfer to another destination, which is then not trapped and controlled by A2B? Does the "i" you're indicating need to be added in the agi-conf command?

Thanks for the feedback,
J. |
Author: | hellbound [ Sun Feb 27, 2011 9:50 am ] |
Post subject: | Re: fraud with SIP , a sophisticated hack to make free call. |
We are getting attacks every day; you need to install fail2ban on Asterisk to block them. Cheers |
Author: | ryan_mu [ Sun Jun 12, 2011 10:01 am ] |
Post subject: | Re: fraud with SIP , a sophisticated hack to make free call. |
xstrafer wrote: Same problem here. A user had made a lot of calls to Somalia, and by a2billing reports the calls are of 00:00 or 00:01 seconds. But the SIP provider showed the same calls with 1-25-15 minutes duration. Is there a workaround for this problem?
Quote: I know that system, the only solution for this is to not allow simultaneous calls for new customers.
All users on the system are with individual access, no simultaneous calls allowed.

Hi all,

I have the same problem. A user, as a hacker, has made some calls, but in the log A2B reports the calls as 00:00 or 00:01 seconds. But my wholesale VoIP provider shows the calls as 10-20 minutes. In my system, all users are individual access. Please check this issue.

Thanks in advance for all help!
Ryan. |
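Added example, not part of the original thread: a reconciliation check that surfaces the symptom reported above, where A2Billing records a call as 0 or 1 seconds while the carrier bills minutes for the same destination. The record layout (start time, dialled number, seconds), the matching rule and all sample values are constructed for this illustration and are not A2Billing's own schema.

```python
from datetime import datetime, timedelta

def reconcile(a2b_cdr, carrier_cdr, skew=timedelta(seconds=30), tolerance=5):
    """Match carrier legs to A2Billing records and return the suspicious ones.

    A carrier leg matches an unused A2Billing record with the same destination
    whose start time is within `skew`. It is reported when nothing matches, or
    when the carrier billed more than `tolerance` seconds beyond what
    A2Billing recorded. Findings are (destination, a2b_seconds, carrier_seconds).
    """
    unused = list(a2b_cdr)
    findings = []
    for c_start, c_dst, c_secs in sorted(carrier_cdr):
        match = next((r for r in unused
                      if r[1] == c_dst and abs(r[0] - c_start) <= skew), None)
        if match is None:
            # The carrier carried a call the billing system never saw.
            findings.append((c_dst, None, c_secs))
            continue
        unused.remove(match)          # one billing record explains one leg
        if c_secs - match[2] > tolerance:
            findings.append((c_dst, match[2], c_secs))
    return findings

def _t(hms):
    return datetime.strptime("2011-06-12 " + hms, "%Y-%m-%d %H:%M:%S")

# Constructed records: (call start, dialled number, billed seconds).
A2B_CDR = [
    (_t("12:00:00"), "25200000001", 1),
    (_t("12:05:00"), "25200000002", 0),
    (_t("12:10:00"), "441632960001", 180),
]
CARRIER_CDR = [
    (_t("12:00:03"), "25200000001", 900),
    (_t("12:05:02"), "25200000002", 1500),
    (_t("12:10:01"), "441632960001", 182),
    (_t("12:20:00"), "25200000003", 600),
]

if __name__ == "__main__":
    for dst, ours, theirs in reconcile(A2B_CDR, CARRIER_CDR):
        print(dst, "A2B:", ours, "carrier:", theirs)
```

Run against each day's carrier export, a non-empty result is the early signal that calls are continuing outside the billing system's view.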
Author: | hellbound [ Sun Jun 12, 2011 10:04 am ] |
Post subject: | Re: fraud with SIP , a sophisticated hack to make free call. |
you need to block for the prefixes they make these calls to a dummy trunk, here is what I have discovered so far, please paste your call records and perhaps we can complete a better black list.

Regards

Code:
ascension 247
austria - special services 43820
austria - special services 43810
austria - special services 43780
austria - special services 43740
austria - special services 43730
austria - special services 43720
austria - special services 43711
bulgaria - mobile maxtel 35999
dr of congo - mobile others 24396
dr of congo - mobile others 24395
dr of congo - mobile others 24394
dr of congo - mobile others 24393
dr of congo - mobile others 24392
dr of congo - mobile others 24391
dr of congo - mobile others 24390
dr of congo - mobile others 24389
dr of congo - mobile others 24387
dr of congo - mobile others 24386
dr of congo - mobile others 24385
dr of congo - mobile others 24384
dr of congo - mobile others 24378
dr of congo - mobile others 24373
dr of congo - special services 24343
dr of congo - special services 24342
dummy 2
dummy 7
dummy 1
dummy 3
dummy 4
dummy 6
dummy 5
dummy 7
dummy 8
dummy 8
dummy 9
estonia - special services 37270
falklands 500
inmarsat aero snac 8705
inmarsat b (snac) except pacific 87038
inmarsat b (snac) except pacific 87037
inmarsat b (snac) except pacific 87036
inmarsat b (snac) except pacific 87035
inmarsat b (snac) except pacific 87034
inmarsat b (snac) except pacific 87033
inmarsat b (snac) except pacific 87032
inmarsat b (snac) except pacific 87031
inmarsat b (snac) except pacific 87030
inmarsat bgan hsd snac 87078
inmarsat bgan snac 87077
inmarsat hsd snac except pacific 87039
inmarsat m (snac) except pacific 87069
inmarsat m (snac) except pacific 87068
inmarsat m (snac) except pacific 87067
inmarsat m (snac) except pacific 87066
inmarsat m (snac) except pacific 87065
inmarsat m (snac) except pacific 87064
inmarsat m (snac) except pacific 87063
inmarsat m (snac) except pacific 87062
inmarsat m (snac) except pacific 87061
inmarsat m4 snac 87060
inmarsat mini-m (snac) except pacific 87076
italy - special services 398
italy - special services 390
ivory coast - special services 22590409
ivory coast - special services 2252170
latvia - fixed 3719
latvia - mobility services 371810
latvia - mobility services 37168504
latvia - mobility services 37165159
latvia - mobility services 37165158
latvia - mobility services 37165153
latvia - mobility services 3712900
liechtenstein - fixed 423
liechtenstein - special services 42387
lithuania - special services 370910
romania - special services rodasy 40900010
romania - special services rodasy 40906010
sao tome and principe - others 2392
sierra leone - fixed 232
sierra leone - mobile 23225
sierra leone - mobile 23230
sierra leone - mobile 23233
sierra leone - mobile 23244
sierra leone - mobile 23255
sierra leone - mobile 23256
sierra leone - mobile 23276
sierra leone - mobile 23277
sierra leone - mobile 23278
sierra leone - mobile 23288
slovenia - mobile ipko 386430
slovenia - mobile ipko 386431
slovenia - mobile ipko 386432
slovenia - mobile ipko 386433
slovenia - mobile ipko 386434
slovenia - mobile ipko 386435
slovenia - mobile ipko 386437
slovenia - mobile ipko 386438
slovenia - mobile ipko 386439
slovenia - mobile ipko 38649
solomon islands - fixed 677
solomon islands - mobile 67774
solomon islands - mobile 677750
somalia - fixed hormuud 25243
somalia - mobility services 252609
spain - special services 3451
st helena 290
switzerland - mobile others 4174
switzerland - mobile others 417698
switzerland - mobile others 417699
switzerland - mobile others 41777
switzerland - mobile others 4179977
switzerland - mobile others 4179978
switzerland - mobile others 4179979
switzerland - mobile others 418607698
switzerland - mobile others 418607699
switzerland - mobile others 41860777
switzerland - mobile others 4186079977
switzerland - mobile others 4186079978
switzerland - mobile others 4186079979
zimbabwe - mobile econet 26391 |
Author: | ryan_mu [ Sun Jun 12, 2011 2:23 pm ] |
Post subject: | Re: fraud with SIP , a sophisticated hack to make free call. |
hellbound wrote: you need to block for the prefixes they make these calls to a dummy trunk, here is what I have discovered so far, please paste your call records and perhaps we can complete a better black list. Regards

Thank you for your reply,

I have a small question. How to block for these prefixes in rate card A2Billing? Because I add rate for Myanmar with prefix: 95xxxxxxx. So all calls to Myanmar can pass through A2Billing. In my case, these numbers that they make these calls to a dummy trunk are:

Code:
Myanmar - 9552580657
Myanmar - 9552580694
Myanmar - 9552580658
Myanmar - 9552580656
Italy - 393276874424

Thanks in advance for all help!
Best regards,
Ryan. |
Author: | hellbound [ Sun Jun 12, 2011 2:35 pm ] |
Post subject: | Re: fraud with SIP , a sophisticated hack to make free call. |
ryan_mu wrote:
hellbound wrote: you need to block for the prefixes they make these calls to a dummy trunk, here is what I have discovered so far, please paste your call records and perhaps we can complete a better black list. Regards
Thank you for your reply, I have a small question. How to block for these prefixes in rate card A2Billing? Because I add rate for Myanmar with prefix: 95xxxxxxx. So all calls to Myanmar can pass through A2Billing. In my case, these numbers that they make these calls to a dummy trunk are:
Code:
Myanmar - 9552580657
Myanmar - 9552580694
Myanmar - 9552580658
Myanmar - 9552580656
Italy - 393276874424
Thanks in advance for all help! Best regards, Ryan.

1. create a dummy trunk with a dummy ip without failover
2. add these prefixes to that.

but yours is a little odd to crack, most of the attacks to my servers were into non-existing providers or numbers that somehow a backbone provider would benefit. In your case, according to https://www.numberingplans.com/?page=pl ... ent_page=9 the number 95-52-58XXXX falls in no city, the nearest valid city is 95-52-50XXXX and 95-52-58XXXX it's a little difficult job to crack, but we need the full list of numbering plan from https://www.numberingplans.com/?page=pl ... ent_page=9 to create a list of world's valid prefixes and take out everything else.

Cheers |
Author: | ryan_mu [ Sun Jun 12, 2011 3:48 pm ] |
Post subject: | Re: fraud with SIP , a sophisticated hack to make free call. |
hellbound wrote:
1. create a dummy trunk with a dummy ip without failover
2. add these prefixes to that.

Thank you for your reply,

I can create a dummy trunk but IP without failover. So it is difficult to have a dummy IP without fail-over. Can you suggest me an example to have a dummy IP without fail-over?

Thanks in advance for all help!
Best regards,
Ryan. |
All times are UTC |