
While not operational (per-se) I wanted to post these questions...

1) Anyone have a reliable source for a) Canadian DID's

2) I've slapped together a creative honeypot for Asterisk if anyone else is seeing those pesky little scans...

For 2) shoot me an off-list message, there is much that I won't publicly post for obvious reasons.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

On Tue, 4 Aug 2009, J. Oquendo wrote:
While not operational (per-se) I wanted to post these questions...
1) Anyone have a reliable source for a) Canadian DID's
Les.net is based in Canada. Small shop, but always responsive. Vitelity has Canada, but not huge coverage.
2) I've slapped together a creative honeypot for Asterisk if anyone else is seeing those pesky little scans...
I love sshguard. It's a misleading name to a powerful tool. I've been trying to determine an easy way to use sshguard (http://sshguard.sourceforge.net/) to scan Asterisk's verbose log and block those who scanneth thou on demand. I think the answer is socat (http://www.dest-unreach.org/socat/doc/socat.html), but I haven't put the time back into trying it again.

My initial attempt was using sshguard to block web scans:

    tail -n0 -F httpd.log | sed -n -E 's/^([^ ]+) .+ 404 .+$/\1 404 access denied/p' | sshguard -a 100 -s 60 -p 1200

But there are too many pipes involved. socat is my next attempt.

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman at angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------

I've always been a bit slow on the draw with the whole "reflexively block an address" thing. It'd be just my luck to reflexively block one of my provider's addresses...

David Hiers
CCIE (R/S, V), CISSP
ADP Dealer Services
2525 SW 1st Ave.
Suite 300W
Portland, OR 97201
o: 503-205-4467
f: 503-402-3277

-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Peter Beckman
Sent: Tuesday, August 04, 2009 12:17 PM
To: J. Oquendo
Cc: voiceops at voiceops.org
Subject: Re: [VoiceOps] DID's + Asterisk Security

On Tue, 4 Aug 2009, J. Oquendo wrote:
While not operational (per-se) I wanted to post these questions...
1) Anyone have a reliable source for a) Canadian DID's
Les.net is based in Canada. Small shop, but always responsive. Vitelity has Canada, but not huge coverage.
2) I've slapped together a creative honeypot for Asterisk if anyone else is seeing those pesky little scans...
I love sshguard. It's a misleading name to a powerful tool. I've been trying to determine an easy way to use sshguard (http://sshguard.sourceforge.net/) to scan Asterisk's verbose log and block those who scanneth thou on demand. I think the answer is socat (http://www.dest-unreach.org/socat/doc/socat.html), but I haven't put the time back into trying it again.

My initial attempt was using sshguard to block web scans:

    tail -n0 -F httpd.log | sed -n -E 's/^([^ ]+) .+ 404 .+$/\1 404 access denied/p' | sshguard -a 100 -s 60 -p 1200

But there are too many pipes involved. socat is my next attempt.

Beckman

_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops

This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system.

On Tue, 4 Aug 2009, Hiers, David wrote:
I've always been a bit slow on the draw with the whole "reflexively block an address" thing.
It'd be just my luck to reflexively block one of my provider's addresses...
SSHguard uses a whitelist to prevent this. Additionally, you can specify how many failed transactions occur in a period of time before you block, and how long it is blocked before it is unblocked (automagically).

A legit but badly configured customer can DOS an Asterisk instance with AUTH or register requests, and in this case, blocking them to allow legit customers to connect actually does something good. You can block after 100+ attempts in 1 minute for example, or 100 over an hour. Your choice.

The fact that sshguard can be used for multiple services is where I believe its power lies. If I can get socat working, sshguard can dynamically block HTTP server scans (more than 100 404's in 1 minute for example), block SIP AUTH scans, etc.

Peter Beckman

We are a small Canadian ITSP but we can probably provide you with the DIDs you need. You can contact me offlist and I'll send you our coverage. The name of the company is Ubity : http://www.ubity.com

On Tue, Aug 4, 2009 at 3:17 PM, Peter Beckman <beckman at angryox.com> wrote:
On Tue, 4 Aug 2009, J. Oquendo wrote:
While not operational (per-se) I wanted to post these questions...
1) Anyone have a reliable source for a) Canadian DID's
Les.net is based in Canada. Small shop, but always responsive. Vitelity has Canada, but not huge coverage.
2) I've slapped together a creative honeypot for Asterisk if anyone else is seeing those pesky little scans...
I love sshguard. It's a misleading name to a powerful tool. I've been trying to determine an easy way to use sshguard (http://sshguard.sourceforge.net/) to scan Asterisk's verbose log and block those who scanneth thou on demand. I think the answer is socat (http://www.dest-unreach.org/socat/doc/socat.html), but I haven't put the time back into trying it again.

My initial attempt was using sshguard to block web scans:

    tail -n0 -F httpd.log | sed -n -E 's/^([^ ]+) .+ 404 .+$/\1 404 access denied/p' | sshguard -a 100 -s 60 -p 1200

But there are too many pipes involved. socat is my next attempt.

Beckman

Peter Beckman wrote:
My initial attempt was using sshguard to block web scans:
    tail -n0 -F httpd.log | sed -n -E 's/^([^ ]+) .+ 404 .+$/\1 404 access denied/p' | sshguard -a 100 -s 60 -p 1200
But there are too many pipes involved. socat is my next attempt.
I made a butchery for my own servers. Needs a little tweaking as * systems differ. Be advised, thresholds are different so if you're in a provider (mini Vonage) environment, if you don't modify this, you will find your customer support department answering calls on valid connections which were blocked.

http://www.infiltrated.net/asterisk-ips.html

I thought about re-writing it using a db, but because of DHCP, clients' mobility, would be a tough call. An optimal way to do something like this would be:

    W=Account_Name
    X=Amount_of_Connection_Attempts
    Y=Time
    Z=Block

    if [ "$X" -ge 100 ] && [ "$W" -ge 30 ] && [ "$Y" -eq 60 ]
    then
        iptables something
    fi

Where, if someone attempts to connect say 100 times from 30 different accounts in under 60 seconds, block em.

I thought about this and how I can streamline it, but if you're in the managed PBX environment, a hosted customer can have multiple registrations especially if say their connection flaked. Imagine a hosted customer going down, coming back up and getting caught in the error logs. The script if done incorrectly would auto-block them. If they're in a different timezone where no one can flush out the rules, they'd have to wait to get reconnected.

I shot off a message to Mark Spencer at Digium (he's the Mark referenced in the document) about this and other stuff and we spoke briefly, but 1) Mark is always busy, I was doing this on my own accord for my own systems, so the incentive to make it an all out project was beyond my scope.

--
J. Oquendo
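The rule sketched above (100 attempts from 30 different accounts inside 60 seconds), combined with the sshguard behaviour Peter described earlier in the thread (a whitelist, a threshold per time window and automatic release after a pardon period), as one small log correlator. This is an added example, not the script from infiltrated.net and not sshguard's own code. It assumes failed REGISTERs are logged in the chan_sip NOTICE format of the Asterisk 1.4/1.6 era (adjust LINE_RE for other versions); the log lines, addresses and thresholds are constructed for the sample, with the thresholds scaled down to 5 attempts from 3 accounts so the sample stays short; and the iptables rule is returned as text rather than executed, so you can see what would be blocked before wiring it into a firewall.

```python
"""Sliding-window blocker for failed SIP REGISTER attempts (added example)."""
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed sample in the chan_sip NOTICE format of the Asterisk 1.4/1.6 era
# (assumed; the wording differs between versions, so adjust LINE_RE to yours).
SAMPLE_LOG = """\
[Aug  5 10:13:00] NOTICE[2212] chan_sip.c: Registration from '"99"<sip:99@pbx.example>' failed for '203.0.113.5' - Wrong password
[Aug  5 10:14:50] NOTICE[2212] chan_sip.c: Registration from '"2001"<sip:2001@pbx.example>' failed for '198.51.100.20' - Wrong password
[Aug  5 10:14:51] NOTICE[2212] chan_sip.c: Registration from '"2001"<sip:2001@pbx.example>' failed for '198.51.100.20' - Wrong password
[Aug  5 10:14:52] NOTICE[2212] chan_sip.c: Registration from '"2001"<sip:2001@pbx.example>' failed for '198.51.100.20' - Wrong password
[Aug  5 10:14:53] NOTICE[2212] chan_sip.c: Registration from '"2001"<sip:2001@pbx.example>' failed for '198.51.100.20' - Wrong password
[Aug  5 10:14:54] NOTICE[2212] chan_sip.c: Registration from '"2001"<sip:2001@pbx.example>' failed for '198.51.100.20' - Wrong password
[Aug  5 10:15:01] NOTICE[2212] chan_sip.c: Registration from '"100"<sip:100@pbx.example>' failed for '203.0.113.5' - Wrong password
[Aug  5 10:15:02] NOTICE[2212] chan_sip.c: Registration from '"101"<sip:101@pbx.example>' failed for '203.0.113.5' - No matching peer found
[Aug  5 10:15:02] NOTICE[2212] chan_sip.c: Registration from '"102"<sip:102@pbx.example>' failed for '203.0.113.5' - No matching peer found
[Aug  5 10:15:03] NOTICE[2212] chan_sip.c: Registration from '"103"<sip:103@pbx.example>' failed for '203.0.113.5' - No matching peer found
[Aug  5 10:15:03] NOTICE[2212] chan_sip.c: Registration from '"104"<sip:104@pbx.example>' failed for '203.0.113.5' - No matching peer found
[Aug  5 10:15:10] NOTICE[2212] chan_sip.c: Registration from '"100"<sip:100@pbx.example>' failed for '192.0.2.10' - Wrong password
[Aug  5 10:15:10] NOTICE[2212] chan_sip.c: Registration from '"101"<sip:101@pbx.example>' failed for '192.0.2.10' - Wrong password
[Aug  5 10:15:11] NOTICE[2212] chan_sip.c: Registration from '"102"<sip:102@pbx.example>' failed for '192.0.2.10' - Wrong password
[Aug  5 10:15:11] NOTICE[2212] chan_sip.c: Registration from '"103"<sip:103@pbx.example>' failed for '192.0.2.10' - Wrong password
[Aug  5 10:15:12] NOTICE[2212] chan_sip.c: Registration from '"104"<sip:104@pbx.example>' failed for '192.0.2.10' - Wrong password
"""

LINE_RE = re.compile(
    r"^\[\w{3}\s+\d+ (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '[^<']*<sip:(?P<acct>[^@>]+)@[^>]*>' failed for '(?P<ip>[^']+)'"
)


def parse_line(line):
    """Return (seconds_of_day, source_ip, account) for a failed REGISTER, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    ip = m["ip"].split(":")[0]  # newer versions append ':port'; IPv4 only here
    return ts, ip, m["acct"]


class RegisterFailureGuard:
    """Block a source that makes >= `attempts` failures from >= `accounts` distinct
    accounts inside `window` seconds; release it again after `block_for` seconds.
    Whitelisted networks (your upstream provider, your own NAT) are never blocked."""

    def __init__(self, attempts, accounts, window, block_for, whitelist=()):
        self.attempts, self.accounts = attempts, accounts
        self.window, self.block_for = window, block_for
        self.whitelist = [ip_network(n) for n in whitelist]
        self.events = defaultdict(deque)  # ip -> deque of (ts, account)
        self.blocked = {}                 # ip -> release time

    def is_whitelisted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def observe(self, ts, ip, account):
        """Record one failure; return True if this event trips the block."""
        if ip in self.blocked or self.is_whitelisted(ip):
            return False
        q = self.events[ip]
        q.append((ts, account))
        while ts - q[0][0] > self.window:  # drop events older than the window
            q.popleft()
        distinct = {acct for _, acct in q}
        if len(q) >= self.attempts and len(distinct) >= self.accounts:
            self.blocked[ip] = ts + self.block_for
            q.clear()
            return True
        return False

    def expire(self, now):
        """Return the IPs whose block has lapsed and forget them (the automatic unblock)."""
        released = sorted(ip for ip, until in self.blocked.items() if until <= now)
        for ip in released:
            del self.blocked[ip]
        return released


def iptables_rule(ip):
    """The rule a wrapper would run; returned as text here rather than executed."""
    return f"iptables -I INPUT -s {ip} -j DROP"


def scan(lines, guard):
    """Feed log lines through the guard; return [(ip, ts)] for each new block."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and guard.observe(*parsed):
            hits.append((parsed[1], parsed[0]))
    return hits


if __name__ == "__main__":
    guard = RegisterFailureGuard(attempts=5, accounts=3, window=60,
                                 block_for=1200, whitelist=["192.0.2.0/24"])
    for ip, ts in scan(SAMPLE_LOG.splitlines(), guard):
        print(iptables_rule(ip), "# tripped at second-of-day", ts)
```

Run against the sample, only 203.0.113.5 trips the rule: the hosted customer at 198.51.100.20 fails just as often but from a single account, so the distinct-account condition leaves it alone, and 192.0.2.10 is inside the whitelisted provider range. Feeding the same `scan()` from `tail -n0 -F` on the Asterisk messages log gives the line-by-line behaviour rather than a cron sweep, and a periodic `expire()` call is what removes the rule again once the pardon period is over.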

On Wed, 5 Aug 2009, J. Oquendo wrote:
I made a butchery for my own servers.
Well written article, and comprehensive too. Well done!

My problems with interpreted scripts to handle parsing of log files in the way your article describes are:

* Scanning happens in chunks, a cron job for example. If for some reason your log file gets pretty big, maybe tail or grep takes a long enough time for you to have TWO versions of the script running, which could lead to some unexpected results.
* Scanning happens in 5 minute granularity, and you may be screwed by the time the script gets around to running again.
* The code is interpreted, not compiled, and thusly less efficient with greater overhead.
* Grepping and Copying involves lots of IO.

In a production environment, log files can get really big, making parsing, grepping and copying costly, especially every 5 minutes. There is a great benefit to on-the-fly log parsing and action with a compiled tool that uses minimal resources.

For most people, all the tools are functionally the same -- block hosts that pass a certain threshold or set of rules. But when you get into production systems with a lot of customers and a lot of attacks, the interpreted script (PHP, Python, bash/sh/tcsh) simply doesn't scale as well as a compiled, native OS byte-code long-running daemon.

I don't want to get into another language flame war, we all use what works for us during the time we need such things, and when it stops working for us, we change. There's 9 ways from Sunday to do the things we all have to do as VoIP folk, none of them are wrong, every choice has tradeoffs.

Beckman

Peter Beckman wrote:
In a production environment, log files can get really big, making parsing, grepping and copying costly, especially every 5 minutes. There is a great benefit to on-the-fly log parsing and action with a compiled tool that uses minimal resources.
For most people, all the tools are functionally the same -- block hosts that pass a certain threshold or set of rules. But when you get into production systems with a lot of customers and a lot of attacks, the interpreted script (PHP, Python, bash/sh/tcsh) simply doesn't scale as well as a compiled, native OS byte-code long-running daemon.
I don't want to get into another language flame war, we all use what works for us during the time we need such things, and when it stops working for us, we change. There's 9 ways from Sunday to do the things we all have to do as VoIP folk, none of them are wrong, every choice has tradeoffs.
Agreed (IO calls, grep, tail, etc), things to keep in mind though:

1) it was something new for me
2) I needed the portability - for example, if (for some strange reason) I didn't have PERL on the fly, I would have had to install it. Shell scripting absolved that. I thought about writing something in C, then in ruby (last resort would have been PERL since I'm not that much of a fan).
3) My system is not yours! ... If someone else wanted something on the fly, there it is(was). Able to give someone at least a framework to go on.

As for the large log files (drum roll - you will want to kick me)... I can easily parse it out from a central syslog server, whip up a script to correlate all logs, then reshoot them off to servers. The load would be taken off the PBX itself with a centralized source parsing out anomalous entries. SSHKeys + shell scripts + coffee = tons of insanity + security fun/crash testing.

I may go back and re-do portions when I can however, I left the IPS alone to fiddle with those annoying brute force kiddiots for now. Kind of like a personal pet project. Think "Deception Toolkit meets + Asterisk"

--
J. Oquendo

On 8/4/09 3:10 PM, "J. Oquendo" <sil at infiltrated.net> wrote:
While not operational (per-se) I wanted to post these questions...
1) Anyone have a reliable source for a) Canadian DID's
Phonetime Networks (phonetime.com) is a good source for DID's. They're a slightly larger provider that has coverage and adequate capacity for more than just small business use. They're based in Canada.
2) I've slapped together a creative honeypot for Asterisk if anyone else is seeing those pesky little scans...
For 2) shoot me an off-list message, there is much that I won't publicly post for obvious reasons.

I sure don't see a problem with people using this list to find reliable providers... While it is more of a "build" than an "operate" question, I think that we're all pretty much building something all the time :)

David Hiers

-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of J. Oquendo
Sent: Tuesday, August 04, 2009 12:10 PM
To: voiceops at voiceops.org
Subject: [VoiceOps] DID's + Asterisk Security

While not operational (per-se) I wanted to post these questions...

1) Anyone have a reliable source for a) Canadian DID's

2) I've slapped together a creative honeypot for Asterisk if anyone else is seeing those pesky little scans...

For 2) shoot me an off-list message, there is much that I won't publicly post for obvious reasons.

--
J. Oquendo
participants (5)
- a.reversat@gmail.com
- beckman@angryox.com
- David_Hiers@adp.com
- kleclaire@mywdt.com
- sil@infiltrated.net