Asterisk Brute Force Prevention

From Etel

Title

Asterisk Brute Force Prevention Tool

Problem

Dial-through fraud allows criminals to brute force a PBX and reroute calls to anywhere in the world. Because many Asterisk PBXs accept remote connections with the company picking up the bill, fraudsters have been known to leverage an Asterisk PBX for outgoing calls at the company's expense.

Solution

What I've created is a simple and effective script to minimize this. It looks at the recent messages in the Asterisk log and finds username authorization errors. If the count for one particular source is more than ten, meaning that a user has failed to authenticate more than 10 times from that address, the address is then firewalled using iptables.

#!/bin/sh
# Asterip
# J. Oquendo
# echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
# Asterisk Intrusion Prevention Tool safeguards against
# attackers attempting to brute force an account on your
# PBX. Be sure to change the XXX's to your machine's
# IP address. Due to configurations on different servers
# it would have been difficult to parse out the IP ...
# e.g. BSD output:
#
#em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
#        options=b<RXCSUM,TXCSUM,VLAN_MTU>
#        inet6 fe80::20e:cff:fe3c:87c3%em0 prefixlen 64 scopeid 0x1
#        inet6 2001:618:400:deee:: prefixlen 64
#        inet xxx.xxx.xxx.xxx netmask 0xfffffff8 broadcast xxx.xxx.xxx.xxx
#
# Linux output for me works with:
# ifconfig eth0|awk -F : '/inet/&&!/inet6/{print $2}'|awk '{print $1}'
# but doesn't guarantee it would work with someone else's machine

LOG=/var/log/asterisk/messages

# Field positions ($7 = extension, $10 = source address) match the chan_sip
# "Registration from ... failed for ... Username/auth" lines of the author's
# Asterisk version; check them against your own log before relying on them.
# The trailing sort -u gives one address per line even when the same source
# tried several extensions.
violators=`tail -n 5000 $LOG|awk '/Username\/auth/{print $7,$10}'|grep "\."|sed 's/'\''//g'|sort -ru|awk '{print $2}'|sort -u`

# Handle every offending address, not just one: count that address's
# failures and reject it once it has failed more than ten times.
for violator in $violators
do
	count=`tail -n 5000 $LOG|grep -cF -- "$violator"`

	# -gt is the numeric comparison; "[ $count > 10 ]" would be parsed
	# as a redirection to a file named 10 and would always succeed
	if [ "$count" -gt 10 ]
	then
		# "IP" is not a protocol name iptables accepts; leaving -p out
		# matches all protocols, which is what a full block wants
		iptables -A INPUT -s "$violator" -i eth0 -d XXX.XXX.XXX.XXX -j REJECT
	fi
done
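The same detection logic written as a small parser, so the per-source count and the threshold decision can be tested against log lines. This is an added example, not the tool above or any Asterisk code; the log lines are constructed in the chan_sip 1.4 style, the PBX address is the page's XXX placeholder, and the allowlist is an addition (trusted addresses that must never be blocked).

```python
import re
from collections import Counter

# Constructed sample of an Asterisk chan_sip messages log (not a real capture). The
# wording varies between Asterisk versions, so the regex below keys on the stable parts.
_FMT = ("[Apr 10 12:00:%02d] NOTICE[2210] chan_sip.c: Registration from "
        "'\"%s\" <sip:%s@203.0.113.5>' failed for '%s' - Username/auth name mismatch")
_EVENTS = ([("100", "198.51.100.7")] * 12 + [("200", "203.0.113.9")] * 3
           + [("300", "192.0.2.10")] * 11)
SAMPLE_LOG = "\n".join(_FMT % (i, ext, ext, src) for i, (ext, src) in enumerate(_EVENTS))
# A different failure reason; like the shell tool, only Username/auth lines are counted.
SAMPLE_LOG += ("\n[Apr 10 12:01:00] NOTICE[2210] chan_sip.c: Registration from "
               "'\"100\" <sip:100@203.0.113.5>' failed for '203.0.113.9' - Wrong password")

# The source is logged as 'ip' or, in later versions, 'ip:port'; keep only the address.
FAILED_RE = re.compile(r"failed for '(?P<src>[^':]+)[^']*' - Username/auth")


def count_failures(log_text):
    """Tally Username/auth registration failures per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts


def offenders(counts, threshold=10, allowlist=()):
    """Addresses over the threshold, minus trusted ones so you cannot lock yourself out."""
    return sorted(ip for ip, n in counts.items() if n > threshold and ip not in allowlist)


def iptables_rules(ips, pbx_ip, iface="eth0"):
    """Build (but do not run) one REJECT rule per offender, in the shape the tool uses."""
    return ["iptables -A INPUT -s %s -i %s -d %s -j REJECT" % (ip, iface, pbx_ip)
            for ip in ips]


if __name__ == "__main__":
    hits = offenders(count_failures(SAMPLE_LOG), allowlist={"192.0.2.10"})
    for rule in iptables_rules(hits, "XXX.XXX.XXX.XXX"):
        print(rule)
```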

Discussion

See Also:

http://technology.guardian.co.uk/weekly/story/0,,2065092,00.html

Metadata