
Protecting Asterisk, or the Cuban epidemic

Recently a large wave of Asterisk break-ins has started, followed by calls to Cuba routed through the compromised servers.
Since a minute of a call to Cuba costs on average $1, the consequences can be grim: in 17 hours one of the trunks had its balance driven down to -$8000.
The scheme works like this:
  1. The network is scanned for Asterisk servers.
  2. The server's list of peers is enumerated.
  3. The peers' passwords are brute-forced.
  4. The compromised account is added to a system that rotates through trunks when placing calls.
  5. A large number of Cubans then make their calls through this system.


If you buy access to such a system and place a call, the delay before the ringback tone makes it clear that a huge number of hacked Asterisk servers are involved in the scheme.

Peer enumeration


Peer enumeration uses the method implemented in SIPVicious: the scanner tries peer names one after another and analyses Asterisk's reply to each attempt. For example: ./svwar.py sip.somewhere
| Extension | Authentication |
-------------------------------
| 607 | reqauth |
| 606 | reqauth |
| 601 | reqauth |
| 600 | reqauth |
| 300 | reqauth |
| 900 | reqauth |
| 100 | reqauth |

To stop this, set alwaysauthreject=yes in the [general] section of sip.conf: Asterisk will then answer every failed registration with 401 Unauthorized, whether or not the peer exists, so the scanner can no longer tell real peers from made-up ones by the response.
After that, the same server answers the scan with 401 and the tool gives up with an error:
./svwar.py sip.somewhere
ERROR:TakeASip:SIP server replied with an authentication request for an unknown extension. Set --force to force a scan.
WARNING:root:found nothing
With --force the scan still runs, but every extension now looks identical, so it reveals nothing.
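To make the mechanism concrete, here is an added example (not code from the article, not from SIPVicious or Asterisk) that simulates both sides of the exchange: a scanner that builds unauthenticated REGISTER requests and reads the reply, and a stand-in for chan_sip that answers 404 Not Found for unknown peers and 401 Unauthorized for known ones, or 401 for everything when alwaysauthreject is on. Host names, IP addresses and the peer list are constructed sample data; the assumption is that only the status line matters to the scanner, which is the one behaviour modelled.

```python
"""Added example: why svwar-style peer enumeration works, and why
alwaysauthreject=yes defeats it. Both the scanner and the "Asterisk" here
are simulations written for this page; only the REGISTER status line is
modelled. Peer names, hosts and addresses are constructed sample data."""
import random
import uuid


def build_register(ext: str, host: str = "sip.example.invalid") -> str:
    """Minimal unauthenticated SIP REGISTER, as an enumeration scanner sends it."""
    return (
        f"REGISTER sip:{host} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK{uuid.uuid4().hex[:8]}\r\n"
        f"From: <sip:{ext}@{host}>;tag={uuid.uuid4().hex[:8]}\r\n"
        f"To: <sip:{ext}@{host}>\r\n"
        f"Call-ID: {uuid.uuid4().hex}@192.0.2.10\r\n"
        "CSeq: 1 REGISTER\r\n"
        f"Contact: <sip:{ext}@192.0.2.10>\r\n"
        "Content-Length: 0\r\n\r\n"
    )


class FakeAsterisk:
    """Stand-in for chan_sip REGISTER handling (assumption: status line only)."""

    def __init__(self, peers, alwaysauthreject: bool):
        self.peers = set(peers)
        self.alwaysauthreject = alwaysauthreject

    def handle(self, request: str) -> str:
        # Pull the user part out of the To: header.
        to_line = next(l for l in request.split("\r\n") if l.startswith("To:"))
        ext = to_line.split("sip:", 1)[1].split("@", 1)[0]
        if ext in self.peers or self.alwaysauthreject:
            # Known peer (or alwaysauthreject=yes): challenge for credentials.
            return ("SIP/2.0 401 Unauthorized\r\n"
                    'WWW-Authenticate: Digest realm="asterisk", nonce="0123abcd"\r\n'
                    "Content-Length: 0\r\n\r\n")
        # Unknown peer with alwaysauthreject=no: the response is the oracle.
        return "SIP/2.0 404 Not Found\r\nContent-Length: 0\r\n\r\n"


def status_code(response: str) -> int:
    return int(response.split(" ", 2)[1])


def classify(code: int) -> str:
    """svwar's reading of a REGISTER reply: an auth challenge means the peer
    exists, 404 means it does not, anything else is unexpected."""
    if code in (401, 407):
        return "reqauth"
    if code == 404:
        return "absent"
    return "weird"


def enumerate_peers(send, candidates):
    """Probe each candidate. Like svwar, first send a canary extension that
    should not exist; if even that is challenged the server is no oracle."""
    canary = "9" + "".join(random.choice("0123456789") for _ in range(7))
    if classify(status_code(send(build_register(canary)))) == "reqauth":
        raise RuntimeError("server replied with an authentication request "
                           "for an unknown extension")
    return [e for e in candidates
            if classify(status_code(send(build_register(e)))) == "reqauth"]


def scan(alwaysauthreject: bool):
    """Scan a fake server holding the article's peer list. Returns the found
    extensions, or the error text when the server rejects uniformly."""
    server = FakeAsterisk({"100", "300", "600", "601", "606", "607", "900"},
                          alwaysauthreject)
    candidates = [str(n) for n in range(100, 1000)]
    try:
        return enumerate_peers(server.handle, candidates)
    except RuntimeError as exc:
        return f"ERROR: {exc}"


if __name__ == "__main__":
    print("alwaysauthreject=no :", scan(False))
    print("alwaysauthreject=yes:", scan(True))
```

The point the simulation makes is that the leak is not in the scanner but in the two distinguishable replies; once both code paths answer 401, the 900 probes above tell the attacker nothing, which is exactly why svwar refuses to continue.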

The Cuban problem


If your subscribers have no reason to call Cuba, close that destination in extensions.conf. Note that these patterns only match what actually reaches the dialplan: if your phones send international numbers with a 00, 8-10 or + prefix, add matching patterns for those forms as well.
For example:
;cuba
exten => _53.,1,Answer()
exten => _53.,n,PlayBack(vm-goodbye)
exten => _53.,n,Hangup()
;somali
exten => _252.,1,Answer()
exten => _252.,n,PlayBack(vm-goodbye)
exten => _252.,n,Hangup()

Of course, you could simply Hangup right away, but answering and playing the message first means our server has to be removed from the attackers' automated system by hand, which is good news for us.
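To check what the _53. and _252. patterns really catch, here is an added example (not from the article or from Asterisk itself): a small re-implementation of Asterisk dialplan pattern matching covering the subset used day to day (the _ prefix, X, Z, N, [sets], a trailing . for one or more characters and ! for zero or more), run over constructed dialled strings. The extra patterns in EXTENDED_BLOCK are an assumption about how international numbers may arrive at a PBX in this setting (00 prefix, 8-10 prefix, E.164 with +); adjust them to what your phones actually send.

```python
"""Added example: Asterisk dialplan pattern matching, re-implemented here to
audit the block list from the article. Patterns and dialled numbers below
are constructed sample data; the prefix patterns are an assumption."""


def pattern_matches(pattern: str, dialled: str) -> bool:
    """Return True if `dialled` matches an Asterisk extension or pattern."""
    if not pattern.startswith("_"):
        return pattern == dialled            # literal extension: exact match
    pat = pattern[1:]
    i = j = 0
    while i < len(pat):
        c = pat[i]
        if c == ".":                          # one or more of anything, last
            return j < len(dialled)
        if c == "!":                          # zero or more of anything
            return True
        if j >= len(dialled):                 # pattern longer than the number
            return False
        d = dialled[j]
        if c in "Xx":
            ok = d.isdigit()                  # X = 0-9
        elif c in "Zz":
            ok = d in "123456789"             # Z = 1-9
        elif c in "Nn":
            ok = d in "23456789"              # N = 2-9
        elif c == "[":
            end = pat.index("]", i)
            ok = _in_set(pat[i + 1:end], d)   # [15-7] style set
            i = end
        else:
            ok = (c == d)                     # literal digit, + or *
        if not ok:
            return False
        i += 1
        j += 1
    return j == len(dialled)


def _in_set(body: str, d: str) -> bool:
    """Test `d` against a [..] body such as '15-7' (chars and ranges)."""
    k = 0
    while k < len(body):
        if k + 2 < len(body) and body[k + 1] == "-":
            if body[k] <= d <= body[k + 2]:
                return True
            k += 3
        else:
            if body[k] == d:
                return True
            k += 1
    return False


# The article's block list as written: bare country code only.
ARTICLE_BLOCK = ["_53.", "_252."]

# Assumed extension: the same destinations dialled with a 00 prefix, the
# 8-10 international prefix, or as an E.164 number with '+'.
EXTENDED_BLOCK = ARTICLE_BLOCK + [
    "_0053.", "_00252.",
    "_81053.", "_810252.",
    "_+53.", "_+252.",
]


def is_blocked(dialled: str, block_list=EXTENDED_BLOCK) -> bool:
    return any(pattern_matches(p, dialled) for p in block_list)


def audit(block_list, numbers):
    """Return the numbers in `numbers` that slip past `block_list`."""
    return [n for n in numbers if not is_blocked(n, block_list)]


if __name__ == "__main__":
    probes = ["53997970", "0053997970", "81053997970", "+53997970",
              "252612345678"]
    print("leaks with article patterns :", audit(ARTICLE_BLOCK, probes))
    print("leaks with extended patterns:", audit(EXTENDED_BLOCK, probes))
```

Run against the sample numbers, the article's two patterns let the 00, 8-10 and + forms through; whether that matters on your PBX depends on which of those forms your phones and trunks actually deliver to the dialplan.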

PS To check that you have set up the rejection of calls to Cuba correctly, you can try calling +53997970. It is a military base and an answering machine always picks up.


Source: https://habr.com/ru/post/103341/
