Attention! hackers attack! please help

n2a1ce

1. Brekeke Product Name and version: 2.4.7.0

2. Java version: 6. 22

3. OS type and the version: ubuntu 10.04

4. UA (phone), gateway or other hardware/software involved:
audiocodes mp118, sip-phones

5. Select your network pattern from http://www.brekeke-sip.com/bbs/network/networkpatterns.html :

6. Your problem:HELP! on my PBX were registered users (hackers), although theirs accounts were not registered on the PBX. how can I avoid this next time.

n2a1ce · Posted: Thu Feb 24, 2011 5:39 am Post subject:

Haddas · Brekeke Guru Joined: 17 Jan 2008 Posts: 170

http://wiki.brekeke.com/wiki/How-to-Protect-SIP-system-from-SIP-Attack
http://wiki.brekeke.com/wiki/Avoid-attacks
http://wiki.brekeke.com/wiki/Security

Haddas · Brekeke Guru Joined: 17 Jan 2008 Posts: 170

From your screen-shots, an attacker is using the tool called "friendly-scanner".

Enable the REGISTER/INVITE authentication immediately.

Also add the following DialPlan rule.

Matching Patterns

User-Agent = friendly-scanner|sundayddr

Deploy Patterns

$response = 603

rachel · Posted: Thu Mar 31, 2011 12:04 pm Post subject:

Hi,
I am researching on this security issue and see that sipvicious states that the user agent is now "Asterisk PBX" instead of "friendly-scanner". When I look into my log, I see both of these names in there. Should I use the same method to block "Asterisk PBX" as well?
Also, Could you please show me how to change the admin user name?

I follow the instruction in the Section 8 Security to make this dial plan but it's not working. Could you please let me know why?

$request=^INVITE
$port=(.+)
$addr=(.+)
$registeredaddr(From)=!%1:%2

$action=403

Thank you,

taitan · Brekeke Master Guru Joined: 15 Mar 2008 Posts: 237

Use "$registeredsender".
http://wiki.brekeke.com/wiki/Reject-non-registered-callers-call