@ffossard,
The only openings I can see are on the Freebox side, since I enabled port-range forwarding:
10000-20000 udp => fixed internal IP of the Asterisk server
5060-5065 udp => fixed internal IP of the Asterisk server
My passwords are weak because I thought I was on a closed network.
I understand that it's enough to point at my WAN IP address. So the hacker "sees" Asterisk and addresses it from the outside. Brrrr!!!
@hb22,
I have all the logs. In particular /var/log/asterisk/messages = 216 MB!!!
@_AK_,
Indeed, I no longer believe it's a firmware problem, because I looked through my huge log history and found thousands of different attacks there going back to late 2008. Examples.
1st series
Code:
[Dec 2 08:53:40] NOTICE[8409] chan_sip.c: Registration from '"0"<sip:0@192.168.200.11>' failed for '81.66.127.231' - No matching peer found
[Dec 2 08:53:40] NOTICE[8409] chan_sip.c: Registration from '"1"<sip:1@192.168.200.11>' failed for '81.66.127.231' - No matching peer found
[Dec 2 08:53:40] NOTICE[8409] chan_sip.c: Registration from '"2"<sip:2@192.168.200.11>' failed for '81.66.127.231' - No matching peer found
[Dec 2 08:53:40] NOTICE[8409] chan_sip.c: Registration from '"3"<sip:3@192.168.200.11>' failed for '81.66.127.231' - No matching peer found
[Dec 2 08:53:40] NOTICE[8409] chan_sip.c: Registration from '"4"<sip:4@192.168.200.11>' failed for '81.66.127.231' - No matching peer found
[Dec 2 08:53:40] NOTICE[8409] chan_sip.c: Registration from '"5"<sip:5@192.168.200.11>' failed for '81.66.127.231' - No matching peer found
2nd series
Code:
[Aug 6 13:31:14] NOTICE[20977] chan_sip.c: Registration from '"foolish"<sip:foolish@78.240.176.140>' failed for '91.121.140.200' - No matching peer found
[Aug 6 13:31:14] NOTICE[20977] chan_sip.c: Registration from '"foolishl"<sip:foolishl@78.240.176.140>' failed for '91.121.140.200' - No matching peer found
[Aug 6 13:31:14] NOTICE[20977] chan_sip.c: Registration from '"foolishn"<sip:foolishn@78.240.176.140>' failed for '91.121.140.200' - No matching peer found
[Aug 6 13:31:14] NOTICE[20977] chan_sip.c: Registration from '"foolproo"<sip:foolproo@78.240.176.140>' failed for '91.121.140.200' - No matching peer found
[Aug 6 13:31:14] NOTICE[20977] chan_sip.c: Registration from '"fools"<sip:fools@78.240.176.140>' failed for '91.121.140.200' - No matching peer found
[Aug 6 13:31:14] NOTICE[20977] chan_sip.c: Registration from '"foonly"<sip:foonly@78.240.176.140>' failed for '91.121.140.200' - No matching peer found
[Aug 6 13:31:14] NOTICE[20977] chan_sip.c: Registration from '"foostar"<sip:foostar@78.240.176.140>' failed for '91.121.140.200' - No matching peer found
[Aug 6 13:31:14] NOTICE[20977] chan_sip.c: Registration from '"foot"<sip:foot@78.240.176.140>' failed for '91.121.140.200' - No matching peer found
[Aug 6 13:31:14] NOTICE[20977] chan_sip.c: Registration from '"footage"<sip:footage@78.240.176.140>' failed for '91.121.140.200' - No matching peer found
[Aug 6 13:31:14] NOTICE[20977] chan_sip.c: Registration from '"football"<sip:football@78.240.176.140>' failed for '91.121.140.200' - No matching peer found
3rd series (here he's scanning my internal extensions)
Code:
[Nov 17 05:43:18] NOTICE[27510] chan_sip.c: Registration from '"101" <sip:101@78.240.176.140>' failed for '188.165.211.195' - Wrong password
[Nov 17 05:43:18] NOTICE[27510] chan_sip.c: Registration from '"101" <sip:101@78.240.176.140>' failed for '188.165.211.195' - Wrong password
[Nov 17 05:43:18] NOTICE[27510] chan_sip.c: Registration from '"101" <sip:101@78.240.176.140>' failed for '188.165.211.195' - Wrong password
[Nov 17 05:43:18] NOTICE[27510] chan_sip.c: Registration from '"101" <sip:101@78.240.176.140>' failed for '188.165.211.195' - Wrong password
[Nov 17 05:43:18] NOTICE[27510] chan_sip.c: Registration from '"101" <sip:101@78.240.176.140>' failed for '188.165.211.195' - Wrong password
[Nov 17 05:43:18] NOTICE[27510] chan_sip.c: Registration from '"101" <sip:101@78.240.176.140>' failed for '188.165.211.195' - Wrong password
[Nov 17 05:43:28] NOTICE[27510] chan_sip.c: Registration from '"202" <sip:202@78.240.176.140>' failed for '188.165.211.195' - Wrong password
[Nov 17 05:43:28] NOTICE[27510] chan_sip.c: Registration from '"202" <sip:202@78.240.176.140>' failed for '188.165.211.195' - Wrong password
[Nov 17 05:43:28] NOTICE[27510] chan_sip.c: Registration from '"202" <sip:202@78.240.176.140>' failed for '188.165.211.195' - Wrong password
[Nov 17 05:43:28] NOTICE[27510] chan_sip.c: Registration from '"202" <sip:202@78.240.176.140>' failed for '188.165.211.195' - Wrong password
[Nov 17 05:43:28] NOTICE[27510] chan_sip.c: Registration from '"202" <sip:202@78.240.176.140>' failed for '188.165.211.195' - Wrong password
[Nov 17 05:43:28] NOTICE[27510] chan_sip.c: Registration from '"202" <sip:202@78.240.176.140>' failed for '188.165.211.195' - Wrong password
[Nov 17 05:43:28] NOTICE[27510] chan_sip.c: Registration from '"202" <sip:202@78.240.176.140>' failed for '188.165.211.195' - Wrong password
Oddly, I can't find anything matching this extract from the Free bill (I assume the intrusion happened earlier):
Code:
21/11/10  13:35  00:27:24  0034902733170  Espagne - Mobile  5.206
21/11/10  14:10  00:42:29  0034902733170  Espagne - Mobile  8.072
In the end, I'm going to secure Asterisk as follows:
1) Blocking the scans via fastm3's recipe (under test, a few issues with the VoIP providers' register).
2) Fail2ban
3) Changing all the passwords and choosing more robust ones.
4) A script that sends an email (or even blocks Asterisk) after xx calls in 1 hour. (If you have examples, I'm interested ;-)
My questions for tonight:
A) Some consider the machine at risk and advise formatting/reinstalling everything (rootkit risk). What do you think?
B) Do you consider the machine 100% protected from external attacks by applying 1) and 2)? If not, why?
C) If 1) is correct, 2) is useless, isn't it?
D) Do you have any remarks or advice on my hardening plan?
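As an added example (not code from the thread's poster), here is a small Python detector for the chan_sip registration failures quoted above: it parses those NOTICE lines, counts failures per source IP inside a sliding time window (the threshold idea behind point 4 and behind fail2ban), and distinguishes extension enumeration ("No matching peer found") from password guessing against existing extensions ("Wrong password"). The log year, the sample IPs and the threshold values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# chan_sip NOTICE lines as quoted in the thread; the space before <sip:...> is optional (both forms appear)
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '\"(?P<user>[^\"]*)\"\s*<sip:[^>]*>' failed for "
    r"'(?P<ip>[\d.]+)' - (?P<reason>.+)$")

def parse_line(line, year=2010):
    m = LINE_RE.match(line)
    if not m:
        return None  # other message types are ignored
    # Asterisk logs no year, so the caller supplies one (2010 is an assumed default)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "reason": m["reason"]}

def detect(lines, threshold=5, window_s=60, year=2010):
    """{ip: summary} for each source IP with >= threshold failures in window_s."""
    by_ip = defaultdict(list)
    for ev in filter(None, (parse_line(ln, year) for ln in lines)):
        by_ip[ev["ip"]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0  # sliding window: evs[start..end] all lie within window_s
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {"count": len(evs),
                              "users": sorted({e["user"] for e in evs}),
                              "reasons": sorted({e["reason"] for e in evs})}
                break
    return alerts

def classify(summary):
    # 'Wrong password' means the extension exists: password guessing, not a scan.
    if "Wrong password" in summary["reasons"]:
        return "password guessing against existing extension(s)"
    return "extension enumeration (no matching peer)"

def _line(ts, user, ip, reason):  # builds one constructed sample line
    return (f"[{ts}] NOTICE[27510] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@198.51.100.7>' failed for '{ip}' - {reason}")
# Constructed sample log using documentation-range IPs, not the thread's.
SAMPLE_LOG = ([_line("Nov 17 05:43:18", "101", "203.0.113.5", "Wrong password")] * 6
              + [_line("Nov 17 05:50:00", u, "198.51.100.200", "No matching peer found")
                 for u in ("foolish", "fools", "foot")])
```

Feeding the real /var/log/asterisk/messages through `detect()` gives the per-IP summary a mail or block script can act on; with the default threshold only the six-failure source fires, while lowering it to 3 also flags the three-name dictionary walk.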