TEAMFORREST

Asterisk, VoIP, and IT Consulting

Archive for the ‘security’ tag

Automatically Block Failed SIP Peer Registrations


Previously we posted a little script for quickly checking your Asterisk log for failed peer registrations. Building on that script, and with the use of iptables and cron, you can easily (and automatically) block flooding traffic from your system. Iptables, a Linux command-line program for filtering IP traffic, provides high-level packet filtering that drops traffic before it can reach, and be used against, a program. Cron, the Linux time scheduler, enables you to automatically run commands at scheduled time periods.

Set up IP Tables

We will not be discussing the intricacies of iptables in this post. There are excellent tutorials on iptables, and as with most things Linux, help is only a Google search away. To help identify the blocked traffic as Asterisk related, a new chain will be created, appropriately called… asterisk.

Here’s how to add the new chain:

iptables -N asterisk
iptables -A INPUT -j asterisk
iptables -A FORWARD -j asterisk

This will help identify hosts blocked for failed registrations.

Asterisk’s Log for Failed Registrations

In most cases of a SIP flood attack, the host attempts registration to Asterisk. These hosts are identified in the Asterisk log (/var/log/messages) as “No matching peer found.” The following Perl script scans /var/log/messages for these patterns, extracts the IP address, and puts the IP address into an array.

After the file has been read, the IP addresses are counted (each count is a failed attempt), compared against the existing blocked hosts, and new occurrences are blocked. With this script we are blocking any host after the 4th failed attempt.

Here’s the script (last updated 21 APR 2010):

#!/usr/bin/perl
use strict;
use warnings;

my $threshold = 4;    # block a host once it has this many failed attempts
my @failhost;
my %currblocked;
my %addblocked;

open(my $log, '<', '/var/log/asterisk/messages')
	or die "\n$!\nDoes the log file exist?\n\n";

# Collect the source address of every failed registration.
# Only a dotted quad is accepted, because the value is later handed to iptables.
while (my $line = <$log>) {
	chomp($line);
	if ($line =~ m/' failed for '(\d{1,3}(?:\.\d{1,3}){3})' - No matching peer found/) {
		push(@failhost, $1);
	}
}
close($log);

# Read the hosts already listed in the asterisk chain.
my $blockedhosts = `/sbin/iptables -n -L asterisk`;

foreach my $line2 (split /\n/, $blockedhosts) {
	if ($line2 =~ m/(\d+\.\d+\.\d+\.\d+)\s+/) {
		$currblocked{$1} = 'blocked';
	}
}

# Print the hosts that are currently blocked.
foreach my $key (keys %currblocked) {
	print "$key\n";
}

if (@failhost) {
	count_unique(@failhost);
	foreach my $ip (sort keys %addblocked) {
		my $count = $addblocked{$ip};
		if (exists $currblocked{$ip}) {
			print "$ip already blocked\n";
		} elsif ($count >= $threshold) {
			# The list form of system() runs iptables without going through a shell.
			system('/sbin/iptables', '-I', 'asterisk', '-s', $ip, '-j', 'DROP');
			print "$ip blocked. $count attempts.\n";
		}
	}
} else {
	print "no failed registrations.\n";
}

# Count how many times each address appears in the list.
sub count_unique {
	my @array = @_;
	my %count;
	$count{$_}++ for @array;
	$addblocked{$_} = $count{$_} for keys %count;
}

Schedule the script with cron

The final step is to schedule your script to run every X minutes in cron. We’ve chosen to run our script every 2 minutes, but you can change this to 1 minute or any other time period you choose. Just remember… you can receive thousands of attempts within 2 minutes.

If you have named your script check-failed-regs.pl and placed it in your /usr/local/bin directory, your cron statement would look like this:

*/2 * * * * perl /usr/local/bin/check-failed-regs.pl > /dev/null 2>&1
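
Before handing the script to cron, it helps to see what a run would block. The following is an added example, not Team Forrest's script: a shell dry run of the same decision (count failures per source, apply the threshold of 4, skip hosts already in the asterisk chain) that only prints the iptables commands. The function names, sample log lines and addresses are constructed for illustration.

```shell
# Added example (not Team Forrest's script): dry run of the blocking decision.
# plan_blocks LOGFILE RULESFILE THRESHOLD; RULESFILE = saved `iptables -n -L asterisk`
plan_blocks() {
    awk -v rules="$2" -v threshold="$3" -v q="'" '
        # Accept only a dotted quad whose octets are all 0-255.
        function valid_ip(ip,    o, n, i) {
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
            n = split(ip, o, ".")
            for (i = 1; i <= n; i++) if (o[i] + 0 > 255) return 0
            return 1
        }
        # Rules listing: field 4 of a DROP line is the source address.
        FILENAME == rules { if ($1 == "DROP") blocked[$4] = 1; next }
        # Log: keep only what sits between the last "failed for" and the fixed
        # suffix; the From value earlier in the line is set by the remote side.
        $0 ~ (q " - No matching peer found$") {
            ip = $0
            sub(q " - No matching peer found$", "", ip)
            sub("^.*" q " failed for " q, "", ip)
            if (valid_ip(ip)) count[ip]++
        }
        END {
            for (ip in count) if (count[ip] >= threshold && !(ip in blocked))
                print "/sbin/iptables -I asterisk -s " ip " -j DROP  # " count[ip] " attempts"
        }
    ' "$2" "$1" | sort
}

# fail COUNT ADDRESS: emit COUNT constructed log lines for ADDRESS.
fail() {
    n=0
    while [ "$n" -lt "$1" ]; do
        printf '%s\n' "[Apr 13 12:50:01] NOTICE[2345] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '$2' - No matching peer found"
        n=$((n + 1))
    done
}

# Constructed sample data (documentation address ranges, not real hosts).
demo() {
    dir=$(mktemp -d) || return 1
    { fail 5 198.51.100.7; fail 2 203.0.113.9; fail 6 192.0.2.44
      fail 9 198.51.100.999; } > "$dir/messages"
    printf '%s\n' 'Chain asterisk (2 references)' \
        'target     prot opt source               destination' \
        'DROP       all  --  192.0.2.44           0.0.0.0/0' > "$dir/rules"
    plan_blocks "$dir/messages" "$dir/rules" "${1:-4}"
    rm -rf "$dir"
}
demo
```

With the sample data, only 198.51.100.7 is proposed for blocking: 203.0.113.9 is under the threshold, 192.0.2.44 is already in the chain, and the malformed address is rejected.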

Questions? Comments? We love feedback. Or, contact us for more information.

Written by Team Forrest

April 13th, 2010 at 12:54 pm

Perl Script for Asterisk Failed Peer Registrations


I guess this might be better titled as the Quick and Dirty Perl Script… but here we go:

#!/usr/bin/perl
use strict;
use warnings;

my @failhost;

# The log file name (e.g. messages or messages.1) is the first argument.
die "usage: $0 <log file name>\n" unless @ARGV;
my $logname = $ARGV[0];

open(my $log, '<', "/var/log/asterisk/$logname")
	or die "\n$!\nDoes the log file exist?\n\n";

# Collect the source address of every failed registration.
while (my $line = <$log>) {
	chomp($line);
	if ($line =~ m/' failed for '(.*?)' - No matching peer found/) {
		push(@failhost, $1);
	}
}
close($log);

if (@failhost) {
	count_unique(@failhost);
} else {
	print "no failed registrations.\n";
}

# Count the attempts per host and print them out.
sub count_unique {
	my @array = @_;
	my %count;
	$count{$_}++ for @array;
	print "$_ = $count{$_}\n" for sort keys %count;
}

And while we duck from @Merlyn’s criticisms (although we love his criticism), the basic usage is:

perl [Whatever you named it].pl messages
or perl [Whatever you named it].pl messages.1

Results look like:

184.73.53.22 = 13586
64.76.45.100 = 9895
78.46.87.14 = 9960

Or “no failed registrations.” if you have no failed attempts.

Written by Team Forrest

April 12th, 2010 at 6:46 pm

Vulnerability Assessment and Scans


Vulnerability scanning and assessment identifies security risks within your network. Team Forrest highly recommends proactive, routine scanning to help assess, react, and improve your network security.

Utilizing a variety of techniques, applications, and tools, Team Forrest remotely examines your network over the public Internet. Identified weaknesses and vulnerabilities are assessed for risk and detailed, with recommendations, to the customer.

What is a Vulnerability Scan?

A vulnerability scan assesses computer systems, networks, and applications for weaknesses. Vulnerability Scans are recommended (and may be required) for any business conducting e-commerce, hosting a server with a publicly accessible IP Address, or allowing remote access to company assets. Team Forrest recommends a comprehensive scan, including:

  1. Checking for vulnerabilities of remote systems
  2. Checking for misconfiguration of remote systems, software, and services
  3. Checking commonly used passwords
  4. Checking Denial of Service sensitivity
  5. Checking for Web Vulnerability (such as SQL Injection)

How does a Vulnerability Assessment Work?

Team Forrest performs the scan remotely, accessing your network over the Public Internet. There is nothing for you to do and no software will need to be installed. Our servers will simply assess your network remotely.

Once the scan completes, Team Forrest provides a detailed assessment including identified risks and vulnerabilities, as well as their severity level. Team Forrest also provides recommendations and assists in correcting any identified flaws or vulnerabilities.

For more information on a Team Forrest Vulnerability Scan / Assessment, please call 888-295-0025 or contact us for details.

Written by Team Forrest

March 25th, 2010 at 1:02 am

Firefox 3.6.2 Corrects Vulnerability


If you’re running Firefox 3.6, Mozilla strongly recommends you update to version 3.6.2. The new version corrects a critical security hole allowing an attacker to crash your browser and/or run arbitrary code on your machine.

For more information, check out the post at VoIP Tech Chat.

Written by Team Forrest

March 23rd, 2010 at 12:27 pm

Posted in security


Zero-day Flaw in Firefox 3.5

Update: On 7/16/2009, Firefox released version 3.5.1 to address the issue. Read the update below!

Mozilla.com released details today on a critical JavaScript vulnerability in the latest version of the popular Firefox 3.5 Web Browser. The vulnerability allows execution of code on the client (or target) system simply by visiting a website.

No patch is currently available for the flaw, and several organizations (such as Secunia, the SANS Institute, and the United States Computer Emergency Response Team) are recommending the complete disabling of JavaScript in Firefox (see below). Additionally, the SANS Institute is recommending the use of the NoScript Firefox plugin (which enables JavaScript only from white-listed sites).

Additional information:

How to Disable the JavaScript Engine in Firefox:

  1. Enter about:config in the browser’s location bar.
  2. Type jit in the Filter box at the top of the config editor.
  3. Double-click the line containing javascript.options.jit.content, setting the value to false.

Mozilla advises that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure. Once users have received the security update containing the fix for this issue, they should restore the JIT by repeating the process above and setting the javascript.options.jit.content value to true.

Update — 7/16/2009

Firefox has introduced version 3.5.1 to address the security risk, as posted on their developer blog:

Firefox 3.5.1 update is now available for download

As part of the Mozilla Corporation’s ongoing security and stability process, Firefox 3.5.1 is now available for Windows, Mac, and Linux users as a free download from www.firefox.com.

We strongly recommend that all Firefox 3.5 users upgrade to this latest release. If you already have Firefox 3.5, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting “Check for Updates…” from the Help menu.

For a list of changes and more information, please see the Firefox 3.5.1 release notes.

Please note: If you’re still using Firefox 2.0.0.x, this version is no longer supported and contains known security vulnerabilities. Please upgrade to Firefox 3.5 by downloading Firefox 3.5.1 from www.firefox.com.

This entry was posted by beltzner on Thursday, July 16th, 2009 at 6:34 pm.

Written by Team Forrest

July 15th, 2009 at 12:57 pm

Posted in security


Asterisk Consulting Services


Asterisk is a registered trademark of Digium

Team Forrest offers Asterisk Consulting Services for a wide variety of VoIP, Call Center, and other Telephony Based needs. From small, family business to large Corporations, Team Forrest’s simple philosophy of “Help the Client” ensures we provide great service to meet your needs.

Asterisk Consulting

From carrier services to traditional PBX services, Team Forrest’s Asterisk Consulting Service provides you the solution you need. Services include:

  • IVR Development
  • Custom AGI Scripting / Programming
  • OpenSER Integration
  • Calling Card Systems
  • Call Center / Sales Queue Development
  • Call Recording (call spying, call barging, whisper, etc.)
  • Database Integration (Microsoft SQL MSSQL, MySQL, Oracle, etc.)
  • Custom Solutions

Emergency Asterisk Support

When a problem comes along, we provide 24/7 Emergency Support to bring your system back to life. Both new and existing clients benefit from our immediate support response.

For immediate support please contact us or call +1 (212) 937-7844.

Remote and Onsite Support

Team Forrest offers immediate remote assistance across the globe. Local, onsite service is also available, with quick response to Michigan, Florida, and New York locations.

Asterisk? Ask us.

With Team Forrest, you get professional consulting at a great price — increased productivity at a lower cost. To see how Team Forrest can help improve your communication needs, contact us. We enjoy talking with clients and look forward to seeing how we can help you.

Asterisk, developed and released by Digium, Inc., is the world’s leading open source telephony engine and tool kit. Asterisk empowers communication with its flexibility. Whether working as a simple office telephone system, a robust Call Center platform, or anything in-between, Asterisk provides advanced features at a very low deployment cost. Asterisk is released as open source under the GNU General Public License (GPL), and it is available for download free of charge. Asterisk is the most popular open source software available, with the Asterisk Community being the top influencer in VoIP.

Written by Team Forrest

June 16th, 2009 at 8:38 am

Asterisk Security Advisory AST-2009-002


Digium announced today a Remote Crash Vulnerability in the SIP Channel Driver affecting recent versions of Asterisk 1.4 and 1.6 branches. The full Advisory can be read directly from the Asterisk Project Security Advisory:

Description: When configured with pedantic=yes the SIP channel driver performs extra request URI checking on an INVITE received as a result of a SIP spiral. As part of this extra checking the headers from the outgoing SIP INVITE sent and the received SIP INVITE are compared. The code incorrectly assumes that the string for each header passed in will be non-NULL in all cases. This is incorrect because if no headers are present the value passed in will be NULL.

The values passed into the code are now checked to be non-NULL before being compared.

Resolution: Upgrade to revision 174082 of the 1.4 branch, 174085 of the 1.6.0 branch, 174086 of the 1.6.1 branch, or one of the releases noted below.

The pedantic option in the SIP channel driver can also be turned off to prevent this issue from occurring.

Affected Versions

1.4.x (Versions 1.4.22, 1.4.23, 1.4.23.1)
1.6.0.x (All versions prior to 1.6.0.6)
1.6.1.x (All versions prior to 1.6.1.0-rc2)
C.x.x (Only version C.2.3)

If you need assistance in updating or reviewing your Asterisk installation, please contact Team Forrest today.

Written by Team Forrest

March 10th, 2009 at 3:52 pm

Posted in VoIP


Asterisk Security Advisory

Digium, the makers of Asterisk, announced today a new release of the Asterisk Telephony Software. The updated software contains a security release affecting all previously released versions of the software. It is recommended that you make sure you have upgraded to the most current version of this software, available for free from Digium.

The announcement issued follows:

The Asterisk.org development team has announced the release of Asterisk 1.2.31.1, 1.4.22.2, 1.4.23.1, and 1.6.0.5. These releases are available for immediate download from http://downloads.digium.com/.

This update for Asterisk includes a security fix for chan_iax2. Please see the associated security advisory for more details:

http://downloads.digium.com/pub/security/AST-2009-001.html

These updates are a fix to a previous security release (released as versions 1.2.31, 1.4.22.1, and 1.6.0.3).

The new versions are being released after additional testing revealed some issues with the way that scanning for users was blocked. Those issues have been corrected in this release.

This security issue affects the 1.2, 1.4, and 1.6 series of Asterisk.

Also note, that Asterisk 1.6.0.4-rc1 was released yesterday prior to the security update. That release has been removed as there will be no 1.6.0.4 release, but rather will be reincarnated as 1.6.0.6-rc1. The reason for the dead release is to avoid 5 digit release numbers.

ChangeLogs for the various releases are available at:

http://downloads.digium.com/pub/asterisk/ChangeLog-1.2.31.1

http://downloads.digium.com/pub/asterisk/ChangeLog-1.4.22.2

http://downloads.digium.com/pub/asterisk/ChangeLog-1.4.23.1

http://downloads.digium.com/pub/asterisk/ChangeLog-1.6.0.5

Thank you for your continued support of Asterisk!

If you would like assistance with upgrading your software, or simply would like us to verify which version you are using, please contact Team Forrest today. We will be glad to assist you.

Written by Team Forrest

January 23rd, 2009 at 6:24 pm

Posted in VoIP


FBI and Asterisk Security? Relax, Breathe, and Read

Recently, the FBI issued an advisory warning users that Asterisk (the open source VoIP / PBX software) could be compromised and then used in vishing attacks. First, if you are running an old version of Asterisk, you should upgrade to the newer one. Any Team Forrest client that is concerned should contact helpme@teamforrest.com for a free evaluation. If you’re not a Team Forrest client, email, call, or contact us to check your platform for you, free of charge.

Secondly, don’t worry. From what we can tell, this is an old bug fixed in March of 2008. But, as always, you should run the most recent stable version of Asterisk. Not for the FBI warning; but mostly because it resolves other issues discovered. The nature of software is to find, fix, and update. Not a big deal. Again, if you’re concerned, contact Team Forrest today for a free evaluation.

For more info, please check out:

Asterisk (created and maintained by Digium) is free, open source software provided under the GNU General Public License (GPL). Asterisk is the most popular open source VoIP software available, with the Asterisk Community being the top influencer in VoIP.

Written by Team Forrest

December 8th, 2008 at 4:03 pm

Posted in VoIP

University of Florida Security Breach

A compromised University of Florida server allowed access to more than 300,000 patient records. The records contained information such as birth dates, names, addresses, and social security numbers. Not a great example for corporate America. Let’s learn from their mistake.

Written by Team Forrest

November 12th, 2008 at 12:37 pm

Posted in VoIP
