Asterisk Pseudo Toll Fraud Detection
So I was bored in a teleconference and re-did something I started a while back. Are you all watching your logs? Do you know who's connecting or at least trying to connect to you? Do you have implicit firewall rules stating who can and who can't connect to your PBX?
Since I do a lot of trunks on a carrier level as well as have a slew of managed boxes, it becomes difficult creating all-inclusive rules, especially when my clients have remote workers. So what's the next best thing in order to stop them? Well, you could go with Snort and butcher up some insane rule, or OSSEC, which means the same amount of butchering... Or you can go right to the source: Asterisk and good old-fashioned systems administration.
This can be saved as whatever you'd like to save it as. I called it splinter because I wanted to splinter from this boring conference call... You can call it from cron to run as often as you'd like. Again, because of my environment I have a tweaked variation of this that checks every 5 minutes and blocks out offenders for an hour.
If someone hasn't called me to complain, they will remain blocked. The way I see things, you had ample opportunity to call me complaining you couldn't get your SIP phone or ATA to register. Take a good look at the script: it's simple, no voodoo magic/metrics/marketing. Pure simple systems administration. Change the email address (obviously) so you can get an alert on any new blocks. Double check to make sure this doesn't overlap any iptables rules you may already have in place.
# Splinter.sh
# J. Oquendo / sil@{tormenting||infiltrated}.net
# Pseudo Toll Fraud Blocker
#
# Monitors Asterisk's messages for errors associated
# with usernames and passwords. Its purpose is to stop
# (via iptables) someone from compromising an account
# on your Asterisk server.
# Let's be realistic, if someone hasn't figured out
# they have an issue with their registration and contacted
# an administrator after say 50 attempts... There is
# no reason to keep allowing multiple registration attempts.
splinter=`basename $0`
TMPFILE=`mktemp /tmp/${splinter}.XXXXXX` || exit 1
messages=/var/log/asterisk/messages
# Your own address(es), space separated: never blocked,
# no matter how many failures they rack up
whitelist=69.132.178.76
# Check messages file for wrong password
# sort them uniquely and remove letters
# leaving only IP addresses placing them
# in a temporary file (the [a-z] pattern is
# quoted so the shell cannot expand it as a glob)
tail -n 5000 $messages|\
awk '/Wrong password/{print $10}'|\
sed 's:'\''::g'|sort -u|grep -vi '[a-z]' >> $TMPFILE
# Go through this temp file, re-sort the
# potential offender, check how many times
# they tried to unsuccessfully register
# if over 50 times, block them
for i in `cat $TMPFILE`
do
    # Fixed-string, whole-word match so that the dots are
    # not "any character" and 10.1.1.1 does not also count
    # every line for 10.1.1.10
    count=`grep -cFw "$i" $messages`
    if [ "$count" -gt 50 ]
    then
        # Skip our own address(es)
        echo "$whitelist"|grep -Fqw "$i" && continue
        for proto in udp tcp
        do
            # Only add the rule if it is not already there, so a
            # cron run every 5 minutes does not stack duplicates
            # (iptables -C needs iptables 1.4.11 or newer)
            iptables -C INPUT -s $i -p $proto --dport 5060:5061 -j REJECT --reject-with icmp-host-prohibited 2>/dev/null ||
            iptables -A INPUT -s $i -p $proto --dport 5060:5061 -j REJECT --reject-with icmp-host-prohibited
        done
        printf '%s has been blocked from connecting to us\n' "$i"|mail -s "Asterisk Blocks" youremail@address-here.com
    fi
done
rm -f $TMPFILE
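An added example, not splinter.sh and not the author's code: the same detection broken into shell functions that can be checked offline against a constructed log excerpt, plus the timestamped state file that the five-minute, one-hour-expiry cron variation mentioned above needs. It differs from the script in three ways: the address is taken from the "failed for '...'" field of the "Wrong password" line itself, so unrelated log lines that mention the address are never counted; a rule that already exists is not added again and whitelisted addresses are never blocked; and each block is recorded with an epoch timestamp so it can be lifted after BLOCK_SECONDS. The log line shape (chan_sip, Asterisk 1.4/1.6 era, optional :port), the 203.0.113.5 whitelist entry and the RFC 5737 addresses in the sample are assumptions.

```shell
#!/bin/sh
# Added example, not the original splinter.sh. Counts failed SIP
# registrations per source address in Asterisk's messages log and turns
# the offenders into iptables rules, with a whitelist, idempotent rules
# and a state file that lets blocks expire after BLOCK_SECONDS.
# Assumed log line shape (chan_sip, Asterisk 1.4/1.6 era), optional :port:
#   [Jan 10 12:00:01] NOTICE[1234] chan_sip.c: Registration from '<sip:100@h>' failed for 'IP' - Wrong password

THRESHOLD=${THRESHOLD:-50}
BLOCK_SECONDS=${BLOCK_SECONDS:-3600}
WHITELIST=${WHITELIST:-"203.0.113.5"}   # constructed placeholder for your own address(es)

# failed_ips FILE: one source IP per "Wrong password" line, port suffix dropped
failed_ips() {
    sed -n "s/.*failed for '\([0-9][0-9.]*\)[^']*' - Wrong password.*/\1/p" "$1"
}

# offenders FILE: "count ip" for every address over THRESHOLD, whitelist removed
offenders() {
    failed_ips "$1" | sort | uniq -c |
        awk -v t="$THRESHOLD" -v wl="$WHITELIST" '
            BEGIN { n = split(wl, w, " "); for (i = 1; i <= n; i++) skip[w[i]] = 1 }
            $1 > t && !($2 in skip) { print $1, $2 }'
}

# block_rules IP: idempotent iptables commands for one address (-C needs
# iptables 1.4.11+; -I puts the REJECT ahead of any earlier ACCEPT for SIP)
block_rules() {
    for proto in udp tcp; do
        rule="INPUT -s $1 -p $proto --dport 5060:5061 -j REJECT --reject-with icmp-host-prohibited"
        echo "iptables -C $rule 2>/dev/null || iptables -I $rule"
    done
}

# unblock_rules IP: the matching delete commands
unblock_rules() {
    for proto in udp tcp; do
        echo "iptables -D INPUT -s $1 -p $proto --dport 5060:5061 -j REJECT --reject-with icmp-host-prohibited"
    done
}

# expired STATEFILE NOW: addresses whose "epoch ip" entry is older than BLOCK_SECONDS
expired() {
    awk -v now="$2" -v ttl="$BLOCK_SECONDS" '$1 + ttl <= now { print $2 }' "$1"
}

# sample_log: constructed excerpt using RFC 5737 documentation addresses
sample_log() {
    i=0
    while [ $i -lt 60 ]; do    # one host hammering extension 100
        echo "[Jan 10 12:00:01] NOTICE[1234] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password"
        i=$((i + 1))
    done
    i=0
    while [ $i -lt 55 ]; do    # the admin's own address: many failures, but whitelisted
        echo "[Jan 10 12:02:00] NOTICE[1234] chan_sip.c: Registration from '<sip:999@192.0.2.10>' failed for '203.0.113.5' - Wrong password"
        i=$((i + 1))
    done
    # a genuine user who mistyped a password three times: stays under THRESHOLD
    echo "[Jan 10 12:05:00] NOTICE[1234] chan_sip.c: Registration from '<sip:201@192.0.2.10>' failed for '198.51.100.70' - Wrong password"
    echo "[Jan 10 12:05:10] NOTICE[1234] chan_sip.c: Registration from '<sip:201@192.0.2.10>' failed for '198.51.100.70' - Wrong password"
    echo "[Jan 10 12:05:20] NOTICE[1234] chan_sip.c: Registration from '<sip:201@192.0.2.10>' failed for '198.51.100.70' - Wrong password"
    # unrelated line mentioning the attacker's address: must not be counted
    echo "[Jan 10 12:06:00] NOTICE[1234] chan_sip.c: Peer '100' is now Reachable. (198.51.100.7)"
}

# run LOG STATEFILE: the cron entry point. Prints the iptables commands it
# would run (pipe the output into sh to apply them, as splinter.sh does).
run() {
    now=$(date +%s)
    [ -f "$2" ] || : > "$2"
    offenders "$1" | while read -r count ip; do
        grep -Fqw "$ip" "$2" && continue          # already blocked and recorded
        block_rules "$ip"
        echo "$now $ip" >> "$2"
    done
    expired "$2" "$now" | while read -r ip; do
        unblock_rules "$ip"
        grep -Fvw "$ip" "$2" > "$2.new"; mv "$2.new" "$2"
    done
}
```

A cron line such as `*/5 * * * * /usr/local/bin/splinter-example.sh /var/log/asterisk/messages /var/lib/splinter.state | sh` gives the five-minute check with one-hour expiry; raise BLOCK_SECONDS if, like the author, you would rather keep offenders blocked until someone calls. Counting from the "failed for" field rather than grepping the whole file for the address is what keeps the "Peer is now Reachable" line in the sample from inflating the attacker's count, and `-I` rather than `-A` matters when an earlier rule already accepts SIP from anywhere.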