<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
M&aacute;rcio, starting a healthy discussion about the security aspect:<br>
&nbsp;&nbsp;&nbsp; I have worked with Linux and firewalls for 13 years and with Asterisk for 4.&nbsp; I have done, and still occasionally do, installations of
Fortinet, SonicWall and Linux/Iptables/Snort. <br>
Well, when we need to put an Asterisk machine exposed on the
Internet so that external clients can log in via SIP, the best
alternative is to create tunnels with OpenVPN using TAP+SSL.&nbsp; However, for cost reasons
this solution is not always viable, and we need to expose our Asterisk on the Internet, either directly with a
public IP or according to the solution you presented below.<br>
&nbsp;&nbsp;&nbsp; I personally disagree with the solution you posted below and
prefer to use a public IP on the Asterisk.&nbsp; Here are the reasons:<br>
    <br>
1 - In the model you present, your Asterisk is not free from flaws
or bugs in Asterisk's SIP module.&nbsp; The SIP/UDP protocol, in the form you
present below, is exposed in the same way as if your Asterisk
had a public IP, and it can also cause NAT anomalies with
SIP.&nbsp; If SIP is not opened to the outside, nobody from outside will
log in to your server, right? An attacker can easily brute-force
your server in the model below just as if it
had a public IP.&nbsp; A tool for that, which I use in the
lab, is sipvicious.&nbsp;&nbsp;&nbsp; I don't know why, but whenever I
suffer these attacks, they all come from external networks, that is,
from outside Brazil.&nbsp; I think that even on the list all colleagues only
suffer brute-force attacks from abroad too...<br>
    <br>
2 - Well, going beyond the realm of a packet filter, a great
solution would be analysis of SIP packet headers/strings to
identify anomalies in them and only then block, as already exists for
HTTP, SMTP, etc...&nbsp; Unfortunately none of the proprietary firewalls
I know has this technique.<br>
    <br>
3 - Well, summing up my points, I set up my projects as
follows:<br>
&nbsp;&nbsp;&nbsp; 3.1 - When it becomes necessary to expose the Asterisk on a public
IP.&nbsp; "I have 4 clients with this model and never had
problems. There were many attempts, though"<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; Internet &lt;&gt; Router &lt;&gt;&nbsp; Asterisk<br>
&nbsp;&nbsp;&nbsp; 3.2 - If all the public IPs that will log in via SIP are
fixed, I allow only those IPs to log in on the firewall (iptables).<br>
&nbsp;&nbsp;&nbsp; 3.3 - If I don't know where those IPs will come from, I allow the BR
range as I already posted here and close all TCP ports, opening
only the ones I will use, such as SSH, HTTP, etc.<br>
&nbsp;&nbsp;&nbsp; 3.4 - After the packet filter, install an IDS to analyze
malformed packets aimed at your Asterisk; a good example for
this is to use SNORT with a ready-made Asterisk rule.
<a class="moz-txt-link-freetext" href="http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html">http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html</a><br>
&nbsp;&nbsp;&nbsp; 3.5 - In 95% of cases the attacks against Asterisk are
brute force against SIP, trying to log in.&nbsp; Attacks against SIP are rarely
stack overflows meant to get a shell on the system through an Asterisk flaw.&nbsp; <br>
&nbsp;&nbsp;&nbsp; Anyway, there are many scenarios, and I agree with you when you say to
avoid exposing your Asterisk with a public IP.&nbsp; We should expose the minimum.&nbsp;
But it is not always possible.......<br>
    &nbsp;&nbsp;&nbsp; <br>
Sorry if I strayed a bit from the scope of the list, which is Asterisk, but
I believe it is a subject of the utmost importance for IP telephony.&nbsp; Which is
security!!!<br>
    <br>
    <br>
    <br>
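<p>Added example, not code from this thread, from the Asterisk project or from fail2ban: the log lines quoted further down in this thread show the "Registration from ... failed for ... - Wrong password" NOTICE messages that chan_sip writes during a SIP brute-force attempt. The Python below parses lines in that format, counts failures per source IP regardless of the username tried or the source port used (the attacker in the thread rotated both), flags sources that exceed a threshold inside a time window, which is the same idea fail2ban applies, and prints the "drop everything from this source" iptables rules that correspond to the "DROP all -- 173.242.120.42 anywhere" line shown in the thread. The sample log lines, the server address 192.0.2.10, the source addresses, the threshold of 3 and the 10-minute window are all constructed for this example. The example also covers a source that comes back once a day, as described later in the thread: with a short window it is not flagged, so the window has to be widened or disabled to catch it.</p>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the chan_sip NOTICE format quoted in the thread.
# Server 192.0.2.10 and all source addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
[2013-07-27 15:09:35] NOTICE[1775] chan_sip.c: Registration from '"shuang" <sip:shuang@192.0.2.10>' failed for '203.0.113.42:5061' - Wrong password
[2013-07-27 15:09:36] NOTICE[1775] chan_sip.c: Registration from '"chu" <sip:chu@192.0.2.10>' failed for '203.0.113.42:5081' - Wrong password
[2013-07-27 15:09:37] NOTICE[1775] chan_sip.c: Registration from '"admin" <sip:admin@192.0.2.10>' failed for '203.0.113.42:5099' - No matching peer found
[2013-07-27 15:10:00] NOTICE[1775] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2013-07-27 15:10:01] NOTICE[1775] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2013-07-27 15:10:02] NOTICE[1775] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2013-07-27 15:11:00] NOTICE[1775] chan_sip.c: Registration from '"alice" <sip:alice@192.0.2.10>' failed for '203.0.113.9:5060' - Wrong password
[2013-07-28 15:09:43] NOTICE[1775] chan_sip.c: Registration from '"chu" <sip:chu@192.0.2.10>' failed for '203.0.113.200:5081' - Wrong password
[2013-07-29 15:09:45] NOTICE[1775] chan_sip.c: Registration from '"chu" <sip:chu@192.0.2.10>' failed for '203.0.113.200:5081' - Wrong password
[2013-07-30 15:09:47] NOTICE[1775] chan_sip.c: Registration from '"chu" <sip:chu@192.0.2.10>' failed for '203.0.113.200:5081' - Wrong password
[2013-07-30 15:09:48] VERBOSE[1775] unrelated line that the parser must ignore
"""

# One regex for the failed-registration NOTICE: timestamp, requested identity,
# source ip:port (the port is the attacker's source port, not the SIP port) and reason.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[\d.]+):(?P<port>\d+)' - (?P<reason>.+)$"
)


def parse_line(line):
    """Return a dict for a failed-registration NOTICE line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["port"] = int(ev["port"])
    return ev


def failures_by_source(lines):
    """Group failed registrations by source IP only, ignoring username and source port."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["ip"]].append(ev)
    return events


def find_offenders(lines, threshold=3, window_seconds=600):
    """Map source IP -> max failures seen within any window of window_seconds.

    Only sources reaching `threshold` are returned. window_seconds=None counts
    all failures regardless of time, which is what catches a slow, once-a-day attacker.
    """
    offenders = {}
    for ip, evs in failures_by_source(lines).items():
        stamps = sorted(e["ts"] for e in evs)
        if window_seconds is None:
            best = len(stamps)
        else:
            window = timedelta(seconds=window_seconds)
            best, start = 0, 0
            for end in range(len(stamps)):            # sliding window over sorted timestamps
                while stamps[end] - stamps[start] > window:
                    start += 1
                best = max(best, end - start + 1)
        if best >= threshold:
            offenders[ip] = best
    return offenders


def iptables_drop_rules(offenders):
    """Build the per-source DROP rules an operator would apply (rules are returned, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("fast brute force (10-minute window):", find_offenders(lines))
    print("including slow attacker (no window):", find_offenders(lines, window_seconds=None))
    for rule in iptables_drop_rules(find_offenders(lines)):
        print(rule)
```

Keying the count on the source IP alone is the point: the same attacker shows up with several usernames and several source ports, and a rule that only counted failures per username or per port would never reach the threshold.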
On 31/07/2013 13:51, Marcio - Google wrote:
    <blockquote
cite="mid:CABZMeU3=HLF0dV-4fdA14BtdhOQZ20XSQ4Z0xOFW9TJD2aPYOA@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_default"
style="font-family:arial,helvetica,sans-serif">A public IP on the
server?!?!?! My God, does anyone really do something that crazy???</div>
        <div class="gmail_default"
          style="font-family:arial,helvetica,sans-serif">
          <br>
        </div>
        <div class="gmail_default"
style="font-family:arial,helvetica,sans-serif">I think I'll
pass away before I've read it all ... hahahaha</div>
        <div class="gmail_default"
          style="font-family:arial,helvetica,sans-serif">
          <br>
        </div>
        <div class="gmail_default"
style="font-family:arial,helvetica,sans-serif">At a minimum, the
bare minimum: Internet &lt;&gt; Router &lt;&gt; Firewall
&lt;&gt; [NAT] &lt;&gt; Asterisk</div>
        <div class="gmail_default"
          style="font-family:arial,helvetica,sans-serif">
          <br>
        </div>
      </div>
      <div class="gmail_extra"><br clear="all">
        <div>
          <div dir="ltr"><br>
            [...]'s<br>
            <br>
            Marcio
            <div><br>
            </div>
            <div>
              <div style="font-family:arial;font-size:small">========================================</div>
              <div style="font-family:arial;font-size:small">
########### Help Marcio Campaign! ###########</div>
              <div style="font-family:arial;font-size:small"><a
                  moz-do-not-send="true"
                  href="http://sosmarcio.blogspot.com.br/"
                  style="color:rgb(17,85,204)" target="_blank">http://sosmarcio.blogspot.com.br/</a></div>
              <div style="font-family:arial;font-size:small"><a
                  moz-do-not-send="true"
                  href="http://www.vakinha.com.br/VaquinhaP.aspx?e=195793"
                  style="color:rgb(17,85,204)" target="_blank">http://www.vakinha.com.br/VaquinhaP.aspx?e=195793</a><br>
              </div>
              <div style="font-family:arial;font-size:small">
                ========================================</div>
            </div>
          </div>
        </div>
        <br>
        <br>
<div class="gmail_quote">On 31 July 2013 12:37, Danilo
  Almeida <span dir="ltr">&lt;<a moz-do-not-send="true"
      href="mailto:daniloricalmeida@gmail.com" target="_blank">daniloricalmeida@gmail.com</a>&gt;</span>
  wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">a question came up regarding these attacks;
  as I'm inexperienced in this networking area, I don't know how
  these attempts work...
              <div><br>
              </div>
<div>how do they discover the server on the network?</div>
<div>how do they manage to make so many attack attempts
  simultaneously?</div>
              <div><br>
              </div>
<div>if someone could enlighten me a bit about this
  subject I'd appreciate it... especially because we need to
  know the techniques in order to protect ourselves.</div>
              <div><br>
              </div>
<div>Thanks</div>
            </div>
            <div class="gmail_extra">
              <br>
              <br>
<div class="gmail_quote">On 31 July 2013 13:33,
  Guilherme Rezende <span dir="ltr">&lt;<a
      moz-do-not-send="true"
      href="mailto:asterisk@guilherme.eti.br"
      target="_blank">asterisk@guilherme.eti.br</a>&gt;</span>
  wrote:
                <div>
                  <div class="h5">
                    <br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> &nbsp;&nbsp;&nbsp; Folks,
  I don't use Fail2ban.&nbsp;&nbsp; Since these attacks come
  from networks outside BR, I blocked
  all networks whose origin is not BR. And
  it solved it!!&nbsp; I don't have problems with attacks
  any more...&nbsp; My Asterisk logs never again
  showed an attempt to log in via SIP on my
  servers.&nbsp; See the code below, which is quite
  simple: I allow only the networks that are
  listed, then close everything.&nbsp; If there is no
  need for anyone external to log in to
  your server, the code below solves it.&nbsp; Disable
  all your iptables rules, disable all
  firewalls and run the script below.<br>
                        <br>
<pre>
#!/bin/bash
# Path to the iptables binary
ipt=/sbin/iptables
# Flush every existing rule first
$ipt -F
# Allow UDP arriving on eth2 only from the listed networks (local LAN plus BR ranges)
$ipt -A INPUT -i eth2 -s 172.16.5.0/24 -p udp -j ACCEPT
$ipt -A INPUT -i eth2 -s 186.0.0.0/8 -p udp -j ACCEPT
$ipt -A INPUT -i eth2 -s 187.0.0.0/8 -p udp -j ACCEPT
$ipt -A INPUT -i eth2 -s 177.0.0.0/8 -p udp -j ACCEPT
$ipt -A INPUT -i eth2 -s 179.0.0.0/8 -p udp -j ACCEPT
$ipt -A INPUT -i eth2 -s 189.0.0.0/8 -p udp -j ACCEPT
$ipt -A INPUT -i eth2 -s 198.50.96.130 -p udp -j ACCEPT
$ipt -A INPUT -i eth2 -s 200.0.0.0/8 -p udp -j ACCEPT
$ipt -A INPUT -i eth2 -s 201.0.0.0/8 -p udp -j ACCEPT
# Drop all other UDP arriving on eth2
$ipt -A INPUT -i eth2 -p udp -j DROP
</pre>
                        <br>
                        <br>
                        <br>
On 31/07/2013 13:12, Danilo Almeida wrote:
                        <div>
                          <div>
                            <blockquote type="cite">
<div dir="ltr">I received several attempts
  this weekend, but fail2ban
  blocked them.
                                <div><br>
                                </div>
<div>DROP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; all&nbsp; --&nbsp; 173.242.120.42&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
  anywhere<br>
                                  <table border="0" cellpadding="4"
                                    cellspacing="0" height="300"
                                    width="297">
                                    <tbody>
                                      <tr>
<td align="right">Host name:</td>
                                        <td align="left" width="198"><a
                                            moz-do-not-send="true"
                                            href="tel:173.242.120.42"
                                            value="+17324212042"
                                            target="_blank">173.242.120.42</a></td>
                                      </tr>
                                      <tr>
                                        <td align="right">IP Address:</td>
                                        <td align="left"><a
                                            moz-do-not-send="true"
                                            href="tel:173.242.120.42"
                                            value="+17324212042"
                                            target="_blank">173.242.120.42</a></td>
                                      </tr>
                                      <tr>
<td align="right">Country:</td>
<td align="left"><a
    moz-do-not-send="true"
    href="http://en.wikipedia.org/wiki/united%20states"
    target="_blank">United States</a></td>
                                      </tr>
                                      <tr>
                                        <td align="right">C&oacute;digo do
                                          pa&iacute;s:</td>
                                        <td align="left">US (USA)</td>
                                      </tr>
                                      <tr>
<td align="right">Region:</td>
                                        <td align="left"><a
                                            moz-do-not-send="true"
                                            href="http://en.wikipedia.org/wiki/Pennsylvania"
                                            target="_blank">Pennsylvania</a></td>
                                      </tr>
                                      <tr>
<td align="right">City:</td>
                                        <td align="left">Clarks Summit</td>
                                      </tr>
                                      <tr>
                                        <td align="right">C&oacute;digo postal:</td>
                                        <td align="left">18411</td>
                                      </tr>
                                      <tr>
                                        <td align="right">C&oacute;digo tel.:</td>
                                        <td align="left"><a
                                            moz-do-not-send="true"
                                            href="http://en.wikipedia.org/wiki/Area_code#United_States"
                                            target="_blank">+1</a></td>
                                      </tr>
                                      <tr>
                                        <td align="right">Longitude:</td>
                                        <td align="left">-75.728</td>
                                      </tr>
                                      <tr>
                                        <td align="right">Latitude:</td>
                                        <td align="left">41.4486<br>
                                        </td>
                                      </tr>
                                    </tbody>
                                  </table>
                                </div>
                                <div class="gmail_extra"><br>
                                </div>
                                <div class="gmail_extra">
<div class="gmail_extra">[2013-07-27 15:09:35] NOTICE[1775] chan_sip.c: Registration from '"shuang" &lt;sip:shuang@IP-Servidor&gt;' failed for '173.242.120.42:5061' - Wrong password</div>
<div><br>
</div>
<div>
  <div>[2013-07-28 15:09:43] NOTICE[1775] chan_sip.c: Registration from '"chu" &lt;sip:chu@IP-servidor&gt;' failed for '173.242.120.42:5081' - Wrong password</div>
</div>
<div><br>
</div>
<div>[2013-07-29 15:09:45] NOTICE[1775] chan_sip.c: Registration from '"chu" &lt;sip:chu@IP-servidor&gt;' failed for '173.242.120.42:5081' - Wrong password<br>
</div>
<div><br>
</div>
<div>[2013-07-30 15:09:47] NOTICE[1775] chan_sip.c: Registration from '"chu" &lt;sip:chu@IP-servido&gt;' failed for '173.242.120.42:5081' - Wrong password</div>
                                  <div class="gmail_extra"><br>
                                  </div>
if you look, I block the
attempts for 24 hours, so
the intruder kept trying the next
day; now I've given him a permanent
BAN... haha</div>
                                <div class="gmail_extra"> <br>
                                </div>
                                <div class="gmail_extra"><br>
<div class="gmail_quote">On 31 July 2013 12:50, Thiago Anselmo
  <span dir="ltr">&lt;<a
      moz-do-not-send="true"
      href="mailto:thiagoo.anselmoo@gmail.com"
      target="_blank">thiagoo.anselmoo@gmail.com</a>&gt;</span>
  wrote:<br>
                                    <blockquote class="gmail_quote"
                                      style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">Friend,
                                        <div><br>
                                        </div>
<div>There was already another friend here on the
  list who had the same
  problem, and fail2ban
  didn't catch it, because they don't
  attack only 5060, there are
  other ways!!&nbsp;<br>
  <br>
  How is your PBX connected?
  Is it behind NAT or is
  a public IP connected directly
  to it?</div>
                                        <div><br>
                                        </div>
<div>tell me and we can
  work out ways to do it with
  IPTABLES!! And it works well!!!</div>
<div>Block everything and allow
  only whom you want!</div>
                                      </div>
                                      <div class="gmail_extra"><br>
                                        <br>
<div class="gmail_quote"> On 31 July 2013 12:40, Marcio
  - Google <span dir="ltr">&lt;<a
      moz-do-not-send="true"
      href="mailto:marciorp@gmail.com"
      target="_blank">marciorp@gmail.com</a>&gt;</span>
  wrote:
                                          <div>
                                            <div><br>
                                              <blockquote
                                                class="gmail_quote"
                                                style="margin:0px 0px
                                                0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                                                <div dir="ltr">
                                                  <div
style="font-family:arial,helvetica,sans-serif">Exactly what Hudson said ...</div>
                                                  <div
style="font-family:arial,helvetica,sans-serif">Failure in sizing and configuration.</div>
                                                </div>
                                                <div class="gmail_extra"><br
                                                    clear="all">
                                                  <div>
                                                    <div dir="ltr"><br>
                                                      [...]'s<br>
                                                      <br>
                                                      Marcio
                                                      <div><br>
                                                      </div>
                                                    </div>
                                                  </div>
                                                  <br>
                                                  <br>
                                                  <div
class="gmail_quote">On
31 July 2013
11:06, Hudson
Cardoso <span
  dir="ltr">&lt;<a
    moz-do-not-send="true"
href="mailto:hudsoncardoso@hotmail.com" target="_blank">hudsoncardoso@hotmail.com</a>&gt;</span>
wrote:
                                                    <div>
                                                      <div> <br>
                                                        <blockquote
                                                          class="gmail_quote"
                                                          style="margin:0px
                                                          0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                                                          <div>
                                                          <div dir="ltr"><font
style="font-size:12pt" face="Arial" size="3">&nbsp; &nbsp;Fail2ban didn't catch it
because it had already
managed to get through; that
means your firewall
is not correctly</font>
<div><font
  style="font-size:12pt"
  face="Arial"
  size="3">sized
  and/or
  configured.</font></div>
                                                          <div><font
                                                          style="font-size:12pt"
                                                          face="Arial"
                                                          size="3">&nbsp; No
                                                          meu se fizer 3
                                                          tentativas,
                                                          bloqueia por
                                                          15 minutos, e
                                                          quando um
                                                          guest pede
                                                          acesso ao
                                                          diaplan,
                                                          simplesmente&nbsp;</font></div>
                                                          <div><font
                                                          style="font-size:12pt"
                                                          face="Arial"
size="3">hang
up all
Guests.<br>
                                                          </font><br>
                                                          <br>
<pre style="line-height:17px;color:rgb(42,42,42);white-space:normal">Hudson&nbsp;
<a moz-do-not-send="true" href="tel:%28048%29%208413-7000" value="+554884137000" target="_blank">(048) 8413-7000</a>
For those who do not believe, no proof converts; for those who believe, no proof is needed.&nbsp;</pre>
                                                          <br>
                                                          <br>
                                                          <div>&gt; From: <a moz-do-not-send="true" href="mailto:caiopato@gmail.com" target="_blank">caiopato@gmail.com</a><br>
                                                          &gt; Date: Wed, 31 Jul 2013 11:47:25 -0300<br>
                                                          &gt; To: <a moz-do-not-send="true" href="mailto:asteriskbrasil@listas.asteriskbrasil.org" target="_blank">asteriskbrasil@listas.asteriskbrasil.org</a><br>
                                                          &gt; Subject: [AsteriskBrasil] Massive attack from IP 67.207.137.49
                                                          <div>
                                                          <div><br>
                                                          &gt; <br>
                                                          &gt; I was being the victim of an attack attempt from IP<br>
                                                          &gt; 67.207.137.49 (Rackspace Cloud Servers),<br>
                                                          &gt; There were 3548 attempts in 10 minutes until it was blocked manually in iptables.<br>
                                                          &gt; I did not investigate the attack method in depth, but basically it was<br>
                                                          &gt; trying to dig up a hole in the dialplan.<br>
                                                          &gt; <br>
                                                          &gt; The console showed:<br>
                                                          &gt; Jul 31 09:53:58 WARNING[18816]: chan_sip.c:6903 get_destination: Huh?<br>
                                                          &gt; Not a SIP header (tel:1900442075005000)?<br>
                                                          &gt; ...<br>
                                                          &gt; Jul 31 10:04:37 WARNING[18816]: chan_sip.c:6903 get_destination: Huh?<br>
                                                          &gt; Not a SIP header (tel:2440900442075005000)?<br>
                                                          &gt; <br>
                                                          &gt; Note that the attacker kept the suffix and changed only the prefix (19, 29,<br>
                                                          &gt; 39, .... until it reached 24409, when I blocked it via iptables.<br>
                                                          &gt; <br>
                                                          &gt; This type of attack is NOT identified by fail2ban since no logs are generated.<br>
                                                          &gt; <br>
                                                          &gt; The phone number 00442075005000 belongs to a bank (Citi) in London. It may<br>
                                                          &gt; be just a test number - if the attacker gets a "CONNECT", the<br>
                                                          &gt; attempt was successful and he unloads a truckload of calls<br>
                                                          &gt; to other destinations.<br>
                                                          &gt; <br>
                                                          &gt; So the eternal advice holds: keep an eye out - don't rely only on<br>
                                                          &gt; fail2ban.<br>
                                                          &gt; _______________________________________________<br>
                                                          &gt; KHOMP: complete line of external FXO, FXS, GSM and E1 cards;<br>
                                                          &gt; Media Gateways from 1 to 64 E1s for SIP with R2, ISDN and SS7;<br>
                                                          &gt; Intercoms for remote access over IP networks. Learn more at <a moz-do-not-send="true" href="http://www.Khomp.com" target="_blank">www.Khomp.com</a>.<br>
                                                          &gt; _______________________________________________<br>
                                                          &gt; ALIGERA &#8211; Brazilian manufacturer of SIP-E1 Gateways for R2, ISDN and SS7.<br>
                                                          &gt; 1E1, 2E1, 4E1 and 8E1 cards for PCI or PCI Express.<br>
                                                          &gt; Channel Bank &#8211; Asterisk Appliance - Visit <a moz-do-not-send="true" href="http://www.aligera.com.br" target="_blank">www.aligera.com.br</a>.<br>
                                                          &gt; _______________________________________________<br>
                                                          &gt; To remove your email from this list, just send a blank email to <a moz-do-not-send="true" href="mailto:asteriskbrasil-unsubscribe@listas.asteriskbrasil.org" target="_blank">asteriskbrasil-unsubscribe@listas.asteriskbrasil.org</a><br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <br>
                                                        </blockquote>
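<div>The two defenses this thread turns on, as an added Python example (not code from the list, from Hudson or Caio, or from Asterisk): the "after 3 attempts, block for 15 minutes" rule Hudson describes, and a detector for the dialplan probing Caio saw, where one destination is hit with a changing prefix and the warning line carries no source address for fail2ban to act on. The sample log lines are constructed from the two warnings quoted above; the 10-minute window, the 14-digit destination suffix and the source address 192.0.2.10 are assumptions.</div>

```python
"""Detect dialplan probing in Asterisk chan_sip warnings and apply a
three-strikes lockout. Added example for the thread; the log lines below are
constructed from the two warnings quoted in it."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Warning format quoted in the thread. It carries no source address, so it
# cannot feed a fail2ban ban on its own; it can only be counted and correlated.
WARN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) WARNING\[\d+\]: "
    r"chan_sip\.c:\d+ get_destination: Huh\? Not a SIP header \(tel:(?P<num>\d+)\)\?$"
)

# Constructed sample: the quoted first and last probes plus two in between.
SAMPLE_LOG = """\
Jul 31 09:53:58 WARNING[18816]: chan_sip.c:6903 get_destination: Huh? Not a SIP header (tel:1900442075005000)?
Jul 31 09:54:01 WARNING[18816]: chan_sip.c:6903 get_destination: Huh? Not a SIP header (tel:2900442075005000)?
Jul 31 09:54:03 WARNING[18816]: chan_sip.c:6903 get_destination: Huh? Not a SIP header (tel:3900442075005000)?
Jul 31 10:04:37 WARNING[18816]: chan_sip.c:6903 get_destination: Huh? Not a SIP header (tel:2440900442075005000)?
"""


def parse_probes(text, year=2013):
    """Return (timestamp, dialed digits) for every matching warning line.
    Asterisk log timestamps carry no year, so the caller supplies it."""
    probes = []
    for line in text.splitlines():
        m = WARN_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            probes.append((ts, m["num"]))
    return probes


def detect_enumeration(probes, suffix_len=14, threshold=3, window=timedelta(minutes=10)):
    """Group probes by their trailing digits (the destination the attacker keeps
    fixed while varying the prefix) and report each destination hit at least
    `threshold` times inside `window`. suffix_len=14 is an assumption sized to
    the 00-prefixed international number in the thread."""
    by_dest = defaultdict(list)
    for ts, num in probes:
        by_dest[num[-suffix_len:]].append((ts, num[:-suffix_len]))
    alerts = []
    for dest, hits in by_dest.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):          # sliding window over sorted hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "destination": dest,
                    "count": len(hits),
                    "prefixes": sorted({p for _, p in hits}, key=lambda p: (len(p), p)),
                    "first": hits[0][0],
                    "last": hits[-1][0],
                })
                break
    return alerts


class StrikePolicy:
    """Hudson's rule: after `max_failures` from one source, block it for
    `ban_for`. The failure window is an assumption (the thread gives none);
    the key is whatever identifier the caller has, e.g. a peer address from a
    log line that does carry one."""

    def __init__(self, max_failures=3, window=timedelta(minutes=10),
                 ban_for=timedelta(minutes=15)):
        self.max_failures, self.window, self.ban_for = max_failures, window, ban_for
        self._failures = defaultdict(list)
        self._banned_until = {}

    def is_banned(self, source, now):
        until = self._banned_until.get(source)
        return until is not None and now < until

    def record_failure(self, source, now):
        """Register one failed attempt; True when the source is (now) blocked."""
        if self.is_banned(source, now):
            return True
        recent = [t for t in self._failures[source] if now - t <= self.window]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._banned_until[source] = now + self.ban_for
            self._failures[source] = []
            return True
        self._failures[source] = recent
        return False


def demo_policy():
    """Drive StrikePolicy with constructed timestamps for the constructed
    source 192.0.2.10; returns the per-attempt verdicts and two later checks."""
    policy = StrikePolicy()
    t0 = datetime(2013, 7, 31, 9, 53, 58)
    verdicts = [policy.record_failure("192.0.2.10", t0 + timedelta(seconds=s))
                for s in (0, 3, 5)]
    still_banned = policy.is_banned("192.0.2.10", t0 + timedelta(minutes=14))
    released = policy.is_banned("192.0.2.10", t0 + timedelta(minutes=16))
    return verdicts, still_banned, released


if __name__ == "__main__":
    for a in detect_enumeration(parse_probes(SAMPLE_LOG)):
        print(f"{a['count']} probes against {a['destination']} "
              f"({a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}), prefixes {a['prefixes']}")
    print(demo_policy())
```

<div>Run against the constructed sample, the detector reports one destination (00442075005000) probed four times with prefixes 19, 29, 39 and 24409, which is the pattern Caio describes; because these lines name no peer, the alert is something to page on or correlate with the SIP trace, not a ban target. The lockout class is keyed by whatever source identifier a log line or the firewall does provide, and releases the source once the 15-minute ban has elapsed.</div>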
                                                      </div>
                                                    </div>
                                                  </div>
                                                  <br>
                                                </div>
                                                <br>
                                              </blockquote>
                                            </div>
                                          </div>
                                        </div>
                                        <span><font color="#888888"> <br>
                                            <br clear="all">
                                            <div><br>
                                            </div>
                                            -- <br>
                                            Thiago Anselmo </font></span></div>
                                      <br>
                                    </blockquote>
                                  </div>
                                  <br>
                                  <br clear="all">
                                  <div><br>
                                  </div>
                                  -- <br>
                                  <div dir="ltr"><b><font
                                        color="#0000ff">att</font></b>
                                    <div><b><font color="#0000ff">Danilo
                                          Almeida</font></b></div>
                                  </div>
                                </div>
                              </div>
                              <br>
                            </blockquote>
                            <br>
                          </div>
                        </div>
                      </div>
                      <br>
                    </blockquote>
                  </div>
                </div>
              </div>
              <span class="HOEnZb"><font color="#888888">
                  <br>
                  <br clear="all">
                  <div><br>
                  </div>
                  -- <br>
                  <div dir="ltr"><b style=""><font color="#0000ff">att</font></b>
                    <div><b style=""><font color="#0000ff">Danilo
                          Almeida</font></b></div>
                  </div>
                </font></span></div>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
  </body>
</html>