Apr 29, 2011

Well, here's the first hack

Congratulations are in order: I've had a live encounter with a hacker attack aimed at guessing a login and password for my FreeSWITCH telephony server. Here is what it looks like:



Over the 10 hours of the attack that adds up to 670 MB of inbound traffic and 1 GB outbound.

Let's look at the logs:
/usr/local/freeswitch/log # ll freeswitch.log.*
-rw----r-- 1 root root 815562 Apr 2 03:07 freeswitch.log.2011-04-02-03-07-07.1
-rw----r-- 1 root root 190 Apr 2 03:07 freeswitch.log.2011-04-02-03-07-07.2
-rw----r-- 1 root root 10485904 Apr 29 15:13 freeswitch.log.2011-04-29-15-13-18.1
-rw----r-- 1 root root 10485899 Apr 29 15:44 freeswitch.log.2011-04-29-15-44-41.1
-rw----r-- 1 root root 10485899 Apr 29 16:12 freeswitch.log.2011-04-29-16-12-55.1
-rw----r-- 1 root root 10485899 Apr 29 16:33 freeswitch.log.2011-04-29-16-33-08.1
-rw----r-- 1 root root 10485899 Apr 29 16:53 freeswitch.log.2011-04-29-16-53-30.1
-rw----r-- 1 root root 10485899 Apr 29 17:16 freeswitch.log.2011-04-29-17-16-00.1
-rw----r-- 1 root root 10485835 Apr 29 17:39 freeswitch.log.2011-04-29-17-39-05.1
-rw----r-- 1 root root 10485835 Apr 29 18:00 freeswitch.log.2011-04-29-18-00-45.1
-rw----r-- 1 root root 10485899 Apr 29 18:21 freeswitch.log.2011-04-29-18-21-57.1
-rw----r-- 1 root root 10485899 Apr 29 18:42 freeswitch.log.2011-04-29-18-42-27.1
-rw----r-- 1 root root 10485899 Apr 29 19:03 freeswitch.log.2011-04-29-19-03-20.1
-rw----r-- 1 root root 10485899 Apr 29 19:23 freeswitch.log.2011-04-29-19-23-07.1
-rw----r-- 1 root root 10485899 Apr 29 19:41 freeswitch.log.2011-04-29-19-41-55.1
-rw----r-- 1 root root 10485899 Apr 29 20:01 freeswitch.log.2011-04-29-20-01-10.1
-rw----r-- 1 root root 10485899 Apr 29 20:19 freeswitch.log.2011-04-29-20-19-27.1
-rw----r-- 1 root root 10485899 Apr 29 20:37 freeswitch.log.2011-04-29-20-37-57.1
-rw----r-- 1 root root 10485899 Apr 29 20:57 freeswitch.log.2011-04-29-20-57-18.1
-rw----r-- 1 root root 10485899 Apr 29 21:21 freeswitch.log.2011-04-29-21-21-10.1
-rw----r-- 1 root root 10485899 Apr 29 21:39 freeswitch.log.2011-04-29-21-39-17.1
-rw----r-- 1 root root 6906631 Apr 29 22:58 freeswitch.log.2011-04-29-22-58-56.1
-rw----r-- 1 root root 71 Apr 29 22:58 freeswitch.log.2011-04-29-22-58-56.2
/usr/local/freeswitch/log #


Here is how the attack started:
2011-04-29 06:41:38.351078 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1610258589@myserverip] from ip 66.199.232.98
2011-04-29 06:46:09.164120 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [3623987258@myserverip] from ip 66.199.232.98
2011-04-29 14:39:42.604125 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [2917801763@myserverip] from ip 91.220.62.140
2011-04-29 14:39:42.616121 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1882527475@myserverip] from ip 91.220.62.140
2011-04-29 14:39:43.139079 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [china@myserverip] from ip 91.220.62.140
2011-04-29 14:39:43.159069 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [koreea@myserverip] from ip 91.220.62.140
2011-04-29 14:39:43.170114 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [korea@myserverip] from ip 91.220.62.140
2011-04-29 14:39:43.179114 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [japan@myserverip] from ip 91.220.62.140
2011-04-29 14:39:43.343117 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [taiwan@myserverip] from ip 91.220.62.140
2011-04-29 14:39:43.350107 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [000000@myserverip] from ip 91.220.62.140
2011-04-29 14:39:43.363118 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [00000000@myserverip] from ip 91.220.62.140


and then it went on to enumerate every possible numeric and alphabetic SIP phone number. By the time I noticed the attack, the hackers had already tried 1.3 million combinations!

I had to add an iptables rule in a hurry:

iptables -I INPUT -s 91.220.62.140 -j DROP

That saved the day.

It looks like a DoS attack. The details of the attack are as follows (my server's IP address is replaced with myserverip here, just in case):

FreeSWITCH receives a packet:
REGISTER sip:myserverip SIP/2.0
Via: SIP/2.0/UDP 91.220.62.36:5137;branch=z9hG4bK-1132046786;rport
Content-Length: 0
From: "5988"

Accept: application/sdp
User-Agent: friendly-scanner
To: "5988"

Contact: sip:123@1.1.1.1
CSeq: 1 REGISTER
Call-ID: 1008625951
Max-Forwards: 70


FreeSWITCH complains:

2011-04-30 01:28:44.511139 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [5988@myserverip] from ip 91.220.62.140

FreeSWITCH sends a response back to the hacker's site:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 91.220.62.36:5137;branch=z9hG4bK-1132046786;rport=5137;received=91.220.62.140
From: "5988"
To: "5988" ;tag=g0BXD9pv6mjBe
Call-ID: 1008625951
CSeq: 1 REGISTER
User-Agent: FreeSWITCH-mod_sofia/1.0.head-git-e52e44e 2011-03-31 13-44-24 -0500
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, UPDATE, INFO, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
Supported: timer, precondition, path, replaces
WWW-Authenticate: Digest realm="myserverip", nonce="a9360d6c-72a7-11e0-b622-f7c8239c6915", algorithm=MD5, qop="auth"
Content-Length: 0
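As an added example that is not part of the original post, here is a small Python parser for the REGISTER/401 exchange above. It extracts the headers a defender would look at first (the User-Agent, the Via sent-by address versus the address the packet really came from, the Contact host) and compares the size of the incoming REGISTER with the size of the 401 challenge the server sends back. The two sample messages are reproduced from the post, except that the From/To URIs that did not survive on the page are left out; the scanner User-Agent watch-list and the helper names are my own assumptions.

```python
# Constructed from the exchange quoted in the post; the From/To URIs were not
# preserved on the page, so those headers carry only the display names here.
REQUEST = "\r\n".join([
    "REGISTER sip:myserverip SIP/2.0",
    "Via: SIP/2.0/UDP 91.220.62.36:5137;branch=z9hG4bK-1132046786;rport",
    "Content-Length: 0",
    'From: "5988"',
    "Accept: application/sdp",
    "User-Agent: friendly-scanner",
    'To: "5988"',
    "Contact: sip:123@1.1.1.1",
    "CSeq: 1 REGISTER",
    "Call-ID: 1008625951",
    "Max-Forwards: 70",
]) + "\r\n\r\n"

RESPONSE = "\r\n".join([
    "SIP/2.0 401 Unauthorized",
    "Via: SIP/2.0/UDP 91.220.62.36:5137;branch=z9hG4bK-1132046786;rport=5137;received=91.220.62.140",
    'From: "5988"',
    'To: "5988" ;tag=g0BXD9pv6mjBe',
    "Call-ID: 1008625951",
    "CSeq: 1 REGISTER",
    "User-Agent: FreeSWITCH-mod_sofia/1.0.head-git-e52e44e 2011-03-31 13-44-24 -0500",
    "Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, UPDATE, INFO, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE",
    "Supported: timer, precondition, path, replaces",
    'WWW-Authenticate: Digest realm="myserverip", nonce="a9360d6c-72a7-11e0-b622-f7c8239c6915", algorithm=MD5, qop="auth"',
    "Content-Length: 0",
]) + "\r\n\r\n"

# Address the packet actually arrived from: the one FreeSWITCH logged and
# echoed back in the Via 'received' parameter.
SOURCE_IP = "91.220.62.140"

# Assumed watch-list of scanner User-Agent strings; 'friendly-scanner' is the
# one seen in the post.
SCANNER_AGENTS = ("friendly-scanner", "sipvicious")


def parse_sip(raw):
    """Split a SIP message into (start line, {lower-cased header: value}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def via_sent_by(via):
    """Host part of the Via sent-by field: '91.220.62.36' from 'SIP/2.0/UDP 91.220.62.36:5137;...'."""
    parts = via.split(";")[0].split()
    if not parts:
        return ""
    return parts[-1].rsplit(":", 1)[0]


def contact_host(contact):
    """Host part of a Contact URI such as 'sip:123@1.1.1.1' or '<sip:123@1.1.1.1;transport=udp>'."""
    uri = contact.split("<")[-1].split(">")[0]
    hostport = uri.split("@", 1)[-1] if "@" in uri else uri.split(":", 1)[-1]
    return hostport.split(";")[0].split(":")[0]


def assess_register(raw, source_ip):
    """Findings for one REGISTER: scanner UA, and Via/Contact hosts that do not match the sender."""
    start, h, _ = parse_sip(raw)
    if not start.startswith("REGISTER "):
        return []
    findings = []
    ua = h.get("user-agent", "")
    if any(s in ua.lower() for s in SCANNER_AGENTS):
        findings.append("scanner user-agent: " + ua)
    via_host = via_sent_by(h.get("via", ""))
    if via_host != source_ip:
        findings.append(f"via sent-by {via_host} != source {source_ip}")
    c_host = contact_host(h.get("contact", ""))
    if c_host != source_ip:
        findings.append(f"contact host {c_host} != source {source_ip}")
    return findings


def amplification(request, response):
    """Bytes sent back per byte received for one unauthenticated REGISTER."""
    return len(response.encode()) / len(request.encode())


if __name__ == "__main__":
    for finding in assess_register(REQUEST, SOURCE_IP):
        print("-", finding)
    print(f"401 challenge is {amplification(REQUEST, RESPONSE):.1f}x the size of the REGISTER")
```

Three things stand out in this one packet: the User-Agent is a known scanner, the Via sent-by host (91.220.62.36) is not the address the packet came from (91.220.62.140, visible in the received= parameter), and the Contact points at 1.1.1.1, which nobody will ever be able to call back. The 401 is about twice the size of the REGISTER because of the Allow, Supported and WWW-Authenticate headers, which is why outbound traffic exceeds inbound for the duration of the scan.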

I found a great utility, fail2ban, to nip hackers in the bud in the future.

Setup is simple:
zypper in fail2ban

Create the file /etc/fail2ban/filter.d/freeswitch.conf
# Fail2Ban configuration file
[Definition]
failregex = .* SIP auth challenge .* from ip <HOST>
ignoreregex =

Append this block to the end of /etc/fail2ban/jail.conf
[freeswitch]
enabled = true
port = 5060,5061,5080,5081
protocol = udp
filter = freeswitch
logpath = /usr/local/freeswitch/log/freeswitch.log
action = iptables-allports[name=freeswitch, protocol=all]
maxretry = 3
findtime = 600
bantime = 18000

Start it
/etc/init.d/fail2ban restart
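As an added example (not from the original post), the filter's failregex and the jail's maxretry/findtime rule are replayed in Python over the log lines quoted earlier, so you can see both the per-source tally the post made by hand and the exact line at which fail2ban would have banned the scanner. The IPv4 capture group standing in for fail2ban's <HOST> placeholder, the helper names and the trailing INFO line (added to show a non-matching line being ignored) are my own constructions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Sample input: the FreeSWITCH log lines quoted in this post (two from
# 66.199.232.98, nine from 91.220.62.140) plus one constructed INFO line
# that the filter must ignore.
SAMPLE_LOG = """\
2011-04-29 06:41:38.351078 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1610258589@myserverip] from ip 66.199.232.98
2011-04-29 06:46:09.164120 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [3623987258@myserverip] from ip 66.199.232.98
2011-04-29 14:39:42.604125 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [2917801763@myserverip] from ip 91.220.62.140
2011-04-29 14:39:42.616121 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1882527475@myserverip] from ip 91.220.62.140
2011-04-29 14:39:43.139079 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [china@myserverip] from ip 91.220.62.140
2011-04-29 14:39:43.159069 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [koreea@myserverip] from ip 91.220.62.140
2011-04-29 14:39:43.170114 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [korea@myserverip] from ip 91.220.62.140
2011-04-29 14:39:43.179114 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [japan@myserverip] from ip 91.220.62.140
2011-04-29 14:39:43.343117 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [taiwan@myserverip] from ip 91.220.62.140
2011-04-29 14:39:43.350107 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [000000@myserverip] from ip 91.220.62.140
2011-04-29 14:39:43.363118 [WARNING] sofia_reg.c:1246 SIP auth challenge (REGISTER) on sofia profile 'internal' for [00000000@myserverip] from ip 91.220.62.140
2011-04-29 14:39:44.000000 [INFO] constructed line that is not an auth challenge from ip 10.0.0.1
"""

# The failregex from the filter above, with fail2ban's <HOST> placeholder
# replaced by an explicit IPv4 group (fail2ban does that substitution itself).
FAILREGEX = re.compile(r".* SIP auth challenge .* from ip (?P<host>\d{1,3}(?:\.\d{1,3}){3})")
USER_RE = re.compile(r"for \[(?P<user>[^@\]]+)@")
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def parse_line(line):
    """Return (timestamp, source_ip, attempted_user), or None if the line is not a challenge."""
    m = FAILREGEX.search(line)
    if m is None:
        return None
    t = TIMESTAMP.match(line)
    if t is None:
        return None
    u = USER_RE.search(line)
    user = u.group("user") if u else ""
    return datetime.strptime(t.group(1), "%Y-%m-%d %H:%M:%S"), m.group("host"), user


def attempts_per_host(lines):
    """Count auth challenges per source IP (the tally the post does by hand)."""
    counts = defaultdict(int)
    for line in lines:
        p = parse_line(line)
        if p:
            counts[p[1]] += 1
    return dict(counts)


def users_tried(lines, host):
    """Usernames a given source tried, in order; shows the numeric-plus-wordlist pattern."""
    return [p[2] for p in map(parse_line, lines) if p and p[1] == host]


def replay_jail(lines, maxretry=3, findtime=timedelta(seconds=600)):
    """Replay the jail rule: a host is banned at the first challenge that puts
    maxretry challenges inside one findtime window. Returns host -> ban time."""
    recent = defaultdict(deque)
    bans = {}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        ts, host, _ = p
        if host in bans:
            continue
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:  # drop challenges older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[host] = ts
    return bans


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(attempts_per_host(lines))
    print(users_tried(lines, "91.220.62.140"))
    print(replay_jail(lines))
```

With the jail settings from the post, 66.199.232.98 stays under the radar (two challenges, five minutes apart) while 91.220.62.140 is banned on its third challenge, within a second of its first. The real fail2ban tails the log as it grows; this replay only reads a fixed list of lines.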

And enjoy the result:
Banned hosts will be added here:

/usr/local/freeswitch/conf # iptables -L fail2ban-freeswitch
Chain fail2ban-freeswitch (1 references)
target prot opt source destination
DROP all -- 91.220.62.140 anywhere
RETURN all -- anywhere anywhere

/usr/local/freeswitch/conf # cat /var/log/fail2ban.log
2011-04-30 02:27:19,580 fail2ban.filter : DEBUG Found 91.220.62.140
2011-04-30 02:27:19,581 fail2ban.filter : DEBUG Found 91.220.62.140
2011-04-30 02:27:19,581 fail2ban.filter.datedetector: DEBUG Sorting the template list
2011-04-30 02:27:19,583 fail2ban.actions.action: DEBUG iptables -N fail2ban-freeswitch
iptables -A fail2ban-freeswitch -j RETURN
iptables -I INPUT -p all -j fail2ban-freeswitch returned successfully
2011-04-30 02:27:19,583 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-freeswitch
2011-04-30 02:27:19,587 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-freeswitch returned successfully
2011-04-30 02:27:19,587 fail2ban.actions.action: DEBUG iptables -I fail2ban-freeswitch 1 -s 91.220.62.140 -j DROP
2011-04-30 02:27:19,590 fail2ban.actions.action: DEBUG iptables -I fail2ban-freeswitch 1 -s 91.220.62.140 -j DROP returned successfully
2011-04-30 02:27:19,590 fail2ban.actions: WARNING [freeswitch] 91.220.62.140 already banned

Hooray :)
