Found out today that an external host had been scanning my Asterisk server looking for valid SIP extensions. Turned out the IP belonged to some German hacking site that was probably using some brute force tools to scan my server (and lots of others) for valid SIP extensions. The ultimate goal was more than likely to try and exploit any live extensions for some free phone calls.
Fortunately, in anticipation of moving my in-house Asterisk server out to the cloud, I had recently done some work to become better educated on Asterisk security and to shore up the security of the CentOS machine my Asterisk instance is running on. As a result, my intrusion detection system slammed the door on the external scans pretty quick, and I’ve since added the IP address to my iptables rule set to drop any requests from the IP used for the scan.
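The two defensive steps above (spot a host probing for SIP extensions, then drop it in iptables) can be reproduced from Asterisk's own log. The script below is an added example, not code from the post; it reads constructed sample lines modelled on the chan_sip "Registration from ... failed for ..." NOTICE format, counts failed registrations per source IP, and prints (without applying) the iptables DROP command for any IP over a threshold. The threshold value, the sample IPs and the log lines are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): summarise failed SIP registrations
# per source IP from Asterisk's messages log and emit iptables DROP rules for
# any source that exceeds a threshold. Run it against /var/log/asterisk/messages
# with:  failed_by_ip < /var/log/asterisk/messages

# Constructed sample log: one host cycling through extensions 100-103 (a scan),
# one host with a single typo'd registration, and an unrelated NOTICE line.
SAMPLE_LOG=$(cat <<'EOF'
[Mar 11 09:14:01] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[Mar 11 09:14:01] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[Mar 11 09:14:02] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[Mar 11 09:14:02] NOTICE[2231] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[Mar 11 09:20:44] NOTICE[2231] chan_sip.c: Registration from '"2001" <sip:2001@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Mar 11 09:21:10] NOTICE[2231] chan_sip.c: Peer '2001' is now Reachable. (12ms / 2000ms)
EOF
)

# failed_by_ip: read log lines on stdin, print "<count> <ip>" per source,
# highest count first. The sed capture keeps the address and discards any ":port".
failed_by_ip() {
    grep 'Registration from' | grep 'failed for' \
      | sed -n "s/.*failed for '\([0-9.]*\)[:0-9]*'.*/\1/p" \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# offenders THRESHOLD: print only IPs with at least THRESHOLD failures
# (a single failure is usually a legitimate user mistyping a password).
offenders() {
    failed_by_ip | awk -v t="$1" '$1 >= t {print $2}'
}

# drop_rules THRESHOLD: print the iptables commands to drop all traffic from
# each offender. Printed rather than executed so they can be reviewed first.
drop_rules() {
    offenders "$1" | while read -r ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

# Demonstration on the constructed log: only 203.0.113.5 crosses 3 failures.
printf '%s\n' "$SAMPLE_LOG" | drop_rules 3
```

Feeding the real log in place of the sample and piping the printed rules into `sh` turns this into the manual block described above; fail2ban does the same job continuously with a matching filter, and is the better long-term option for a box that stays exposed.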
It was a little unnerving to find out that my box was getting scanned, but I’m glad I took the time recently to get things working more securely. This incident reminds me that one can never be too careful about security, and that there is always more to learn about running Asterisk more securely. To underscore this last point, here are some great links I’ve come across lately for Asterisk and Linux security:
- Weak Passwords on Extensions Equals Hacked Box
- John Todd’s Security List
- Avoiding the $100,000 Phone Bill: A Primer on Asterisk Security
Some general Linux security reading: