And the scanning just keeps on coming
A China-based server has been very active in recent days, and googling the IP addresses (113.105.152.102 and 113.105.152.104) tells me they have been scanning for a long time.
One guy with an Asterisk got hit in December 2009 and others back in November. Others start debugging and ask what it is in public support forums. There will be even more of this scanning in the coming months!
Some have added firewall rules like:
deny 113.105.152.102/255.255.255.255
deny 66.117.50.225/255.255.255.255
deny 204.57.122.6/255.255.255.255
But this will not last long before new IP addresses show up.
What to do about it?
Secure your IP PBX and don’t leave port 5060 open to everybody.
If you must, use very long and strong passwords on all extensions (or use port knocking).
Make sure that callers into your PBX are not allowed onto any outbound context, making you pay for their calls…
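Because static deny rules go stale as soon as the scanner moves, the PBX's own log can be used to spot scanning sources instead. The following is an added example, not part of the original post: it assumes Asterisk's chan_sip "Registration from ... failed for ..." NOTICE lines, and the function names, threshold, window and sample log lines (documentation-range addresses) are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# chan_sip reports a rejected REGISTER as (an optional ":port" is tolerated):
# [time] NOTICE[pid] chan_sip.c: Registration from '<from>' failed for '<ip>' - <reason>
FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\](?:\[[^\]]*\])? chan_sip\.c: "
    r"Registration from '(?P<sender>.*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)
EXTENSION = re.compile(r"sip:([^@>;]+)@")

def find_scanners(lines, threshold=5, window_s=60):
    """Map source IP -> extensions tried, for every source with at least
    `threshold` failed registrations inside a sliding `window_s` seconds."""
    events = defaultdict(list)  # ip -> [(time, extension)]
    for line in lines:
        m = FAILED_REG.match(line.strip())
        if not m:
            continue  # not a failed-registration line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ext = EXTENSION.search(m["sender"])
        events[m["ip"]].append((ts, ext.group(1) if ext else "?"))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1  # shrink the window from the left
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({e for _, e in hits})
                break
    return flagged

def sample_line(sec, ext, ip, reason):
    return (f"[2010-02-21 03:14:{sec:02d}] NOTICE[2301] chan_sip.c: Registration "
            f"from '\"{ext}\" <sip:{ext}@192.0.2.10>' failed for '{ip}' - {reason}")

# Constructed sample: one source walking extensions, one user mistyping once.
SAMPLE_LOG = (
    [sample_line(s, 100 + s, "203.0.113.7", "No matching peer found") for s in range(6)]
    + [sample_line(30, 201, "198.51.100.20", "Wrong password")]
    + ["[2010-02-21 03:15:00] VERBOSE[2301] logger.c: unrelated line"]
)

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

The single "Wrong password" from the second address stays below the threshold, so an ordinary user who mistypes once is not flagged.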
February 23rd, 2010 at 19:18
I see the same on an Asterisk which is reachable from the big bad Internet (but which is incapable of dialing out over phone networks which cost actual money). My last scan (21 February) was from 96.57.107.3 which is in Tappan, NY, USA.
Other stuff I see in the logs are attempts to call numbers from the SIP guest context (without registration). So far the +44 country code (UK) is always visible in those attempts.