Sjur Usken

Views on new technologies and business opportunities from Sjur Usken

And the scanning just keeps on coming


A Chinese based server has been very active latest days, and googling the IP addresses ( 113.105.152.102 and 113.105.152.104 ) tells me they have been scanning a long time.

One guy with an Asterisk got hit December 2009 and others back in November. Others starts debugging and asks what it is in public support forums. There will be even more of this scanning coming next months!

Some has added firewall rules like:

deny 113.105.152.102/255.255.255.255
deny 66.117.50.225/255.255.255.255
deny 204.57.122.6/255.255.255.255

But this will not last long until some new IP addresses show up.

What to do about it?

Secure your IP PBX and don’t let port 5060 be open for everybody.
If you must, have very long and strong passwords on all extensions. (or use port knocking..)
Make sure that callers into your PBX is not allowed onto any Outbond context making you pay their calls…

One response to “And the scanning just keeps on coming

  1. Koos van den Hout February 23, 2010 at 7:18 pm

    I see the same on an asterisk which is reachable from the big bad Internet (but which is incapable of dialing out over phone networks which cost actual money). My last scan (21 February) was from 96.57.107.3 which is in Tappan, NY, USA.

    Other stuff I see in the logs are attempts to call numbers from the SIP guest context (without registration). So far the +44 country code (UK) is always visible in those attempts.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: