SIP Brute Force Attacks on the Increase

On our own Asterisk PBX server for our office and on some customer boxes with open SIP ports, we have seen a dramatic rise in brute force SIP attacks.

They all follow a very common pattern – just over 41,000 login attempts on common extensions such as 200, 201, 202, etc. We were even asked to provide some consultancy about two weeks ago for a company using an Asterisk PBX who saw strange (irregular) calls to African countries.

They were one example of such a brute force attack succeeding because of a common mistake:

  1. an open SIP port with:
  2. common extensions with:
  3. a bad password.

(1) is often unavoidable. (2) can be mitigated by not using the predictable three or four digit extension as the username. (3) is inexcusable. We’ve even seen entries such as extension 201, username 201, password 201. The password should always be a random string mixing alphanumeric characters. A good recipe for generating these passwords is to use openssl as follows:

openssl rand -base64 12

Users should never be allowed to choose their own passwords, and dictionary words should never be used. The brute force attack tried >41k common passwords.

Preventing or Mitigating These Attacks

You can mitigate against these attacks by putting external SIP users into dedicated contexts which limit the kinds of calls they can make (internal only, local and national, etc); ask for a PIN for international calls; limit time and cost; etc.

However, the above might be a lot of work when simply blocking users after a number of failed attempts can be much easier and more effective. Fail2ban is a tool which can scan log files like /var/log/asterisk/full and firewall IP addresses that make too many failed authentication attempts.

See VoIP-Info.org for generic instructions or below for a quick recipe to get it running on Debian Lenny.

Quick Install for Fail2ban with Asterisk SIP on Debian Lenny

  1. apt-get install fail2ban
  2. Create a file called /etc/fail2ban/filter.d/asterisk.conf with the following (thanks to this page):
  3. Put the following in /etc/fail2ban/jail.local:
  4. Edit /etc/asterisk/logger.conf such that the date format under [general] reads:
    dateformat=%F %T
  5. Also in /etc/asterisk/logger.conf, ensure full logging is enabled with a line such as the following under [logfiles]:
    full => notice,warning,error,debug,verbose
  6. Restart / reload Asterisk
  7. Start Fail2ban: /etc/init.d/fail2ban start and check:
    • Fail2ban’s log at /etc/log/fail2ban.log for:
      INFO   Jail 'asterisk-iptables' started
    • The output of iptables --list -v for something like:
      Chain fail2ban-ASTERISK (1 references)
       pkts bytes target     prot opt in     out     source               destination
        227 28683 RETURN     all  --  any    any     anywhere             anywhere

You should now receive emails (assuming you replaced the example addresses above with your own and your MTA is correctly configured) when Fail2ban starts or stops and when a host is blocked.
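To see what the jail does with the log once the %F %T date format is in place, here is an added Python sketch (not the filter or jail from the original post, whose contents are not shown here) that counts failed chan_sip registrations per source address in a sliding window. The thresholds, the regex and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical thresholds; the post's jail.local values are not shown on the page.
MAX_RETRY = 5
FIND_TIME = timedelta(minutes=10)

# chan_sip failed-registration notice, timestamped with dateformat=%F %T.
# The From header is attacker-controlled: the greedy '.*' plus the '$' anchor
# make the match use the LAST "failed for", the one Asterisk itself wrote.
FAILED = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?'"
    r" - (?:Wrong password|No matching peer found)$"
)

def hosts_to_ban(lines, max_retry=MAX_RETRY, find_time=FIND_TIME):
    """Return {ip: timestamp of the failure that crossed the threshold}."""
    recent = defaultdict(deque)      # ip -> failure times inside the window
    banned = {}
    for line in lines:               # lines are expected in chronological order per host
        m = FAILED.match(line.rstrip("\n"))
        if not m or m["ip"] in banned:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:    # forget failures older than find_time
            window.popleft()
        if len(window) >= max_retry:
            banned[m["ip"]] = ts
    return banned

def sample_log():
    """Constructed log lines (documentation-range IPs), not real captures."""
    fmt = ("[{t:%Y-%m-%d %H:%M:%S}] NOTICE[2341] chan_sip.c: Registration from "
           "'\"{ext}\" <sip:{ext}@192.0.2.10>' failed for '{ip}' - {why}")
    start = datetime(2010, 6, 1, 3, 0, 0)
    log = [fmt.format(t=start + timedelta(seconds=i), ext=200 + i,
                      ip="203.0.113.7", why="Wrong password") for i in range(6)]
    # A user who mistypes twice, and a host whose 5 failures span 20 minutes.
    log += [fmt.format(t=start + timedelta(seconds=30 * i), ext=301,
                       ip="198.51.100.4", why="Wrong password") for i in range(2)]
    log += [fmt.format(t=start + timedelta(minutes=5 * i), ext=999,
                       ip="198.51.100.9", why="No matching peer found") for i in range(5)]
    return log

if __name__ == "__main__":
    print(hosts_to_ban(sample_log()))
```

Only the host that walks extensions 200 to 205 within seconds crosses the threshold; lines written with Asterisk's default date format do not match at all, which is why step 4 matters.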

Go That Way, Really Fast

In the vein of Release Early, Release Often, Jeff Atwood, CTO of StackOverflow.com, has posted an interesting article on the topic and on the huge amount of work they have gotten done in five months and their fears that they’re still not moving fast enough.

We’re going to go that way, really fast. And if something gets in our way, we’ll turn.


Link: MySQL Best Practices

I came across this site today which has some good advice for MySQL. I’m particularly happy to see that Doctrine, a relatively new ORM for PHP which we’re big fans of, is gaining some traction.

I also noticed that Piwik, an open source analytics package, are using some interesting quality assurance tools which may be of interest to PHP developers (along with a continuous integration tool I came across recently: phpUnderControl).

Continuous Integration for PHP

I stumbled upon phpUnderControl today by chance and it looks like a very interesting project which integrates:

I hope to take a closer look at it in the near future for a new project we’re lining up at work (want to help us?).

Speaking of continuous integration, for another project we installed and look after a Hudson server for a customer who is developing a Java and Cocoa application – if you’re looking for a CI tool for a Java (or other) development project, this is definitely worth a look (easy installation, nice and intuitive interface and well featured).

HTTP Streaming with Encryption under Linux

For a customer of ours, we need to mass encode thousands of video files and also segment and encrypt them for use with Apple’s HTTP Streaming (using Amazon EC2 instances for the leg work).

On his blog, Carson McDonald has put together a good overview of how HTTP Streaming can work under Linux, along with a segmenter.

The one piece of the jigsaw we were missing was encryption and after some work ourselves and with the help of a stackoverflow question, we have a working sequence of commands to successfully and compatibly encrypt segments for playback on Safari and other supported HTTP streaming clients:

  1. Create a key file:
    openssl rand 16 > static.key
  2. Convert the key into hex:
    key_as_hex=$(cat static.key | hexdump -e '16/1 "%02x"')
  3. At this point, let’s assume we have segmented a file of 30 seconds called video_low.ts into ten 3 second segments called video_low_X.ts where X is an integer from 1 to 10. We can then encrypt these as follows:
    for i in {0..9}; do
        # IV = sequence number of the segment as a 128-bit hex number
        init_vector=`printf '%032x' $i`
        openssl aes-128-cbc -e -in video_low_$(($i+1)).ts \
            -out video_low_enc_$(($i+1)).ts -p -nosalt \
            -iv $init_vector -K $key_as_hex
    done
    

With a matching m3u8 file such as the following, the above worked fine:

#EXTM3U
#EXT-X-TARGETDURATION:3
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:3,
#EXT-X-KEY:METHOD=AES-128,URI="http://www.example.com/static.key"
http://www.example.com/video_low_enc_1.ts
#EXTINF:3,
http://www.example.com/video_low_enc_2.ts
...
#EXT-X-ENDLIST

What caught us out was the initialisation vector, which is described in the draft IETF document as follows:

128-bit AES requires the same 16-octet Initialization Vector (IV) to
be supplied when encrypting and decrypting. Varying this IV
increases the strength of the cipher.

If the EXT-X-KEY tag has the IV attribute, implementations MUST
use the attribute value as the IV when encrypting or decrypting
with that key. The value MUST be interpreted as a 128-bit
hexadecimal number and MUST be prefixed with 0x or 0X.

If the EXT-X-KEY tag does not have the IV attribute,
implementations MUST use the sequence number of the media
file as the IV when encrypting or decrypting that media file.
The big-endian binary representation of the sequence number
SHALL be placed in a 16-octet buffer and padded (on the left)
with zeros.
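The IV rule quoted above, as an added Python example (not code from the original post or from the draft): it walks a media playlist and returns the IV each segment has to be encrypted with, using the IV attribute when the EXT-X-KEY tag carries one and the segment's sequence number otherwise. The function name and the LIVE and PINNED playlists are constructed for illustration; they show that the IV follows EXT-X-MEDIA-SEQUENCE, not the number in the file name.

```python
import re

def segment_ivs(playlist):
    """Return [(uri, iv_hex or None)] for each media URI in an HLS playlist."""
    seq = 0              # sequence number of the next URI; 0 if the tag is absent
    encrypted = False
    explicit_iv = None
    result = []
    for line in (raw.strip() for raw in playlist.splitlines()):
        if line.startswith("#EXT-X-MEDIA-SEQUENCE:"):
            seq = int(line.split(":", 1)[1])
        elif line.startswith("#EXT-X-KEY:"):
            # Blank out quoted values so a URI containing "IV=" cannot confuse us.
            attrs = re.sub(r'"[^"]*"', '""', line.split(":", 1)[1])
            encrypted = re.search(r"(?:^|,)METHOD=AES-128(?:,|$)", attrs) is not None
            m = re.search(r"(?:^|,)IV=0[xX]([0-9a-fA-F]{1,32})(?:,|$)", attrs)
            explicit_iv = m.group(1).lower().zfill(32) if m else None
        elif line and not line.startswith("#"):
            if not encrypted:
                iv = None
            elif explicit_iv:
                iv = explicit_iv          # the IV attribute wins when present
            else:
                # Big-endian sequence number, left-padded with zeros to 16 octets.
                iv = seq.to_bytes(16, "big").hex()
            result.append((line, iv))
            seq += 1
    return result

# Constructed playlists: the post's layout, a live window starting at 2680,
# and a key tag with an explicit IV (plus a decoy "IV=" inside the URI).
VOD = """#EXTM3U
#EXT-X-TARGETDURATION:3
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:3,
#EXT-X-KEY:METHOD=AES-128,URI="http://www.example.com/static.key"
http://www.example.com/video_low_enc_1.ts
#EXTINF:3,
http://www.example.com/video_low_enc_2.ts
#EXT-X-ENDLIST
"""
LIVE = VOD.replace("SEQUENCE:0", "SEQUENCE:2680")
PINNED = VOD.replace('static.key"', 'static.key?IV=0x1",IV=0X00ff')

if __name__ == "__main__":
    for name, text in (("VOD", VOD), ("LIVE", LIVE), ("PINNED", PINNED)):
        print(name, segment_ivs(text))
```

Each returned iv_hex is in the form the -iv option of the openssl command above expects.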

Open Solutions is Hiring

We’ve just announced that we are looking for someone new to join our team over at Open Solutions.

UPDATE: Official Announcement

We’ll be making a more official announcement later next week but I’m heading away for a few days and wanted to get something out there.

Encoding Video for the HTC Desire

A useful script to encode all files passed as parameter(s) for viewing on a HTC Desire.

While I’m writing about video encoding, another task I did recently was encode a load of video files for my HTC Desire (a handset I’d strongly recommend for anyone). The main reason being that I like to watch something while pounding the treadmill in the gym.

A useful script to encode all files passed as parameter(s) (must all end in .avi) is:

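#! /bin/bash

# Two-pass encode of every .avi file given on the command line.
for src in "$@"; do
    # foo.avi -> _foo.mp4
    dst="_${src%avi}mp4"

    echo -en "Encoding $src\t\t\tPASS1"

    # Pass 1: video analysis only (no audio); ffmpeg's own output is discarded
    ffmpeg -b 600kb -i "$src" -v 0 -pass 1 -passlogfile FF -vb 600Kb \
        -r 25 -an -threads 2 -y "$dst" > /dev/null 2>&1

    echo -e "\tPASS2"

    # Pass 2: final encode using the statistics gathered in pass 1
    ffmpeg -b 600kb -i "$src" -v 0 -pass 2 -passlogfile FF -vb 600Kb \
        -r 25 -threads 2 -y -vol 1536 "$dst" > /dev/null 2>&1

    rm -f FF-0.log
done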

Encoding Full HD as FLV (for Gallery3)

I have a full HD camcorder and I wanted to stick some good quality video on my gallery for relatives to view. So, I needed to convert my sample 100MB MP4 full HD file to a suitably sized FLV for the Gallery. Here’s what I did…

I have a very nice Samsung R10 Full HD Camcorder which I bought last year. After a recent family holiday, I wanted to stick some good quality video on my gallery for relatives to view. The gallery is RC2 of the excellent Gallery 3 package which uses another excellent open source tool called Flow Player to play movies.

So, I needed to convert my test 100MB MP4 full HD file to a suitably sized FLV for the Gallery. My initial attempts with ffmpeg worked fine but the quality (sample) was very poor and changing the bit rate in different ways seemed to make no difference:

ffmpeg -i HDV_0056.MP4 -vb 600k -s vga -ar 22050 -y Test.flv
ffmpeg -i HDV_0056.MP4 -b 600k -s vga -ar 22050 -y Test.flv
ffmpeg -i HDV_0056.MP4 -vb 600k -s vga -ar 22050 -y Test.flv

I then turned to x264 and broke the process down to a number of stages:

  1. Extract the raw video to YUV4MPEG (this creates a 7GB file from my 100MB MP4):
    ffmpeg -i HDV_0056.MP4 HDV_0056.y4m
  2. Encode the video component to H.264/FLV at the specified bit rate with good quality:
    x264 --pass 1 --preset veryslow --threads 0 --bitrate 4000 \
            -o HDV_0056.flv HDV_0056.y4m
    x264 --pass 2 --preset veryslow --threads 0 --bitrate 4000 \
            -o HDV_0056.flv HDV_0056.y4m

    Note that I’m using the veryslow preset which is… very slow! You can use other presets as explained in the x264 man page.

  3. Extract and convert the audio component to MP3 (the sample rate is important):
    ffmpeg -i HDV_0056.MP4 -vn -ar 22050 HDV_0056.mp3
  4. Merge the converted audio and video back together:
    ffmpeg -i HDV_0056.flv -i HDV_0056.mp3 -acodec copy \
            -vcodec copy -y FullSizeVideo.flv

    This yields a near perfect encoding at 22MB. It’s still full size though (HD at 1920×1080).

  5. The last step is to then use ffmpeg to resize the video and it now seems to respect bit rate parameters:
    ffmpeg -i FullSizeVideo.flv -s vga -b 2000k \
            -vb 2000k SmallSizeVideo.flv

The resultant video can be seen here.

Robert Swain has a useful guide for ffmpeg x264 encoding.

Emily @ Glenroe Open Farm

From their own site:

Glenroe Farm is one of Wicklow’s top tourist attractions. The farm is ideally located beside the picturesque North Wicklow coastline and less than an hour from Dublin City just off the N11. The farm is both educational and fun and here you can get up close to a wide variety of farm animals and pets, enjoy the great outdoors, relax in the peace and tranquillity of our Nature walk, have fun in the large outdoor playground overlooking the farm, try our home cooking from the Coffee Shop or bring your own picnic.

Installing FreeBSD on Soekris net4801-48

Nick introduced me to Soekris a few weeks ago and some neat little boxes they make. For a current project, the net4801 fit the bill perfectly, especially with the add-in vpn1411, which offloads the intensive computational operations for encryption and compression.

I plan some future posts looking at the throughput performance of OpenVPN with and without the vpn1411 as well as general traffic throughput measurements. This post however will focus on installing FreeBSD on this device as easily as possible.

Firstly, I ordered the following:

Including P&P, this all came to €369.48.

While there is a lot of documentation online and a number of methods available to install FreeBSD on a Soekris box, I found that the easiest way to do it was as if I were installing on the local machine and hence I could just install it as normal. For this, we turn to VirtualBox [1].

  1. Install VirtualBox if you don’t have it.
  2. Attach the CF card to your computer via the USB card reader.
  3. Download a FreeBSD installation CD (e.g. 8.0-RELEASE-i386-disc1.iso).
  4. Create a new VirtualBox machine such that:
    • the ISO image is mounted;
    • you have enabled a network adapter (PCnet-PCI II in bridged mode works for me as I have a DHCP server on the LAN).
  5. Boot the new VirtualBox machine and from its built in BIOS, choose to boot from the mounted CD ROM.
  6. Immediately attach the USB card reader device to the VirtualBox machine.
  7. Choose a custom install so you can select the USB device as the destination medium (da0 for me).
  8. Proceed with your FreeBSD installation as normal.

Once it completes, there are some changes you should make before popping the CF card back into the Soekris box:

  1. In /etc/rc.conf, set up the network configuration. Note that in VirtualBox, the interfaces will be reported as le0 but when booted on the Soekris box, they’ll be sis0 through sis2. I set sis0 (marked Eth 0 on the case) to configure by DHCP. I also set a static IP on sis2 so I can access the box on a direct computer to computer connection if necessary. Lastly, I enable the SSH daemon (ensure you have created a user!):
    ifconfig_sis0="DHCP"
    ifconfig_sis2="inet 192.168.130.2 netmask 255.255.255.0 up"
    sshd_enable="YES"
    
  2. When installing via VirtualBox, the destination device was a USB drive. On the Soekris, the CF is handled as an IDE drive. As such, change fstab to something like (as appropriate for you – I have a single root filesystem and a swap partition):
    # Device                Mountpoint      FStype  Options         Dump    Pass#
    /dev/ad0s1b             none            swap    sw              0       0
    /dev/ad0s1a             /               ufs     rw              1       1
    
  3. Enable a console on the serial port in /etc/ttys by editing the ttyu0 line:
    ttyu0   "/usr/libexec/getty std.9600"   vt100   on secure                          
    
  4. Lastly, add the following lines to /boot/loader.conf:
    comconsole_speed="9600"
    console="comconsole"
    

Now, pop the CF card back into the Soekris box and boot with the serial console attached (19200,8,n,1). I immediately changed the Soekris console speed to 9600 so that it works seamlessly from Soekris BIOS to FreeBSD bootloader, kernel and console.

1. VirtualBox is a fantastic piece of software. I run Kubuntu natively on my laptop and I have a virtual Windows 7 Professional machine running in VirtualBox most of the time. It runs smoothly and quickly and there is a wonderful feature to allow you to attach USB devices to the virtual machine (so my iPhone can access iTunes for example).