No subject

The pcap capture is indeed for a single session, but that was out of the norm. I usually get 10-20 scans a day, though.

By the way, the user Thor in the Digium forums did mention that attacks will move to other aspects of SIP from INV & REG, and that was in July 2011: http://forums.digium.com/viewtopic.php?t=78988#p160425 and a sample code was already posted, and it's odd that no one considered other SIP functions. The bug report that this is considered a duplicate of was in Feb & it was submitted to the trunk, so I'm guessing Thor should've reported it as a bug here instead of ranting in forums.

> With alwaysauthreject=yes AND allowguest=no Asterisk fails to report Attacker's IP Address
> ------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-20506
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20506
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/General
>    Affects Versions: 1.8.15.1
>         Environment: CentOS release 5.8 (Final), Kernel 2.6.18-308.8.2.el5.028stab101.1, 32-bit, running on an OpenVZ VPS.
>            Reporter: MBH
>         Attachments: sipdump.pcap
>
>
> My Asterisk box is being brute forced and I'm getting messages in the logs referencing my box's IP instead of the attacker's:
> [2012-10-03 03:49:45] NOTICE[28161]: chan_sip.c:22723 handle_request_invite: Sending fake auth rejection for device 5550000<sip:5550000 at AsteriskIP>;tag=396cbe1b
> The notice message is not logging the attacker IP at all, thus cannot be blocked using fail2ban.
> The same is mentioned here: http://lists.digium.com/pipermail/asterisk-users/2011-March/260377.html and here http://forums.digium.com/viewtopic.php?t=78988
> I'm using type=peer, alwaysauthreject=yes, allowguest=no

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira