[asterisk-bugs] [JIRA] Commented: (ASTERISK-20506) With alwaysauthreject=yes AND allowguest=no Asterisk fails to report Attacker's IP Address

Michael L. Young (JIRA) noreply at issues.asterisk.org
Wed Oct 3 11:32:27 CDT 2012 

    [ https://issues.asterisk.org/jira/browse/ASTERISK-20506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=197898#comment-197898 ] 

Michael L. Young commented on ASTERISK-20506:
---------------------------------------------

There have been some discussions, if I recall properly, on other ways you can protect yourself.  Something that I remember researching some time back and finding was that you could use IPtables to throttle the attack using "-m recent".  For instance, you can limit the bursts to help mitigate any DDoS.  Then when an attack from an IP hits their limit of say 20 hits within 30 seconds, you drop the packet.  You can "-j LOG" the dropped packet and have fail2ban take action to ban the IP based on the system log.

There are other ways to protect your self that doesn't require the Asterisk log to contain the IP address.  Using the above suggestion along with the Asterisk log file can be very effective.  Granted, it is much easier if you only had to check one place.

> With alwaysauthreject=yes AND allowguest=no Asterisk fails to report Attacker's IP Address
> ------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-20506
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20506
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/General
>    Affects Versions: 1.8.15.1
>         Environment: CentOS release 5.8 (Final), Kernel 2.6.18-308.8.2.el5.028stab101.1, 32-bit, running on an OpenVZ VPS.
>            Reporter: MBH
>
> My Asterisk box is being brute forced and I'm getting messages in the logs referencing my box's IP instead of the attacker's:
> [2012-10-03 03:49:45] NOTICE[28161]: chan_sip.c:22723 handle_request_invite: Sending fake auth rejection for device 5550000<sip:5550000 at AsteriskIP>;tag=396cbe1b
> The notice message is not logging the attacker IP at all, thus cannot be blocked using fail2ban.
> The same is mentioned here: http://lists.digium.com/pipermail/asterisk-users/2011-March/260377.html and here http://forums.digium.com/viewtopic.php?t=78988
> I'm using type=peer, alwaysauthreject=yes, allowguest=no

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the asterisk-bugs mailing list