[asterisk-bugs] [JIRA] Commented: (ASTERISK-20506) With alwaysauthreject=yes AND allowguest=no Asterisk fails to report Attacker's IP Address

Matt Jordan (JIRA) noreply at issues.asterisk.org
Thu Oct 4 09:55:27 CDT 2012


    [ https://issues.asterisk.org/jira/browse/ASTERISK-20506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=197950#comment-197950 ] 

Matt Jordan commented on ASTERISK-20506:
----------------------------------------

This got fixed in 10+ by virtue of the security event framework, which is the appropriate mechanism for reporting security-related information to external entities. Since that was a new feature in 10+, it wasn't a candidate for backporting. Part of the issue here is that the only mechanism available in 1.8 is Asterisk log messages, which are not standardized for consumption by external applications. For example, if we change the log format message for any message that someone may potentially use in an external application, we have now broken their integration. We have to be very, very cautious about any patch that gets applied in these situations.

The security event framework - and its module that logs such events to a log file - has a standard format.  So it doesn't have this limitation.

For Asterisk 1.8, I'm certainly open to any solution that solves this problem, while addressing people's concerns regarding how much it claims to solve and/or addressing all aspects of people's issues with the approach, and that does so in a fashion that won't break existing implementations of Asterisk 1.8.

As an aside, something being an LTS does not mean that it gets the new features developed for later versions - in fact, if anything, the opposite is true.  The fact that this was readily solved in 10+ is because of new features developed for those versions.  Backporting those new features to 1.8 would not only violate the feature policy for Asterisk, but would be highly intrusive and inject significant risk.  I don't think that's the appropriate way to handle this.

> With alwaysauthreject=yes AND allowguest=no Asterisk fails to report Attacker's IP Address
> ------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-20506
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20506
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/General
>    Affects Versions: 1.8.15.1
>         Environment: CentOS release 5.8 (Final), Kernel 2.6.18-308.8.2.el5.028stab101.1, 32-bit, running on an OpenVZ VPS.
>            Reporter: MBH
>
> My Asterisk box is being brute forced and I'm getting messages in the logs referencing my box's IP instead of the attacker's:
> [2012-10-03 03:49:45] NOTICE[28161]: chan_sip.c:22723 handle_request_invite: Sending fake auth rejection for device 5550000<sip:5550000 at AsteriskIP>;tag=396cbe1b
> The notice message is not logging the attacker IP at all, thus cannot be blocked using fail2ban.
> The same is mentioned here: http://lists.digium.com/pipermail/asterisk-users/2011-March/260377.html and here http://forums.digium.com/viewtopic.php?t=78988
> I'm using type=peer, alwaysauthreject=yes, allowguest=no

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
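
An added example, not part of the original message and not Asterisk project code: a small Python parser showing why the security event log described above can feed a blocker such as fail2ban while the 1.8 NOTICE line from the report cannot. The key="value" layout and the RemoteAddress format (family/transport/host/port) are assumed from the Asterisk 10+ security log, which the page does not show; the SECURITY lines, addresses and the threshold are constructed.

```python
import re
from collections import Counter

# Constructed sample. NOTICE_18 is the 1.8 line quoted in the report; the
# SECURITY lines assume the key="value" layout of the Asterisk 10+ security
# log and use documentation-range addresses.
NOTICE_18 = ("[2012-10-03 03:49:45] NOTICE[28161]: chan_sip.c:22723 handle_request_invite: "
             "Sending fake auth rejection for device 5550000<sip:5550000 at AsteriskIP>;tag=396cbe1b")
_EVENT = ('[2012-10-03 03:50:0{n}] SECURITY[28161] res_security_log.c: '
          'SecurityEvent="{ev}",EventTV="134925420{n}-0",Severity="{sev}",Service="SIP",'
          'EventVersion="1",AccountID="5550000",SessionID="0x9a3c1f0",'
          'LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/{ip}/5071"')
SAMPLE_LOG = "\n".join([NOTICE_18] + [
    _EVENT.format(n=n, ev=ev, sev=sev, ip=ip) for n, (ev, sev, ip) in enumerate([
        ("InvalidAccountID", "Error", "198.51.100.7"),
        ("InvalidAccountID", "Error", "198.51.100.7"),
        ("InvalidPassword", "Error", "203.0.113.5"),
        ("InvalidAccountID", "Error", "198.51.100.7"),
        ("SuccessfulAuth", "Informational", "203.0.113.5"),
    ])])

PAIR = re.compile(r'(\w+)="([^"]*)"')
# Event types treated as authentication failures in this example.
FAILURES = {"InvalidAccountID", "InvalidPassword", "ChallengeResponseFailed", "FailedACL"}

def parse_security_event(line):
    """Return the event fields as a dict, or None for non-SECURITY lines."""
    if "SECURITY[" not in line:
        return None
    fields = dict(PAIR.findall(line))
    return fields if "SecurityEvent" in fields else None

def remote_ip(fields):
    """Extract the host part of RemoteAddress (family/transport/host/port)."""
    parts = fields.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) == 4 else None

def offenders(log_text, threshold=3):
    """Map each remote IP to its failure count when it reaches the threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_security_event(line)
        if fields and fields["SecurityEvent"] in FAILURES:
            ip = remote_ip(fields)
            if ip:
                counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```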


