[asterisk-bugs] [JIRA] Commented: (ASTERISK-20506) With alwaysauthreject=yes AND allowguest=no Asterisk fails to report Attacker's IP Address

MBH (JIRA) noreply at issues.asterisk.org
Thu Oct 4 10:29:27 CDT 2012


    [ https://issues.asterisk.org/jira/browse/ASTERISK-20506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=197954#comment-197954 ] 

MBH commented on ASTERISK-20506:
--------------------------------

Thank you for the explanation Matt. I guess I'll move to Asterisk 10 and get it over with. I assume the log output is fail2ban-friendly, correct?

Also, I did not suggest that LTS should get new features. I was wondering why an LTS build wasn't patched/fixed, and since you said that the security event framework is new, it shouldn't be backported, as it's not a bug fix but an enhancement.

As for Asterisk 1.8, it was mentioned before that the IPs can be spoofed, and logging them to ban them is kind of pointless. You've suggested throttling via iptables & I mentioned that, for the setups that do not need anonymous calls, they can enable them, log these specific calls, send them to a busy-tone/congested end, then use the IP to ban them.

Other than that, I honestly don't see a reliable way within Asterisk 1.8 to handle such a problem. Maybe the default configs should be updated to mention this security problem and that it can be avoided with v10, or, if v8 is necessary, to stick to the proper security procedures (type=peer, alwaysauthreject=yes, allowguest=no), etc. to prevent user enumeration.

> With alwaysauthreject=yes AND allowguest=no Asterisk fails to report Attacker's IP Address
> ------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-20506
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20506
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/General
>    Affects Versions: 1.8.15.1
>         Environment: CentOS release 5.8 (Final), Kernel 2.6.18-308.8.2.el5.028stab101.1, 32-bit, running on an OpenVZ VPS.
>            Reporter: MBH
>
> My Asterisk box is being brute forced and I'm getting messages in the logs referencing my box's IP instead of the attacker's:
> [2012-10-03 03:49:45] NOTICE[28161]: chan_sip.c:22723 handle_request_invite: Sending fake auth rejection for device 5550000<sip:5550000@AsteriskIP>;tag=396cbe1b
> The notice message is not logging the attacker IP at all, thus cannot be blocked using fail2ban.
> The same is mentioned here: http://lists.digium.com/pipermail/asterisk-users/2011-March/260377.html and here: http://forums.digium.com/viewtopic.php?t=78988
> I'm using type=peer, alwaysauthreject=yes, allowguest=no

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
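Added illustration, not part of this thread or of the Asterisk project: a small Python filter in the spirit of a fail2ban rule, run over constructed chan_sip NOTICE lines. It shows why the 1.8 "Sending fake auth rejection" line quoted in the report cannot feed a ban list: the only address in it is the URI host copied from the request (the PBX's own address in the report), not the sender's transport address. The registration-failure format, the addresses and the sample lines are constructed assumptions.

```python
import re
from collections import Counter
from typing import Optional

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# The 1.8 NOTICE quoted in the report. Its only address sits inside the SIP
# URI of the device string, which is copied from the incoming request rather
# than taken from the transport source, so a ban rule must not use it.
FAKE_AUTH_RE = re.compile(
    r"handle_request_invite: Sending fake auth rejection for device "
    r"(?P<device>[^<]*)<sip:[^@>]+@(?P<uri_host>[^>;]+)>"
)

# A chan_sip failure line that does carry the remote address in
# "failed for 'IP:port'" (format assumed here, not taken from the report).
REG_FAIL_RE = re.compile(
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>" + IPV4 + r"):\d+'"
)

def untrusted_host(line: str) -> Optional[str]:
    """URI host from a fake-auth-rejection line; exposed only to demonstrate
    that it is the PBX's (or sender-chosen) address, never the attacker's."""
    m = FAKE_AUTH_RE.search(line)
    return m.group("uri_host") if m else None

def extract_offender(line: str) -> Optional[str]:
    """Return the remote IP a ban rule may act on, or None when the line
    carries no trustworthy remote address (the ASTERISK-20506 case)."""
    m = REG_FAIL_RE.search(line)
    return m.group("ip") if m else None

def ban_candidates(lines, max_failures: int = 3) -> set:
    """IPs that appear in at least max_failures actionable lines."""
    hits = Counter(ip for ip in map(extract_offender, lines) if ip)
    return {ip for ip, n in hits.items() if n >= max_failures}

# Constructed sample log (documentation-range addresses; 192.0.2.10 is the PBX).
SAMPLE_LOG = [
    "[2012-10-03 03:49:45] NOTICE[28161]: chan_sip.c:22723 handle_request_invite: "
    "Sending fake auth rejection for device 5550000<sip:5550000@192.0.2.10>;tag=396cbe1b",
    "[2012-10-03 03:50:01] NOTICE[28161]: chan_sip.c:NNNNN handle_request_register: "
    "Registration from '\"100\" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password",
    "[2012-10-03 03:50:02] NOTICE[28161]: chan_sip.c:NNNNN handle_request_register: "
    "Registration from '\"101\" <sip:101@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password",
]

if __name__ == "__main__":
    print([extract_offender(l) for l in SAMPLE_LOG], ban_candidates(SAMPLE_LOG, 2))
```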


