[asterisk-bugs] [JIRA] Commented: (ASTERISK-20506) With alwaysauthreject=yes AND allowguest=no Asterisk fails to report Attacker's IP Address

MBH (JIRA) noreply at issues.asterisk.org
Mon Oct 8 12:55:27 CDT 2012


    [ https://issues.asterisk.org/jira/browse/ASTERISK-20506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=198146#comment-198146 ] 

MBH commented on ASTERISK-20506:
--------------------------------

Hello again. I have installed Asterisk 10 & enabled the security logging in logger.conf and I still get the same auth rejection messages in /var/log/asterisk/messages with a fake IP, but security doesn't show anything.

[2012-10-07 21:23:55] NOTICE[5847] chan_sip.c: Sending fake auth rejection for device 201<sip:201 at AsteriskIP>;tag=9e4a1889
[2012-10-07 21:23:55] NOTICE[5847] chan_sip.c: Sending fake auth rejection for device 201<sip:201 at AsteriskIP>;tag=9e4a1889
[2012-10-08 00:49:20] NOTICE[5847] chan_sip.c: Sending fake auth rejection for device "sipvicious"<sip:100 at 1.1.1.1>;tag=3465326661643461313363340132303932393039303130
[2012-10-08 01:15:55] NOTICE[5847] chan_sip.c: Sending fake auth rejection for device "sipvicious"<sip:100 at 1.1.1.1>;tag=34653266616434613133633401343838323735373533
[2012-10-08 04:37:03] NOTICE[5847] chan_sip.c: Sending fake auth rejection for device 101<sip:101 at AsteriskIP>;tag=cab0f2e6
[2012-10-08 04:37:03] NOTICE[5847] chan_sip.c: Sending fake auth rejection for device 101<sip:101 at AsteriskIP>;tag=cab0f2e6
[2012-10-08 10:42:13] NOTICE[5847] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown at 94.231.83.138>;tag=B9JloXj8Qp
[2012-10-08 10:42:13] NOTICE[5847] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown at 94.231.83.138>;tag=fDCq85udqo


The time stamp of these attacks is not related to the events listed in asterisk's security log.

This is the last thing I saw in my security log:
[2012-10-08 10:57:56] SECURITY[5827] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1349693876-568238",Severity="Error",Service="SIP",EventVersion="1",AccountID="001972592283580",SessionID="0x95e4290",LocalAddress="IPV4/UDP/AsteriskIP/5060",RemoteAddress="IPV4/UDP/37.8.25.94/5071"

> With alwaysauthreject=yes AND allowguest=no Asterisk fails to report Attacker's IP Address
> ------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-20506
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20506
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/General
>    Affects Versions: 1.8.15.1
>         Environment: CentOS release 5.8 (Final), Kernel 2.6.18-308.8.2.el5.028stab101.1, 32-bit, running on an OpenVZ VPS.
>            Reporter: MBH
>
> My Asterisk box is being brute forced and I'm getting messages in the logs referencing my box's IP instead of the attacker's:
> [2012-10-03 03:49:45] NOTICE[28161]: chan_sip.c:22723 handle_request_invite: Sending fake auth rejection for device 5550000<sip:5550000 at AsteriskIP>;tag=396cbe1b
> The notice message is not logging the attacker IP at all, thus cannot be blocked using fail2ban.
> The same is mentioned here: http://lists.digium.com/pipermail/asterisk-users/2011-March/260377.html and here http://forums.digium.com/viewtopic.php?t=78988
> I'm using type=peer, alwaysauthreject=yes, allowguest=no

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira



More information about the asterisk-bugs mailing list