[asterisk-bugs] [JIRA] (ASTERISK-19348) With alwaysauthreject=yes AND allowguest=no Asterisk fails to report a SIP Security Event

Vladimir Mikhelson (JIRA) noreply at issues.asterisk.org
Wed Apr 24 10:51:38 CDT 2013


    [ https://issues.asterisk.org/jira/browse/ASTERISK-19348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=205751#comment-205751 ] 

Vladimir Mikhelson edited comment on ASTERISK-19348 at 4/24/13 10:51 AM:
-------------------------------------------------------------------------

Michael L. Young,

As Asterisk is open source software and this tool, read JIRA, is deployed to exchange information related to its development, you are not in a position to dictate what information is suitable and what is not, as long as it is pertinent to Asterisk development.

Some users may agree with your original solution, i.e. switch to v.10, or whatever you meant by your comment of 13/Feb/12 10:09 PM.

Martin tries to help other users.

The issue is serious and needs serious attention as it is a network security issue.

I was attacked for a number of days and had no idea where the attack(s) were coming from, basically through the whole period after I switched to 1.8.21.0, as chan_sip was redesigned.

The message to the effect that somebody failed to log in with the extension 9999 is insufficient at best as it does not provide any information for remediation.

Please reconsider including the necessary code in 1.8 branch ASAP.

I created a very dirty hack yesterday which helped me to isolate and shut down a couple attacks from Gaza.  I am hesitant to post the code here as it is too inclusive.

Ideally the patch should allow for a necessary forensics collection in the debug mode.  The information should include the source IP and passwords attempted. It looks doable to me by anybody who knows the code and functions.

Thank you,
Vladimir

                
      was (Author: vmikhelson):
    Michael L. Yong,

As Asterisk is open source software and this tool, read JIRA, is deployed to exchange information related to its development, you are not in a position to dictate what information is suitable and what is not, as long as it is pertinent to Asterisk development.

Some users may agree with your original solution, i.e. switch to v.10, or whatever you meant by your comment of 13/Feb/12 10:09 PM.

Martin tries to help other users.

The issue is serious and needs serious attention as it is a network security issue.

I was attacked for a number of days and had no idea where the attack(s) were coming from, basically through the whole period after I switched to 1.8.21.0, as chan_sip was redesigned.

The message to the effect that somebody failed to log in with the extension 9999 is insufficient at best as it does not provide any information for remediation.

Please reconsider including the necessary code in 1.8 branch ASAP.

I created a very dirty hack yesterday which helped me to isolate and shut down a couple attacks from Gaza.  I am hesitant to post the code here as it is too inclusive.

Ideally the patch should allow for a necessary forensics collection in the debug mode.  The information should include the source IP and passwords attempted. It looks doable to me by anybody who knows the code and functions.

Thank you,
Vladimir

                  
> With alwaysauthreject=yes AND allowguest=no Asterisk fails to report a SIP Security Event
> -----------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-19348
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-19348
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/General
>    Affects Versions: 1.8.9.2, 10.1.2
>            Reporter: Bruce B
>         Attachments: asterisk-19348-auth_fake-sec-event_v1.patch, asterisk-19348-auth_fake-sip-log-event_v1.patch
>
>
> Asterisk should log source IP address of incoming calls when allowguest=no AND alwaysauthreject=yes but it doesn't. It seems to be a deficiency of allowguest feature. The only log found when there is an incoming call is this which doesn't include source IP address:
> NOTICE[10331] chan_sip.c: Sending fake auth rejection for device "Anonymous" <sip:Anonymous@anonymous.invalid>;tag=as4a1b8317
> ***WARNING: source IP address in this MUST be pulled from OS network layer rather than relying on SIP Packets as spoofed source IP is not really the source IP. Better yet maybe include both spoofed source IP and true source IP in a message like this:
> chan_sip.c: NOTICE[xxxxx]: Call attempt was made from SPOOFED SOURCE IP: x.x.x.x with TRUE SOURCE IP: x.x.x.x
> ***It's best to create this log in full log file as well.

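The logging point made in the issue description above (take the source address from the OS network layer, and optionally show the address the SIP packet claims next to it), as an added example that is neither Asterisk code nor either of the attached patches. The function names, the log wording and the sample request are constructed for illustration; it assumes IPv4 and a long-form `Via:` header.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Constructed sample request; the Via host is whatever the sender chose to write. */
static const char SAMPLE_INVITE[] = "INVITE sip:9999@pbx.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed\r\n\r\n";

/* Copy the sent-by host of the first Via header (hypothetical helper). */
static int via_claimed_host(const char *msg, char *out, size_t outlen)
{
    const char *p = strstr(msg, "\nVia:");
    if (!p) return -1;
    p += 5; p += strspn(p, " \t");
    p += strcspn(p, " \t\r\n"); p += strspn(p, " \t");   /* skip "SIP/2.0/UDP" */
    size_t n = strcspn(p, ":;, \t\r\n");
    if (n == 0 || n >= outlen) return -1;
    for (size_t i = 0; i < n; i++)     /* sender-controlled bytes: keep the log line clean */
        out[i] = (p[i] >= 0x21 && p[i] <= 0x7e) ? p[i] : '?';
    out[n] = '\0';
    return 0;
}

/* Returns 1 if the Via host differs from the socket peer (also normal behind NAT), 0 if equal, -1 on error. */
int auth_reject_event(const char *msg, const struct sockaddr_in *peer, char *line, size_t len)
{
    char claimed[64] = "unknown", actual[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &peer->sin_addr, actual, sizeof(actual))) return -1;
    (void)via_claimed_host(msg, claimed, sizeof(claimed));  /* stays "unknown" on failure */
    int mismatch = strcmp(claimed, actual) != 0;
    snprintf(line, len, "fake auth rejection from %s:%u (Via claims %s%s)", actual,
             (unsigned)ntohs(peer->sin_port), claimed, mismatch ? ", MISMATCH" : "");
    return mismatch;
}

/* Hypothetical driver: treat the sample as received from src_ip:5060, as recvfrom() would report. */
const char *demo_event(const char *src_ip)
{
    static char line[256];
    struct sockaddr_in peer = { .sin_family = AF_INET, .sin_port = htons(5060) };
    if (inet_pton(AF_INET, src_ip, &peer.sin_addr) != 1) return NULL;
    return auth_reject_event(SAMPLE_INVITE, &peer, line, sizeof(line)) < 0 ? NULL : line;
}

int main(void)
{
    return puts(demo_event("203.0.113.7")) < 0 || puts(demo_event("192.0.2.10")) < 0;
}
```

The address to block or report is the one the socket layer returned; the `Via` value is recorded only as context, since the sender writes it.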