[asterisk-bugs] [JIRA] (ASTERISK-19348) With alwaysauthreject=yes AND allowguest=no Asterisk fails to report a SIP Security Event

Michael L. Young (JIRA) noreply at issues.asterisk.org
Wed Apr 24 11:04:38 CDT 2013 

    [ https://issues.asterisk.org/jira/browse/ASTERISK-19348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=205753#comment-205753 ] 

Michael L. Young edited comment on ASTERISK-19348 at 4/24/13 11:04 AM:
-----------------------------------------------------------------------

Vladimir, I understand your concern and desire to protect yourself.  There is plenty of documentation and guidelines for securing Asterisk.  I am sorry that you were attacked and didn't know about it.  

I am not trying to dictate what information is suitable.  I am trying to direct you guys to the proper forums.  As with any project, open source or otherwise, there are proper forums for such a discussion and certain guidelines that everyone in the community needs to follow in order to make sure things are handled properly.  The issue tracker is not the proper forum.  Please see https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines#AsteriskIssueGuidelines-PurposeoftheAsteriskissuetracker

I also tried to direct motekpc on how to post patches if he chose to do so and so far everyone is not following that suggestion.  Code submissions fall under the need to have a license for legal reasons.  Therefore, I am not going to remove a patch and re-attach it under my license since it is not my code.

Please try the asterisk-users mailing list.  This is something you need to bring to the attention of the community and the issue tracker defeats what you are trying to accomplish because it limits this discussion to only those following this issue.  You are free to modify your version of Asterisk as you see pleased.  But, this is not the proper forum to discuss it.  It is an issue tracker for which this issue has been treated, handled, and closed.

https://wiki.asterisk.org/wiki/display/AST/Mailing+Lists

https://wiki.asterisk.org/wiki/display/AST/IRC

Thanks
                
      was (Author: elguero):
    Vladimir, I understand your concern and desire to protect yourself.  There is plenty of documentation and guidelines for securing Asterisk.  I am sorry that you were attacked and didn't know about it.  

I am not trying to dictate what information is suitable.  I am trying to direct you guys to the proper forums.  As with any project, open source or otherwise, there are proper forums for such a discussion and certain guidelines that everyone in the community needs to follow in order to make sure things are handled properly.  The issue tracker is not the proper forum.  Please see https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines#AsteriskIssueGuidelines-PurposeoftheAsteriskissuetracker

Please try the asterisk-users mailing list.  This is something you need to bring to the attention of the community and the issue tracker defeats what you are trying to accomplish because it limits this discussion to only those following this issue.  You are free to modify your version of Asterisk as you see pleased.  But, this is not the proper forum to discuss it.  It is an issue tracker for which this issue has been treated, handled, and closed.

https://wiki.asterisk.org/wiki/display/AST/Mailing+Lists

https://wiki.asterisk.org/wiki/display/AST/IRC

Thanks
                  
> With alwaysauthreject=yes AND allowguest=no Asterisk fails to report a SIP Security Event
> -----------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-19348
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-19348
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/General
>    Affects Versions: 1.8.9.2, 10.1.2
>            Reporter: Bruce B
>         Attachments: asterisk-19348-auth_fake-sec-event_v1.patch, asterisk-19348-auth_fake-sip-log-event_v1.patch
>
>
> Asterisk should log source IP address of incoming calls when allowguest=no AND alwaysauthreject=yes but it doesn't. It seems to be a deficiency of allowguest feature. The only log found when there is an incoming call is this which doesn't include source IP address:
> NOTICE[10331] chan_sip.c: Sending fake auth rejection for device "Anonymous" <sip:Anonymous at anonymous.invalid>;tag=as4a1b8317
> ***WARNING: source IP address in this MUST be pulled from OS network layer rather than relying on SIP Packets as spoofed source IP is not really the source IP. Better yet maybe include both spoofed source IP and true source IP in a message like this:
> chan_sip.c: NOTICE[xxxxx]: Call attempt was made from SPOOFED SOURCE IP: x.x.x.x with TRUE SOURCE IP: x.x.x.x
> ***It's best to create this log in full log file as well.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the asterisk-bugs mailing list