[asterisk-bugs] [JIRA] (ASTERISK-19348) With alwaysauthreject=yes AND allowguest=no Asterisk fails to report a SIP Security Event

Michael L. Young (JIRA) noreply at issues.asterisk.org
Tue Feb 5 11:39:58 CST 2013 

    [ https://issues.asterisk.org/jira/browse/ASTERISK-19348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=202444#comment-202444 ] 

Michael L. Young edited comment on ASTERISK-19348 at 2/5/13 11:39 AM:
----------------------------------------------------------------------

Hey folks, so Ive also been searching the web for a solution to this issue using asterisk 1.8. To review the issue we are talking about, in the asterisk logs we see something like this "chan_sip.c: Sending fake auth rejection for device <sip:mysipserversip>;tag=seqgxjfs4r" and we dont know the ip of the attacker because our own servers ip is listed instead.

so the patch here ASTERISK-19348 is not for asterisk 1.8. magically i was able to work this out on my own with asterisk 1.8. i havent tested this yet and this will not cause any damage to your server whatsoever. please understand that i am no pro. do this at your own risk! :-p

*EDIT* _This is not the proper place to put this.  This belongs on a blog post._
                
      was (Author: gavimobile):
    Hey folks, so Ive also been searching the web for a solution to this issue using asterisk 1.8. To review the issue we are talking about, in the asterisk logs we see something like this "chan_sip.c: Sending fake auth rejection for device <sip:mysipserversip>;tag=seqgxjfs4r" and we dont know the ip of the attacker because our own servers ip is listed instead.

so the patch here https://issues.asterisk.org/jira/browse/ASTERISK-19348?page=com.atlassian.jira.plugin.system.issuetabpanels:changehistory-tabpanel is not for asterisk 1.8. magically i was able to work this out on my own with asterisk 1.8. i havent tested this yet and this will not cause any damage to your server whatsoever. please understand that i am no pro. do this at your own risk! :-p

so find the source of where your asterisk installation is located. this is the directory where you compiled asterisk. for me it is /usr/src/myasterisk_svn. now find inside the directory called "channels" a file called chan_sip.c. backup the file just in case.  cp /usr/src/thedir/channels/chan_sip.c /usr/src/chan_sip.c.old  than edit the file.
nano /usr/src/asteriskinstall/channels/chan_sip.c and search for this section.


} else if (sip_cfg.alwaysauthreject) {
     res = AUTH_FAKE_AUTH; /* reject with fake authorization request */
} 

and change it to look like this

} else if (sip_cfg.alwaysauthreject) {
     res = AUTH_FAKE_AUTH; /* reject with fake authorization request */
     ast_log(LOG_NOTICE, "heres the mofo %s\n", get_header(req, "From"));
}

so all we did basicly was we added this line
ast_log(LOG_NOTICE, "heres the mofo %s\n", get_header(req, "From"));

so now in the log instead of just seeing this

NOTICE[9363] chan_sip.c: Sending fake auth rejection for device 100<sip:101 at my_servers_ip>;tag=2d3e197a 

we see something like this instead 
NOTICE[9363] chan_sip.c: testing <sip:the_mofos_ip>;tag=2d3e197a 
NOTICE[9363] chan_sip.c: Sending fake auth rejection for device 100<sip:101 at my_servers_ip>;tag=2d3e197a 

now recompile asterisk, 
make && make install

and then all you need to do is add a new line to the asterisk filter in fail2ban!

hope this was of help to someone! would really love to hear your feedback

edit:
i have now finished my testing and i can confirm it works. heres what i added to chan_sip.c

right under the line 

res = AUTH_FAKE_AUTH; /* reject with fake authorization request */

add 

ast_log(LOG_NOTICE, "hacking attempt detected '%s'\n", ast_sockaddr_stringify_addr(addr));


so now it looks like 

res = AUTH_FAKE_AUTH; /* reject with fake authorization request */
ast_log(LOG_NOTICE, "hacking attempt detected '%s'\n", ast_sockaddr_stringify_addr(addr));


then recompile 

make && make install

than in fail2ban edit the jail file

/etc/fail2ban/filter.d/asterisk.conf

and add this line 

NOTICE.* .*: hacking attempt detected '<HOST>'


restart your services!!!

                  
> With alwaysauthreject=yes AND allowguest=no Asterisk fails to report a SIP Security Event
> -----------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-19348
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-19348
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/General
>    Affects Versions: 1.8.9.2, 10.1.2
>            Reporter: Bruce B
>         Attachments: asterisk-19348-auth_fake-sec-event_v1.patch, asterisk-19348-auth_fake-sip-log-event_v1.patch
>
>
> Asterisk should log source IP address of incoming calls when allowguest=no AND alwaysauthreject=yes but it doesn't. It seems to be a deficiency of allowguest feature. The only log found when there is an incoming call is this which doesn't include source IP address:
> NOTICE[10331] chan_sip.c: Sending fake auth rejection for device "Anonymous" <sip:Anonymous at anonymous.invalid>;tag=as4a1b8317
> ***WARNING: source IP address in this MUST be pulled from OS network layer rather than relying on SIP Packets as spoofed source IP is not really the source IP. Better yet maybe include both spoofed source IP and true source IP in a message like this:
> chan_sip.c: NOTICE[xxxxx]: Call attempt was made from SPOOFED SOURCE IP: x.x.x.x with TRUE SOURCE IP: x.x.x.x
> ***It's best to create this log in full log file as well.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the asterisk-bugs mailing list