[asterisk-bugs] [JIRA] (ASTERISK-20506) With alwaysauthreject=yes AND allowguest=no Asterisk fails to report Attacker's IP Address
motekpc (JIRA)
noreply at issues.asterisk.org
Thu Jan 31 13:20:59 CST 2013
[ https://issues.asterisk.org/jira/browse/ASTERISK-20506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=202445#comment-202445 ]
motekpc commented on ASTERISK-20506:
------------------------------------
Hey folks, so Ive also been searching the web for a solution to this issue using asterisk 1.8. To review the issue we are talking about, in the asterisk logs we see something like this "chan_sip.c: Sending fake auth rejection for device <sip:mysipserversip>;tag=seqgxjfs4r" and we dont know the ip of the attacker because our own servers ip is listed instead.
so the patch here https://issues.asterisk.org/jira/browse/ASTERISK-19348?page=com.atlassian.jira.plugin.system.issuetabpanels:changehistory-tabpanel is not for asterisk 1.8. magically i was able to work this out on my own with asterisk 1.8. i havent tested this yet and this will not cause any damage to your server whatsoever. please understand that i am no pro. do this at your own risk! :-p
so find the source of where your asterisk installation is located. this is the directory where you compiled asterisk. for me it is /usr/src/myasterisk_svn. now find inside the directory called "channels" a file called chan_sip.c. backup the file just in case. cp /usr/src/thedir/channels/chan_sip.c /usr/src/chan_sip.c.old than edit the file.
nano /usr/src/asteriskinstall/channels/chan_sip.c and search for this section.
} else if (sip_cfg.alwaysauthreject) {
res = AUTH_FAKE_AUTH; /* reject with fake authorization request */
}
and change it to look like this
} else if (sip_cfg.alwaysauthreject) {
res = AUTH_FAKE_AUTH; /* reject with fake authorization request */
ast_log(LOG_NOTICE, "heres the mofo %s\n", get_header(req, "From"));
}
so all we did basicly was we added this line
ast_log(LOG_NOTICE, "heres the mofo %s\n", get_header(req, "From"));
so now in the log instead of just seeing this
NOTICE[9363] chan_sip.c: Sending fake auth rejection for device 100<sip:101 at my_servers_ip>;tag=2d3e197a
we see something like this instead
NOTICE[9363] chan_sip.c: testing <sip:the_mofos_ip>;tag=2d3e197a
NOTICE[9363] chan_sip.c: Sending fake auth rejection for device 100<sip:101 at my_servers_ip>;tag=2d3e197a
now recompile asterisk,
make && make install
and then all you need to do is add a new line to the asterisk filter in fail2ban!
hope this was of help to someone! would really love to hear your feedback
> With alwaysauthreject=yes AND allowguest=no Asterisk fails to report Attacker's IP Address
> ------------------------------------------------------------------------------------------
>
> Key: ASTERISK-20506
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-20506
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Channels/chan_sip/General
> Affects Versions: 1.8.15.1
> Environment: CentOS release 5.8 (Final), Kernel 2.6.18-308.8.2.el5.028stab101.1, 32-bit, running on an OpenVZ VPS.
> Reporter: MBH
> Attachments: sipdump.pcap
>
>
> My Asterisk box is being brute forced and I'm getting messages in the logs referencing my box's IP instead of the attacker's:
> [2012-10-03 03:49:45] NOTICE[28161]: chan_sip.c:22723 handle_request_invite: Sending fake auth rejection for device 5550000<sip:5550000 at AsteriskIP>;tag=396cbe1b
> The notice message is not logging the attacker IP at all, thus cannot be blocked using fail2ban.
> The same is mentioned here: http://lists.digium.com/pipermail/asterisk-users/2011-March/260377.html and here http://forums.digium.com/viewtopic.php?t=78988
> I'm using type=peer, alwaysauthreject=yes, allowguest=no
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the asterisk-bugs
mailing list