[asterisk-bugs] [JIRA] (ASTERISK-19348) With alwaysauthreject=yes AND allowguest=no Asterisk fails to report a SIP Security Event
Michael L. Young (JIRA)
noreply at issues.asterisk.org
Thu Jan 31 13:46:58 CST 2013
[ https://issues.asterisk.org/jira/browse/ASTERISK-19348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=202444#comment-202444 ]
Michael L. Young edited comment on ASTERISK-19348 at 1/31/13 1:46 PM:
----------------------------------------------------------------------
Hey folks, so I've also been searching the web for a solution to this issue using Asterisk 1.8. To review the issue we are talking about, in the Asterisk logs we see something like this "chan_sip.c: Sending fake auth rejection for device <sip:mysipserversip>;tag=seqgxjfs4r" and we don't know the IP of the attacker because our own server's IP is listed instead.
So the patch here ASTERISK-19348 is not for Asterisk 1.8. Magically I was able to work this out on my own with Asterisk 1.8. I haven't tested this yet and this will not cause any damage to your server whatsoever. Please understand that I am no pro. Do this at your own risk! :-p
_*edit* Code submissions can not be accepted through comments_
so now in the log instead of just seeing this
NOTICE[9363] chan_sip.c: Sending fake auth rejection for device 100<sip:101 at my_servers_ip>;tag=2d3e197a
we see something like this instead
NOTICE[9363] chan_sip.c: testing <sip:the_mofos_ip>;tag=2d3e197a
NOTICE[9363] chan_sip.c: Sending fake auth rejection for device 100<sip:101 at my_servers_ip>;tag=2d3e197a
now all you need to do is add a new line to the asterisk filter in fail2ban!
hope this was of help to someone! would really love to hear your feedback
was (Author: gavimobile):
Hey folks, so I've also been searching the web for a solution to this issue using Asterisk 1.8. To review the issue we are talking about, in the Asterisk logs we see something like this "chan_sip.c: Sending fake auth rejection for device <sip:mysipserversip>;tag=seqgxjfs4r" and we don't know the IP of the attacker because our own server's IP is listed instead.
So the patch here https://issues.asterisk.org/jira/browse/ASTERISK-19348?page=com.atlassian.jira.plugin.system.issuetabpanels:changehistory-tabpanel is not for Asterisk 1.8. Magically I was able to work this out on my own with Asterisk 1.8. I haven't tested this yet and this will not cause any damage to your server whatsoever. Please understand that I am no pro. Do this at your own risk! :-p
So find the source of where your Asterisk installation is located. This is the directory where you compiled Asterisk. For me it is /usr/src/myasterisk_svn. Now find inside the directory called "channels" a file called chan_sip.c. Back up the file just in case:
    cp /usr/src/thedir/channels/chan_sip.c /usr/src/chan_sip.c.old
Then edit the file:
    nano /usr/src/asteriskinstall/channels/chan_sip.c
and search for this section.
    } else if (sip_cfg.alwaysauthreject) {
        res = AUTH_FAKE_AUTH; /* reject with fake authorization request */
    }
and change it to look like this
    } else if (sip_cfg.alwaysauthreject) {
        res = AUTH_FAKE_AUTH; /* reject with fake authorization request */
        ast_log(LOG_NOTICE, "heres the mofo %s\n", get_header(req, "From"));
    }
So all we did basically was add this line
    ast_log(LOG_NOTICE, "heres the mofo %s\n", get_header(req, "From"));
so now in the log instead of just seeing this
NOTICE[9363] chan_sip.c: Sending fake auth rejection for device 100<sip:101 at my_servers_ip>;tag=2d3e197a
we see something like this instead
NOTICE[9363] chan_sip.c: testing <sip:the_mofos_ip>;tag=2d3e197a
NOTICE[9363] chan_sip.c: Sending fake auth rejection for device 100<sip:101 at my_servers_ip>;tag=2d3e197a
now all you need to do is add a new line to the asterisk filter in fail2ban!
hope this was of help to someone! would really love to hear your feedback
> With alwaysauthreject=yes AND allowguest=no Asterisk fails to report a SIP Security Event
> -----------------------------------------------------------------------------------------
>
> Key: ASTERISK-19348
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-19348
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Channels/chan_sip/General
> Affects Versions: 1.8.9.2, 10.1.2
> Reporter: Bruce B
> Attachments: asterisk-19348-auth_fake-sec-event_v1.patch, asterisk-19348-auth_fake-sip-log-event_v1.patch
>
>
> Asterisk should log source IP address of incoming calls when allowguest=no AND alwaysauthreject=yes but it doesn't. It seems to be a deficiency of allowguest feature. The only log found when there is an incoming call is this which doesn't include source IP address:
> NOTICE[10331] chan_sip.c: Sending fake auth rejection for device "Anonymous" <sip:Anonymous at anonymous.invalid>;tag=as4a1b8317
> ***WARNING: source IP address in this MUST be pulled from OS network layer rather than relying on SIP Packets as spoofed source IP is not really the source IP. Better yet maybe include both spoofed source IP and true source IP in a message like this:
> chan_sip.c: NOTICE[xxxxx]: Call attempt was made from SPOOFED SOURCE IP: x.x.x.x with TRUE SOURCE IP: x.x.x.x
> ***It's best to create this log in full log file as well.
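Added example, not part of the original comment and not code from Asterisk or fail2ban: a Python sketch of the log-matching step the comment leaves to a fail2ban filter, run over constructed log lines. It treats the host in the From header as sender-supplied, as the issue description warns, so it only counts values that parse as IP literals and never returns the server's own address. The timestamp prefix, the sample addresses and the function name ban_candidates are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Matches the extra NOTICE line produced by the ast_log() call in the comment.
# Both the text in the posted code and the text in the posted log are accepted.
FROM_LINE = re.compile(
    r"NOTICE\[\d+\] chan_sip\.c: (?:heres the mofo|testing) "
    r".*?<sips?:(?:[^@>]*@)?(?P<host>\[[0-9A-Fa-f:.]+\]|[^:;>]+)(?::\d+)?[;>]"
)

def ban_candidates(lines, own_addresses, threshold=3):
    """Return From-header IPs seen at least `threshold` times (hypothetical helper)."""
    own = {ipaddress.ip_address(a) for a in own_addresses}
    hits = Counter()
    for line in lines:
        m = FROM_LINE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("host").strip("[]"))
        except ValueError:
            continue  # hostname or junk such as anonymous.invalid
        if ip in own or ip.is_loopback:
            continue  # the header is sender-chosen: never ban ourselves on it
        hits[ip] += 1
    return sorted(str(ip) for ip, n in hits.items() if n >= threshold)

# Constructed sample log (documentation address ranges, made-up tags).
TS = "[2013-01-31 13:40:01] NOTICE[9363] chan_sip.c: "
SAMPLE_LOG = (
    [TS + 'heres the mofo "100" <sip:100@203.0.113.7>;tag=2d3e197a'] * 3
    + [TS + "testing <sip:198.51.100.9:5060>;tag=aa01"]
    + [TS + 'heres the mofo "101" <sip:101@192.0.2.10>;tag=bb02'] * 3
    + [TS + 'heres the mofo "Anonymous" <sip:Anonymous@anonymous.invalid>;tag=cc03'] * 3
    + [TS + 'Sending fake auth rejection for device 100<sip:101@192.0.2.10>;tag=2d3e197a']
)

if __name__ == "__main__":
    # 192.0.2.10 stands in for the Asterisk server's own address.
    print(ban_candidates(SAMPLE_LOG, ["192.0.2.10"]))
```

Because the counted value comes from the SIP message rather than the socket, a result here is a lead for correlation with firewall or packet-capture data, not proof of the true source address.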