[asterisk-bugs] [JIRA] (ASTERISK-21908) Asterisk do not log source IP for Fake auth rejection

Carlos Alberto Lopez Perez (JIRA) noreply at issues.asterisk.org
Fri Jun 14 11:47:03 CDT 2013


     [ https://issues.asterisk.org/jira/browse/ASTERISK-21908?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carlos Alberto Lopez Perez updated ASTERISK-21908:
--------------------------------------------------

    Description: 
Problem: Asterisk 1.6 do not log source IP address used for brute force attacks in some cases. Thus usage of Fail2ban or other tools is limited.

Details: When using alwaysauthreject=yes in sip.conf, then source IP of attacker is not logged when rejecting INVITES from not registered devices trying to authenticate at call beginning (only asterisk server IP itself is logged).

Solution: Attached is a small patch solving this it, allowing fail2ban correctly handling such brute force attacks.

Before patch:

[2013-04-28 19:33:01] NOTICE[32446] chan_sip.c: Sending fake auth rejection for device 1011<sip:1011 at 10.98.231.154:5060>;tag=3b82edc2

After patch:

[2013-05-04 05:10:07] NOTICE[10851] chan_sip.c: Sending fake auth rejection for device '303<sip:303 at 10.98.231.154:5060>;tag=d9210d45' to '94.23.59.135'

patch:

--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -20238,7 +20238,7 @@
                }
                if (res < 0) { /* Something failed in authentication */
                        if (res == AUTH_FAKE_AUTH) {
-                               ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From"));
+                               ast_log(LOG_NOTICE, "Sending fake auth rejection for device '%s' to '%s'\n", get_header(req, "From"), ast_inet_ntoa(sin->sin_addr));
                                transmit_fake_auth_response(p, SIP_INVITE, req, XMIT_RELIABLE);
                        } else {
                                ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From"));
@@ -21532,7 +21532,7 @@
                return 0;
        if (res < 0) {
                if (res == AUTH_FAKE_AUTH) {
-                       ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From"));
+                       ast_log(LOG_NOTICE, "Sending fake auth rejection for device '%s' to '%s'\n", get_header(req, "From"), ast_inet_ntoa(sin->sin_addr));
                        transmit_fake_auth_response(p, SIP_SUBSCRIBE, req, XMIT_UNRELIABLE);
                } else {
                        ast_log(LOG_NOTICE, "Failed to authenticate device %s for SUBSCRIBE\n", get_header(req, "From"));




NOTE: This tracker seems unable to correctly print a patch. 

Please go to the Debian bug to see it: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706739

  was:
Problem: Asterisk 1.6 do not log source IP address used for brute force attacks in some cases. Thus usage of Fail2ban or other tools is limited.

Details: When using alwaysauthreject=yes in sip.conf, then source IP of attacker is not logged when rejecting INVITES from not registered devices trying to authenticate at call beginning (only asterisk server IP itself is logged).

Solution: Attached is a small patch solving this it, allowing fail2ban correctly handling such brute force attacks.

Before patch:

[2013-04-28 19:33:01] NOTICE[32446] chan_sip.c: Sending fake auth rejection for device 1011<sip:1011 at 10.98.231.154:5060>;tag=3b82edc2

After patch:

[2013-05-04 05:10:07] NOTICE[10851] chan_sip.c: Sending fake auth rejection for device '303<sip:303 at 10.98.231.154:5060>;tag=d9210d45' to '94.23.59.135'

patch:

--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -20238,7 +20238,7 @@
                }
                if (res < 0) { /* Something failed in authentication */
                        if (res == AUTH_FAKE_AUTH) {
-                               ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From"));
+                               ast_log(LOG_NOTICE, "Sending fake auth rejection for device '%s' to '%s'\n", get_header(req, "From"), ast_inet_ntoa(sin->sin_addr));
                                transmit_fake_auth_response(p, SIP_INVITE, req, XMIT_RELIABLE);
                        } else {
                                ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From"));
@@ -21532,7 +21532,7 @@
                return 0;
        if (res < 0) {
                if (res == AUTH_FAKE_AUTH) {
-                       ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From"));
+                       ast_log(LOG_NOTICE, "Sending fake auth rejection for device '%s' to '%s'\n", get_header(req, "From"), ast_inet_ntoa(sin->sin_addr));
                        transmit_fake_auth_response(p, SIP_SUBSCRIBE, req, XMIT_UNRELIABLE);
                } else {
                        ast_log(LOG_NOTICE, "Failed to authenticate device %s for SUBSCRIBE\n", get_header(req, "From"));


    
> Asterisk do not log source IP for Fake auth rejection
> -----------------------------------------------------
>
>                 Key: ASTERISK-21908
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-21908
>             Project: Asterisk
>          Issue Type: New Feature
>      Security Level: None
>          Components: Core/Logging
>    Affects Versions: SVN, Feature Tracker
>         Environment: Debian GNU/Linux
>            Reporter: Carlos Alberto Lopez Perez
>
> Problem: Asterisk 1.6 do not log source IP address used for brute force attacks in some cases. Thus usage of Fail2ban or other tools is limited.
> Details: When using alwaysauthreject=yes in sip.conf, then source IP of attacker is not logged when rejecting INVITES from not registered devices trying to authenticate at call beginning (only asterisk server IP itself is logged).
> Solution: Attached is a small patch solving this it, allowing fail2ban correctly handling such brute force attacks.
> Before patch:
> [2013-04-28 19:33:01] NOTICE[32446] chan_sip.c: Sending fake auth rejection for device 1011<sip:1011 at 10.98.231.154:5060>;tag=3b82edc2
> After patch:
> [2013-05-04 05:10:07] NOTICE[10851] chan_sip.c: Sending fake auth rejection for device '303<sip:303 at 10.98.231.154:5060>;tag=d9210d45' to '94.23.59.135'
> patch:
> --- a/channels/chan_sip.c
> +++ b/channels/chan_sip.c
> @@ -20238,7 +20238,7 @@
>                 }
>                 if (res < 0) { /* Something failed in authentication */
>                         if (res == AUTH_FAKE_AUTH) {
> -                               ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From"));
> +                               ast_log(LOG_NOTICE, "Sending fake auth rejection for device '%s' to '%s'\n", get_header(req, "From"), ast_inet_ntoa(sin->sin_addr));
>                                 transmit_fake_auth_response(p, SIP_INVITE, req, XMIT_RELIABLE);
>                         } else {
>                                 ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From"));
> @@ -21532,7 +21532,7 @@
>                 return 0;
>         if (res < 0) {
>                 if (res == AUTH_FAKE_AUTH) {
> -                       ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From"));
> +                       ast_log(LOG_NOTICE, "Sending fake auth rejection for device '%s' to '%s'\n", get_header(req, "From"), ast_inet_ntoa(sin->sin_addr));
>                         transmit_fake_auth_response(p, SIP_SUBSCRIBE, req, XMIT_UNRELIABLE);
>                 } else {
>                         ast_log(LOG_NOTICE, "Failed to authenticate device %s for SUBSCRIBE\n", get_header(req, "From"));
> NOTE: This tracker seems unable to correctly print a patch. 
> Please go to the Debian bug to see it: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706739

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira



More information about the asterisk-bugs mailing list