[asterisk-bugs] [JIRA] (ASTERISK-25338) Failed to authenticate device messages don't report connection ip
John Fawcett (JIRA)
noreply at issues.asterisk.org
Sat Aug 22 17:11:32 CDT 2015
John Fawcett created ASTERISK-25338:
---------------------------------------
Summary: Failed to authenticate device messages don't report connection ip
Key: ASTERISK-25338
URL: https://issues.asterisk.org/jira/browse/ASTERISK-25338
Project: Asterisk
Issue Type: Improvement
Security Level: None
Components: Channels/chan_sip/Security Framework
Affects Versions: 11.19.0
Environment: Centos 7.1
Reporter: John Fawcett
Severity: Minor
I use fail2ban to parse Asterisk logs and block IPs originating failed authentication attempts. I noticed that fail2ban picks up requests which included my own external IP (w.x.y.z in the log below). While I can whitelist my IP in fail2ban, it is a missed opportunity to block the real IP from which the attack is coming.
Would it be possible to have the message log the source ip rather than the info which I presume was forged in the sip header?
Example log message containing my IP w.x.y.z
[2015-08-22 23:55:47] NOTICE[9171][C-000000b4] chan_sip.c: Failed to authenticate device 401<sip:401 at w.x.y.z>;tag=9988cc3e
Example invite request showing the real ip is 199.48.164.236
<--- SIP read from UDP:199.48.164.236:5071 --->
INVITE sip:000972597803794 at w.x.y.z SIP/2.0
To: 000972597803794<sip:000972597803794 at w.x.y.z>
From: 401<sip:401 at w.x.y.z>;tag=9988cc3e
Via: SIP/2.0/UDP 199.48.164.236:5071;branch=z9hG4bK-9605c9e790e0d0dd9b8445fa89c72c50;rport
Call-ID: c2746e206bee6ac4d99357b08827a641
CSeq: 2 INVITE
Contact: <sip:401 at 199.48.164.236:5071>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8
Content-Type: application/sdp
Authorization: Digest username="401",realm="asterisk",nonce="08fb1042",uri="sip:000972597803794 at w.x.y.z",response="77a5c887dbd175ab54fb30a0d6b12ca4",algorithm=MD5
Content-Length: 284
--
This message was sent by Atlassian JIRA
(v6.2#6252)
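Added example, not part of the original report and not Asterisk or fail2ban code: a small parser for the SIP debug trace format quoted above that pairs each message's transport source address with the host claimed in its From header, and returns the real source IPs of requests whose From header carries one of the server's own addresses. The sample trace is constructed with documentation addresses, and the function names and the local_addrs parameter are assumptions made for this illustration.

```python
import re

# Trace banner and From header, in the layout shown in the report's debug output.
READ_RE = re.compile(r"^<--- SIP read from \w+:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ --->")
FROM_RE = re.compile(r"^From:[^<]*<sip:[^@>]*@(?P<host>[^:;>\s]+)", re.IGNORECASE)

# Constructed sample trace (documentation addresses; 203.0.113.10 plays the server).
SAMPLE_TRACE = """\
<--- SIP read from UDP:198.51.100.7:5071 --->
INVITE sip:0005550100@203.0.113.10 SIP/2.0
From: 401<sip:401@203.0.113.10>;tag=aaaa1111
Via: SIP/2.0/UDP 198.51.100.7:5071;branch=z9hG4bK-1;rport
Authorization: Digest username="401",realm="asterisk"

<--- SIP read from UDP:192.0.2.44:5060 --->
REGISTER sip:203.0.113.10 SIP/2.0
From: <sip:alice@192.0.2.44>;tag=bbbb2222
Via: SIP/2.0/UDP 192.0.2.44:5060;branch=z9hG4bK-2
"""


def parse_messages(trace):
    """Yield (transport_source_ip, from_host) for each traced SIP message."""
    source = from_host = None
    for line in trace.splitlines():
        m = READ_RE.match(line)
        if m:
            # A new banner closes the previous message, if any.
            if source is not None:
                yield source, from_host
            source, from_host = m.group("ip"), None
            continue
        m = FROM_RE.match(line)
        if m and source is not None and from_host is None:
            from_host = m.group("host")
    if source is not None:
        yield source, from_host


def real_sources_of_forged_from(trace, local_addrs):
    """Return transport source IPs whose From header claims one of our own addresses."""
    local = set(local_addrs)
    return sorted({src for src, host in parse_messages(trace)
                   if host in local and src not in local})


if __name__ == "__main__":
    print(real_sources_of_forged_from(SAMPLE_TRACE, ["203.0.113.10"]))
```

Only the address in the trace banner comes from the socket; the From header is supplied by the sender, which is why the second message (From host equal to its own source) is not flagged.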