[asterisk-bugs] [JIRA] (ASTERISK-25338) Failed to authenticate device messages don't report connection ip

Asterisk Team (JIRA) noreply at issues.asterisk.org
Sat Aug 22 17:11:33 CDT 2015 

    [ https://issues.asterisk.org/jira/browse/ASTERISK-25338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=227332#comment-227332 ] 

Asterisk Team commented on ASTERISK-25338:
------------------------------------------

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

> Failed to authenticate device messages don't report connection ip
> -----------------------------------------------------------------
>
>                 Key: ASTERISK-25338
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25338
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/Security Framework
>    Affects Versions: 11.19.0
>         Environment: Centos 7.1
>            Reporter: John Fawcett
>            Severity: Minor
>
> I use fail2ban to parse asterisk logs and block ips originating failed authentication attemps. I noticed that fail2ban picks up requests which included my own external ip (w.x.y.z in the log below). While I can whitelist my ip in fail2ban, it is a missed opportunity to block the real ip from which the attack is coming.
> Would it be possible to have the message log the source ip rather than the info which I presume was forged in the sip header?
> Example log mesasge containing my ip w.x.y.z
> [2015-08-22 23:55:47] NOTICE[9171][C-000000b4] chan_sip.c: Failed to authenticate device 401<sip:401 at w.x.y.z>;tag=9988cc3e
> Example invite request showing the real ip is 199.48.164.236
> <--- SIP read from UDP:199.48.164.236:5071 --->
> INVITE sip:000972597803794 at w.x.y.z SIP/2.0
> To: 000972597803794<sip:000972597803794 at w.x.y.z>
> From: 401<sip:401 at w.x.y.z>;tag=9988cc3e
> Via: SIP/2.0/UDP 199.48.164.236:5071;branch=z9hG4bK-9605c9e790e0d0dd9b8445fa89c72c50;rport
> Call-ID: c2746e206bee6ac4d99357b08827a641
> CSeq: 2 INVITE
> Contact: <sip:401 at 199.48.164.236:5071>
> Max-Forwards: 70
> Allow: INVITE, ACK, CANCEL, BYE
> User-Agent: sipcli/v1.8
> Content-Type: application/sdp
> Authorization: Digest username="401",realm="asterisk",nonce="08fb1042",uri="sip:000972597803794 at w.x.y.z",response="77a5c887dbd175ab54fb30a0d6b12ca4",algorithm=MD5
> Content-Length: 284



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list