[asterisk-bugs] [JIRA] (ASTERISK-25338) Failed to authenticate device messages don't report connection ip

Michael L. Young (JIRA) noreply at issues.asterisk.org
Sun Aug 23 08:59:32 CDT 2015


    [ https://issues.asterisk.org/jira/browse/ASTERISK-25338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=227335#comment-227335 ] 

Michael L. Young commented on ASTERISK-25338:
---------------------------------------------

I would recommend using the security log for this.  Fail2ban even has information on their wiki on how to set this up for use with fail2ban.  http://www.fail2ban.org/wiki/index.php/Asterisk

> Failed to authenticate device messages don't report connection ip
> -----------------------------------------------------------------
>
>                 Key: ASTERISK-25338
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25338
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/Security Framework
>    Affects Versions: 11.19.0
>         Environment: Centos 7.1
>            Reporter: John Fawcett
>            Severity: Minor
>
> I use fail2ban to parse asterisk logs and block ips originating failed authentication attemps. I noticed that fail2ban picks up requests which included my own external ip (w.x.y.z in the log below). While I can whitelist my ip in fail2ban, it is a missed opportunity to block the real ip from which the attack is coming.
> Would it be possible to log the source ip rather than the my ip which I presume was forged in the sip header?
> Example log mesasge containing my ip w.x.y.z
> [2015-08-22 23:55:47] NOTICE[9171][C-000000b4] chan_sip.c: Failed to authenticate device 401<sip:401 at w.x.y.z>;tag=9988cc3e
> Example invite request showing the real ip is 199.48.164.236
> <--- SIP read from UDP:199.48.164.236:5071 --->
> INVITE sip:000972597803794 at w.x.y.z SIP/2.0
> To: 000972597803794<sip:000972597803794 at w.x.y.z>
> From: 401<sip:401 at w.x.y.z>;tag=9988cc3e
> Via: SIP/2.0/UDP 199.48.164.236:5071;branch=z9hG4bK-9605c9e790e0d0dd9b8445fa89c72c50;rport
> Call-ID: c2746e206bee6ac4d99357b08827a641
> CSeq: 2 INVITE
> Contact: <sip:401 at 199.48.164.236:5071>
> Max-Forwards: 70
> Allow: INVITE, ACK, CANCEL, BYE
> User-Agent: sipcli/v1.8
> Content-Type: application/sdp
> Authorization: Digest username="401",realm="asterisk",nonce="08fb1042",uri="sip:000972597803794 at w.x.y.z",response="77a5c887dbd175ab54fb30a0d6b12ca4",algorithm=MD5
> Content-Length: 284



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list