[asterisk-bugs] [JIRA] (ASTERISK-25338) Failed to authenticate device messages don't report connection ip
Michael L. Young (JIRA)
noreply at issues.asterisk.org
Sun Aug 23 08:59:32 CDT 2015
[ https://issues.asterisk.org/jira/browse/ASTERISK-25338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=227335#comment-227335 ]
Michael L. Young commented on ASTERISK-25338:
---------------------------------------------
I would recommend using the security log for this. Fail2ban even has information on their wiki on how to set this up for use with fail2ban. http://www.fail2ban.org/wiki/index.php/Asterisk
> Failed to authenticate device messages don't report connection ip
> -----------------------------------------------------------------
>
> Key: ASTERISK-25338
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-25338
> Project: Asterisk
> Issue Type: Improvement
> Security Level: None
> Components: Channels/chan_sip/Security Framework
> Affects Versions: 11.19.0
> Environment: Centos 7.1
> Reporter: John Fawcett
> Severity: Minor
>
> I use fail2ban to parse asterisk logs and block ips originating failed authentication attemps. I noticed that fail2ban picks up requests which included my own external ip (w.x.y.z in the log below). While I can whitelist my ip in fail2ban, it is a missed opportunity to block the real ip from which the attack is coming.
> Would it be possible to log the source ip rather than the my ip which I presume was forged in the sip header?
> Example log mesasge containing my ip w.x.y.z
> [2015-08-22 23:55:47] NOTICE[9171][C-000000b4] chan_sip.c: Failed to authenticate device 401<sip:401 at w.x.y.z>;tag=9988cc3e
> Example invite request showing the real ip is 199.48.164.236
> <--- SIP read from UDP:199.48.164.236:5071 --->
> INVITE sip:000972597803794 at w.x.y.z SIP/2.0
> To: 000972597803794<sip:000972597803794 at w.x.y.z>
> From: 401<sip:401 at w.x.y.z>;tag=9988cc3e
> Via: SIP/2.0/UDP 199.48.164.236:5071;branch=z9hG4bK-9605c9e790e0d0dd9b8445fa89c72c50;rport
> Call-ID: c2746e206bee6ac4d99357b08827a641
> CSeq: 2 INVITE
> Contact: <sip:401 at 199.48.164.236:5071>
> Max-Forwards: 70
> Allow: INVITE, ACK, CANCEL, BYE
> User-Agent: sipcli/v1.8
> Content-Type: application/sdp
> Authorization: Digest username="401",realm="asterisk",nonce="08fb1042",uri="sip:000972597803794 at w.x.y.z",response="77a5c887dbd175ab54fb30a0d6b12ca4",algorithm=MD5
> Content-Length: 284
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list