[asterisk-bugs] [JIRA] (ASTERISK-27864) Create NOTICE for INVITES with no matching peer

Richard Mudgett (JIRA) noreply at issues.asterisk.org
Mon May 21 14:52:55 CDT 2018


    [ https://issues.asterisk.org/jira/browse/ASTERISK-27864?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=243488#comment-243488 ] 

Richard Mudgett commented on ASTERISK-27864:
--------------------------------------------

What you ask should already be handled by the security event framework.  There is a SECURITY log channel handled by res_security.so like NOTICE/WARNING/ERROR that outputs security events.  AMI also outputs these security events.  One of these security events is a challenge sent [1] informational message that chan_sip and chan_pjsip generate when they challenge a request.

Otherwise, this is a feature request without a patch.

[1] https://wiki.asterisk.org/wiki/display/AST/Asterisk+13+ManagerEvent_ChallengeSent

> Create NOTICE for INVITES with no matching peer
> -----------------------------------------------
>
>                 Key: ASTERISK-27864
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27864
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/General
>    Affects Versions: 13.21.0
>         Environment: Fedora 27
>            Reporter: Sean Darcy
>
> <--- SIP read from UDP:192.111.139.146:29281 --->
> INVITE sip:+48223079992@<my-ip>:5060 SIP/2.0
> Via: SIP/2.0/UDP 100.149.241.68:5060;branch=z4hG4bK-966187-1---q9ft4HdLB4ZeBqs;rport=5060
> Contact: <sip:9353 at 100.149.241.68:5060>;+sip.instance="<urn:uuid:4B444A32-23FD-4E49-8C99-12077A118D8F>"
> Max-Forwards: 70
> To: <sip:+48223079992@<my-ip>:5060>
> From: "Caller"<sip:9353@<my-ip>:5060>;tag=sXPNixD5Ui42V
> Call-ID: _zIr9tDtBxeTVTY5F7z8kD7R..
> CSeq: 101 INVITE
> Content-Type: application/sdp
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO
> Supported: replaces
> User-Agent: GSM
> Allow-Events: hold, talk, conference
> Accept: application/sdp
> Content-Length: 771
> v=0
> o=CiscoSystemsSIP-IPPhone 18338 11953 IN IP4 100.149.241.68
> s=SIP Call
> c=IN IP4 100.149.241.68
> t=0 0
> m=audio 20000 RTP/AVP 0 8 18 101
> a=rtpmap:3 gsm/8000
> a=rtpmap:96 speex/8000
> a=rtpmap:97 speex/8000
> a=fmtp:97 mode=2
> a=rtpmap:98 speex/8000
> a=fmtp:98 mode=5
> a=rtpmap:99 speex/8000
> a=fmtp:99 mode=7
> a=rtpmap:107 speex/32000
> a=fmtp:107 mode=10
> a=rtpmap:0 pcmu/8000
> a=rtpmap:8 pcma/8000
> a=rtpmap:108 ilbc/8000
> a=rtpmap:113 g7231/8000
> a=rtpmap:18 g729/8000
> a=rtpmap:100 G726-16/8000
> a=rtpmap:101 G726-24/8000
> a=rtpmap:2 G726-32/8000
> a=rtpmap:2 G726-32/8000
> a=rtpmap:103 G726-40/8000
> a=rtpmap:4 g723/8000
> a=fmtp:18 annexb=no
> a=rtpmap:109 ilbc/8000
> a=fmtp:109 mode=20
> a=rtpmap:110 telephone-event/8000
> a=fmtp:110 0-15
> a=ptime:20
> a=sendrecv
> <------------->
> --- (15 headers 34 lines) ---
> Sending to 192.111.139.146:29281 (NAT)
> Sending to 192.111.139.146:29281 (NAT)
> Using INVITE request as basis request - _zIr9tDtBxeTVTY5F7z8kD7R..
> No matching peer for '9353' from '192.111.139.146:29281'
> ..............
> Which then generates a lot of transmissions showing Unauthorized:
> ..............
> Retransmitting #10 (NAT) to 192.111.139.146:29281:
> SIP/2.0 401 Unauthorized
> Via: SIP/2.0/UDP 100.149.241.68:5060;branch=z4hG4bK-966187-1---q9ft4HdLB4ZeBqs;received=192.111.139.146;rport=29281
> From: "Caller"<sip:9353@<my-ip>:5060>;tag=sXPNixD5Ui42V
> To: <sip:+48223079992@<my-ip>:5060>;tag=as1f60e6dd
> Call-ID: _zIr9tDtBxeTVTY5F7z8kD7R..
> CSeq: 101 INVITE
> Server: Asterisk PBX 13.21.0-rc1
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
> Supported: replaces, timer
> WWW-Authenticate: Digest algorithm=MD5, realm="asterisk_home", nonce="0794806c"
> Content-Length: 0
> It's a real pain to find the INVITE in SIP DEBUG that generated the retransmission. The timeout for the retransmission generates a NOTICE, but not the INVITE itself. 
> I suggest a NOTICE for any INVITE with "No matching peer", just like the "Wrong password" NOTICE. This would allow fail2ban, among others, to block the address.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
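
Added example, not part of the original message or of Asterisk's own code: the comment above points to ChallengeSent events on the SECURITY log channel as the existing hook for tools such as fail2ban, and this Python shows how such lines can be reduced to a list of source addresses that were challenged repeatedly. The key="value" line layout, the constructed sample lines, the function names `parse_line` and `noisy_sources`, and the threshold and window values are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (documentation addresses). The key="value"
# layout of SECURITY channel lines is an assumption of this example.
SAMPLE_LOG = '''\
[2018-05-21 14:50:01] SECURITY[2101] res_security_log.c: SecurityEvent="ChallengeSent",Severity="Informational",Service="SIP",AccountID="9353",RemoteAddress="IPV4/UDP/192.0.2.10/29281",Challenge="0794806c"
[2018-05-21 14:50:02] SECURITY[2101] res_security_log.c: SecurityEvent="ChallengeSent",Severity="Informational",Service="SIP",AccountID="9354",RemoteAddress="IPV4/UDP/192.0.2.10/29281",Challenge="1c2a77d0"
[2018-05-21 14:50:03] SECURITY[2101] res_security_log.c: SecurityEvent="ChallengeSent",Severity="Informational",Service="SIP",AccountID="9355",RemoteAddress="IPV4/UDP/192.0.2.10/29282",Challenge="5be01f3a"
[2018-05-21 14:50:05] SECURITY[2101] res_security_log.c: SecurityEvent="ChallengeSent",Severity="Informational",Service="SIP",AccountID="alice",RemoteAddress="IPV4/UDP/198.51.100.7/5060",Challenge="66d0a1b2"
[2018-05-21 14:50:05] SECURITY[2101] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="SIP",AccountID="alice",RemoteAddress="IPV4/UDP/198.51.100.7/5060",UsingPassword="1"
[2018-05-21 14:58:40] SECURITY[2101] res_security_log.c: SecurityEvent="ChallengeSent",Severity="Informational",Service="SIP",AccountID="alice",RemoteAddress="IPV4/UDP/198.51.100.7/5060",Challenge="09ffab31"
'''

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+SECURITY\[\d+\][^:]*:\s+(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return (timestamp, fields dict) for a SECURITY line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, dict(FIELD_RE.findall(m.group("body")))

def noisy_sources(log_text, max_challenges=3, window=timedelta(minutes=10)):
    """IPs with >= max_challenges ChallengeSent events inside one window.

    A lone challenge is normal digest auth (a valid peer is challenged once
    before it answers), so only repeated challenges are reported.
    """
    seen = defaultdict(list)
    flagged = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or parsed[1].get("SecurityEvent") != "ChallengeSent":
            continue
        ts, fields = parsed
        parts = fields.get("RemoteAddress", "").split("/")  # family/transport/ip/port
        if len(parts) != 4:
            continue
        ip = parts[2]
        # Keep only challenges still inside the sliding window, then add this one.
        seen[ip] = [t for t in seen[ip] if ts - t <= window] + [ts]
        if len(seen[ip]) >= max_challenges:
            flagged.add(ip)
    return sorted(flagged)
```

Because ChallengeSent is informational and also fires for legitimate peers, the threshold and window matter more than the match itself.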


