[asterisk-bugs] [JIRA] (ASTERISK-29678) Asterisk not logging IP addresses associated with device authentication failures

Joshua C. Colp (JIRA) noreply@issues.asterisk.org
Sun Oct 3 13:12:49 CDT 2021


    [ https://issues.asterisk.org/jira/browse/ASTERISK-29678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=256545#comment-256545 ] 

Joshua C. Colp commented on ASTERISK-29678:
-------------------------------------------

I'm marking this issue as acknowledged since, from a security logging perspective, there are probably areas we can improve here.

> Asterisk not logging IP addresses associated with device authentication failures
> --------------------------------------------------------------------------------
>
>                 Key: ASTERISK-29678
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29678
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/Security Framework
>    Affects Versions: 16.2.1
>         Environment: Fresh, BRAND new Ubuntu 20 server installation, completely fresh out of the box with absolutely zero customizations whatsoever
>            Reporter: Fake Name
>              Labels: security
>
> This problem has been reported numerous times by other users dating as far back as 2010. There are threads about it on the Asterisk forums, such as here for example: https://community.asterisk.org/t/missing-ip-address-in-log-cant-ban-with-fail2ban/32177/18
> Unfortunately, this problem has NEVER been fixed, even a decade later.
> My Asterisk log files are filling up with stuff like this:
> [Oct  2 22:28:56] WARNING[10592]: chan_sip.c:4178 retrans_pkt: Timeout on 1960475124-185555950-1418451360 on non-critical invite transaction.
> [Oct  2 22:28:57] NOTICE[10592][C-0000018a]: chan_sip.c:26601 handle_request_invite: Failed to authenticate device <sip:300@MY_SERVER_IP_IS_HERE>;tag=1117068098
> This traffic is driving up the load average on my server and is also filling up my hard drive with excessive log data.
> There is no way to configure fail2ban to automatically ban these attempts, because the log file does not include the IP address of the host that is triggering these messages. It only includes my own server's IP.
> This makes it impossible to implement any sort of automated intrusion protection without doing extremely convoluted hacks with packet sniffers, or modifying the C source code files of Asterisk (as was suggested in that 10-year-old forum thread) so that it includes the IP in these messages and then recompiling it (also not an option for the vast majority of Asterisk users).
> This is a very serious problem and we really need a fix. We've been waiting over 10 years for this to be resolved.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
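The core of the report is that a fail2ban-style filter cannot act on the quoted `handle_request_invite` NOTICE because the only address in it is the server's own. The following is an added example, not code from the report, from Asterisk or from fail2ban: a small log classifier that pulls IPv4 addresses out of chan_sip lines, discards the server's own addresses, and separates failures it could ban from failures it cannot attribute to any peer. The sample log is constructed: the first two lines are the ones quoted in the report with the placeholder replaced by a documentation-range address (203.0.113.10), and the third is a constructed registration-failure line that carries a remote address in a `for 'IP:port'` form; that third line's exact format is an assumption, not something the page states.

```python
import ipaddress
import re

# Constructed sample log (assumption: the third line's format is illustrative,
# not copied from Asterisk). 203.0.113.10 stands in for MY_SERVER_IP_IS_HERE.
SAMPLE_LOG = """\
[Oct  2 22:28:56] WARNING[10592]: chan_sip.c:4178 retrans_pkt: Timeout on 1960475124-185555950-1418451360 on non-critical invite transaction.
[Oct  2 22:28:57] NOTICE[10592][C-0000018a]: chan_sip.c:26601 handle_request_invite: Failed to authenticate device <sip:300@203.0.113.10>;tag=1117068098
[Oct  2 22:29:01] NOTICE[10592]: chan_sip.c:0 handle_request_register: Registration from '<sip:300@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
"""

# Addresses that belong to this server; a ban filter must never match them.
LOCAL_ADDRESSES = {ipaddress.ip_address("203.0.113.10")}

# Dotted-quad candidates; ipaddress.ip_address() rejects out-of-range octets.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Substrings that mark an authentication failure in chan_sip output
# (the first is taken from the quoted line, the others are assumptions).
AUTH_FAIL_MARKERS = ("Failed to authenticate", "failed for", "Wrong password")


def classify(line):
    """Classify one log line.

    Returns (status, remote_ip) where status is one of:
      'not_auth_failure'  - line is unrelated to authentication
      'bannable'          - an auth failure naming a non-local peer address
      'unattributable'    - an auth failure whose only address is our own
    """
    if not any(marker in line for marker in AUTH_FAIL_MARKERS):
        return ("not_auth_failure", None)

    for candidate in IPV4_RE.findall(line):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 looked like an address but is not one
        if addr not in LOCAL_ADDRESSES:
            return ("bannable", str(addr))

    # Every address on the line is our own server: nothing to ban.
    return ("unattributable", None)


def summarize(log_text):
    """Count lines per status and collect the peer addresses a ban could target."""
    counts = {"not_auth_failure": 0, "bannable": 0, "unattributable": 0}
    bannable = []
    for line in log_text.splitlines():
        status, ip = classify(line)
        counts[status] += 1
        if ip is not None:
            bannable.append(ip)
    return counts, bannable


if __name__ == "__main__":
    counts, ips = summarize(SAMPLE_LOG)
    print(counts)  # the INVITE failure from the report lands in 'unattributable'
    print(ips)
```

Run against the constructed log, the INVITE failure quoted in the report is counted as unattributable while the constructed registration line yields a peer address; the `unattributable` count is the number an operator can use to quantify how much hostile traffic a log-based ban cannot reach until the log line carries the remote address.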


