[asterisk-dev] Non-universalized log messages render security tools useless in Asterisk SVN-branch-1.8-r354348 or maybe other versions as well !!!
Paul Belanger
pabelanger at digium.com
Sat Feb 11 14:37:16 CST 2012
On 12-02-11 01:23 PM, Bruce B wrote:
> Hello,
>
> I could be wrong but I think there are two different log NOTICE messages
> displayed when there is a similar attack on Asterisk server. I am running
> version Asterisk SVN-branch-1.8-r354348 right now:
>
> This line is logged in /var/log/asterisk/full when I am using *Eyebeam
> softphone* to make a peer-to-peer call to the Asterisk server:
> *NOTICE[10331] chan_sip.c: Sending fake auth rejection for device
> Eyebeam-Softphone<sip:99998 at 192.168.0.170>;tag=ac0d8c42*
>
> This line is logged when I use another Asterisk server to send calls
> using the originate command: *originate sip/192.168.0.170/99998 extension
> s at test-context *
> *NOTICE[10331] chan_sip.c: Sending fake auth rejection for device
> "Anonymous"<sip:Anonymous at anonymous.invalid>;tag=as4a1b8317*
>
> There are two problems above:
> 1- Why are the NOTICE[10331] outputs different with calls coming from two
> different sources? Shouldn't this be the same? They are both
> un-authenticated attacks. This must be universalized for tools like
> Fail2ban to work.
> 2- Calling from Eyebeam, the log shows the IP of the Asterisk server itself
> (192.168.0.170 - what the heck) rather than the originating source IP
> address. So, this is really useless for Fail2ban. And it's even worse in
> the second line logged as you can see it's only *
> <sip:Anonymous at anonymous.invalid>. *I mean, where is the source IP address?
>
> First, there shouldn't be two different types of log messages and secondly
> there MUST be a mention of the source (caller) IP address so it can be used
> for security purposes (banning, logging, etc...).
>
> In both cases, allowguest=no, alwaysauthrej=yes, and nat=yes was set in
> sip.conf.
>
> Unless these log messages are universalized and unless the source IP
> address is always logged, there is NO WAY to use Fail2ban or any other
> security tool effectively.
>
> ***What I have quoted above is based on just Eyebeam, and another Asterisk
> server making calls and not SIPvicious or other hacking tools which I am
> afraid might generate even many more different log messages. Shouldn't all
> these messages be universalized for once and for good across all versions
> of Asterisk for security sake?
>
You should be using res_security_log.so. The version in asterisk 10
added more support for chan_sip.so, refer to the CHANGES file.
--
Paul Belanger
Digium, Inc. | Software Developer
twitter: pabelanger | IRC: pabelanger (Freenode)
Check us out at: http://digium.com & http://asterisk.org
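The following is an added example, not code from the thread, from Fail2ban or from the Asterisk project. It puts the two NOTICE lines quoted above (with the archive's " at " restored to "@") next to a Fail2ban-style extractor to show concretely why they cannot drive a ban: the host captured from the contact URI is either the PBX's own address (192.168.0.170, per the thread) or a non-IP placeholder. The SECURITY lines it also parses are constructed and assume the key="value" layout of res_security_log output with a RemoteAddress="IPV4/UDP/host/port" field; that layout is my assumption, and the event names, timestamps and the remote address 203.0.113.7 are made up for the demonstration.

```python
import ipaddress
import re
from collections import Counter

# The PBX's own address, as reported in the thread.
LOCAL_ADDRESSES = {"192.168.0.170"}

# Constructed sample log. The two NOTICE lines mirror the ones quoted in the
# thread; the two SECURITY lines are an assumption about the res_security_log
# format (key="value" pairs including RemoteAddress), not text from the page.
SAMPLE_LOG = """\
[2012-02-11 13:10:01] NOTICE[10331] chan_sip.c: Sending fake auth rejection for device Eyebeam-Softphone<sip:99998@192.168.0.170>;tag=ac0d8c42
[2012-02-11 13:10:05] NOTICE[10331] chan_sip.c: Sending fake auth rejection for device "Anonymous"<sip:Anonymous@anonymous.invalid>;tag=as4a1b8317
[2012-02-11 13:10:09] SECURITY[10340] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1328980209-000123",Severity="Error",Service="SIP",EventVersion="1",AccountID="99998",SessionID="0x7f1a2c0010a8",LocalAddress="IPV4/UDP/192.168.0.170/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2012-02-11 13:10:10] SECURITY[10340] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="1328980210-000456",Severity="Error",Service="SIP",EventVersion="1",AccountID="99998",SessionID="0x7f1a2c0010a8",LocalAddress="IPV4/UDP/192.168.0.170/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
"""

# What a Fail2ban user would naively write for the chan_sip NOTICE: grab the
# host part of the <sip:user@host> contact. That host is whatever the sender
# put in its own Contact/From header, not the packet's source address.
NAIVE_RE = re.compile(
    r'NOTICE\[\d+\] chan_sip\.c: Sending fake auth rejection for device '
    r'.*<sip:[^@>]+@(?P<host>[^>;]+)>'
)

# Assumed res_security_log layout: the remote peer is an explicit field.
SECURITY_RE = re.compile(
    r'SECURITY\[\d+\] res_security_log\.c: SecurityEvent="(?P<event>[^"]+)".*'
    r'RemoteAddress="IPV[46]/(?:UDP|TCP|TLS|WS|WSS)/(?P<host>[^/"]+)/\d+"'
)


def _is_remote_ip(host, local_addresses):
    """True only if host is a literal IP address and is not one of our own."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return host not in local_addresses


def classify(line, local_addresses=LOCAL_ADDRESSES):
    """Return (kind, host, usable) for one log line, or None if nothing matches.

    kind   : 'fake_auth_rejection' for the chan_sip NOTICE, else the SecurityEvent name
    host   : the host string a pattern extracts from the line
    usable : whether that host is a remote IP a ban tool could act on
    """
    m = NAIVE_RE.search(line)
    if m:
        host = m.group("host")
        return ("fake_auth_rejection", host, _is_remote_ip(host, local_addresses))
    m = SECURITY_RE.search(line)
    if m:
        host = m.group("host")
        return (m.group("event"), host, _is_remote_ip(host, local_addresses))
    return None


def offenders(log_text, maxretry=2, local_addresses=LOCAL_ADDRESSES):
    """Fail2ban-style tally: count usable remote IPs, return those at or over maxretry."""
    hits = Counter()
    for line in log_text.splitlines():
        result = classify(line, local_addresses)
        if result and result[2]:
            hits[result[1]] += 1
    return sorted(ip for ip, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line))
    print("would ban:", offenders(SAMPLE_LOG))
```

Run stand-alone, the two NOTICE lines come back with usable=False (one yields the PBX's own 192.168.0.170, the other the placeholder anonymous.invalid), so no amount of regex tuning on that message gives Fail2ban an address to ban; only the lines that carry an explicit RemoteAddress field produce a ban candidate. The local-address exclusion is there because a filter that blindly trusts the contact host would otherwise ban the PBX itself.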