Hello,<div><br></div><div>I could be wrong, but I think there are two different log NOTICE messages displayed when there is a similar attack on an Asterisk server. I am running Asterisk version SVN-branch-1.8-r354348 right now:</div>
<div><br></div><div>This line is logged in /var/log/asterisk/full when I am using <b><i>Eyebeam softphone</i></b> to make a peer-to-peer call to the Asterisk server:</div><div><div><i>NOTICE[10331] chan_sip.c: Sending fake auth rejection for device Eyebeam-Softphone<<a href="mailto:sip%3A99998@192.168.0.170" target="_blank">sip:99998@192.168.0.170</a>>;tag=ac0d8c42</i></div>
<div><br></div><div>This line is logged when I use another Asterisk server to send a call using the originate command: <b><i>originate sip/<a href="http://192.168.0.170/99998" target="_blank">192.168.0.170/99998</a> extension s@test-context </i></b></div>
<div><i>NOTICE[10331] chan_sip.c: Sending fake auth rejection for device "Anonymous" <sip:Anonymous@anonymous.invalid>;tag=as4a1b8317</i></div></div><div><br></div><div>There are two problems above:</div>
<div>
1- Why are the NOTICE[10331] outputs different for calls coming from two different sources? Shouldn't they be the same? They are both unauthenticated attacks. This must be universalized for tools like Fail2ban to work.</div>
<div>2- Calling from Eyebeam, the log shows the IP of the Asterisk server itself (192.168.0.170 - what the heck) rather than the originating source IP address. So, this is really useless for Fail2ban. And it's even worse in the second line logged as you can see it's only <b><sip:Anonymous@anonymous.invalid>. </b>I mean, where is the source IP address? </div>
<div><br></div><div>First, there shouldn't be two different types of log messages and secondly there MUST be a mention of the source (caller) IP address so it can be used for security purposes (banning, logging, etc...).</div>
<div><br></div><div>In both cases, allowguest=no, alwaysauthrej=yes, and nat=yes were set in sip.conf.</div><div><br></div><div>Unless these log messages are universalized and unless the source IP address is always logged, there is NO WAY to use Fail2ban or any other security tool effectively.</div>
<div><br></div><div>***What I have quoted above is based on just Eyebeam and another Asterisk server making calls, not on SIPvicious or other hacking tools, which I am afraid might generate even more different log messages. Shouldn't all these messages be universalized once and for all across all versions of Asterisk, for security's sake?</div>
<div><br></div><div>Cheers,</div><div>Bruce</div>
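<div><br></div><div>As an added illustration (not part of Bruce's mail or of Asterisk's own code), the following Python snippet applies a Fail2ban-style pattern to the two NOTICE lines quoted above. Both lines parse, but the only address in them is the host part of the caller-supplied SIP URI, which in one case is the server's own IP and in the other is not an IP at all, so neither yields a source address that a ban rule could safely use. The sample lines are constructed from the mail, and the server address 192.168.0.170 is taken from it.</div>

```python
import re
import ipaddress

# Constructed from the two NOTICE lines quoted in the mail above.
SAMPLE_LINES = [
    'NOTICE[10331] chan_sip.c: Sending fake auth rejection for device '
    'Eyebeam-Softphone<sip:99998@192.168.0.170>;tag=ac0d8c42',
    'NOTICE[10331] chan_sip.c: Sending fake auth rejection for device '
    '"Anonymous" <sip:Anonymous@anonymous.invalid>;tag=as4a1b8317',
]

# One pattern covering both shapes of the 'device' field: an optional display
# name (quoted or bare) followed by a <sip:user@host> URI.
FAKE_AUTH_RE = re.compile(
    r'Sending fake auth rejection for device\s*'
    r'(?:"(?P<quoted>[^"]*)"|(?P<bare>[^<]*?))\s*'
    r'<sip:(?P<user>[^@>]+)@(?P<host>[^>;]+)>'
)


def classify(line, own_addresses):
    """Return what a log-based filter could extract from one NOTICE line.

    own_addresses: the server's own IP addresses. The URI host comes from the
    caller's From header, not from the packet, so it is only reported as a
    candidate when it is an IP literal that is not one of our own addresses.
    Returns None when the line is not a fake-auth-rejection NOTICE.
    """
    m = FAKE_AUTH_RE.search(line)
    if not m:
        return None
    host = m.group('host')
    try:
        ipaddress.ip_address(host)
        is_ip_literal = True
    except ValueError:
        is_ip_literal = False  # e.g. anonymous.invalid
    device = m.group('quoted')
    if device is None:
        device = m.group('bare').strip()
    return {
        'device': device,
        'user': m.group('user'),
        'uri_host': host,
        # None means: nothing in this line identifies the sending host.
        'source_ip_candidate': host if is_ip_literal and host not in own_addresses else None,
    }


def lines_without_source(lines, own_addresses):
    """Count matching lines that carry no usable source address."""
    parsed = [classify(l, own_addresses) for l in lines]
    return sum(1 for p in parsed if p is not None and p['source_ip_candidate'] is None)
```

Running it over the two sample lines reports both as unusable for banning, which is exactly the gap the mail describes.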