[asterisk-users] Am I being hacked?

Chris Nighswonger cnighswonger at foundations.edu
Mon Aug 19 17:15:54 CDT 2013


On Mon, Aug 19, 2013 at 2:40 PM, Patrick Lists <asterisk-list at puzzled.xs4all.nl> wrote:

> On 08/19/2013 08:10 PM, Eric Wieling wrote:
>
>> One of Asterisk's dirty little secrets is that it does not show the
>> source IP when a device or hacker tries sending a call without registering.
>> The rejection messages in the logs do not show the IP of the attacker.
>> Yes it sucks, yes it has been that way for many many years.
>>
>
> Are you aware of a patch that would show the source IP in the console and
> logs?
>
>
I do something like this:

1. turn up the logging
2. add foo like this in my dial plan:

exten => _.,1,NoOp(Received incoming SIP connection from unknown peer to ${EXTEN})
exten => _.,n,Log(NOTICE,"Anonymous peer IP: ${CHANNEL(peerip)}")
exten => _.,n,Set(DID=${IF($["${EXTEN:1:2}"=""]?s:${EXTEN})})
exten => _.,n,Goto(s,1)

3. do some bar like this in my fail2ban filter:

VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer
VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')
NOTICE.* .*: "Anonymous peer IP: <HOST>
NOTICE.* .*: Failed to authenticate device .*\s?\<sip:.*@<HOST>\>.*

and that handles most of the hacking attempts I see on my system. I think
it may be possible for the second line to catch some false matches, but I
have not seen any issues with our system thus far.

Kind Regards,
Chris

PS. Feel free to comment on what is wrong with this and be sure to include
the right way to do it. :-)
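
An added example, not part of the original message: a small Python harness that runs the four filter lines above over constructed log lines and reports which source address each one extracts. The log line layouts, the offenders() helper and the IPv4-only stand-in for <HOST> are assumptions made for illustration. It also shows that the unescaped parentheses in the second filter line act as a regex group, so that line does not match a log entry that contains literal parentheses.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# fail2ban's own expansion also accepts hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The four filter lines from the message, verbatim.
FAILREGEX = [
    r"VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer",
    r"VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')",
    r'NOTICE.* .*: "Anonymous peer IP: <HOST>',
    r"NOTICE.* .*: Failed to authenticate device .*\s?\<sip:.*@<HOST>\>.*",
]
# The second line with its parentheses escaped so they match literally.
ESCAPED = FAILREGEX[1].replace("(language '.*')", r"\(language '.*'\)")

# Constructed log lines (layout assumed, documentation-range addresses).
LOG = [
    '[2013-08-19 17:15:54] VERBOSE[1234] pbx.c: -- Executing [5551234@default:1] '
    'NoOp("SIP/203.0.113.7-0000002a", "Received incoming SIP connection from '
    'unknown peer to 5551234") in new stack',
    "[2013-08-19 17:15:55] VERBOSE[1234] logger.c: -- <SIP/203.0.113.7-0000002a> "
    "Playing 'ss-noservice' (language 'en')",
    '[2013-08-19 17:15:54] NOTICE[1234] Ext. 5551234: "Anonymous peer IP: 203.0.113.7"',
    "[2013-08-19 17:16:02] NOTICE[1234] chan_sip.c: Failed to authenticate device "
    '"x" <sip:100@198.51.100.9>;tag=abc',
    "[2013-08-19 17:16:05] NOTICE[1234] chan_sip.c: Peer 'alice' is now Reachable",
]

def offenders(patterns, lines):
    """Return {line_index: host} for every log line matched by any pattern."""
    compiled = [re.compile(p.replace("<HOST>", HOST)) for p in patterns]
    hits = {}
    for i, text in enumerate(lines):
        for rx in compiled:
            m = rx.search(text)  # fail2ban also searches rather than full-matches
            if m:
                hits[i] = m.group("host")
                break
    return hits

if __name__ == "__main__":
    print("as posted:      ", offenders(FAILREGEX, LOG))
    print("line 2 as posted:", offenders([FAILREGEX[1]], LOG))
    print("line 2 escaped: ", offenders([ESCAPED], LOG))
```

The same check against a real log and filter file is what the fail2ban-regex tool shipped with fail2ban performs.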