[asterisk-users] What this attacks means?

Richard Mudgett rmudgett at digium.com
Fri May 27 17:56:47 CDT 2016 

On Fri, May 27, 2016 at 5:28 PM, Vitor Mazuco <vitor.mazuco at gmail.com>
wrote:

> Hi to everybody
>
> my system is be attack, but I dont know what this means
>

<snip>

>
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting
> 'nat' for a peer/user that differs from the  global setting can make
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that
> peer/user discoverable by an attacker. Replies for non-existent
> peers/users
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a
> different port than replies for an existing peer/user. If at all
> possible,
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat'
> setting and do not set 'nat' per peer/user.
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='132'
> global force_rport='No' peer/user force_rport='Yes')
>



> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting
> 'nat' for a peer/user that differs from the  global setting can make
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that
> peer/user discoverable by an attacker. Replies for non-existent
> peers/users
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a
> different port than replies for an existing peer/user. If at all
> possible,
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat'
> setting and do not set 'nat' per peer/user.
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='133'
> global force_rport='No' peer/user force_rport='Yes')
>



> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting
> 'nat' for a peer/user that differs from the  global setting can make
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that
> peer/user discoverable by an attacker. Replies for non-existent
> peers/users
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a
> different port than replies for an existing peer/user. If at all
> possible,
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat'
> setting and do not set 'nat' per peer/user.
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='134'
> global force_rport='No' peer/user force_rport='Yes')
>



> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting
> 'nat' for a peer/user that differs from the  global setting can make
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that
> peer/user discoverable by an attacker. Replies for non-existent
> peers/users
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a
> different port than replies for an existing peer/user. If at all
> possible,
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat'
> setting and do not set 'nat' per peer/user.
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='135'
> global force_rport='No' peer/user force_rport='Yes')
>



> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting
> 'nat' for a peer/user that differs from the  global setting can make
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that
> peer/user discoverable by an attacker. Replies for non-existent
> peers/users
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a
> different port than replies for an existing peer/user. If at all
> possible,
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat'
> setting and do not set 'nat' per peer/user.
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='136'
> global force_rport='No' peer/user force_rport='Yes')
>



> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting
> 'nat' for a peer/user that differs from the  global setting can make
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that
> peer/user discoverable by an attacker. Replies for non-existent
> peers/users
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a
> different port than replies for an existing peer/user. If at all
> possible,
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat'
> setting and do not set 'nat' per peer/user.
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config
> category='1000' global force_rport='No' peer/user force_rport='Yes')
> [May 27 15:52:33] NOTICE[2306] chan_sip.c: The 'username' field for
> sip peers has been deprecated in favor of the term 'defaultuser'
>



> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting
> 'nat' for a peer/user that differs from the  global setting can make
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that
> peer/user discoverable by an attacker. Replies for non-existent
> peers/users
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a
> different port than replies for an existing peer/user. If at all
> possible,
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat'
> setting and do not set 'nat' per peer/user.
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config
> category='1003' global force_rport='No' peer/user force_rport='Yes')
>



> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting
> 'nat' for a peer/user that differs from the  global setting can make
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that
> peer/user discoverable by an attacker. Replies for non-existent
> peers/users
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a
> different port than replies for an existing peer/user. If at all
> possible,
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat'
> setting and do not set 'nat' per peer/user.
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config
> category='2000' global force_rport='No' peer/user force_rport='Yes')
>



> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting
> 'nat' for a peer/user that differs from the  global setting can make
> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that
> peer/user discoverable by an attacker. Replies for non-existent
> peers/users
>
> What happen with my Asterisk, and how to protect with this?
>

Your system is not under attack.  You have a configuration mismatch between
the
global SIP nat setting and the per peer/user nat setting for the indicated
peer/users.
The warning messages are indicating a potential security vulnerability in
your
configuration for each peer/user and are describing what can happen and
what you
need to do if those peer/users are exposed to the outside world.

Your global SIP nat setting is NO for force_rport and several peers are set
to YES
for force_rport.

In simplest terms only use the global SIP nat setting and do not use the
per peer/user
nat settings.

Richard
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20160527/4a729c53/attachment.html>

More information about the asterisk-users mailing list