[asterisk-users] What this attacks means?

Vitor Mazuco vitor.mazuco at gmail.com
Fri May 27 17:59:45 CDT 2016 

humm, ok.

Thanks very much

2016-05-27 19:56 GMT-03:00, Richard Mudgett <rmudgett at digium.com>:
> On Fri, May 27, 2016 at 5:28 PM, Vitor Mazuco <vitor.mazuco at gmail.com>
> wrote:
>
>> Hi to everybody
>>
>> my system is be attack, but I dont know what this means
>>
>
> <snip>
>
>>
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting
>> 'nat' for a peer/user that differs from the  global setting can make
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that
>> peer/user discoverable by an attacker. Replies for non-existent
>> peers/users
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a
>> different port than replies for an existing peer/user. If at all
>> possible,
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat'
>> setting and do not set 'nat' per peer/user.
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='132'
>> global force_rport='No' peer/user force_rport='Yes')
>>
>
>
>
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting
>> 'nat' for a peer/user that differs from the  global setting can make
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that
>> peer/user discoverable by an attacker. Replies for non-existent
>> peers/users
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a
>> different port than replies for an existing peer/user. If at all
>> possible,
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat'
>> setting and do not set 'nat' per peer/user.
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='133'
>> global force_rport='No' peer/user force_rport='Yes')
>>
>
>
>
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting
>> 'nat' for a peer/user that differs from the  global setting can make
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that
>> peer/user discoverable by an attacker. Replies for non-existent
>> peers/users
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a
>> different port than replies for an existing peer/user. If at all
>> possible,
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat'
>> setting and do not set 'nat' per peer/user.
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='134'
>> global force_rport='No' peer/user force_rport='Yes')
>>
>
>
>
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting
>> 'nat' for a peer/user that differs from the  global setting can make
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that
>> peer/user discoverable by an attacker. Replies for non-existent
>> peers/users
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a
>> different port than replies for an existing peer/user. If at all
>> possible,
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat'
>> setting and do not set 'nat' per peer/user.
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='135'
>> global force_rport='No' peer/user force_rport='Yes')
>>
>
>
>
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting
>> 'nat' for a peer/user that differs from the  global setting can make
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that
>> peer/user discoverable by an attacker. Replies for non-existent
>> peers/users
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a
>> different port than replies for an existing peer/user. If at all
>> possible,
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat'
>> setting and do not set 'nat' per peer/user.
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='136'
>> global force_rport='No' peer/user force_rport='Yes')
>>
>
>
>
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting
>> 'nat' for a peer/user that differs from the  global setting can make
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that
>> peer/user discoverable by an attacker. Replies for non-existent
>> peers/users
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a
>> different port than replies for an existing peer/user. If at all
>> possible,
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat'
>> setting and do not set 'nat' per peer/user.
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config
>> category='1000' global force_rport='No' peer/user force_rport='Yes')
>> [May 27 15:52:33] NOTICE[2306] chan_sip.c: The 'username' field for
>> sip peers has been deprecated in favor of the term 'defaultuser'
>>
>
>
>
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting
>> 'nat' for a peer/user that differs from the  global setting can make
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that
>> peer/user discoverable by an attacker. Replies for non-existent
>> peers/users
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a
>> different port than replies for an existing peer/user. If at all
>> possible,
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat'
>> setting and do not set 'nat' per peer/user.
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config
>> category='1003' global force_rport='No' peer/user force_rport='Yes')
>>
>
>
>
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting
>> 'nat' for a peer/user that differs from the  global setting can make
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that
>> peer/user discoverable by an attacker. Replies for non-existent
>> peers/users
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a
>> different port than replies for an existing peer/user. If at all
>> possible,
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat'
>> setting and do not set 'nat' per peer/user.
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config
>> category='2000' global force_rport='No' peer/user force_rport='Yes')
>>
>
>
>
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting
>> 'nat' for a peer/user that differs from the  global setting can make
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that
>> peer/user discoverable by an attacker. Replies for non-existent
>> peers/users
>>
>> What happen with my Asterisk, and how to protect with this?
>>
>
> Your system is not under attack.  You have a configuration mismatch between
> the
> global SIP nat setting and the per peer/user nat setting for the indicated
> peer/users.
> The warning messages are indicating a potential security vulnerability in
> your
> configuration for each peer/user and are describing what can happen and
> what you
> need to do if those peer/users are exposed to the outside world.
>
> Your global SIP nat setting is NO for force_rport and several peers are set
> to YES
> for force_rport.
>
> In simplest terms only use the global SIP nat setting and do not use the
> per peer/user
> nat settings.
>
> Richard
>

More information about the asterisk-users mailing list