[asterisk-users] getting invites to rtp ports ??

sean darcy seandarcy2 at gmail.com
Wed Aug 29 19:31:15 CDT 2018 

On 08/29/2018 08:07 PM, John Covici wrote:
> I wonder if I could have that patch, maybe I could add it to my
> fail2ban regexp and if you have the correct regexp, I would apperciate
> that as well.
> 
> Thanks.
> 
> On Wed, 29 Aug 2018 19:18:29 -0400,
> Telium Support Group wrote:
>>
>> Depending on log trolling (Asterisk security log) misses a lot, and also depends on the SIP/PJSIP folks to not change message structure (which has already happened numerous time).  If  you are comfortable hacking chan_sip.c you may prefer to get the same messages from the AMI.  It still misses a lot but that approach is better than nothing.
>>
>> Digium warns not to use fail2ban / log trolling as a security system: http://forums.asterisk.org/viewtopic.php?p=159984
>>
>>
>> -----Original Message-----
>> From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of sean darcy
>> Sent: Wednesday, August 29, 2018 6:33 PM
>> To: asterisk-users at lists.digium.com
>> Subject: Re: [asterisk-users] getting invites to rtp ports ??
>>
>> On 08/29/2018 11:59 AM, Telium Support Group wrote:
>>> Block a single IP is the wrong approach (whack-a-mole).  You should consider a more comprehensive approach to securing your VoIP environment.  Have a look at this wiki:
>>>
>>> https://www.voip-info.org/asterisk-security/
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com]
>>> On Behalf Of sean darcy
>>> Sent: Wednesday, August 29, 2018 10:46 AM
>>> To: asterisk-users at lists.digium.com
>>> Subject: Re: [asterisk-users] getting invites to rtp ports ??
>>>
>>> On 08/29/2018 09:42 AM, Carlos Rojas wrote:
>>>> Hi
>>>>
>>>> Probably somebody is trying to hack your system, you should block
>>>> that ip on your firewall.
>>>>
>>>> Regards
>>>>
>>>> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandarcy2 at gmail.com
>>>> <mailto:seandarcy2 at gmail.com>> wrote:
>>>>
>>>>       I'm getting invites to very high ports every 30 seconds from a
>>>>       particular ip address:
>>>>
>>>>       Retransmitting #10 (NAT) to 5.199.133.128:52734
>>>>       <http://5.199.133.128:52734>:
>>>>       SIP/2.0 401 Unauthorized
>>>>       Via: SIP/2.0/UDP
>>>>       0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
>>>>       From: <sip:37120116780191250 at 67.80.191.250
>>>>       <mailto:sip%3A37120116780191250 at 67.80.191.250>>;tag=1872048972
>>>>       To: <sip:3712011972592181418 at 67.80.191.250
>>>>       <mailto:sip%3A3712011972592181418 at 67.80.191.250>>;tag=as3a52e748
>>>>       Call-ID: 1504207870-295758084-609228182
>>>>       CSeq: 1 INVITE
>>>>       .......
>>>>       WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
>>>>       1504207870-295758084-609228182...
>>>>
>>>>       I thought invites had to go to port 5060 or so. I don't understand
>>>>       why somebody (let's assume a bad guy) is trying ports above 50000.
>>>>
>>>>       sean
>>>>
>>>>
>>>
>>> Ok, so the high port is not the destination port but the source port.
>>>
>>> So I hacked the log warning in chan_sip.c on non-critical invites to show the source ip:
>>>
>>> ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from
>>> %s.\n",
>>> pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
>>>
>>> With that in the log, I'm now blocking the ip addresses.
>>>
>>> Thanks,
>>> sean
>>>
>>>
>>> --
>>> _____________________________________________________________________
>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>
>>> Astricon is coming up October 9-11!  Signup is available at:
>>> https://www.asterisk.org/community/astricon-user-conference
>>>
>>> Check out the new Asterisk community forum at:
>>> https://community.asterisk.org/
>>>
>>
>> I agree. That's why I hacked chan_sip.c to get the addresses in the log.
>>
>> I'm surprised they're not in the log by default. I must be the only person who gets these "non-critical invites".
>>
>> sean
>>
>>
>>
>> --
>> _____________________________________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>
>> Astricon is coming up October 9-11!  Signup is available at: https://www.asterisk.org/community/astricon-user-conference
>>
>> Check out the new Asterisk community forum at: https://community.asterisk.org/
>>
>> New to Asterisk? Start here:
>>        https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>>     http://lists.digium.com/mailman/listinfo/asterisk-users
>>
>>
>> -- 
>> _____________________________________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>
>> Astricon is coming up October 9-11!  Signup is available at: https://www.asterisk.org/community/astricon-user-conference
>>
>> Check out the new Asterisk community forum at: https://community.asterisk.org/
>>
>> New to Asterisk? Start here:
>>        https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>>     http://lists.digium.com/mailman/listinfo/asterisk-users
>>
> 
The patch, more accurately a hack, is in my second post above.

chan_sip.c 4127 : ast_log(LOG_WARNING, "Timeout on %s non-critic invite 
trans from %s.\n", 
pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));

The added second %s shows the ip address of the pkt owner.

I wouldn't submit it in a coding class !

sean

More information about the asterisk-users mailing list