[asterisk-users] getting invites to rtp ports ??

Matthew Jordan mjordan at digium.com
Wed Aug 29 21:52:05 CDT 2018


On Wed, Aug 29, 2018 at 6:20 PM Telium Support Group <support at telium.ca>
wrote:

> Depending on log trolling (Asterisk security log) misses a lot, and also
> depends on the SIP/PJSIP folks to not change message structure (which has
> already happened numerous time).  If  you are comfortable hacking
> chan_sip.c you may prefer to get the same messages from the AMI.  It still
> misses a lot but that approach is better than nothing.
>
> Digium warns not to use fail2ban / log trolling as a security system:
> http://forums.asterisk.org/viewtopic.php?p=159984
>
>
>
That's some pretty old advice.

The rationale for *not* using general log messages with fail2ban still
stands: the general WARNING/NOTICE/etc. log messages are subject to change
between versions, and no one wants that to impact someone's security. So
you should not use those messages as input into fail2ban.

That rationale did lead to the 'security' event type in log messages.
Security Event Logging - as it is called - got added into Asterisk quite
some time ago. So long ago I'm really not sure which version. At a minimum,
Asterisk 11, but I'm pretty sure it was in 10 as well.

Documentation for it can be found here:

https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger

And here:

https://wiki.asterisk.org/wiki/display/AST/Logging+Configuration

Note that this also fires off AMI events (and ARI events, IIRC).

If, for whatever reason, you do not get a SECURITY log message or a
corresponding event when something 'bad' happens, that would be worth some
additional discussion. If anything, the events can be a bit chatty...





> -----Original Message-----
> From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On
> Behalf Of sean darcy
> Sent: Wednesday, August 29, 2018 6:33 PM
> To: asterisk-users at lists.digium.com
> Subject: Re: [asterisk-users] getting invites to rtp ports ??
>
> On 08/29/2018 11:59 AM, Telium Support Group wrote:
> > Block a single IP is the wrong approach (whack-a-mole).  You should
> consider a more comprehensive approach to securing your VoIP environment.
> Have a look at this wiki:
> >
> > https://www.voip-info.org/asterisk-security/
> >
> >
> >
> > -----Original Message-----
> > From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com]
> > On Behalf Of sean darcy
> > Sent: Wednesday, August 29, 2018 10:46 AM
> > To: asterisk-users at lists.digium.com
> > Subject: Re: [asterisk-users] getting invites to rtp ports ??
> >
> > On 08/29/2018 09:42 AM, Carlos Rojas wrote:
> >> Hi
> >>
> >> Probably somebody is trying to hack your system, you should block
> >> that ip on your firewall.
> >>
> >> Regards
> >>
> >> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandarcy2 at gmail.com
> >> <mailto:seandarcy2 at gmail.com>> wrote:
> >>
> >>      I'm getting invites to very high ports every 30 seconds from a
> >>      particular ip address:
> >>
> >>      Retransmitting #10 (NAT) to 5.199.133.128:52734
> >>      <http://5.199.133.128:52734>:
> >>      SIP/2.0 401 Unauthorized
> >>      Via: SIP/2.0/UDP
> >>      0.0.0.0:52734
> ;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
> >>      From: <sip:37120116780191250 at 67.80.191.250
> >>      <mailto:sip%3A37120116780191250 at 67.80.191.250>>;tag=1872048972
> >>      To: <sip:3712011972592181418 at 67.80.191.250
> >>      <mailto:sip%3A3712011972592181418 at 67.80.191.250>>;tag=as3a52e748
> >>      Call-ID: 1504207870-295758084-609228182
> >>      CSeq: 1 INVITE
> >>      .......
> >>      WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
> >>      1504207870-295758084-609228182...
> >>
> >>      I thought invites had to go to port 5060 or so. I don't understand
> >>      why somebody (let's assume a bad guy) is trying ports above 50000.
> >>
> >>      sean
> >>
> >>
> >
> > Ok, so the high port is not the destination port but the source port.
> >
> > So I hacked the log warning in chan_sip.c on non-critical invites to
> show the source ip:
> >
> > ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from
> > %s.\n",
> > pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> >
> > With that in the log, I'm now blocking the ip addresses.
> >
> > Thanks,
> > sean
> >
> >
> > --
> > _____________________________________________________________________
> > -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> >
> > Astricon is coming up October 9-11!  Signup is available at:
> > https://www.asterisk.org/community/astricon-user-conference
> >
> > Check out the new Asterisk community forum at:
> > https://community.asterisk.org/
> >
>
> I agree. That's why I hacked chan_sip.c to get the addresses in the log.
>
> I'm surprised they're not in the log by default. I must be the only person
> who gets these "non-critical invites".
>
> sean
>
>
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Astricon is coming up October 9-11!  Signup is available at:
> https://www.asterisk.org/community/astricon-user-conference
>
> Check out the new Asterisk community forum at:
> https://community.asterisk.org/
>
> New to Asterisk? Start here:
>       https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
>
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Astricon is coming up October 9-11!  Signup is available at:
> https://www.asterisk.org/community/astricon-user-conference
>
> Check out the new Asterisk community forum at:
> https://community.asterisk.org/
>
> New to Asterisk? Start here:
>       https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users



-- 
Matthew Jordan
Digium, Inc. | CTO
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20180829/162d6fa9/attachment.html>


More information about the asterisk-users mailing list