[asterisk-users] getting invites to rtp ports ??

asterisk at a-domani.nl asterisk at a-domani.nl
Thu Aug 30 04:04:34 CDT 2018


Regarding this thread,
I was wondering: why would anybody open his firewall (for incoming 
traffic) to anybody else besides his own SIP provider?

Isn't that the proper way to have your firewall configured: always 
closed by default, unless explicitly required?
(But perhaps I'm missing a legitimate use case.)

Hans

On 2018-08-30 04:52, Matthew Jordan wrote:
> On Wed, Aug 29, 2018 at 6:20 PM Telium Support Group
> <support at telium.ca> wrote:
> 
>> Depending on log trolling (Asterisk security log) misses a lot, and
>> also depends on the SIP/PJSIP folks not changing the message structure
>> (which has already happened numerous times).  If you are comfortable
>> hacking chan_sip.c you may prefer to get the same messages from the
>> AMI.  It still misses a lot, but that approach is better than
>> nothing.
>> 
>> Digium warns not to use fail2ban / log trolling as a security
>> system: http://forums.asterisk.org/viewtopic.php?p=159984
> 
> That's some pretty old advice.
> 
> The rationale for *not* using general log messages with fail2ban still
> stands: the general WARNING/NOTICE/etc. log messages are subject to
> change between versions, and no one wants that to impact someone's
> security. So you should not use those messages as input into fail2ban.
> 
> That rationale did lead to the 'security' event type in log messages.
> Security Event Logging - as it is called - got added into Asterisk
> quite some time ago. So long ago I'm really not sure which version. At
> a minimum, Asterisk 11, but I'm pretty sure it was in 10 as well.
> 
> Documentation for it can be found here:
> 
> https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger
> 
> And here:
> 
> https://wiki.asterisk.org/wiki/display/AST/Logging+Configuration
> 
> Note that this also fires off AMI events (and ARI events, IIRC).
> 
> If, for whatever reason, you do not get a SECURITY log message or a
> corresponding event when something 'bad' happens, that would be worth
> some additional discussion. If anything, the events can be a bit
> chatty...
> 
>> -----Original Message-----
>> From: asterisk-users
>> [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of sean
>> darcy
>> Sent: Wednesday, August 29, 2018 6:33 PM
>> To: asterisk-users at lists.digium.com
>> Subject: Re: [asterisk-users] getting invites to rtp ports ??
>> 
>> On 08/29/2018 11:59 AM, Telium Support Group wrote:
>>> Blocking a single IP is the wrong approach (whack-a-mole).  You
>>> should consider a more comprehensive approach to securing your VoIP
>>> environment.  Have a look at this wiki:
>>> 
>>> https://www.voip-info.org/asterisk-security/
>>> 
>>> 
>>> 
>>> -----Original Message-----
>>> From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com]
>>> On Behalf Of sean darcy
>>> Sent: Wednesday, August 29, 2018 10:46 AM
>>> To: asterisk-users at lists.digium.com
>>> Subject: Re: [asterisk-users] getting invites to rtp ports ??
>>> 
>>> On 08/29/2018 09:42 AM, Carlos Rojas wrote:
>>>> Hi
>>>> 
>>>> Probably somebody is trying to hack your system, you should block
>>>> that ip on your firewall.
>>>> 
>>>> Regards
>>>> 
>>>> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandarcy2 at gmail.com
>>>> <mailto:seandarcy2 at gmail.com>> wrote:
>>>> 
>>>> I'm getting invites to very high ports every 30 seconds from a
>>>> particular ip address:
>>>> 
>>>> Retransmitting #10 (NAT) to 5.199.133.128:52734 [1]
>>>> <http://5.199.133.128:52734>:
>>>> SIP/2.0 401 Unauthorized
>>>> Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
>>>> From: <sip:37120116780191250 at 67.80.191.250>;tag=1872048972
>>>> To: <sip:3712011972592181418 at 67.80.191.250>;tag=as3a52e748
>>>> Call-ID: 1504207870-295758084-609228182
>>>> CSeq: 1 INVITE
>>>> .......
>>>> WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
>>>> 1504207870-295758084-609228182...
>>>> 
>>>> I thought invites had to go to port 5060 or so. I don't understand
>>>> why somebody (let's assume a bad guy) is trying ports above 50000.
>>>> 
>>>> sean
>>>> 
>>>> 
>>> 
>>> Ok, so the high port is not the destination port but the source port.
>>> 
>>> So I hacked the log warning in chan_sip.c on non-critical invites
>>> to show the source ip:
>>> 
>>> ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
>>> pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
>>> 
>>> With that in the log, I'm now blocking the ip addresses.
>>> 
>>> Thanks,
>>> sean
>>> 
>>> 
>>> --
>>> 
>> 
> _____________________________________________________________________
>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com
>> --
>>> 
>>> Astricon is coming up October 9-11!  Signup is available at:
>>> https://www.asterisk.org/community/astricon-user-conference
>>> 
>>> Check out the new Asterisk community forum at:
>>> https://community.asterisk.org/
>>> 
>> 
>> I agree. That's why I hacked chan_sip.c to get the addresses in the
>> log.
>> 
>> I'm surprised they're not in the log by default. I must be the only
>> person who gets these "non-critical invites".
>> 
>> sean
>> 
> 
> --
> Matthew Jordan
> Digium, Inc. | CTO
> 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> Check us out at: http://digium.com & http://asterisk.org
> 
> Links:
> ------
> [1] http://5.199.133.128:52734
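Matthew's point above is that a ban tool should key on the structured SECURITY events rather than on free-form WARNING/NOTICE messages. As an added illustration (not code from the thread or from Asterisk), here is a small parser for Security Event Logger lines that counts failed-authentication events per remote address and reports sources that cross a threshold; the sample log lines are constructed to follow the documented `Key="Value"` record format, with RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# Event names that indicate a failed authentication attempt against a SIP
# endpoint, as listed in the Asterisk Security Event Logger documentation.
FAILED_AUTH_EVENTS = {"InvalidAccountID", "InvalidPassword",
                      "ChallengeResponseFailed", "FailedACL"}

# A SecurityEvent record is a comma-separated list of Key="Value" pairs.
_PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample log (not real traffic): three failures from one
# source, one success, one ACL failure elsewhere, and a general WARNING
# line that a log-based ban tool must ignore.
SAMPLE_LOG = """\
SECURITY[1] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="1001",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/52734"
SECURITY[1] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="SIP",AccountID="1002",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/192.0.2.20/5060"
SECURITY[1] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",AccountID="9999",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/52734"
SECURITY[1] res_security_log.c: SecurityEvent="FailedACL",Severity="Error",Service="SIP",AccountID="1003",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182
SECURITY[1] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="SIP",AccountID="1001",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/52734"
"""

def parse_security_event(line):
    """Return the fields of one SecurityEvent record as a dict, or None
    when the line is not a security event (e.g. an ordinary WARNING)."""
    if "SecurityEvent=" not in line:
        return None
    return dict(_PAIR_RE.findall(line))

def remote_ip(event):
    """RemoteAddress looks like IPV4/UDP/198.51.100.7/52734; the address
    is the third slash-separated field (the port is the source port)."""
    parts = event.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) >= 3 else None

def failed_auth_sources(lines, threshold):
    """Count failed-auth events per remote IP; return (offenders, counts),
    where offenders are the IPs with at least `threshold` failures."""
    counts = Counter()
    for line in lines:
        ev = parse_security_event(line)
        if not ev or ev.get("SecurityEvent") not in FAILED_AUTH_EVENTS:
            continue
        ip = remote_ip(ev)
        if ip:
            counts[ip] += 1
    offenders = {ip for ip, n in counts.items() if n >= threshold}
    return offenders, counts

if __name__ == "__main__":
    offenders, counts = failed_auth_sources(SAMPLE_LOG.splitlines(), 3)
    print("per-source failures:", dict(counts))
    print("sources over threshold:", offenders)
```

The general WARNING line is skipped entirely, which is exactly why the security log is the stable input for a fail2ban-style filter.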
