[asterisk-users] getting invites to rtp ports ??
dovid at telecurve.com
Thu Aug 30 06:31:16 CDT 2018
On Wed, Aug 29, 2018 at 10:52 PM, Matthew Jordan <mjordan at digium.com> wrote:
> On Wed, Aug 29, 2018 at 6:20 PM Telium Support Group <support at telium.ca> wrote:
>> Depending on log trolling (Asterisk security log) misses a lot, and also
>> depends on the SIP/PJSIP folks to not change message structure (which has
>> already happened numerous times). If you are comfortable hacking
>> chan_sip.c you may prefer to get the same messages from the AMI. It still
>> misses a lot but that approach is better than nothing.
>> Digium warns not to use fail2ban / log trolling as a security system:
> That's some pretty old advice.
> The rationale for *not* using general log messages with fail2ban still
> stands: the general WARNING/NOTICE/etc. log messages are subject to change
> between versions, and no one wants that to impact someone's security. So
> you should not use those messages as input into fail2ban.
> That rationale did lead to the 'security' event type in log messages.
> Security Event Logging - as it is called - got added into Asterisk quite
> some time ago. So long ago I'm really not sure which version. At a minimum,
> Asterisk 11, but I'm pretty sure it was in 10 as well.
> Documentation for it can be found here:
> And here:
> Note that this also fires off AMI events (and ARI events, IIRC).
> If, for whatever reason, you do not get a SECURITY log message or a
> corresponding event when something 'bad' happens, that would be worth some
> additional discussion. If anything, the events can be a bit chatty...
FYI: We have found that Fail2Ban has not been as effective as it has been in the
past (more with web provisioning servers than with SIP), as once the
attackers think they have a system they can compromise, they will change
their IPs and keep trying over and over.
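
An added example, not part of the original thread or of Asterisk itself: it reads only SECURITY-level lines by their key="value" fields (so general NOTICE/WARNING wording changes do not matter) and groups failures per AccountID to surface the rotating-source pattern that a per-IP ban counter misses. The sample lines are constructed, and the function names and the threshold of three sources are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key="value" layout of Asterisk Security
# Event Logging; addresses come from documentation ranges, not real traffic.
SAMPLE_LOG = '''\
[2018-08-30 06:31:01] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="1001",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2018-08-30 06:31:05] NOTICE[2101] chan_sip.c: Registration from '"1001"' failed for '198.51.100.7:5060' - Wrong password
[2018-08-30 06:33:40] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="1001",RemoteAddress="IPV4/UDP/198.51.100.23/5060"
[2018-08-30 06:36:12] SECURITY[2101] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="SIP",AccountID="1001",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
[2018-08-30 06:37:00] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",AccountID="2002",RemoteAddress="IPV4/UDP/192.0.2.50/5060"
[2018-08-30 06:38:00] SECURITY[2101] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="SIP",AccountID="1001",RemoteAddress="IPV4/UDP/192.0.2.10/5060"
'''

# Security event names treated as failed attempts in this example.
FAILURE_EVENTS = {"InvalidPassword", "InvalidAccountID",
                  "ChallengeResponseFailed", "FailedACL"}
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_security_line(line):
    """Return the event fields as a dict, or None for non-SECURITY lines."""
    if "] SECURITY[" not in line:
        return None
    fields = dict(PAIR_RE.findall(line))
    return fields if "SecurityEvent" in fields else None

def remote_ip(fields):
    """Extract the address from 'IPV4/UDP/<addr>/<port>' (IPv6 works too)."""
    parts = fields.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) == 4 else None

def distributed_failures(log_text, min_sources=3):
    """Accounts with failures from at least min_sources distinct addresses."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_security_line(line)
        if not fields or fields["SecurityEvent"] not in FAILURE_EVENTS:
            continue
        ip = remote_ip(fields)
        if ip:
            sources[fields.get("AccountID", "")].add(ip)
    return {acct: sorted(ips) for acct, ips in sources.items()
            if len(ips) >= min_sources}

if __name__ == "__main__":
    for account, ips in distributed_failures(SAMPLE_LOG).items():
        print(f"account {account}: failures from {len(ips)} sources: {ips}")
```

In the sample, no single address fails more than once, so a per-IP retry limit never trips, while the per-account view flags 1001.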