[asterisk-users] getting invites to rtp ports ??

Dovid Bender dovid at telecurve.com
Thu Aug 30 06:31:16 CDT 2018


On Wed, Aug 29, 2018 at 10:52 PM, Matthew Jordan <mjordan at digium.com> wrote:

>
> On Wed, Aug 29, 2018 at 6:20 PM Telium Support Group <support at telium.ca>
> wrote:
>
>> Depending on log trolling (Asterisk security log) misses a lot, and also
>> depends on the SIP/PJSIP folks to not change message structure (which has
>> already happened numerous times).  If you are comfortable hacking
>> chan_sip.c you may prefer to get the same messages from the AMI.  It still
>> misses a lot but that approach is better than nothing.
>>
>> Digium warns not to use fail2ban / log trolling as a security system:
>> http://forums.asterisk.org/viewtopic.php?p=159984
>>
>>
>>
> That's some pretty old advice.
>
> The rationale for *not* using general log messages with fail2ban still
> stands: the general WARNING/NOTICE/etc. log messages are subject to change
> between versions, and no one wants that to impact someone's security. So
> you should not use those messages as input into fail2ban.
>
> That rationale did lead to the 'security' event type in log messages.
> Security Event Logging - as it is called - got added into Asterisk quite
> some time ago. So long ago I'm really not sure which version. At a minimum,
> Asterisk 11, but I'm pretty sure it was in 10 as well.
>
> Documentation for it can be found here:
>
> https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger
>
> And here:
>
> https://wiki.asterisk.org/wiki/display/AST/Logging+Configuration
>
> Note that this also fires off AMI events (and ARI events, IIRC).
>
> If, for whatever reason, you do not get a SECURITY log message or a
> corresponding event when something 'bad' happens, that would be worth some
> additional discussion. If anything, the events can be a bit chatty...
>
>
FYI: We have found that Fail2Ban has not been as effective as it has in the
past (more with web provisioning servers than with SIP) as once the
attackers think they have a system they can compromise they will change
their IPs and keep trying over and over.
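Following the thread's point about keying detection on the SECURITY log rather than on the general NOTICE/WARNING messages, here is an added example (not from the original post, and not Asterisk or Digium code) that parses security-event lines and applies a sliding-window failure threshold per source IP. It also counts distinct source IPs per targeted account, which goes beyond the thread and speaks to the IP-rotation behaviour described above: a per-IP ban never fires, but one account being hammered from many addresses still stands out. Assumptions: the default logger dateformat (`%Y-%m-%d %H:%M:%S`), the `key="value"` comma-separated body layout, the set of event names treated as failures (a subset; check your version's security-event documentation), and the sample lines, which are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event names treated as failed attempts (assumed subset of the Asterisk
# security event types; extend to match your version's documentation).
FAILURE_EVENTS = {"FailedACL", "InvalidAccountID",
                  "ChallengeResponseFailed", "InvalidPassword"}

# Constructed sample lines in the shape of the Asterisk SECURITY logger output
# (default dateformat, key="value" pairs). Not captured from a real system.
SAMPLE_LINES = [
    '[2018-08-30 06:30:01] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1001",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5062"',
    '[2018-08-30 06:30:05] SECURITY[2101] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1001",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5062"',
    '[2018-08-30 06:30:09] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1001",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5062"',
    '[2018-08-30 06:30:20] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1001",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"',
    '[2018-08-30 06:30:30] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1001",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.6/5060"',
    '[2018-08-30 06:30:40] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1001",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5060"',
    '[2018-08-30 06:30:45] SECURITY[2101] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="1002",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/192.0.2.50/5060"',
    # A general-log NOTICE line: exactly the kind of message the thread says
    # not to key on, so the parser ignores it.
    '[2018-08-30 06:30:50] NOTICE[2101] chan_sip.c: Registration from "1001" failed for 203.0.113.9:5060',
]

# Timestamp, SECURITY tag (optional [C-...] call-id suffix), source file, body.
_LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\](?:\[[^\]]*\])? \S+: (?P<body>.*)$')
_PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_security_line(line):
    """Return the event's fields as a dict (plus '_timestamp'), or None if the
    line is not a SECURITY log line."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    fields = dict(_PAIR_RE.findall(m.group("body")))
    fields["_timestamp"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return fields


def remote_ip(fields):
    """RemoteAddress="IPV4/UDP/198.51.100.7/5062" -> "198.51.100.7"."""
    parts = fields.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) >= 3 else None


def failures_by_ip(lines, window=timedelta(seconds=60), threshold=3):
    """Count failures per source IP and flag IPs that reach `threshold`
    failures inside any span of length `window` (sliding window, in log order)."""
    recent = defaultdict(deque)
    counts = defaultdict(int)
    flagged = set()
    for line in lines:
        ev = parse_security_line(line)
        if not ev or ev.get("SecurityEvent") not in FAILURE_EVENTS:
            continue
        ip = remote_ip(ev)
        if not ip:
            continue
        counts[ip] += 1
        q = recent[ip]
        q.append(ev["_timestamp"])
        while q and ev["_timestamp"] - q[0] > window:
            q.popleft()          # drop attempts older than the window
        if len(q) >= threshold:
            flagged.add(ip)
    return dict(counts), flagged


def sources_per_account(lines):
    """Distinct source IPs that failed against each AccountID; many sources
    against one account is the rotating-IP pattern a per-IP ban misses."""
    per_account = defaultdict(set)
    for line in lines:
        ev = parse_security_line(line)
        if ev and ev.get("SecurityEvent") in FAILURE_EVENTS:
            ip = remote_ip(ev)
            if ip:
                per_account[ev.get("AccountID", "?")].add(ip)
    return {acct: sorted(ips) for acct, ips in per_account.items()}


if __name__ == "__main__":
    counts, flagged = failures_by_ip(SAMPLE_LINES)
    print("failures per IP:", counts)
    print("IPs over threshold:", sorted(flagged))
    print("distinct sources per account:", sources_per_account(SAMPLE_LINES))
```

Feed it `tail -F` output of the log file that has the `security` level enabled in logger.conf, or the equivalent AMI/ARI security events, to get the same keys. The per-account view is the complement to a fail2ban-style per-IP rule: it will not block anything on its own, but it is the number to alert on when the per-IP counters stay quiet while one extension keeps failing.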