[asterisk-users] getting invites to rtp ports ??
Matthew Jordan
mjordan at digium.com
Thu Aug 30 08:37:58 CDT 2018
On Thu, Aug 30, 2018 at 6:02 AM John Covici <covici at ccs.covici.com> wrote:
> I agree, but is it possible to try over and over with anything other
> than the challenge warning in the security log as sean suggested and
> put a patch for?
>
I don't think I understand your question.
You shouldn't need a patch if you are using the SECURITY log. The thread
above is suggesting patching the source code to hijack a WARNING message
for the purposes of tracing security information; my point is that you
should have a specific SECURITY log message that already serves that
purpose.
>
> On Wed, 29 Aug 2018 22:52:05 -0400,
> Matthew Jordan wrote:
> >
> > On Wed, Aug 29, 2018 at 6:20 PM Telium Support Group <support at telium.ca> wrote:
> >
> > Depending on log trolling (Asterisk security log) misses a lot, and also
> > depends on the SIP/PJSIP folks to not change message structure (which has
> > already happened numerous times). If you are comfortable hacking chan_sip.c
> > you may prefer to get the same messages from the AMI. It still misses a lot
> > but that approach is better than nothing.
> >
> > Digium warns not to use fail2ban / log trolling as a security system:
> > http://forums.asterisk.org/viewtopic.php?p=159984
> >
> > That's some pretty old advice.
> >
> > The rationale for *not* using general log messages with fail2ban still
> > stands: the general WARNING/NOTICE/etc. log messages are subject to change
> > between versions, and no one wants that to impact someone's security. So
> > you should not use those messages as input into fail2ban.
> >
> > That rationale did lead to the 'security' event type in log messages.
> > Security Event Logging - as it is called - got added into Asterisk quite
> > some time ago. So long ago I'm really not sure which version. At a minimum,
> > Asterisk 11, but I'm pretty sure it was in 10 as well.
> >
> > Documentation for it can be found here:
> >
> > https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger
> >
> > And here:
> >
> > https://wiki.asterisk.org/wiki/display/AST/Logging+Configuration
> >
> > Note that this also fires off AMI events (and ARI events, IIRC).
> >
> > If, for whatever reason, you do not get a SECURITY log message or a
> > corresponding event when something 'bad' happens, that would be worth some
> > additional discussion. If anything, the events can be a bit chatty...
> >
> >
> > -----Original Message-----
> > From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of sean darcy
> > Sent: Wednesday, August 29, 2018 6:33 PM
> > To: asterisk-users at lists.digium.com
> > Subject: Re: [asterisk-users] getting invites to rtp ports ??
> >
> > On 08/29/2018 11:59 AM, Telium Support Group wrote:
> > > Blocking a single IP is the wrong approach (whack-a-mole). You should
> > > consider a more comprehensive approach to securing your VoIP environment.
> > > Have a look at this wiki:
> > >
> > > https://www.voip-info.org/asterisk-security/
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of sean darcy
> > > Sent: Wednesday, August 29, 2018 10:46 AM
> > > To: asterisk-users at lists.digium.com
> > > Subject: Re: [asterisk-users] getting invites to rtp ports ??
> > >
> > > On 08/29/2018 09:42 AM, Carlos Rojas wrote:
> > >> Hi
> > >>
> > >> Probably somebody is trying to hack your system, you should block
> > >> that ip on your firewall.
> > >>
> > >> Regards
> > >>
> > >> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandarcy2 at gmail.com> wrote:
> > >>
> > >> I'm getting invites to very high ports every 30 seconds from a
> > >> particular ip address:
> > >>
> > >> Retransmitting #10 (NAT) to 5.199.133.128:52734:
> > >> SIP/2.0 401 Unauthorized
> > >> Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
> > >> From: <sip:37120116780191250@67.80.191.250>;tag=1872048972
> > >> To: <sip:3712011972592181418@67.80.191.250>;tag=as3a52e748
> > >> Call-ID: 1504207870-295758084-609228182
> > >> CSeq: 1 INVITE
> > >> .......
> > >> WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
> > >> 1504207870-295758084-609228182...
> > >>
> > >> I thought invites had to go to port 5060 or so. I don't understand
> > >> why somebody (let's assume a bad guy) is trying ports above 50000.
> > >>
> > >> sean
> > >>
> > >>
> > >
> > > Ok, so the high port is not the destination port but the source port.
> > >
> > > So I hacked the log warning in chan_sip.c on non-critical invites to
> > > show the source ip:
> > >
> > > ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
> > >         pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> > >
> > > With that in the log, I'm now blocking the ip addresses.
> > >
> > > Thanks,
> > > sean
> > >
> > >
> > > --
> > > _____________________________________________________________________
> > > -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> > >
> > > Astricon is coming up October 9-11! Signup is available at:
> > > https://www.asterisk.org/community/astricon-user-conference
> > >
> > > Check out the new Asterisk community forum at:
> > > https://community.asterisk.org/
> > >
> >
> > I agree. That's why I hacked chan_sip.c to get the addresses in the log.
> >
> > I'm surprised they're not in the log by default. I must be the only
> > person who gets these "non-critical invites".
> >
> > sean
> >
> >
> >
> > --
> > Matthew Jordan
> > Digium, Inc. | CTO
> > 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> > Check us out at: http://digium.com & http://asterisk.org
>
> --
> Your life is like a penny. You're going to lose it. The question is:
> How do
> you spend it?
>
> John Covici wb2una
> covici at ccs.covici.com
>
--
Matthew Jordan
Digium, Inc. | CTO
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
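Added example, not code from this thread or from Asterisk: a small Python detector that does what Matthew recommends above, keying on SECURITY log lines rather than on a patched WARNING. It assumes the default logger.conf date format ("[YYYY-MM-DD HH:MM:SS]" prefixes) and the documented Security Event Logger layout (comma-separated Key="Value" pairs, RemoteAddress="IPV4/UDP/<ip>/<port>"); the log lines it runs on are constructed with RFC 5737 addresses, and the regex, the threshold, the window and the choice of which event names count as failures are the example's own, not anything Asterisk ships.

```python
"""Sliding-window failed-auth detection over Asterisk SECURITY log lines.

Added example. Assumptions (not taken from the thread or from Asterisk):
  * logger.conf uses the default dateformat, so lines start "[YYYY-MM-DD HH:MM:SS]";
  * Security Event Logger layout is the documented Key="Value" list with
    RemoteAddress="IPV4/UDP/<ip>/<port>" (or IPV6/...);
  * SAMPLE_LOG below is constructed demo input using RFC 5737 addresses.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Events that mean a request was rejected. ChallengeSent is deliberately left
# out: it fires for every unauthenticated request, including a legitimate phone
# starting a normal digest handshake, so counting it would ban your own users.
FAILURE_EVENTS = {
    "InvalidAccountID", "InvalidPassword", "ChallengeResponseFailed",
    "FailedACL", "RequestNotAllowed", "AuthMethodNotAllowed", "RequestBadFormat",
}

LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] SECURITY\[\d+\].*?(?P<body>SecurityEvent=".*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_security_line(line):
    """Return (timestamp, {key: value}) for a SECURITY line, else None.

    WARNING/NOTICE lines, such as the retrans_pkt timeout quoted in the thread,
    return None: their wording is not stable across releases and, as posted,
    they do not even carry the peer address.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, dict(KV_RE.findall(m.group("body")))


def remote_ip(fields):
    """Pull the peer IP out of RemoteAddress="IPV4/UDP/203.0.113.5/52734".

    The port is the peer's ephemeral source port (the "high port" in the
    thread) and changes per request, so only the address is useful for banning.
    """
    parts = fields.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) == 4 else None


def offenders(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak_failures} for peers with >= threshold failures inside window.

    Per-IP sliding window: timestamps older than `window` relative to the newest
    event from that IP are dropped before counting, so a slow guesser that never
    concentrates `threshold` failures in one window is not flagged.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_security_line(line)
        if parsed is None:
            continue
        ts, fields = parsed
        if fields.get("SecurityEvent") not in FAILURE_EVENTS:
            continue
        ip = remote_ip(fields)
        if ip is None:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def sec_line(ts, event, ip, port, account, severity="Error"):
    """Build one constructed SECURITY line in the documented layout (demo input only)."""
    return (
        f"[{ts:%Y-%m-%d %H:%M:%S}] SECURITY[150318] res_security_log.c: "
        f'SecurityEvent="{event}",EventTV="{ts:%Y-%m-%dT%H:%M:%S}.000-0400",'
        f'Severity="{severity}",Service="SIP",EventVersion="1",AccountID="{account}",'
        f'SessionID="0x7f3c2c0a1b40",LocalAddress="IPV4/UDP/192.0.2.10/5060",'
        f'RemoteAddress="IPV4/UDP/{ip}/{port}"'
    )


T0 = datetime(2018, 8, 29, 18, 20, 3)
SAMPLE_LOG = (
    # A legitimate phone: challenge, then success. Never counted.
    [sec_line(T0, "ChallengeSent", "198.51.100.7", 5060, "1001", "Informational"),
     sec_line(T0, "SuccessfulAuth", "198.51.100.7", 5060, "1001", "Informational")]
    # The thread's WARNING line: no SECURITY tag, so the parser ignores it.
    + ["[2018-08-29 18:20:33] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on "
       "1504207870-295758084-609228182 on non-critical invite transaction."]
    # A scanner: six bogus account IDs from rotating source ports within two minutes.
    + [sec_line(T0 + timedelta(seconds=20 * i), "InvalidAccountID", "203.0.113.5",
                52734 + i, f"3712011678019125{i}") for i in range(6)]
    # A slow guesser: five bad passwords eight minutes apart, never 5 in one 10-minute window.
    + [sec_line(T0 + timedelta(minutes=8 * i), "InvalidPassword", "192.0.2.9", 61000, "1001")
       for i in range(5)]
)

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))  # {'203.0.113.5': 6}
```

Two things worth noting when wiring something like this into fail2ban: ban on the address only, since the port in RemoteAddress is the peer's ephemeral source port and differs on every retry, and keep ChallengeSent out of the failure set, because that event is emitted for every legitimate phone's first unauthenticated request and is the main source of the chattiness mentioned above.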