[asterisk-users] getting invites to rtp ports ??

John Covici covici at ccs.covici.com
Sun Sep 9 16:58:28 CDT 2018


Hi.  So, I applied the patch; it works, but I could not figure out a
fail2ban regex which will hit that line. Have you got one I can use?

Thanks.

On Thu, 30 Aug 2018 11:03:08 -0400,
sean darcy wrote:
> 
> On 08/29/2018 09:33 PM, John Covici wrote:
> > OK, thanks.  I have a couple of questions -- the line numbers do not
> > match exactly, so can you tell me a couple of lines before and after
> > the line in question?  Also, when will this be logged? If it's only
> > during sip debug, I need to change it to log when I can see it more
> > readily.
> > 
> > Thanks.
> > 
> > On Wed, 29 Aug 2018 20:31:15 -0400,
> > sean darcy wrote:
> >> 
> >> On 08/29/2018 08:07 PM, John Covici wrote:
> >>> I wonder if I could have that patch, maybe I could add it to my
> >>> fail2ban regexp, and if you have the correct regexp, I would appreciate
> >>> that as well.
> >>> 
> >>> Thanks.
> >>> 
> >>> On Wed, 29 Aug 2018 19:18:29 -0400,
> >>> Telium Support Group wrote:
> >>>> 
> >>>> Depending on log trolling (Asterisk security log) misses a lot, and also depends on the SIP/PJSIP folks to not change message structure (which has already happened numerous times).  If you are comfortable hacking chan_sip.c you may prefer to get the same messages from the AMI.  It still misses a lot, but that approach is better than nothing.
> >>>> 
> >>>> Digium warns not to use fail2ban / log trolling as a security system: http://forums.asterisk.org/viewtopic.php?p=159984
> >>>> 
> >>>> 
> >>>> -----Original Message-----
> >>>> From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of sean darcy
> >>>> Sent: Wednesday, August 29, 2018 6:33 PM
> >>>> To: asterisk-users at lists.digium.com
> >>>> Subject: Re: [asterisk-users] getting invites to rtp ports ??
> >>>> 
> >>>> On 08/29/2018 11:59 AM, Telium Support Group wrote:
> >>>>> Blocking a single IP is the wrong approach (whack-a-mole).  You should consider a more comprehensive approach to securing your VoIP environment.  Have a look at this wiki:
> >>>>> 
> >>>>> https://www.voip-info.org/asterisk-security/
> >>>>> 
> >>>>> 
> >>>>> 
> >>>>> -----Original Message-----
> >>>>> From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com]
> >>>>> On Behalf Of sean darcy
> >>>>> Sent: Wednesday, August 29, 2018 10:46 AM
> >>>>> To: asterisk-users at lists.digium.com
> >>>>> Subject: Re: [asterisk-users] getting invites to rtp ports ??
> >>>>> 
> >>>>> On 08/29/2018 09:42 AM, Carlos Rojas wrote:
> >>>>>> Hi
> >>>>>> 
> >>>>>> Probably somebody is trying to hack your system, you should block
> >>>>>> that ip on your firewall.
> >>>>>> 
> >>>>>> Regards
> >>>>>> 
> >>>>>> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandarcy2 at gmail.com> wrote:
> >>>>>> 
> >>>>>>        I'm getting invites to very high ports every 30 seconds from a
> >>>>>>        particular ip address:
> >>>>>> 
> >>>>>>        Retransmitting #10 (NAT) to 5.199.133.128:52734:
> >>>>>>        SIP/2.0 401 Unauthorized
> >>>>>>        Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
> >>>>>>        From: <sip:37120116780191250 at 67.80.191.250>;tag=1872048972
> >>>>>>        To: <sip:3712011972592181418 at 67.80.191.250>;tag=as3a52e748
> >>>>>>        Call-ID: 1504207870-295758084-609228182
> >>>>>>        CSeq: 1 INVITE
> >>>>>>        .......
> >>>>>>        WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
> >>>>>>        1504207870-295758084-609228182...
> >>>>>> 
> >>>>>>        I thought invites had to go to port 5060 or so. I don't understand
> >>>>>>        why somebody (let's assume a bad guy) is trying ports above 50000.
> >>>>>> 
> >>>>>>        sean
> >>>>>> 
> >>>>>> 
> >>>>> 
> >>>>> Ok, so the high port is not the destination port but the source port.
> >>>>> 
> >>>>> So I hacked the log warning in chan_sip.c on non-critical invites to show the source ip:
> >>>>> 
> >>>>> ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from
> >>>>> %s.\n",
> >>>>> pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> >>>>> 
> >>>>> With that in the log, I'm now blocking the ip addresses.
> >>>>> 
> >>>>> Thanks,
> >>>>> sean
> >>>>> 
> >>>>> 
> >>>>> --
> >>>>> _____________________________________________________________________
> >>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> >>>>> 
> >>>>> Astricon is coming up October 9-11!  Signup is available at:
> >>>>> https://www.asterisk.org/community/astricon-user-conference
> >>>>> 
> >>>>> Check out the new Asterisk community forum at:
> >>>>> https://community.asterisk.org/
> >>>>> 
> >>>> 
> >>>> I agree. That's why I hacked chan_sip.c to get the addresses in the log.
> >>>> 
> >>>> I'm surprised they're not in the log by default. I must be the only person who gets these "non-critical invites".
> >>>> 
> >>>> sean
> >>>> 
> >>>> 
> >>>> 
> >>>> 
> >>> 
> >> The patch, more accurately a hack, is in my second post above.
> >> 
> >> chan_sip.c 4127 : ast_log(LOG_WARNING, "Timeout on %s non-critic
> >> invite trans from %s.\n",
> >> pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> >> 
> >> The added second %s shows the ip address of the pkt owner.
> >> 
> >> I wouldn't submit it in a coding class!
> >> 
> >> sean
> >> 
> >> 
> >> 
> > 
> 
> 13.21.0-rc1 chan_sip.c :
> 
> 4125-		}
> 4126-	} else if (pkt->owner->pendinginvite == pkt->seqno) {
> 4127:	       ast_log(LOG_WARNING, "Timeout on %s non-critic
> invite trans from %s.\n",
> pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> 4128-	       pkt->owner->invitestate = INV_TERMINATED;
> 4129-	       pkt->owner->pendinginvite = 0;
> 
> The warning is logged with sip-debug.
> 
> BTW, this gives the destination address for the packet. What I'd
> really want is the source address (which is probably the same as
> the destination address, but...). However, my asterisk mojo is
> not sufficient to find the correct variable.
> 
> Anybody know how to print the source address?
> 
> sean
> 
> 
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

         John Covici wb2una
         covici at ccs.covici.com
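The regex John asks for, as an added example that is not part of the thread or of Asterisk/fail2ban: a constructed fail2ban filter aimed at sean's patched "Timeout on ... non-critic invite trans from ..." warning, plus a small Python check that expands `<HOST>` the way fail2ban does (simplified to IPv4 here) and runs it over constructed log lines. The filter file name, the Asterisk log prefix form and the `<HOST>` expansion are assumptions.

```python
import re

# Assumed filter file content (e.g. /etc/fail2ban/filter.d/asterisk-noncrit-invite.conf).
# The prefix "[timestamp] WARNING[tid]: file:line func:" is the usual full-log form;
# "[]" is also accepted because fail2ban strips the timestamp before matching.
# The patched message ends with ast_sockaddr_stringify output ("ip:port.").
FILTER_CONF = r"""
[Definition]
failregex = ^\[[^\]]*\]\s*WARNING\[\d+\](?:\[[^\]]+\])?: chan_sip\.c:\d+ retrans_pkt: Timeout on \S+ non-critic invite trans from <HOST>(?::\d+)?\.$
ignoreregex =
"""

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4 only; the real one
# also matches IPv6 literals and hostnames).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_failregex(conf: str) -> re.Pattern:
    """Pull failregex out of the filter text and expand <HOST> like fail2ban does."""
    m = re.search(r"^failregex\s*=\s*(.+)$", conf, re.MULTILINE)
    if not m:
        raise ValueError("no failregex in filter")
    return re.compile(m.group(1).replace("<HOST>", HOST_RE))


def extract_hosts(lines, pattern=None):
    """Return the <HOST> capture for every log line the failregex matches."""
    pattern = pattern or compile_failregex(FILTER_CONF)
    hits = []
    for line in lines:
        m = pattern.search(line.rstrip("\n"))
        if m:
            hits.append(m.group("host"))
    return hits


# Constructed sample log lines: the patched warning (has an address), the stock
# unpatched warning (no address, so nothing to ban), and an unrelated timeout.
SAMPLE_LOG = [
    "[2018-09-09 16:58:28] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182 non-critic invite trans from 5.199.133.128:52734.",
    "[2018-09-09 16:58:58] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182 non-critic invite trans.",
    "[2018-09-09 16:59:01] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182...",
]

if __name__ == "__main__":
    print(extract_hosts(SAMPLE_LOG))  # ['5.199.133.128']
```

Only the patched message carries an address, so the filter does nothing against a stock chan_sip.c, and, as sean notes, the address printed is sip_real_dst and the warning only appears with sip debug on.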


