[asterisk-users] Security AccountID unknown - PJSIP

Joshua C. Colp jcolp at digium.com
Mon Sep 30 04:45:47 CDT 2019


On Fri, Sep 27, 2019, at 11:31 AM, Administrator TOOTAI wrote:
> Hi list,
> 
> I would like to now what is the sense of such type of entry in security.log
> 
> [2019-09-27 15:12:24] SECURITY[26964] res_security_log.c: 
> SecurityEvent="ChallengeSent",EventTV="2019-09-27T15:12:24.181+0200",Severity="Informational",Servic
> e="PJSIP",EventVersion="1",AccountID="<unknown>", 
> SessionID="56b0ca9-d967a90d16411209-a1b0fae1 at 188.165.222.17",LocalAddress="IPV4/UDP/<MyAddress>/5060",
> RemoteAddress="IPV4/UDP/<attackerIP>/5213",Challenge=""
> 
> We have a lot of such tries coming from IPs not allowed and fail2ban 
> fail to ban them because of SecurityEvent not treated and Severity 
> Informational.
> 
> We add a fail2ban filter to ban those IPs which is OK on our side but 
> also means that attacker knows that account is not existing.
> 
> Any comment appreciate

SIP uses a challenge/response mechanism for authentication. The above indicates that a challenge was sent. The remote side is under no obligation to retry with authentication and may choose not to. If they did and failed another message would occur.

-- 
Joshua C. Colp
Digium - A Sangoma Company | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org



More information about the asterisk-users mailing list