[asterisk-users] Security AccountID unknown - PJSIP

Joshua C. Colp jcolp at digium.com
Mon Sep 30 04:45:47 CDT 2019

On Fri, Sep 27, 2019, at 11:31 AM, Administrator TOOTAI wrote:
> Hi list,
> I would like to know what is the sense of this type of entry in security.log:
> [2019-09-27 15:12:24] SECURITY[26964] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2019-09-27T15:12:24.181+0200",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="<unknown>",SessionID="56b0ca9-d967a90d16411209-a1b0fae1 at",LocalAddress="IPV4/UDP/<MyAddress>/5060",RemoteAddress="IPV4/UDP/<attackerIP>/5213",Challenge=""
> We have a lot of such tries coming from IPs not allowed, and fail2ban
> fails to ban them because the SecurityEvent is not treated and the Severity is
> Informational.
> We add a fail2ban filter to ban those IPs, which is OK on our side but
> also means that the attacker knows that the account does not exist.
> Any comment appreciated

SIP uses a challenge/response mechanism for authentication. The above indicates that a challenge was sent. The remote side is under no obligation to retry with authentication and may choose not to. If they did and failed, another message would occur.

Joshua C. Colp
Digium - A Sangoma Company | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org
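
The distinction drawn in the reply above, as an added example that is not part of the original thread and is not Asterisk or fail2ban code: it parses lines in the quoted security.log layout and reports remote IPs that received repeated challenges without ever authenticating. The sample lines are constructed and carry only a subset of the fields; the event names other than ChallengeSent are other Asterisk security event types, and the function names and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
FAILURES = {"ChallengeResponseFailed", "InvalidPassword", "InvalidAccountID"}

def sample_line(event, account, ip, port):
    """Build a constructed line in the res_security_log layout quoted above."""
    return ('[2019-09-27 15:12:24] SECURITY[26964] res_security_log.c: '
            f'SecurityEvent="{event}",Service="PJSIP",EventVersion="1",'
            f'AccountID="{account}",SessionID="constructed",'
            'LocalAddress="IPV4/UDP/192.0.2.10/5060",'
            f'RemoteAddress="IPV4/UDP/{ip}/{port}"')

# Constructed sample data; addresses are from RFC 5737 documentation ranges.
SAMPLE = (
    [sample_line("ChallengeSent", "<unknown>", "203.0.113.7", 5213)] * 3
    + [sample_line("ChallengeSent", "alice", "198.51.100.20", 5060),
       sample_line("SuccessfulAuth", "alice", "198.51.100.20", 5060),
       sample_line("ChallengeSent", "bob", "203.0.113.9", 5070),
       sample_line("ChallengeResponseFailed", "bob", "203.0.113.9", 5070),
       "[2019-09-27 15:12:25] NOTICE[26964] example.c: unrelated (constructed)"]
)

def parse_line(line):
    """Return the key="value" fields of a SECURITY line, plus RemoteIP, or None."""
    if "SECURITY[" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    parts = fields.get("RemoteAddress", "").split("/")  # family/transport/ip/port
    if "SecurityEvent" not in fields or len(parts) != 4:
        return None
    fields["RemoteIP"] = parts[2]
    return fields

def summarize(lines):
    """Count challenges, failed attempts and successes per remote IP."""
    stats = defaultdict(lambda: {"challenges": 0, "failures": 0, "successes": 0})
    for ev in filter(None, map(parse_line, lines)):
        event, ip = ev["SecurityEvent"], ev["RemoteIP"]
        if event == "ChallengeSent":
            stats[ip]["challenges"] += 1
        elif event in FAILURES:
            stats[ip]["failures"] += 1
        elif event == "SuccessfulAuth":
            stats[ip]["successes"] += 1
    return dict(stats)

def unanswered(stats, threshold=3):
    """IPs with >= threshold challenges and no successful auth (threshold assumed)."""
    return sorted(ip for ip, s in stats.items()
                  if s["challenges"] >= threshold and s["successes"] == 0)
```

A single ChallengeSent followed by SuccessfulAuth is the normal registration flow, which is why the report keys on challenges that are never followed by a success rather than on ChallengeSent alone.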
