[asterisk-dev] Non-universalized log messages render security tools useless in Asterisk SVN-branch-1.8-r354348 or maybe other versions as well !!!

Bruce B bruceb444 at gmail.com
Sat Feb 11 12:23:55 CST 2012


Hello,

I could be wrong but I think there are two different log NOTICE messages
displayed when there is a similar attack on Asterisk server. I am running
version Asterisk SVN-branch-1.8-r354348 right now:

This line is logged in /var/log/asterisk/full when I am using Eyebeam
softphone to make a peer-to-peer call to the Asterisk server:
NOTICE[10331] chan_sip.c: Sending fake auth rejection for device
Eyebeam-Softphone<sip:99998 at 192.168.0.170>;tag=ac0d8c42

This line is logged when I use another Asterisk server to send calls
using the originate command: originate sip/192.168.0.170/99998 extension
s at test-context
NOTICE[10331] chan_sip.c: Sending fake auth rejection for device
"Anonymous" <sip:Anonymous at anonymous.invalid>;tag=as4a1b8317

There are two problems above:
1- Why are the NOTICE[10331] outputs different with calls coming from two
different sources? Shouldn't this be the same? They are both
un-authenticated attacks. This must be universalized for tools like
Fail2ban to work.
2- Calling from Eyebeam, the log shows the IP of the Asterisk server itself
(192.168.0.170 - what the heck) rather than the originating source IP
address. So, this is really useless for Fail2ban. And it's even worse in
the second logged line, as you can see it's only
<sip:Anonymous at anonymous.invalid>. I mean, where is the source IP address?

First, there shouldn't be two different types of log messages and secondly
there MUST be a mention of the source (caller) IP address so it can be used
for security purposes (banning, logging, etc...).

In both cases, allowguest=no, alwaysauthrej=yes, and nat=yes was set in
sip.conf.

Unless these log messages are universalized and unless the source IP
address is always logged, there is NO WAY to use Fail2ban or any other
security tool effectively.

What I have quoted above is based on just Eyebeam and another Asterisk
server making calls, not SIPvicious or other hacking tools, which I am
afraid might generate even more different log messages. Shouldn't all
these messages be universalized once and for good across all versions
of Asterisk for security's sake?

Cheers,
Bruce
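The following is an added example, not code from Bruce's message, from Fail2ban or from the Asterisk project. It takes the two NOTICE lines quoted above (with the "@" that the list archive rendered as " at " restored, and the rest of the line as printed) and runs them through a hypothetical Fail2ban-style failregex that keys on the host part of the SIP URI, which is the only address-like field those messages contain. It then checks whether the captured value is actually something a ban tool could act on: an IP literal that is not the server's own address (192.168.0.170, taken from the post). Both lines fail that check, which is the point the message is making; the regex, the helper names and the check are assumptions of this example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# The two chan_sip NOTICE lines quoted in the post, with "@" restored where the
# archive printed " at " (constructed sample input for this example).
LOG_LINES = [
    'NOTICE[10331] chan_sip.c: Sending fake auth rejection for device '
    'Eyebeam-Softphone<sip:99998@192.168.0.170>;tag=ac0d8c42',
    'NOTICE[10331] chan_sip.c: Sending fake auth rejection for device '
    '"Anonymous" <sip:Anonymous@anonymous.invalid>;tag=as4a1b8317',
]

# Address of the Asterisk server itself, as stated in the post.
SERVER_ADDRESS = "192.168.0.170"

# Hypothetical failregex (not Fail2ban's shipped filter): capture the host part
# of the SIP URI following "Sending fake auth rejection for device".
FAKE_AUTH_RE = re.compile(
    r'Sending fake auth rejection for device .*<sip:[^@>]*@(?P<host>[^>;]+)>'
)


def extract_host(line: str) -> Optional[str]:
    """Return the URI host the naive failregex captures, or None if no match."""
    m = FAKE_AUTH_RE.search(line)
    return m.group("host") if m else None


def usable_ban_target(host: Optional[str], server_address: str) -> bool:
    """True only when the captured host is an IP literal other than the server itself.

    A hostname such as anonymous.invalid cannot be banned, and banning the
    server's own address would cut the server off from itself.
    """
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return host != server_address


def classify(lines: List[str], server_address: str = SERVER_ADDRESS
             ) -> List[Tuple[Optional[str], bool]]:
    """Map each log line to (captured host, whether a ban tool could act on it)."""
    results = []
    for line in lines:
        host = extract_host(line)
        results.append((host, usable_ban_target(host, server_address)))
    return results


if __name__ == "__main__":
    for line, (host, ok) in zip(LOG_LINES, classify(LOG_LINES)):
        print(f"captured={host!r:<22} bannable={ok}  <- {line[:55]}...")
```

Run as-is, the first line yields the server's own address and the second yields a hostname that is not an address at all, so neither produces a usable ban target; a filter that depends on the URI host of these messages therefore cannot do what the post wants until the message itself carries the peer's source address.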