[asterisk-users] Asterisk not logging originating IP of a brute force attack
SebA
sebau at syntec.co.uk
Thu Mar 17 06:24:21 CDT 2011
Why do attacks from the Internet get shown in the Asterisk logs with
myAsteriskServerIP instead of the attacker's IP?! Really useful for
blocking them, that is... Example:
[Mar 6 00:00:00] NOTICE[1926] chan_sip.c: Failed to authenticate user
5550000<sip:5550000 at myAsteriskServerIP>;tag=ab8537ae
(I replaced our IP address with myAsteriskServerIP. The attacks are not
coming from itself!) This affects e.g. Asterisk 1.4.24, 1.6.0.22 and 1.8.0
Ref: http://forums.digium.com/viewtopic.php?t=74947
Ref: http://forums.digium.com/viewtopic.php?f=1
<http://forums.digium.com/viewtopic.php?f=1&t=77070> &t=77070
Similar messages from those threads (1 line each):
-- Executing [123456 at from-sip-external:1] NoOp("SIP/mypbx.com-00000751",
"Received incoming SIP connection from unknown peer to 123456") in new stack
Aug 7 23:32:03 mypbx asterisk[3686]: NOTICE[27307]: chan_sip.c:18047 in
handle_request_invite: Failed to authenticate user
<sip:165411 at mypbx.com>;tag=1660ec63
Aug 8 00:03:50 mypbx asterisk[3686]: NOTICE[27307]: chan_sip.c:18044 in
handle_request_invite: Sending fake auth rejection for user
<sip:165499 at mypbx.com>;tag=e6786d03
NOTICE[2578]: chan_sip.c:21250 handle_request_invite: Sending fake auth
rejection for device "w"<sip:user at asterisk-ip;transport=UDP>;tag=8f2b8d05
So there are at least 3 different SIP messages where the IP address is not
logged, 2 of which do not seem to have a work-around like:
alwaysauthreject=yes
allowguest=no
The above works around the unknown peer issue, but that really be logging
the IP address too!
Those two or three users on the forums and I would like to use Fail2Ban with
Asterisk to block hackers...
http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk
... and I expect others would appreciate logging hackers' IP addresses too!
It is also useful for debugging purposes when setting up users to have their
IP addresses too.
Is there any known solution or patch available?
Unpatched, I consider this a security vulnerability, because, even if one
uses filthy passwords, it can cause a DOS and fill up your log files and
your disk until there is no space left. The only solution to avoid that is
to bock the attackers quickly (or have something to manage your logs, or not
log it I guess). I've got about 1 GB worth of attacks in my logs from 2
weeks on 1 server...
Based on the output in this issue:
https://issues.asterisk.org/view.php?id=18334
it looks like the issue remains in 1.6.2.14 and 1.8.0...
Kind regards,
SebA
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20110317/c272125b/attachment.htm>
More information about the asterisk-users
mailing list