[asterisk-users] getting invites to rtp ports ??

Wed Aug 29 19:07:42 CDT 2018

I wonder if I could have that patch, maybe I could add it to my
fail2ban regexp and if you have the correct regexp, I would apperciate
that as well.

Thanks.

On Wed, 29 Aug 2018 19:18:29 -0400,
Telium Support Group wrote:
> 
> Depending on log trolling (Asterisk security log) misses a lot, and also depends on the SIP/PJSIP folks to not change message structure (which has already happened numerous time).  If  you are comfortable hacking chan_sip.c you may prefer to get the same messages from the AMI.  It still misses a lot but that approach is better than nothing.
> 
> Digium warns not to use fail2ban / log trolling as a security system: http://forums.asterisk.org/viewtopic.php?p=159984
> 
> 
> -----Original Message-----
> From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of sean darcy
> Sent: Wednesday, August 29, 2018 6:33 PM
> To: asterisk-users at lists.digium.com
> Subject: Re: [asterisk-users] getting invites to rtp ports ??
> 
> On 08/29/2018 11:59 AM, Telium Support Group wrote:
> > Block a single IP is the wrong approach (whack-a-mole).  You should consider a more comprehensive approach to securing your VoIP environment.  Have a look at this wiki:
> > 
> > https://www.voip-info.org/asterisk-security/
> > 
> > 
> > 
> > -----Original Message-----
> > From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] 
> > On Behalf Of sean darcy
> > Sent: Wednesday, August 29, 2018 10:46 AM
> > To: asterisk-users at lists.digium.com
> > Subject: Re: [asterisk-users] getting invites to rtp ports ??
> > 
> > On 08/29/2018 09:42 AM, Carlos Rojas wrote:
> >> Hi
> >>
> >> Probably somebody is trying to hack your system, you should block 
> >> that ip on your firewall.
> >>
> >> Regards
> >>
> >> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandarcy2 at gmail.com 
> >> <mailto:seandarcy2 at gmail.com>> wrote:
> >>
> >>      I'm getting invites to very high ports every 30 seconds from a
> >>      particular ip address:
> >>
> >>      Retransmitting #10 (NAT) to 5.199.133.128:52734
> >>      <http://5.199.133.128:52734>:
> >>      SIP/2.0 401 Unauthorized
> >>      Via: SIP/2.0/UDP
> >>      0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
> >>      From: <sip:37120116780191250 at 67.80.191.250
> >>      <mailto:sip%3A37120116780191250 at 67.80.191.250>>;tag=1872048972
> >>      To: <sip:3712011972592181418 at 67.80.191.250
> >>      <mailto:sip%3A3712011972592181418 at 67.80.191.250>>;tag=as3a52e748
> >>      Call-ID: 1504207870-295758084-609228182
> >>      CSeq: 1 INVITE
> >>      .......
> >>      WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
> >>      1504207870-295758084-609228182...
> >>
> >>      I thought invites had to go to port 5060 or so. I don't understand
> >>      why somebody (let's assume a bad guy) is trying ports above 50000.
> >>
> >>      sean
> >>
> >>
> > 
> > Ok, so the high port is not the destination port but the source port.
> > 
> > So I hacked the log warning in chan_sip.c on non-critical invites to show the source ip:
> > 
> > ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from 
> > %s.\n",
> > pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> > 
> > With that in the log, I'm now blocking the ip addresses.
> > 
> > Thanks,
> > sean
> > 
> > 
> > --
> > _____________________________________________________________________
> > -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> > 
> > Astricon is coming up October 9-11!  Signup is available at: 
> > https://www.asterisk.org/community/astricon-user-conference
> > 
> > Check out the new Asterisk community forum at: 
> > https://community.asterisk.org/
> > 
> 
> I agree. That's why I hacked chan_sip.c to get the addresses in the log.
> 
> I'm surprised they're not in the log by default. I must be the only person who gets these "non-critical invites".
> 
> sean
> 
> 
> 
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> 
> Astricon is coming up October 9-11!  Signup is available at: https://www.asterisk.org/community/astricon-user-conference
> 
> Check out the new Asterisk community forum at: https://community.asterisk.org/
> 
> New to Asterisk? Start here:
>       https://wiki.asterisk.org/wiki/display/AST/Getting+Started
> 
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
> 
> 
> -- 
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> 
> Astricon is coming up October 9-11!  Signup is available at: https://www.asterisk.org/community/astricon-user-conference
> 
> Check out the new Asterisk community forum at: https://community.asterisk.org/
> 
> New to Asterisk? Start here:
>       https://wiki.asterisk.org/wiki/display/AST/Getting+Started
> 
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
> 

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

         John Covici wb2una
         covici at ccs.covici.com