[asterisk-users] getting invites to rtp ports ??

John Covici covici at ccs.covici.com
Thu Aug 30 01:02:34 CDT 2018


I agree, but is it possible to try over and over with anything other
than the challenge warning in the security log as sean suggested and
put a patch for?

On Wed, 29 Aug 2018 22:52:05 -0400,
Matthew Jordan wrote:
> 
> On Wed, Aug 29, 2018 at 6:20 PM Telium Support Group <support at telium.ca> wrote:
> 
>  Depending on log trolling (Asterisk security log) misses a lot, and also depends on the SIP/PJSIP folks to not change message structure (which has already happened numerous times). If you are comfortable hacking chan_sip.c you may prefer to get the same messages from the AMI. It still misses a lot but that approach is better than nothing.
> 
>  Digium warns not to use fail2ban / log trolling as a security system: http://forums.asterisk.org/viewtopic.php?p=159984
> 
> That's some pretty old advice.
> 
> The rationale for *not* using general log messages with fail2ban still stands: the general WARNING/NOTICE/etc. log messages are subject to change between versions, and no one wants that to impact someone's security. So you should not use
> those messages as input into fail2ban.
> 
> That rationale did lead to the 'security' event type in log messages. Security Event Logging - as it is called - got added into Asterisk quite some time ago. So long ago I'm really not sure which version. At a minimum, Asterisk 11, but
> I'm pretty sure it was in 10 as well.
> 
> Documentation for it can be found here:
> 
> https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger
> 
> And here:
> 
> https://wiki.asterisk.org/wiki/display/AST/Logging+Configuration
> 
> Note that this also fires off AMI events (and ARI events, IIRC).
> 
> If, for whatever reason, you do not get a SECURITY log message or a corresponding event when something 'bad' happens, that would be worth some additional discussion. If anything, the events can be a bit chatty...
> 
>  
>  -----Original Message-----
>  From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of sean darcy
>  Sent: Wednesday, August 29, 2018 6:33 PM
>  To: asterisk-users at lists.digium.com
>  Subject: Re: [asterisk-users] getting invites to rtp ports ??
> 
>  On 08/29/2018 11:59 AM, Telium Support Group wrote:
>  > Blocking a single IP is the wrong approach (whack-a-mole).  You should consider a more comprehensive approach to securing your VoIP environment.  Have a look at this wiki:
>  > 
>  > https://www.voip-info.org/asterisk-security/
>  > 
>  > 
>  > 
>  > -----Original Message-----
>  > From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] 
>  > On Behalf Of sean darcy
>  > Sent: Wednesday, August 29, 2018 10:46 AM
>  > To: asterisk-users at lists.digium.com
>  > Subject: Re: [asterisk-users] getting invites to rtp ports ??
>  > 
>  > On 08/29/2018 09:42 AM, Carlos Rojas wrote:
>  >> Hi
>  >>
>  >> Probably somebody is trying to hack your system, you should block 
>  >> that ip on your firewall.
>  >>
>  >> Regards
>  >>
>  >> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandarcy2 at gmail.com 
>  >> <mailto:seandarcy2 at gmail.com>> wrote:
>  >>
>  >>      I'm getting invites to very high ports every 30 seconds from a
>  >>      particular ip address:
>  >>
>  >>      Retransmitting #10 (NAT) to 5.199.133.128:52734
>  >>      <http://5.199.133.128:52734>:
>  >>      SIP/2.0 401 Unauthorized
>  >>      Via: SIP/2.0/UDP
>  >>      0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
>  >>      From: <sip:37120116780191250 at 67.80.191.250
>  >>      <mailto:sip%3A37120116780191250 at 67.80.191.250>>;tag=1872048972
>  >>      To: <sip:3712011972592181418 at 67.80.191.250
>  >>      <mailto:sip%3A3712011972592181418 at 67.80.191.250>>;tag=as3a52e748
>  >>      Call-ID: 1504207870-295758084-609228182
>  >>      CSeq: 1 INVITE
>  >>      .......
>  >>      WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
>  >>      1504207870-295758084-609228182...
>  >>
>  >>      I thought invites had to go to port 5060 or so. I don't understand
>  >>      why somebody (let's assume a bad guy) is trying ports above 50000.
>  >>
>  >>      sean
>  >>
>  >>
>  > 
>  > Ok, so the high port is not the destination port but the source port.
>  > 
>  > So I hacked the log warning in chan_sip.c on non-critical invites to show the source ip:
>  > 
>  > ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
>  >         pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
>  > 
>  > With that in the log, I'm now blocking the ip addresses.
>  > 
>  > Thanks,
>  > sean
>  > 
>  > 
>  > --
>  > _____________________________________________________________________
>  > -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>  > 
>  > Astricon is coming up October 9-11!  Signup is available at: 
>  > https://www.asterisk.org/community/astricon-user-conference
>  > 
>  > Check out the new Asterisk community forum at: 
>  > https://community.asterisk.org/
>  > 
> 
>  I agree. That's why I hacked chan_sip.c to get the addresses in the log.
> 
>  I'm surprised they're not in the log by default. I must be the only person who gets these "non-critical invites".
> 
>  sean
> 
> 
>  New to Asterisk? Start here:
>        https://wiki.asterisk.org/wiki/display/AST/Getting+Started
> 
>  asterisk-users mailing list
>  To UNSUBSCRIBE or update options visit:
>     http://lists.digium.com/mailman/listinfo/asterisk-users
> 
> 
> -- 
> Matthew Jordan
> Digium, Inc. | CTO
> 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> Check us out at: http://digium.com & http://asterisk.org

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

         John Covici wb2una
         covici at ccs.covici.com
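Matthew's point above, that a log-based blocker should key on the SECURITY event lines rather than on general WARNING messages, as an added example (Python; not code from the thread or from the Asterisk project): it parses constructed lines in the shape the Asterisk security event logger writes, skips the chatty ChallengeSent events and counts failed-authentication events per RemoteAddress. The line layout and field names are assumed from the logger's documented key="value" format; the addresses, account IDs and the abbreviated field set are made up for the sample.

```python
import re
from collections import Counter

# Constructed sample lines in the shape Asterisk's security event logger emits
# (SecurityEvent="...",Key="value",... pairs). Addresses, IDs and the reduced
# field set are made up for this example, not taken from the original thread.
SAMPLE_LOG = """\
[2018-08-29 18:33:01] SECURITY[2101] res_security_log.c: SecurityEvent="ChallengeSent",Severity="Informational",Service="SIP",AccountID="3712011972592181418",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/52734",Challenge="0a1b2c3d"
[2018-08-29 18:33:02] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",AccountID="3712011972592181418",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/52734"
[2018-08-29 18:33:32] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="1001",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/52734",Challenge="1b2c3d4e",ReceivedChallenge="1b2c3d4e",ReceivedHash="deadbeef"
[2018-08-29 18:34:02] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="1002",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/52734",Challenge="2c3d4e5f",ReceivedChallenge="2c3d4e5f",ReceivedHash="cafebabe"
[2018-08-29 18:34:10] SECURITY[2101] res_security_log.c: SecurityEvent="ChallengeSent",Severity="Informational",Service="SIP",AccountID="1000",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060",Challenge="3d4e5f60"
[2018-08-29 18:34:10] SECURITY[2101] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="SIP",AccountID="1000",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060",UsingPassword="1"
[2018-08-29 18:34:11] WARNING[2101] chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182 for seqno 1 (Non-critical Response)
"""

# Event types that represent a failed or refused attempt. ChallengeSent is the
# chatty informational event mentioned in the thread and is deliberately not counted.
FAILURE_EVENTS = {"InvalidAccountID", "InvalidPassword", "ChallengeResponseFailed", "FailedACL"}
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_security_event(line):
    """Return the key/value pairs of a SECURITY log line, or None for any other line."""
    marker = line.find('SecurityEvent="')
    if marker == -1 or " SECURITY[" not in line:
        return None
    return dict(PAIR_RE.findall(line[marker:]))

def remote_ip(event):
    """Extract the IP from RemoteAddress, which is written as FAMILY/TRANSPORT/ADDR/PORT."""
    parts = event.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) == 4 else None

def offending_sources(log_text, threshold=3):
    """Count failure events per remote IP and return the sources at or above threshold."""
    failures = Counter()
    for line in log_text.splitlines():
        event = parse_security_event(line)
        if event is None or event.get("SecurityEvent") not in FAILURE_EVENTS:
            continue
        ip = remote_ip(event)
        if ip:
            failures[ip] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    for ip, count in offending_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed attempts")
```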


