[asterisk-users] getting invites to rtp ports ??

John Covici covici at ccs.covici.com
Thu Aug 30 05:08:21 CDT 2018 

Also, if you have extensions which are external and you don't know
their ip addresses.

On Thu, 30 Aug 2018 05:51:56 -0400,
norbert wrote:
> 
> [1  <multipart/alternative (7bit)>]
> [1.1  <text/plain; utf-8 (base64)>]
> [1.2  <text/html; utf-8 (base64)>]
> Hello Hans, 
> 
> maybe I don't rember SIP & Asterisk well, but I THINK it's absolutely possible to place a call from one Asterisk Server to another one without at SIP Provider in between.
> 
> Imagine a (big) company with branches running a server at every site.
> 
> But maybe I'm wrong....
> 
> But for other setups you're right. For example, on my asterisk machine firewall is closed except the (few) IP adresses my SIP provider told me
> 
> Norbert
> 
> -------- Ursprüngliche Nachricht --------
> Von: asterisk at a-domani.nl 
> Datum: 30.08.18 12:04 (GMT+02:00) 
> An: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users at lists.digium.com> 
> Betreff: Re: [asterisk-users] getting invites to rtp ports ?? 
> 
> Regarding this thread,
> I was wondering, why would anybody opens his firewall (for incoming 
> traffic), for anybody else, besides his own SIP-provider?
> 
> Isn't that the proper way for having your firewall configured: always, 
> by default closed, unless explicitly required.
> (but perhaps I'm missing a legitimate use-case)
> 
> Hans
> 
> On 2018-08-30 04:52, Matthew Jordan wrote:
> > On Wed, Aug 29, 2018 at 6:20 PM Telium Support Group
> > <support at telium.ca> wrote:
> > 
> >> Depending on log trolling (Asterisk security log) misses a lot, and
> >> also depends on the SIP/PJSIP folks to not change message structure
> >> (which has already happened numerous time).  If  you are comfortable
> >> hacking chan_sip.c you may prefer to get the same messages from the
> >> AMI.  It still misses a lot but that approach is better than
> >> nothing.
> >> 
> >> Digium warns not to use fail2ban / log trolling as a security
> >> system: http://forums.asterisk.org/viewtopic.php?p=159984
> > 
> > That's some pretty old advice.
> > 
> > The rationale for *not* using general log messages with fail2ban still
> > stands: the general WARNING/NOTICE/etc. log messages are subject to
> > change between versions, and no one wants that to impact someone's
> > security. So you should not use those messages as input into fail2ban.
> > 
> > That rationale did lead to the 'security' event type in log messages.
> > Security Event Logging - as it is called - got added into Asterisk
> > quite some time ago. So long ago I'm really not sure which version. At
> > a minimum, Asterisk 11, but I'm pretty sure it was in 10 as well.
> > 
> > Documentation for it can be found here:
> > 
> > https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger
> > 
> > And here:
> > 
> > https://wiki.asterisk.org/wiki/display/AST/Logging+Configuration
> > 
> > Note that this also fires off AMI events (and ARI events, IIRC).
> > 
> > If, for whatever reason, you do not get a SECURITY log message or a
> > corresponding event when something 'bad' happens, that would be worth
> > some additional discussion. If anything, the events can be a bit
> > chatty...
> > 
> >> -----Original Message-----
> >> From: asterisk-users
> >> [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of sean
> >> darcy
> >> Sent: Wednesday, August 29, 2018 6:33 PM
> >> To: asterisk-users at lists.digium.com
> >> Subject: Re: [asterisk-users] getting invites to rtp ports ??
> >> 
> >> On 08/29/2018 11:59 AM, Telium Support Group wrote:
> >>> Block a single IP is the wrong approach (whack-a-mole).  You
> >> should consider a more comprehensive approach to securing your VoIP
> >> environment.  Have a look at this wiki:
> >>> 
> >>> https://www.voip-info.org/asterisk-security/
> >>> 
> >>> 
> >>> 
> >>> -----Original Message-----
> >>> From: asterisk-users
> >> [mailto:asterisk-users-bounces at lists.digium.com]
> >>> On Behalf Of sean darcy
> >>> Sent: Wednesday, August 29, 2018 10:46 AM
> >>> To: asterisk-users at lists.digium.com
> >>> Subject: Re: [asterisk-users] getting invites to rtp ports ??
> >>> 
> >>> On 08/29/2018 09:42 AM, Carlos Rojas wrote:
> >>>> Hi
> >>>> 
> >>>> Probably somebody is trying to hack your system, you should block
> >> 
> >>>> that ip on your firewall.
> >>>> 
> >>>> Regards
> >>>> 
> >>>> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandarcy2 at gmail.com
> >> 
> >>>> <mailto:seandarcy2 at gmail.com>> wrote:
> >>>> 
> >>>> I'm getting invites to very high ports every 30 seconds from
> >> a
> >>>> particular ip address:
> >>>> 
> >>>> Retransmitting #10 (NAT) to 5.199.133.128:52734 [1]
> >>>> <http://5.199.133.128:52734>:
> >>>> SIP/2.0 401 Unauthorized
> >>>> Via: SIP/2.0/UDP
> >>>> 
> >> 
> > 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
> >>>> From: <sip:37120116780191250 at 67.80.191.250
> >>>> 
> >> <mailto:sip%3A37120116780191250 at 67.80.191.250>>;tag=1872048972
> >>>> To: <sip:3712011972592181418 at 67.80.191.250
> >>>> 
> >> <mailto:sip%3A3712011972592181418 at 67.80.191.250>>;tag=as3a52e748
> >>>> Call-ID: 1504207870-295758084-609228182
> >>>> CSeq: 1 INVITE
> >>>> .......
> >>>> WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
> >>>> 1504207870-295758084-609228182...
> >>>> 
> >>>> I thought invites had to go to port 5060 or so. I don't
> >> understand
> >>>> why somebody (let's assume a bad guy) is trying ports above
> >> 50000.
> >>>> 
> >>>> sean
> >>>> 
> >>>> 
> >>> 
> >>> Ok, so the high port is not the destination port but the source
> >> port.
> >>> 
> >>> So I hacked the log warning in chan_sip.c on non-critical invites
> >> to show the source ip:
> >>> 
> >>> ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from
> >>> %s.\n",
> >>> 
> >> 
> > pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> >>> 
> >>> With that in the log, I'm now blocking the ip addresses.
> >>> 
> >>> Thanks,
> >>> sean
> >>> 
> >>> 
> >>> --
> >>> 
> >> 
> > _____________________________________________________________________
> >>> -- Bandwidth and Colocation Provided by http://www.api-digital.com
> >> --
> >>> 
> >>> Astricon is coming up October 9-11!  Signup is available at:
> >>> https://www.asterisk.org/community/astricon-user-conference
> >>> 
> >>> Check out the new Asterisk community forum at:
> >>> https://community.asterisk.org/
> >>> 
> >> 
> >> I agree. That's why I hacked chan_sip.c to get the addresses in the
> >> log.
> >> 
> >> I'm surprised they're not in the log by default. I must be the only
> >> person who gets these "non-critical invites".
> >> 
> >> sean
> >> 
> >> --
> >> 
> > _____________________________________________________________________
> >> -- Bandwidth and Colocation Provided by http://www.api-digital.com
> >> --
> >> 
> >> Astricon is coming up October 9-11!  Signup is available at:
> >> https://www.asterisk.org/community/astricon-user-conference
> >> 
> >> Check out the new Asterisk community forum at:
> >> https://community.asterisk.org/
> >> 
> >> New to Asterisk? Start here:
> >> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
> >> 
> >> asterisk-users mailing list
> >> To UNSUBSCRIBE or update options visit:
> >> http://lists.digium.com/mailman/listinfo/asterisk-users
> >> 
> >> --
> >> 
> > _____________________________________________________________________
> >> -- Bandwidth and Colocation Provided by http://www.api-digital.com
> >> --
> >> 
> >> Astricon is coming up October 9-11!  Signup is available at:
> >> https://www.asterisk.org/community/astricon-user-conference
> >> 
> >> Check out the new Asterisk community forum at:
> >> https://community.asterisk.org/
> >> 
> >> New to Asterisk? Start here:
> >> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
> >> 
> >> asterisk-users mailing list
> >> To UNSUBSCRIBE or update options visit:
> >> http://lists.digium.com/mailman/listinfo/asterisk-users
> > 
> > --
> > Matthew Jordan
> > Digium, Inc. | CTO
> > 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> > Check us out at: http://digium.com & http://asterisk.org
> > 
> > Links:
> > ------
> > [1] http://5.199.133.128:52734
> 
> -- 
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> 
> Astricon is coming up October 9-11!  Signup is available at: https://www.asterisk.org/community/astricon-user-conference
> 
> Check out the new Asterisk community forum at: https://community.asterisk.org/
> 
> New to Asterisk? Start here:
>       https://wiki.asterisk.org/wiki/display/AST/Getting+Started
> 
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
> [2  <text/plain; utf-8 (base64)>]
> -- 
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> 
> Astricon is coming up October 9-11!  Signup is available at: https://www.asterisk.org/community/astricon-user-conference
> 
> Check out the new Asterisk community forum at: https://community.asterisk.org/
> 
> New to Asterisk? Start here:
>       https://wiki.asterisk.org/wiki/display/AST/Getting+Started
> 
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do
you spend it?

         John Covici wb2una
         covici at ccs.covici.com

More information about the asterisk-users mailing list