[asterisk-users] Decoding SIP register hack

Frank Vanoni mailinglist at linuxista.com
Thu May 17 10:38:18 CDT 2018


On Thu, 2018-05-17 at 11:18 -0400, sean darcy wrote:

> 3. How do I set up the server to block these ?
> 
> 4. Can I stop the retransmitting of the 401 Unauthorized packets ?

I'm happy with Fail2Ban protecting my Asterisk 13. Here is my
configuration:

in /etc/asterisk/logger.conf:

; Route the log levels the fail2ban filter keys on into
; /var/log/asterisk/messages (the jail's logpath). "security" is what
; produces the SECURITY[...] SecurityEvent="..." lines; "notice" carries the
; chan_sip registration failures; "warning" carries the Log(WARNING,...)
; marker written by the [unauthenticated] dialplan context.
; "verbose" is deliberately not included, so any VERBOSE.* pattern in the
; filter can never match this file.
messages => security,notice,warning,error


in /etc/asterisk/sip.conf:

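; Guest (unauthenticated) INVITEs are accepted on purpose and sent to the
; [unauthenticated] dialplan context, which only logs the source address for
; fail2ban, tags the CDR and hangs up. This is only safe while that context
; contains no Dial() and no include => of a context that can reach a trunk:
; with allowguest=yes, whatever is callable from there is callable by anyone
; on the internet (toll fraud). Set allowguest=no if you do not want the
; honeypot behaviour.
allowguest=yes
context=unauthenticated
; Reject REGISTER/INVITE for unknown users with the same response as a bad
; password for a known user, so scanners cannot enumerate valid accounts
; from the replies. (chan_sip [general] option; verify the default for your
; Asterisk version in sip.conf.sample before relying on it being implicit.)
alwaysauthreject=yes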


in /etc/asterisk/extensions.conf:

[unauthenticated]
; Landing context for guest calls (allowguest=yes / context=unauthenticated
; in sip.conf). Every call that arrives here is an unauthenticated probe:
; write the source address in the exact form the fail2ban filter matches
; (fail2ban='<ip>'), record it in the CDR user field, and hang up.
;
; ${CHANNEL(peerip)} is the address the packet came from, not a value taken
; from the SIP headers, so the banned host is the real sender.
;
; SECURITY: never add a Dial() or an include => here. Anything reachable
; from this context is reachable by anyone on the internet.
;
; Numeric destinations, with and without a leading "+" (the forms scanners
; dial). Any other extension is rejected by Asterisk with "extension not
; found in context 'unauthenticated'", which the filter also matches, so
; the peer is banned either way.
exten => _X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
 same => n,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
 same => n,HangUp()

exten => _+X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
 same => n,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
 same => n,HangUp()



in /etc/fail2ban/jail.conf:

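# Put jail overrides in /etc/fail2ban/jail.local (or jail.d/*.conf), not in
# jail.conf, which is replaced on package upgrades.
[asterisk]
enabled = true
filter = asterisk
logpath = /var/log/asterisk/messages
# Drop all traffic from the banned host, on every port. protocol=all is
# required: the stock iptables-allports action defaults to protocol=tcp,
# and SIP scanners almost always arrive over UDP/5060, so without it the
# rule would not stop the traffic that triggered the ban.
action = iptables-allports[name=ASTERISK, protocol=all]
# One matching line within 24 h (86400 s) bans the host for 6 days
# (518400 s). With the asterisk filter that includes a single mistyped
# password from a legitimate phone, so list your own networks and your SIP
# provider's addresses in ignoreip (normally in [DEFAULT]) before enabling
# this jail, or you will lock out your own users.
maxretry = 1
findtime = 86400
bantime = 518400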


in /etc/fail2ban/filter.d/asterisk.conf (the filter named by "filter = asterisk" in the jail):

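# Fail2Ban configuration file
#
# /etc/fail2ban/filter.d/asterisk.conf -- referenced as "filter = asterisk"
# by the [asterisk] jail. The file is read by fail2ban's INI parser: every
# failregex pattern after the first must be on an indented continuation
# line, and the address to ban must be captured by <HOST>.
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Notes on the patterns below:
#  - The NOTICE and SECURITY lines only appear in the jail's logpath if
#    logger.conf routes the "notice" and "security" levels into it.
#  - The "rejected because extension not found in context 'unauthenticated'"
#    pattern hard-codes the context name; keep it in sync with the context=
#    setting in sip.conf.
#  - The VERBOSE ... 'ss-noservice' pattern needs the "verbose" level in the
#    same log file. With "messages => security,notice,warning,error" it
#    never matches and is kept only for installations that log verbose.
#  - The SecurityEvent="ChallengeSent" pattern is not an authentication
#    failure: it is logged when Asterisk challenges a request, before any
#    credentials are checked, and is restricted here to requests whose
#    AccountID names the server by raw IP (93.94.247.123 -- replace with
#    your own address, or delete the line). Combined with maxretry = 1 it
#    bans any legitimate phone that is configured with the IP instead of a
#    hostname, so only keep it if every endpoint registers by name.
#  - The final WARNING ... fail2ban='<HOST>' pattern is the marker written
#    by the [unauthenticated] dialplan context via Log(); its address is
#    ${CHANNEL(peerip)}, the real source of the packet, not a SIP header.
#  - The ".*" prefixes are unanchored, and several NOTICE lines echo
#    attacker-supplied From/To header text ahead of <HOST>. Check whether
#    your fail2ban version ships its own filter.d/asterisk.conf (anchored
#    prefixes, maintained regexes) before maintaining this copy.
#  - Redundant entries have been dropped: the chan_sip.c-specific copy of
#    the "extension not found" pattern is already covered by the generic
#    ".*:" form, and "denied access to register peer" was listed twice.
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Not a local domain
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device not configured to use this transport type
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Host <HOST> denied access to register peer '.*'
            NOTICE.* .*: Host <HOST> did not provide proper plaintext password for '.*'
            NOTICE.* .*: Registration of '.*' rejected: '.*' from: '<HOST>'
            NOTICE.* .*: Peer '.*' is not dynamic (from <HOST>)
            SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="FailedACL".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="ChallengeResponseFailed".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
            SECURITY.* .*: SecurityEvent="ChallengeSent".*,Severity="Informational",Service="SIP".*,AccountID="sip:.*@93.94.247.123".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            WARNING.* .*: fail2ban='<HOST>'

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =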



