[asterisk-users] Decoding SIP register hack
Frank Vanoni
mailinglist at linuxista.com
Thu May 17 10:38:18 CDT 2018
On Thu, 2018-05-17 at 11:18 -0400, sean darcy wrote:
> 3. How do I set up the server to block these ?
>
> 4. Can I stop the retransmitting of the 401 Unauthorized packets ?
I'm happy with Fail2Ban protecting my Asterisk 13. Here is my configuration:
in /etc/asterisk/logger.conf:
messages => security,notice,warning,error
in /etc/asterisk/sip.conf:
allowguest=yes
context=unauthenticated
in /etc/asterisk/extensions.conf:
[unauthenticated]
;; Incoming calls from unauthenticated caller -> Fail2Ban
exten => _X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
exten => _X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _X.,3,HangUp()
exten => _+X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
exten => _+X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _+X.,3,HangUp()
in /etc/fail2ban/jail.conf:
[asterisk]
filter = asterisk
action = iptables-allports[name=ASTERISK]
logpath = /var/log/asterisk/messages
maxretry = 1
findtime = 86400
bantime = 518400
enabled = true
in /etc/fail2ban/filter.d:
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
            NOTICE.* chan_sip.c: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Not a local domain
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device not configured to use this transport type
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Host <HOST> denied access to register peer '.*'
            NOTICE.* .*: Host <HOST> did not provide proper plaintext password for '.*'
            NOTICE.* .*: Registration of '.*' rejected: '.*' from: '<HOST>'
            NOTICE.* .*: Peer '.*' is not dynamic \(from <HOST>\)
            NOTICE.* .*: Host <HOST> denied access to register peer '.*'
            SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="FailedACL".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="ChallengeResponseFailed".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
            SECURITY.* .*: SecurityEvent="ChallengeSent".*,Severity="Informational",Service="SIP".*,AccountID="sip:.*@93.94.247.123".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+
            WARNING.* .*: fail2ban='<HOST>'
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
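Added example, not part of the post above: a small Python check that runs four of the failregex lines from the filter over constructed Asterisk log lines, much as fail2ban-regex would, and counts hits per host. It also shows a caveat with the <HOST> alias quoted in the filter's comment: because \S+ is greedy, the 'Call from' pattern captures the port together with the address, whereas a tighter character class (assumed here, of the kind later fail2ban releases use) does not.

```python
import re
from collections import Counter

# Four of the failregex lines from the filter above, copied verbatim.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'",
    r'SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"',
    r"WARNING.* .*: fail2ban='<HOST>'",
]

# <HOST> alias exactly as quoted in the filter's comment: \S+ is greedy and
# swallows a trailing ":port" wherever the pattern makes the port optional.
HOST_LEGACY = r"(?:::f{4,6}:)?(?P<host>\S+)"
# Tighter alias (assumed, not from the post): stops at ':' and '/', so the
# captured host is the bare address fail2ban can hand to iptables.
HOST_STRICT = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

def compile_filter(patterns, host_alias):
    """Expand <HOST> in every failregex line and compile it, as fail2ban does."""
    return [re.compile(p.replace("<HOST>", host_alias)) for p in patterns]

def match_host(line, compiled):
    """Return the 'host' group of the first failregex that matches, else None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def count_failures(lines, compiled):
    """Failures per host: the count fail2ban compares against maxretry."""
    return Counter(h for h in (match_host(l, compiled) for l in lines) if h)

# Constructed sample lines in the layout of /var/log/asterisk/messages (not
# real captures; 198.51.100.7, 203.0.113.5 and 192.0.2.10 are documentation
# addresses). The last line is a benign NOTICE that must not match.
SAMPLE_LOG = [
    "[May 17 10:38:18] NOTICE[1234] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password",
    "[May 17 10:38:19] NOTICE[1234][C-00000001] chan_sip.c: Call from '' (198.51.100.7:5060) to extension 'test' rejected because extension not found in context 'unauthenticated'",
    '[May 17 10:38:20] SECURITY[1235] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2018-05-17T10:38:20.000+0200",Severity="Error",Service="SIP",EventVersion="2",AccountID="100",SessionID="0x7f0",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"',
    "[May 17 10:38:21] WARNING[1236][C-00000002]: Ext. _X.:1 @ unauthenticated: fail2ban='203.0.113.5'",
    "[May 17 10:38:22] NOTICE[1234] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)",
]

if __name__ == "__main__":
    for name, alias in (("legacy", HOST_LEGACY), ("strict", HOST_STRICT)):
        print(name, dict(count_failures(SAMPLE_LOG, compile_filter(FAILREGEX, alias))))
```

With the legacy alias the same scanner shows up as two different "hosts" (with and without the port), so it takes two events to reach a ban count that the strict alias reaches in one.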