[asterisk-users] Decoding SIP register hack

sean darcy seandarcy2 at gmail.com
Thu May 17 11:27:17 CDT 2018


On 05/17/2018 11:38 AM, Frank Vanoni wrote:
> On Thu, 2018-05-17 at 11:18 -0400, sean darcy wrote:
> 
>> 3. How do I set up the server to block these ?
>>
>> 4. Can I stop the retransmitting of the 401 Unauthorized packets ?
> 
> I'm happy with Fail2Ban protecting my Asterisk 13. Here is my
> configuration:
> 
> in /etc/asterisk/logger.conf:
> 
> messages => security,notice,warning,error
> 
> 
> in /etc/asterisk/sip.conf:
> 
> allowguest=yes
> context=unauthenticated
> 
> 
> in /etc/asterisk/extensions.conf:
> 
> [unauthenticated]
> ;; Incoming calls from unauthenticated caller -> Fail2Ban
> exten => _X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
> exten => _X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
> exten => _X.,3,HangUp()
> 
> exten => _+X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
> exten => _+X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
> exten => _+X.,3,HangUp()
> 
> 
> 
> in /etc/fail2ban/jail.conf:
> 
> [asterisk]
> filter   = asterisk
> action = iptables-allports[name=ASTERISK]
> logpath  = /var/log/asterisk/messages
> maxretry = 1
> findtime = 86400
> bantime  = 518400
> enabled = true
> 
> 
> in /etc/fail2ban/filter.d
> 
> # Fail2Ban configuration file
> #
> #
> # $Revision: 250 $
> #
> 
> [INCLUDES]
> 
> # Read common prefixes. If any customizations available -- read them from
> # common.local
> #before = common.conf
> 
> 
> [Definition]
> 
> #_daemon = asterisk
> 
> # Option:  failregex
> # Notes.:  regex to match the password failures messages in the logfile. The
> #          host must be matched by a group named "host". The tag "<HOST>" can
> #          be used for standard IP/hostname matching and is only an alias for
> #          (?:::f{4,6}:)?(?P<host>\S+)
> # Values:  TEXT
> #
> failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
>             NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
>             NOTICE.* chan_sip.c: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Not a local domain
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device not configured to use this transport type
>             NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
>             NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
>             NOTICE.* .*: Host <HOST> denied access to register peer '.*'
>             NOTICE.* .*: Host <HOST> did not provide proper plaintext password for '.*'
>             NOTICE.* .*: Registration of '.*' rejected: '.*' from: '<HOST>'
>             NOTICE.* .*: Peer '.*' is not dynamic (from <HOST>)
>             NOTICE.* .*: Host <HOST> denied access to register peer '.*'
>             SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             SECURITY.* .*: SecurityEvent="FailedACL".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             SECURITY.* .*: SecurityEvent="ChallengeResponseFailed".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
>             SECURITY.* .*: SecurityEvent="ChallengeSent".*,Severity="Informational",Service="SIP".*,AccountID="sip:.*@93.94.247.123".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+
>             WARNING.* .*: fail2ban='<HOST>'
> 
> # Option:  ignoreregex
> # Notes.:  regex to ignore. If this regex matches, the line is ignored.
> # Values:  TEXT
> #
> ignoreregex =
> 
> 
Thanks. Very useful as a tutorial for fail2ban.

But I don't think it covers this SIP hack. This guy isn't trying to 
register. That's why I find it puzzling. What is he trying to do ?

sean




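The quickest way to check a filter like the one quoted above is fail2ban's own tester, `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf` (`filter = asterisk` in the jail resolves to that file), which prints each matched line and the host each regex captured. The Python below does the same job offline, as an added example that is not part of this thread, of Asterisk or of fail2ban: it takes six of the posted failregex lines verbatim, expands the `<HOST>` tag the way fail2ban 0.9 did (`[\w\-.^_]*\w` for the host, assumed from its regex.py; the looser `\S+` form quoted in the filter's comment is kept for comparison) and runs them over constructed log lines in the format of /var/log/asterisk/messages. The addresses come from the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 documentation ranges, and the peer names, dialled number, timestamps and session ids are invented for the example.

```python
"""Run a few of the posted fail2ban failregex lines over constructed Asterisk log lines."""
import re

# What fail2ban 0.9 substituted for the <HOST> tag (assumed from its regex.py).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# The older, looser form quoted in the filter's own comment; kept to show the difference.
LOOSE_HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Six of the failregex lines from the posted filter, copied as written there.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found",
    r"NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'",
    r'SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"',
    r'SECURITY.* .*: SecurityEvent="ChallengeSent".*,Severity="Informational",Service="SIP".*,AccountID="sip:.*@93.94.247.123".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+',
    r"WARNING.* .*: fail2ban='<HOST>'",
]

# Constructed log lines (documentation addresses; peers, extension, session ids invented).
SAMPLE_LOG = [
    # a REGISTER with the wrong password
    "[May 17 11:18:05] NOTICE[2231] chan_sip.c: Registration from '\"100\" <sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password",
    # a REGISTER for a peer that does not exist
    "[May 17 11:18:06] NOTICE[2231] chan_sip.c: Registration from '\"1001\" <sip:1001@192.0.2.10>' failed for '203.0.113.6:33215' - No matching peer found",
    # an INVITE from a guest, rejected because [unauthenticated] has no such extension
    "[May 17 11:18:07] NOTICE[2231] chan_sip.c: Call from '' (203.0.113.7:5060) to extension '0011972599999' rejected because extension not found in context 'unauthenticated'",
    # the security event Asterisk logs for the same wrong-password REGISTER as line 1
    '[May 17 11:18:05] SECURITY[2231] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2018-05-17T11:18:05.123-0400",Severity="Error",Service="SIP",EventVersion="2",AccountID="100",SessionID="0x7f3c5c01a0e8",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060",Challenge="1a2b3c4d",ReceivedChallenge="1a2b3c4d",ReceivedHash="deadbeef"',
    # the line the posted [unauthenticated] dialplan writes with Log(WARNING,...)
    "[May 17 11:18:08] WARNING[2231][C-00000012] Ext. 0011972599999:1 @ unauthenticated: fail2ban='203.0.113.8'",
    # a healthy peer: must match nothing
    "[May 17 11:18:09] NOTICE[2231] chan_sip.c: Peer '200' is now Reachable. (12 ms / 2000 ms)",
    # the 401 challenge sent to a phone that registers against the raw server IP
    '[May 17 11:18:10] SECURITY[2231] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2018-05-17T11:18:10.456-0400",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:200@93.94.247.123",SessionID="0x7f3c5c01b2f0",LocalAddress="IPV4/UDP/93.94.247.123/5060",RemoteAddress="IPV4/UDP/198.51.100.9/5060",Challenge="5e6f7a8b"',
]


def compile_failregex(patterns=FAILREGEX, host_alias=HOST_ALIAS):
    """Expand <HOST> the way fail2ban does, then compile each failregex."""
    return [re.compile(p.replace("<HOST>", host_alias)) for p in patterns]


def extract_hosts(lines, patterns=FAILREGEX, host_alias=HOST_ALIAS):
    """Return [(host, failregex_index)] for every line some pattern matches.

    Mirrors fail2ban: patterns are tried in order, the first match wins, and the
    line is searched rather than anchored, so the timestamp prefix does not matter.
    """
    compiled = compile_failregex(patterns, host_alias)
    hits = []
    for line in lines:
        for idx, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                hits.append((m.group("host"), idx))
                break
    return hits


def count_by_host(hits):
    """Failures per host; one failed REGISTER counts once per matching log line."""
    counts = {}
    for host, _ in hits:
        counts[host] = counts.get(host, 0) + 1
    return counts


def banned(hits, maxretry=1):
    """Hosts the posted jail would ban (maxretry = 1); findtime is not modelled."""
    return sorted(host for host, n in count_by_host(hits).items() if n >= maxretry)


if __name__ == "__main__":
    hits = extract_hosts(SAMPLE_LOG)
    for host, idx in hits:
        print(f"{host:15s}  failregex #{idx + 1}")
    print("would ban:", ", ".join(banned(hits)))
    # With the looser \S+ alias the ':port' rides along on the 'Call from' line.
    print("loose alias, line 3:", extract_hosts(SAMPLE_LOG[2:3], host_alias=LOOSE_HOST_ALIAS))
```

Three things the run shows that the filter text alone does not. With the `\S+` alias from the comment, the `Call from` pattern captures `203.0.113.7:5060` because `\S` matches the colon, so the jail would try to ban a string that is not an address; the stricter alias stops at the colon and the `(:[0-9]{1,5})?` group absorbs the port. One failed REGISTER produces both a NOTICE line and a SECURITY line, so 203.0.113.5 is counted twice, which matters once `maxretry` is raised above 1. And a challenge is not a failure: Asterisk sends a 401 with a challenge to every REGISTER that arrives without credentials, including a legitimate phone's first attempt, so the `ChallengeSent` line with `maxretry = 1` bans any device whose AccountID takes the `sip:...@93.94.247.123` form unless its address is listed in `ignoreip`.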