[asterisk-users] Security AccountID unknown - PJSIP
Joshua C. Colp
jcolp at digium.com
Mon Sep 30 04:45:47 CDT 2019
On Fri, Sep 27, 2019, at 11:31 AM, Administrator TOOTAI wrote:
> Hi list,
>
> I would like to know what is the sense of such type of entry in security.log
>
> [2019-09-27 15:12:24] SECURITY[26964] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2019-09-27T15:12:24.181+0200",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="<unknown>",SessionID="56b0ca9-d967a90d16411209-a1b0fae1 at 188.165.222.17",LocalAddress="IPV4/UDP/<MyAddress>/5060",RemoteAddress="IPV4/UDP/<attackerIP>/5213",Challenge=""
>
> We have a lot of such tries coming from IPs not allowed and fail2ban
> fails to ban them because of SecurityEvent not treated and Severity
> Informational.
>
> We add a fail2ban filter to ban those IPs which is OK on our side but
> also means that attacker knows that account is not existing.
>
> Any comment appreciated

SIP uses a challenge/response mechanism for authentication. The above indicates that a challenge was sent. The remote side is under no obligation to retry with authentication and may choose not to. If they did and failed, another message would occur.

--
Joshua C. Colp
Digium - A Sangoma Company | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org
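
Added example, not part of the original thread and not Asterisk or fail2ban code: a small parser for security.log lines in the layout quoted above that tallies events per RemoteAddress, so a source that only collects challenges can be told apart from a client that completes authentication. The threshold of 3, the sample lines and the helper names are assumptions made for illustration.

```python
import re
from collections import defaultdict

PAIR = re.compile(r'(\w+)="([^"]*)"')
# Not quoted in the thread: Asterisk security event types for a failed retry.
FAILED = {"ChallengeResponseFailed", "InvalidAccountID", "InvalidPassword"}

def parse_event(line):
    """Return the key="value" fields of one security.log line, else None."""
    if " SECURITY[" not in line:
        return None
    fields = dict(PAIR.findall(line))
    return fields if "SecurityEvent" in fields else None

def remote_ip(fields):
    """RemoteAddress is family/transport/address/port; return the address."""
    parts = fields.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) == 4 else None

def suspicious_sources(lines, min_unanswered=3):
    """Sources with no successful auth and a failure or many bare challenges."""
    stats = defaultdict(lambda: {"challenges": 0, "failed": 0, "success": 0})
    for line in lines:
        fields = parse_event(line)
        ip = remote_ip(fields) if fields else None
        if ip is None:
            continue
        event = fields["SecurityEvent"]
        if event == "ChallengeSent":
            stats[ip]["challenges"] += 1
        elif event in FAILED:
            stats[ip]["failed"] += 1
        elif event == "SuccessfulAuth":
            stats[ip]["success"] += 1
    return {ip: s for ip, s in stats.items()
            if not s["success"] and (s["failed"] or s["challenges"] >= min_unanswered)}

def _line(event, account, ip):
    # Constructed, abridged line in the layout of the entry quoted in the thread.
    return ('[2019-09-27 15:12:24] SECURITY[26964] res_security_log.c: '
            f'SecurityEvent="{event}",Service="PJSIP",AccountID="{account}",'
            f'RemoteAddress="IPV4/UDP/{ip}/5213",Challenge=""')

# Constructed sample; addresses come from the documentation ranges.
SAMPLE = [_line("ChallengeSent", "<unknown>", "198.51.100.7")] * 3 + [
    _line("ChallengeSent", "1001", "192.0.2.10"),
    _line("SuccessfulAuth", "1001", "192.0.2.10"),
    _line("ChallengeSent", "<unknown>", "203.0.113.5"),
    _line("ChallengeResponseFailed", "<unknown>", "203.0.113.5"),
]
```

Calling suspicious_sources(SAMPLE) reports 198.51.100.7 and 203.0.113.5 and leaves out 192.0.2.10, whose challenge was followed by SuccessfulAuth.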