<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6002.18357" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=Arial size=2><SPAN class=610173415-15032011>Why do attacks from
the Internet get shown in the Asterisk logs with <SPAN
class=610173415-15032011>myAsteriskServerIP instead of the attacker's IP?!
Really useful for blocking them, that is...
Example:</SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=610173415-15032011><SPAN
class=610173415-15032011></SPAN></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2>[Mar 6 00:00:00] NOTICE[1926] chan_sip.c:
Failed to authenticate user 5550000<sip:5550000@<SPAN
class=610173415-15032011>myAsteriskServerIP</SPAN>>;tag=ab8537ae</FONT></DIV>
<DIV><SPAN class=610173415-15032011><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=610173415-15032011><FONT face=Arial size=2>(I replaced our IP
address with <SPAN class=610173415-15032011>myAsteriskServerIP. The
attacks are <EM>not</EM> coming from itself!) </SPAN>This affects e.g.
Asterisk 1.4.24, 1.6.0.22 and 1.8.0</FONT></SPAN></DIV>
<DIV><SPAN class=610173415-15032011><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=610173415-15032011><FONT face=Arial size=2>Ref: <A
href="http://forums.digium.com/viewtopic.php?t=74947">http://forums.digium.com/viewtopic.php?t=74947</A></FONT></SPAN></DIV>
<DIV><SPAN class=610173415-15032011><FONT face=Arial size=2>Ref: <A
href="http://forums.digium.com/viewtopic.php?f=1&t=77070">http://forums.digium.com/viewtopic.php?f=1&t=77070</A></FONT></SPAN></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><SPAN class=610173415-15032011><FONT face=Arial size=2>Similar messages
from those threads (1 line each):</FONT></SPAN></DIV>
<DIV><SPAN class=610173415-15032011><SPAN style="FONT-STYLE: italic">-- Executing [123456@from-sip-external:1]
NoOp("SIP/mypbx.com-00000751", "Received incoming SIP connection from unknown
peer to 123456") in new stack</SPAN></SPAN></DIV>
<DIV><SPAN class=610173415-15032011><SPAN
style="FONT-STYLE: italic"></SPAN></SPAN> </DIV>
<DIV><SPAN class=610173415-15032011><SPAN style="FONT-STYLE: italic">Aug 7
23:32:03 mypbx asterisk[3686]: NOTICE[27307]: chan_sip.c:18047 in
handle_request_invite: Failed to authenticate user
<sip:165411@mypbx.com>;tag=1660ec63 <BR><BR>Aug 8 00:03:50 mypbx
asterisk[3686]: NOTICE[27307]: chan_sip.c:18044 in handle_request_invite:
Sending fake auth rejection for user <sip:165499@mypbx.com>;tag=e6786d03
</SPAN></SPAN></DIV>
<DIV><SPAN class=610173415-15032011><SPAN
style="FONT-STYLE: italic"></SPAN></SPAN> </DIV>
<DIV><SPAN class=610173415-15032011><FONT face="Courier New">NOTICE[2578]:
chan_sip.c:21250 handle_request_invite: Sending fake auth rejection for device
"w"<sip:user@asterisk-ip;transport=UDP>;tag=8f2b8d05</FONT></SPAN></DIV>
<DIV><SPAN class=610173415-15032011><FONT
face="Courier New"></FONT></SPAN> </DIV>
<DIV><SPAN class=610173415-15032011><FONT face=Arial size=2>So there are at
least 3 different SIP messages where the IP address is not logged, 2 of which do
not seem to have a work-around like:</FONT></SPAN></DIV>
<DIV><SPAN
class=610173415-15032011>alwaysauthreject=yes<BR>allowguest=no</SPAN></DIV>
<DIV><SPAN class=610173415-15032011>The above works around the unknown peer
issue, but that should really be logging the IP address too!</SPAN></DIV>
<DIV><SPAN class=610173415-15032011></SPAN> </DIV>
<DIV><SPAN class=610173415-15032011><FONT face=Arial size=2>Those two or three
users on the forums and I would like to use Fail2Ban with Asterisk to block
hackers...</FONT></SPAN></DIV>
<DIV><SPAN class=610173415-15032011><FONT face=Arial size=2><A
href="http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk">http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk</A></FONT></SPAN></DIV>
<DIV><SPAN class=610173415-15032011><FONT face=Arial size=2>... and I expect
others would appreciate logging hackers' IP addresses too!</FONT></SPAN></DIV>
<DIV><SPAN class=610173415-15032011><FONT face=Arial size=2>It is also useful
for debugging purposes when setting up users to have their IP addresses
too.</FONT></SPAN></DIV>
<DIV><SPAN class=610173415-15032011><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=610173415-15032011><FONT face=Arial size=2>Is there any known
solution or patch available?</FONT></SPAN></DIV>
<DIV><SPAN class=610173415-15032011><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=610173415-15032011><FONT face=Arial size=2>Unpatched, I
consider this a security vulnerability, because, even if one uses filthy
passwords, it can cause a DoS and fill up your log files and your disk until
there is no space left. The only solution to avoid that is to block the
attackers quickly (or have something to manage your logs, or not log it I
guess). I've got about 1 GB worth of attacks in my logs from 2 weeks on 1
server...</FONT></SPAN></DIV>
<DIV><SPAN class=610173415-15032011><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=610173415-15032011><FONT face=Arial size=2>Based on the output
in this issue:</FONT></SPAN></DIV>
<DIV><SPAN class=610173415-15032011><FONT face=Arial size=2><A
href="https://issues.asterisk.org/view.php?id=18334">https://issues.asterisk.org/view.php?id=18334</A></FONT></SPAN></DIV>
<DIV><SPAN class=610173415-15032011><FONT face=Arial size=2>it looks like the
issue remains in 1.6.2.14 and 1.8.0...</FONT></SPAN></DIV>
<P><SPAN lang=en-gb><FONT face=Arial size=2>Kind regards,</FONT></SPAN> </P>
<P><SPAN lang=en-gb><SPAN class=610173415-15032011><FONT face=Arial
size=2>SebA</FONT></SPAN></SPAN></P></BODY></HTML>