<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Thu, Aug 30, 2018 at 6:02 AM John Covici <<a href="mailto:covici@ccs.covici.com">covici@ccs.covici.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I agree, but is it possible to try over and over with anything other<br>
than the challenge warning in the security log as sean suggested and<br>
put a patch for?<br></blockquote><div><br></div><div>I don't think I understand your question.</div><div><br></div><div>You shouldn't need a patch if you are using the SECURITY log. The thread above is suggesting patching the source code to hijack a WARNING message for the purposes of tracing security information; my point is that you should have a specific SECURITY log message that already serves that purpose.<br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
On Wed, 29 Aug 2018 22:52:05 -0400,<br>
Matthew Jordan wrote:<br>
> <br>
> On Wed, Aug 29, 2018 at 6:20 PM Telium Support Group <<a href="mailto:support@telium.ca" target="_blank">support@telium.ca</a>> wrote:<br>
> <br>
> Depending on log trolling (Asterisk security log) misses a lot, and also depends on the SIP/PJSIP folks to not change message structure (which has already happened numerous time). If you are comfortable hacking chan_sip.c you may<br>
> prefer to get the same messages from the AMI. It still misses a lot but that approach is better than nothing.<br>
> <br>
> Digium warns not to use fail2ban / log trolling as a security system: <a href="http://forums.asterisk.org/viewtopic.php?p=159984" rel="noreferrer" target="_blank">http://forums.asterisk.org/viewtopic.php?p=159984</a><br>
> <br>
> That's some pretty old advice.<br>
> <br>
> The rationale for *not* using general log messages with fail2ban still stands: the general WARNING/NOTICE/etc. log messages are subject to change between versions, and no one wants that to impact someone's security. So you should not use<br>
> those messages as input into fail2ban.<br>
> <br>
> That rationale did lead to the 'security' event type in log messages. Security Event Logging - as it is called - got added into Asterisk quite some time ago. So long ago I'm really not sure which version. At a minimum, Asterisk 11, but<br>
> I'm pretty sure it was in 10 as well.<br>
> <br>
> Documentation for it can be found here:<br>
> <br>
> <a href="https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger" rel="noreferrer" target="_blank">https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger</a><br>
> <br>
> And here:<br>
> <br>
> <a href="https://wiki.asterisk.org/wiki/display/AST/Logging+Configuration" rel="noreferrer" target="_blank">https://wiki.asterisk.org/wiki/display/AST/Logging+Configuration</a><br>
> <br>
> Note that this also fires off AMI events (and ARI events, IIRC).<br>
> <br>
> If, for whatever reason, you do not get a SECURITY log message or a corresponding event when something 'bad' happens, that would be worth some additional discussion. If anything, the events can be a bit chatty...<br>
> <br>
> <br>
> -----Original Message-----<br>
> From: asterisk-users [mailto:<a href="mailto:asterisk-users-bounces@lists.digium.com" target="_blank">asterisk-users-bounces@lists.digium.com</a>] On Behalf Of sean darcy<br>
> Sent: Wednesday, August 29, 2018 6:33 PM<br>
> To: <a href="mailto:asterisk-users@lists.digium.com" target="_blank">asterisk-users@lists.digium.com</a><br>
> Subject: Re: [asterisk-users] getting invites to rtp ports ??<br>
> <br>
> On 08/29/2018 11:59 AM, Telium Support Group wrote:<br>
> > Block a single IP is the wrong approach (whack-a-mole). You should consider a more comprehensive approach to securing your VoIP environment. Have a look at this wiki:<br>
> > <br>
> > <a href="https://www.voip-info.org/asterisk-security/" rel="noreferrer" target="_blank">https://www.voip-info.org/asterisk-security/</a><br>
> > <br>
> > <br>
> > <br>
> > -----Original Message-----<br>
> > From: asterisk-users [mailto:<a href="mailto:asterisk-users-bounces@lists.digium.com" target="_blank">asterisk-users-bounces@lists.digium.com</a>] <br>
> > On Behalf Of sean darcy<br>
> > Sent: Wednesday, August 29, 2018 10:46 AM<br>
> > To: <a href="mailto:asterisk-users@lists.digium.com" target="_blank">asterisk-users@lists.digium.com</a><br>
> > Subject: Re: [asterisk-users] getting invites to rtp ports ??<br>
> > <br>
> > On 08/29/2018 09:42 AM, Carlos Rojas wrote:<br>
> >> Hi<br>
> >><br>
> >> Probably somebody is trying to hack your system, you should block <br>
> >> that ip on your firewall.<br>
> >><br>
> >> Regards<br>
> >><br>
> >> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <<a href="mailto:seandarcy2@gmail.com" target="_blank">seandarcy2@gmail.com</a> <br>
> >> <mailto:<a href="mailto:seandarcy2@gmail.com" target="_blank">seandarcy2@gmail.com</a>>> wrote:<br>
> >><br>
> >> I'm getting invites to very high ports every 30 seconds from a<br>
> >> particular ip address:<br>
> >><br>
> >> Retransmitting #10 (NAT) to <a href="http://5.199.133.128:52734" rel="noreferrer" target="_blank">5.199.133.128:52734</a><br>
> >> <<a href="http://5.199.133.128:52734" rel="noreferrer" target="_blank">http://5.199.133.128:52734</a>>:<br>
> >> SIP/2.0 401 Unauthorized<br>
> >> Via: SIP/2.0/UDP<br>
> >> 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734<br>
> >> From: <<a href="mailto:sip%3A37120116780191250@67.80.191.250" target="_blank">sip:37120116780191250@67.80.191.250</a><br>
> >> <mailto:<a href="mailto:sip%253A37120116780191250@67.80.191.250" target="_blank">sip%3A37120116780191250@67.80.191.250</a>>>;tag=1872048972<br>
> >> To: <<a href="mailto:sip%3A3712011972592181418@67.80.191.250" target="_blank">sip:3712011972592181418@67.80.191.250</a><br>
> >> <mailto:<a href="mailto:sip%253A3712011972592181418@67.80.191.250" target="_blank">sip%3A3712011972592181418@67.80.191.250</a>>>;tag=as3a52e748<br>
> >> Call-ID: 1504207870-295758084-609228182<br>
> >> CSeq: 1 INVITE<br>
> >> .......<br>
> >> WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on<br>
> >> 1504207870-295758084-609228182...<br>
> >><br>
> >> I thought invites had to go to port 5060 or so. I don't understand<br>
> >> why somebody (let's assume a bad guy) is trying ports above 50000.<br>
> >><br>
> >> sean<br>
> >><br>
> >><br>
> > <br>
> > Ok, so the high port is not the destination port but the source port.<br>
> > <br>
> > So I hacked the log warning in chan_sip.c on non-critical invites to show the source ip:<br>
> > <br>
> > ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",<br>
> > pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));<br>
> > <br>
> > With that in the log, I'm now blocking the ip addresses.<br>
> > <br>
> > Thanks,<br>
> > sean<br>
> > <br>
> > <br>
> > --<br>
> > _____________________________________________________________________<br>
> > -- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" rel="noreferrer" target="_blank">http://www.api-digital.com</a> --<br>
> > <br>
> > Astricon is coming up October 9-11! Signup is available at: <br>
> > <a href="https://www.asterisk.org/community/astricon-user-conference" rel="noreferrer" target="_blank">https://www.asterisk.org/community/astricon-user-conference</a><br>
> > <br>
> > Check out the new Asterisk community forum at: <br>
> > <a href="https://community.asterisk.org/" rel="noreferrer" target="_blank">https://community.asterisk.org/</a><br>
> > <br>
> <br>
> I agree. That's why I hacked chan_sip.c to get the addresses in the log.<br>
> <br>
> I'm surprised they're not in the log by default. I must be the only person who gets these "non-critical invites".<br>
> <br>
> sean<br>
> <br>
> New to Asterisk? Start here:<br>
> <a href="https://wiki.asterisk.org/wiki/display/AST/Getting+Started" rel="noreferrer" target="_blank">https://wiki.asterisk.org/wiki/display/AST/Getting+Started</a><br>
> <br>
> asterisk-users mailing list<br>
> To UNSUBSCRIBE or update options visit:<br>
> <a href="http://lists.digium.com/mailman/listinfo/asterisk-users" rel="noreferrer" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br>
> <br>
> -- <br>
> Matthew Jordan<br>
> Digium, Inc. | CTO<br>
> 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA<br>
> Check us out at: <a href="http://digium.com" rel="noreferrer" target="_blank">http://digium.com</a> & <a href="http://asterisk.org" rel="noreferrer" target="_blank">http://asterisk.org</a><br>
<br>
-- <br>
Your life is like a penny. You're going to lose it. The question is:<br>
How do you spend it?<br>
<br>
John Covici wb2una<br>
<a href="mailto:covici@ccs.covici.com" target="_blank">covici@ccs.covici.com</a><br>
<br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">Matthew Jordan<br>Digium, Inc. | CTO<br>445 Jan Davis Drive NW - Huntsville, AL 35806 - USA<br>Check us out at: <a href="http://digium.com" target="_blank">http://digium.com</a> & <a href="http://asterisk.org" target="_blank">http://asterisk.org</a></div></div>
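To make the point about keying on the SECURITY log concrete, here is an added example (not from this thread and not Asterisk code) that parses Security Event Logger output and counts failed attempts per remote address, the way a fail2ban filter fed from the security log would, while ignoring the chan_sip WARNING line the thread patched. The log lines are constructed samples in the res_security_log.c key="value" format, and the threshold and window are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample: Security Event Logger lines (logger.conf "security => security")
# plus one chan_sip WARNING like the one hacked in the thread, which is ignored here.
SAMPLE_LOG = """\
[2018-08-29 18:00:00] SECURITY[15031] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",EventVersion="1",AccountID="1001",LocalAddress="IPV4/UDP/67.80.191.250/5060",RemoteAddress="IPV4/UDP/5.199.133.128/52734"
[2018-08-29 18:33:01] SECURITY[15031] res_security_log.c: SecurityEvent="ChallengeSent",Severity="Informational",Service="SIP",EventVersion="1",AccountID="37120116780191250",LocalAddress="IPV4/UDP/67.80.191.250/5060",RemoteAddress="IPV4/UDP/5.199.133.128/52734",Challenge="2f1c9a31"
[2018-08-29 18:33:02] SECURITY[15031] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",EventVersion="1",AccountID="37120116780191250",LocalAddress="IPV4/UDP/67.80.191.250/5060",RemoteAddress="IPV4/UDP/5.199.133.128/52734"
[2018-08-29 18:33:32] SECURITY[15031] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",EventVersion="1",AccountID="3712011972592181418",LocalAddress="IPV4/UDP/67.80.191.250/5060",RemoteAddress="IPV4/UDP/5.199.133.128/52734"
[2018-08-29 18:34:02] SECURITY[15031] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",EventVersion="1",AccountID="1001",LocalAddress="IPV4/UDP/67.80.191.250/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2018-08-29 18:34:02] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182...
[2018-08-29 18:34:03] SECURITY[15031] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",EventVersion="1",AccountID="1002",LocalAddress="IPV4/UDP/67.80.191.250/5060",RemoteAddress="IPV4/UDP/5.199.133.128/52734"
"""
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\] \S+: (?P<kv>.*)$")
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Asterisk security event types that mean an attempt failed (see the wiki page above).
FAILURE_EVENTS = {"InvalidAccountID", "InvalidPassword",
                  "ChallengeResponseFailed", "FailedACL"}

def parse_security_line(line):
    """Return (timestamp, fields) for a SECURITY line, else None.
    fields gains "RemoteIP", the ADDR part of FAMILY/TRANSPORT/ADDR/PORT."""
    m = LINE_RE.match(line)
    if not m:
        return None  # WARNING/NOTICE lines are deliberately not parsed
    fields = dict(FIELD_RE.findall(m.group("kv")))
    parts = fields.get("RemoteAddress", "").split("/")
    fields["RemoteIP"] = parts[2] if len(parts) == 4 else None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), fields

def offenders(log_text, threshold=3, window=timedelta(minutes=10)):
    """IP -> failure count for IPs reaching `threshold` failures in `window`
    (assumed defaults, analogous to fail2ban's maxretry and findtime)."""
    recent, hits = defaultdict(list), {}
    for line in log_text.splitlines():
        parsed = parse_security_line(line)
        if parsed is None:
            continue
        ts, fields = parsed
        ip = fields["RemoteIP"]
        if fields.get("SecurityEvent") not in FAILURE_EVENTS or ip is None:
            continue
        # sliding window: keep only failures no older than `window`
        recent[ip] = [t for t in recent[ip] + [ts] if ts - t <= window]
        if len(recent[ip]) >= threshold:
            hits[ip] = len(recent[ip])
    return hits
```

Calling `offenders(SAMPLE_LOG)` with the defaults flags only 5.199.133.128, because its 18:00 failure has aged out of the 10-minute window and the single 203.0.113.7 failure stays under the threshold.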