Asterisk not logging originating IP of a brute force attack

Postby frutza » Thu Feb 10, 2011 9:33 am

I am running Asterisk 1.8 and have the following problem (which also happened with 1.6 in the past).

My Asterisk box was under a brute force attack which went unnoticed for a few months.
The only result of the attack was that they identified a valid SIP username (denoted user in the log entry below).
Now they are trying to brute force the password for this user.

To prevent this (and other brute force attacks) I have installed and configured fail2ban. It works nicely and prevents about 2 SSH attacks per day.

Unfortunately, it does not do anything to prevent the SIP attacks, because Asterisk is not logging the originating IP address of the brute force attack. The log entries in messages & full are:

NOTICE[2578]: chan_sip.c:21250 handle_request_invite: Sending fake auth rejection for device "w"<sip:user@asterisk-ip;transport=UDP>;tag=8f2b8d05


...where user is the valid username they were able to find via brute force and asterisk-ip is MY IP address, not the attacker's. Obviously, based on this log entry, fail2ban cannot create an iptables rule to block further attacks.

Although I did some research on this (and some other people seem to have reported the same problem) I could not find a solution.

Many thanks in advance for all the help I will get!

Re: Asterisk not logging originating IP of a brute force attack

Postby david55 » Fri Feb 11, 2011 9:24 am

This would, arguably, be considered a new feature request, so you need to write a patch against the trunk SVN version and submit it. I imagine it is quite easy to add the IP address to this message, by changing the source code - cut and paste coding is probably enough.

Note that I doubt that any of the log messages represent a guaranteed interface to Asterisk. Whilst this means it would be OK to change the message, it also means that you have no comeback if there are incompatible changes in any message in future.

Re: Asterisk not logging originating IP of a brute force attack

Postby frutza » Fri Feb 11, 2011 12:16 pm

Thank you david55!

If I understand your answer correctly, this is not a bug or a misconfiguration of the logging mechanism but expected behavior. However, I am not sure if Asterisk 1.4 was doing the same thing, or it was including the IP. Do you think that using 1.4 would solve the problem?

Re: Asterisk not logging originating IP of a brute force attack

Postby thor » Wed Jul 06, 2011 11:21 am

david55 wrote:
This would, arguably, be considered a new feature request, so you need to write a patch against the trunk SVN version and submit it.

A new feature request? Is this a joke? Asterisk can be brute-forced to pieces and nothing shows in the logs, and you are asking the user to write a patch for it?

Re: Asterisk not logging originating IP of a brute force attack

Postby roderickm » Wed Jul 13, 2011 2:42 pm

There are two issues discussed here.

The first is that in the past, Asterisk 1.4 and 1.6.2 responded differently to SIP requests from an invalid SIP user than they did to a user configured on the system. This was resolved in Asterisk Security Advisory AST-2011-011, and is corrected in versions 1.4.41.2, 1.6.2.18.2, and 1.8.4.4.

IT IS ABSOLUTELY IMPERATIVE that users of Asterisk 1.4 and 1.6.2 set alwaysauthreject=yes in the general section of sip.conf. Please read the advisory for more details.

The second claim is that Asterisk does not properly log the IP address. This may have been true for certain conditions prior to the security patch, but all current versions of Asterisk report the IP address in registration failures:

[Jul 13 19:12:14] NOTICE[2970] chan_sip.c: Registration from '"baduser" <sip:baduser@asterisk.example.com>' failed for '216.207.245.1:61140' - No matching peer found


This works great with fail2ban and other monitoring/reporting/intrusion-detection systems.
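The two log formats quoted in this thread behave very differently once you try to feed them to a banning tool. The following is an added example (my own code, not from the thread, from Asterisk or from fail2ban) that parses both the "Registration from ... failed for 'IP:port'" notice and the "Sending fake auth rejection" notice, counts attributable failures per source address with a fail2ban-style maxretry threshold, and reports how many failures named no peer address at all. It assumes IPv4 addresses only, a threshold of 3, and constructed log lines using documentation-range addresses (203.0.113.7 and 192.0.2.44 stand in for attackers, 198.51.100.10 for the Asterisk box itself); the regexes are mine and are modelled on the message text shown above, not copied from fail2ban's filter.

```python
"""Parse Asterisk chan_sip failure notices and decide which peers to ban.

Added example (not code from the thread, from Asterisk or from fail2ban).
The two regexes follow the message formats quoted in the thread; the log
lines below are constructed, and the addresses in them are documentation
ranges, not real attackers.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple


class SipFailure(NamedTuple):
    kind: str           # "registration_failed" or "fake_auth_rejection"
    user: str           # account named in the notice
    ip: Optional[str]   # peer address, or None when the line carries none


# "Registration from '...' failed for 'IP:port' - reason" (the format quoted
# in roderickm's post). IPv4 only here; that is a simplification.
REGISTRATION_FAILED = re.compile(
    r"Registration from '(?P<user>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.*)$"
)

# "Sending fake auth rejection for device ..." (the line the original poster
# quoted). The host after '@' is the Request-URI target, i.e. the Asterisk
# box itself, so it is matched only to skip past it and never used for a ban.
FAKE_AUTH_REJECTION = re.compile(
    r'Sending fake auth rejection for device '
    r'"?[^"<]*"?<sip:(?P<user>[^@;>]+)@[^;>]+'
)


def parse_line(line: str) -> Optional[SipFailure]:
    """Return the failure an Asterisk log line describes, or None."""
    m = REGISTRATION_FAILED.search(line)
    if m:
        return SipFailure("registration_failed", m.group("user"), m.group("ip"))
    m = FAKE_AUTH_REJECTION.search(line)
    if m:
        # No peer address is present in this message, so there is nothing a
        # fail2ban-style action could put into an iptables rule.
        return SipFailure("fake_auth_rejection", m.group("user"), None)
    return None


def ban_candidates(log_text: str, maxretry: int = 3) -> Tuple[List[str], Dict[str, int], int]:
    """Count attributable failures per source IP (like fail2ban's maxretry).

    Returns (ips at or over maxretry, per-IP counts, number of failures that
    named no peer address and therefore cannot be banned).
    """
    per_ip: Counter = Counter()
    unattributed = 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.ip is None:
            unattributed += 1
        else:
            per_ip[ev.ip] += 1
    banned = sorted(ip for ip, n in per_ip.items() if n >= maxretry)
    return banned, dict(per_ip), unattributed


# Constructed sample log: three registration failures from one host, one from
# another, and one "fake auth rejection" notice that names only the server.
SAMPLE_LOG = """\
[Jul 13 19:12:14] NOTICE[2970] chan_sip.c: Registration from '"baduser" <sip:baduser@asterisk.example.com>' failed for '203.0.113.7:61140' - No matching peer found
[Jul 13 19:12:15] NOTICE[2970] chan_sip.c: Registration from '"user" <sip:user@asterisk.example.com>' failed for '203.0.113.7:61141' - Wrong password
[Jul 13 19:12:16] NOTICE[2970] chan_sip.c: Registration from '"user" <sip:user@asterisk.example.com>' failed for '203.0.113.7:61142' - Wrong password
[Jul 13 19:12:17] NOTICE[2578] chan_sip.c:21250 handle_request_invite: Sending fake auth rejection for device "w"<sip:user@198.51.100.10;transport=UDP>;tag=8f2b8d05
[Jul 13 19:12:18] NOTICE[2970] chan_sip.c: Registration from '"alice" <sip:alice@asterisk.example.com>' failed for '192.0.2.44:5060' - Wrong password
"""


if __name__ == "__main__":
    banned, counts, skipped = ban_candidates(SAMPLE_LOG, maxretry=3)
    print("ban:", banned)              # ['203.0.113.7']
    print("counts:", counts)           # {'203.0.113.7': 3, '192.0.2.44': 1}
    print("failures without a peer address:", skipped)  # 1
```

The point the example makes is the one the thread turns on: a filter can only ban what the log attributes to a source, so the "fake auth rejection" line is counted as a failure but contributes nothing to any ban list, while the registration-failure notice yields a usable address. In a real deployment the threshold and time window would come from the jail configuration, and the action would be an iptables rule rather than a printed list.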

Re: Asterisk not logging originating IP of a brute force attack

Postby thor » Fri Jul 15, 2011 10:03 am

For the record, roderickm's claim was crossposted to two other threads where it was promptly rebutted:

viewtopic.php?t=74947

and

viewtopic.php?t=78988

Re: Asterisk not logging originating IP of a brute force attack

Postby roderickm » Fri Jul 15, 2011 11:53 pm

Let's consolidate the discussion on a single thread. I've posted an answer to your question here:

viewtopic.php?t=78988
