Code contributions, more than anything else, help to move Asterisk's capabilities forward
If Digium is, corporately, touting fail2ban as a panacea, please point me to where we might be doing so.
Yup, I remember that.
I don't think characterizing the Asterisk community as lacking in care about security is very fair.
[Jul 13 19:12:14] NOTICE[2970] chan_sip.c: Registration from '"baduser" <sip:baduser@asterisk.example.com>' failed for '216.207.245.1:61140' - No matching peer found
Asterisk 1.8.0:
[Jul 16 05:34:27] NOTICE[2970] chan_sip.c: Call from '' to extension '395' rejected because extension not found in context 'default'.
Asterisk 1.8.5:
[Jul 16 05:49:55] NOTICE[29385] chan_sip.c: Call from '' (10.23.228.150:5060) to extension '395' rejected because extension not found in context 'default'.
chan_sip.c: Failed to authenticate device sip:100@random.crap;tag=J5zBr48MrJLLJQWPpHd02Bw.DxHGvEBZ
Asterisk 1.8.5.0 before patch:
[Jul 16 14:27:53] NOTICE[29385] chan_sip.c: Sending fake auth rejection for device "roderickm" <sip:girstwce@192.168.1.104>;tag=PNNjEgTzE4K.2w221Kd5qYLoL5MCG8I
with patch:
[Jul 16 14:34:44] NOTICE[1823] chan_sip.c: Sending fake auth rejection for device "roderickm" <sip:girstwce@192.168.1.104>;tag=aQF8ZHDlcTtoyERbjFkKOnoQHkisuEg9 (76.103.148.116:44752)
[root@asterisk channels]# diff chan_sip.c chan_sip.c.orig
21216c21216
< ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s (%s)\n", get_header(req, "From"), ast_sockaddr_stringify(addr));
---
> ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From"));
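Review bot: the appended `(%s)` from `ast_sockaddr_stringify(addr)` is the only part of this line an external tool should trust, so any fail2ban/blockhosts regex built on it should be anchored on the trailing parenthesised address at end-of-line, not on what precedes it: `get_header(req, "From")` is supplied by the remote side and can itself contain a string shaped like `(1.2.3.4:5060)`. Also note the diff was taken as `diff chan_sip.c chan_sip.c.orig`, so the `<` lines are the new code and `patch` needs `-R` to apply it as shown.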
21870,21871c21870
< ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s (%s)\n", get_header(req, "From"), ast_sockaddr_stringify(addr));
<
---
> ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From"));
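Review bot: the second `<` line of this hunk (`21870,21871c21870`) adds an empty line after the `ast_log` call, a whitespace-only change that is not part of the fix; drop it so this hunk is a one-line change like the other three.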
23640c23639
< ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s (%s)\n", get_header(req, "From"), ast_sockaddr_stringify(addr));
---
> ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From"));
23857c23856
< ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s (%s)\n", get_header(req, "From"), ast_sockaddr_stringify(addr));
---
> ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From"));
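Review bot: this is the fourth copy of the same format string and argument list (lines 21216, 21870, 23640 and 23857), so any later change to the wording or arguments has to be made in four places; consider a small static helper taking `req` and `addr` that calls `ast_log` once, or emitting these rejections through the security event log, whose `SecurityEvent="InvalidAccountID"` line with a `RemoteAddress=` field appears further down this thread.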
I would expect an internal audit of logging of all authentication requests, as I am sure the REGISTER and INVITE methods are not the only ones which can be used to brute-force accounts. My guess is the next attack will be using the SUBSCRIBE method.
[2012-12-03 10:48:07.098] NOTICE[4752] chan_sip.c: Sending fake auth rejection for device 100<sip:100@my_own_external_ip>;tag=7c09df41
dadooronron wrote: 1) Why did you change the code for logging?
craigarno wrote: This feature will also need the ability to ignore specific "good" IPs/ranges during configuration/development with new equipment. Attacks are becoming common, regular, and increasing in frequency. Tools beyond "best practices" are needed to assist Asterisk users to manage these issues. One successful break-in will cost real money from unauthorized misuse/abuse of paid-for telephony services and loss of network bandwidth/functionality.
Thanks for reading.
navaismo wrote: Asterisk is a PBX; if you are concerned about security you need to look at another place or software. Maybe people always confuse the fact that Asterisk is PBX software, and want to do a lot of things inside Asterisk itself.
navaismo wrote: If you want to block IPs or attacks, use the normal logs of Asterisk plus iptables, blockhosts, fail2ban or whatever. Seriously, people need to start complaining about the holes in their installations instead of about a PBX.
navaismo wrote: I use SIP peers with type=friend, I have opened ports to my PBX, I allow guests to make calls and I have the blockhosts tool. And I don't lose money.
craigarno wrote: Apparently you missed the point of this thread... Asterisk logs (system or console) don't contain the information needed to block these attempted intrusions by any external program. The connecting IP isn't exposed in the Asterisk log message. The problem described in this thread exists and is real.
david55 wrote:Quite a few people complain because the normal logs don't provide this information, when, with current versions, they should actually be using the security logs.
The normal logs assume that failed calls are the result of something you have done wrong, not the result of hostile action, so the information they provide is aimed at finding and fixing your errors, not at blocking attackers.
console => notice,warning,error
messages => notice,warning,error
/var/log/asterisk/messages wrote:[Mar 30 08:21:53] NOTICE[14760][C-000017e4]: chan_sip.c:25081 handle_request_invite: Sending fake auth rejection for device 501<sip:501@50.132.123.456>;tag=ba5e8ad1
[Mar 30 08:21:53] SECURITY[14743]: res_security_log.c:134 security_event_cb: SecurityEvent="InvalidAccountID",EventTV="1364656913-935416",Severity="Error",Service="SIP",EventVersion="1",AccountID="011972592267352",SessionID="0x7f7cd8710818",LocalAddress="IPV4/UDP/50.132.123.456/5060",RemoteAddress="IPV4/UDP/166.78.61.131/5078"
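To make the point of the last two posts concrete, here is an added example (written for this thread, not code from the Asterisk project or from any poster) of the filter logic a fail2ban-style tool would run over both line shapes shown above: the patched chan_sip NOTICE with "(ip:port)" appended at the end of the line, and the res_security_log SecurityEvent line with its RemoteAddress= field. It assumes logger.conf routes the `security` level to its own file (a `security => security` line next to the `messages` line above); the sample log lines are constructed with documentation addresses, and the set of SecurityEvent names treated as failures beyond InvalidAccountID is the example's own choice.

```python
"""Extract the attacker's source address from Asterisk failed-auth log lines.

Added example for this thread, not Asterisk project code.  Two formats:
  * patched chan_sip NOTICE: "... (ip:port)" appended at the END of the line
  * res_security_log SecurityEvent: RemoteAddress="FAMILY/TRANSPORT/ADDR/PORT"
Sample lines below are constructed (RFC 5737 documentation addresses).
"""
import re
from collections import Counter

# Patched NOTICE.  Anchored to end-of-line on purpose: everything before the
# final "(ip:port)" is the From header, which the remote side controls and
# which can itself contain text shaped like "(1.2.3.4:5060)".  IPv4 only.
FAKE_AUTH_RE = re.compile(
    r"chan_sip\.c(?::\d+ \w+)?: Sending fake auth rejection for device .*"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\)\s*$"
)

# SecurityEvent line.  Only the event name and RemoteAddress are needed; the
# other key="value" pairs between them are skipped.
SECURITY_RE = re.compile(
    r'SecurityEvent="(?P<event>[A-Za-z]+)".*?'
    r'RemoteAddress="(?P<family>IPV[46])/(?P<transport>[A-Z]+)/'
    r'(?P<ip>[^/"]+)/(?P<port>\d+)"'
)

# Events counted as an authentication failure.  The thread shows only
# InvalidAccountID; the others are further Asterisk event names, and which
# ones to ban on is an assumption of this example.
FAILURE_EVENTS = {"InvalidAccountID", "InvalidPassword",
                  "ChallengeResponseFailed", "FailedACL"}


def source_of(line):
    """Return (ip, port) of the remote peer for a failure line, else None."""
    m = SECURITY_RE.search(line)
    if m:
        if m.group("event") not in FAILURE_EVENTS:
            return None               # e.g. SuccessfulAuth is not a failure
        return m.group("ip"), int(m.group("port"))
    m = FAKE_AUTH_RE.search(line)
    if m:
        return m.group("ip"), int(m.group("port"))
    return None                       # unpatched NOTICE, or unrelated line


def count_sources(lines):
    """Failure count per remote IP; lines without an address are ignored."""
    counts = Counter()
    for line in lines:
        src = source_of(line)
        if src is not None:
            counts[src[0]] += 1
    return counts


def offenders(lines, maxretry=3):
    """IPs with at least `maxretry` failures, i.e. what fail2ban would ban."""
    return sorted(ip for ip, n in count_sources(lines).items() if n >= maxretry)


# Constructed sample log: three failures from 203.0.113.5, a fourth from the
# same host whose From display name plants a decoy "(10.0.0.1:5060)", three
# SecurityEvent failures from 198.51.100.7, one success, one unpatched line.
SEC = ('[Mar 30 08:21:53] SECURITY[14743]: res_security_log.c:134 security_event_cb: '
       'SecurityEvent="{ev}",EventTV="1364656913-935416",Severity="Error",Service="SIP",'
       'EventVersion="1",AccountID="{acct}",SessionID="0x7f7cd8710818",'
       'LocalAddress="IPV4/UDP/192.0.2.1/5060",RemoteAddress="IPV4/UDP/{ip}/{port}"')
NOTICE = ('[Jul 16 14:34:44] NOTICE[1823] chan_sip.c: Sending fake auth rejection '
          'for device {frm}')
SAMPLE_LOG = [
    NOTICE.format(frm='"roderickm" <sip:girstwce@192.168.1.104>;tag=aQF8Z (203.0.113.5:44752)'),
    NOTICE.format(frm='"roderickm" <sip:girstwce@192.168.1.104>;tag=bB31x (203.0.113.5:44753)'),
    NOTICE.format(frm='"roderickm" <sip:girstwce@192.168.1.104>;tag=cC90q (203.0.113.5:44754)'),
    # decoy address inside the attacker-controlled From header, real one last
    NOTICE.format(frm='"evil (10.0.0.1:5060)" <sip:100@pbx.example.com>;tag=dd01 (203.0.113.5:44755)'),
    SEC.format(ev="InvalidAccountID", acct="1001", ip="198.51.100.7", port=5078),
    SEC.format(ev="InvalidPassword", acct="1002", ip="198.51.100.7", port=5079),
    SEC.format(ev="ChallengeResponseFailed", acct="1003", ip="198.51.100.7", port=5080),
    SEC.format(ev="SuccessfulAuth", acct="2000", ip="192.0.2.10", port=5060),
    # unpatched 1.8.5.0 NOTICE: no address at all, so nothing to ban
    NOTICE.format(frm='"roderickm" <sip:girstwce@192.168.1.104>;tag=PNNjEg'),
]

if __name__ == "__main__":
    for ip, n in count_sources(SAMPLE_LOG).most_common():
        print(f"{ip:16} {n} failures")
    print("ban:", offenders(SAMPLE_LOG, maxretry=3))
```

The decoy line is the case the end-of-line anchor exists for: with `FAKE_AUTH_RE` unanchored, the display name's `(10.0.0.1:5060)` could be picked up and an innocent address banned while the real source keeps going. For the SecurityEvent format no such trick is available, because the address lives in a fixed field that Asterisk fills from the socket rather than from the SIP message.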