I’ve recently had a fairly prolonged SIP registration attack, 18 hours in this case and often with 200 attempts per second, and suspect I’ve had a number of these in the past. The main symptom I noticed previously was, because Asterisk was responding to each registration request it received, it was very quickly using up my 448 kbps upload limit for my home ADSL connection: any further traffic (i.e. anything I did) was then experiencing significant packet loss.
Anyway, I’ve now implemented the “7 steps to better Asterisk security” that I found on the Digium website (deny/permit, alwaysauthreject etc.), and have been looking at fail2ban. However, when I attempted to install it (following the instructions I found on a page about fail2ban with Asterisk), I ran into a couple of issues.
FWIW, I’m using Asterisk 184.108.40.206~dfsg-3+lenny1 on Debian.
First, I tried uncommenting the line in /etc/asterisk/logger.conf, i.e. dateformat=%F %T, and verified that the date format in /var/log/asterisk/full had, indeed, changed (after I did an asterisk -rx 'logger reload', of course). It had changed: it now started with the year, instead of Aug; however, the parentheses were still there, whereas the instructions seemed to indicate that they'd disappear when this line was used in logger.conf.
At that point, I presumed I’d have to use syslog, after all, as that was given as the only alternative if the date format couldn’t be fixed properly. That wasn’t my preference, but it was still workable.
The second snag I found was that, after I fixed sip.conf to include appropriate deny= and permit= lines and alwaysauthreject=yes, the failed registration attempts were no longer being logged in /var/log/asterisk/full at all, despite my having the line full => notice,warning,error,debug,verbose in the logfiles section of logger.conf.
It seems that the attack was coming from a region that was denied in sip.conf. This is obviously no problem from the security point of view, as the attempt would inevitably fail; however, my issue isn't that the attack might succeed, but rather, that by responding to the attack at all, Asterisk is grinding my internet connection to a halt. And Asterisk is, indeed, still responding, rather than just ignoring the attempts.
Is there a way to get Asterisk to log failed SIP registration attempts that come from a denied IP address? Or a way to get it to simply ignore such attempts?
I have a feeling that a major Debian release has come out recently, and passed me by. I'm wondering if that contains Asterisk 1.6, and, if so, whether all these issues (date format as well as logging SIP registration attempts from denied IP addresses) might be present in that release. That would certainly present a neat solution: just upgrade my machine!
Any input very welcome.
Oh, if it's of any interest: I worked out what was going on by using tshark (terminal version of wireshark). In 20 seconds, it captured well over 7000 packets, rather than the 30 or so I was expecting, and these included about 4000 packets arriving from one host with SIP registration attempts, fully 200 per second.
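As an added illustration of the fail2ban side of the question (this is example code, not part of the original post and not fail2ban's or Asterisk's own code), the following script does what a fail2ban jail would do over /var/log/asterisk/full: it matches chan_sip's "Registration from ... failed for '<ip>'" NOTICE lines, applies a maxretry/findtime window per source address, and also measures the peak attempts per second per source, which is the figure that matters for the upload-bandwidth problem described above. It assumes the timestamp form produced by dateformat=%F %T inside square brackets, and the sample log lines are constructed for the example; it only finds attempts that actually reach the log, so it does not help with the denied-region case where Asterisk logs nothing.

```python
"""Fail2ban-style detection over Asterisk chan_sip registration failures.

Added example, not code from the original post. The log format below is
assumed: Asterisk 1.4 chan_sip NOTICE lines with logger.conf
dateformat=%F %T, i.e. "[YYYY-MM-DD HH:MM:SS] NOTICE[pid] chan_sip.c: ...".
All sample log lines are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the failed-registration notice; with alwaysauthreject=yes the
# reason text is the same for unknown and known peers, so we match any reason.
LOG_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[0-9.]+)' - (?P<reason>.*)$"
)

# Constructed sample: one host hammering registrations, one legitimate user
# mistyping a password twice, and one unrelated VERBOSE line as noise.
SAMPLE_LOG = """\
[2009-08-20 10:15:01] NOTICE[4321] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.7' - Wrong password
[2009-08-20 10:15:01] NOTICE[4321] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '198.51.100.7' - Wrong password
[2009-08-20 10:15:02] NOTICE[4321] chan_sip.c: Registration from '"102" <sip:102@203.0.113.5>' failed for '198.51.100.7' - Wrong password
[2009-08-20 10:15:02] VERBOSE[4321] logger.c:     -- Registered SIP 'alice' at 192.0.2.10 port 5060
[2009-08-20 10:15:03] NOTICE[4321] chan_sip.c: Registration from '"103" <sip:103@203.0.113.5>' failed for '198.51.100.7' - Wrong password
[2009-08-20 10:15:03] NOTICE[4321] chan_sip.c: Registration from '"104" <sip:104@203.0.113.5>' failed for '198.51.100.7' - Wrong password
[2009-08-20 10:16:00] NOTICE[4321] chan_sip.c: Registration from '"alice" <sip:alice@203.0.113.5>' failed for '192.0.2.10' - Wrong password
[2009-08-20 10:16:30] NOTICE[4321] chan_sip.c: Registration from '"alice" <sip:alice@203.0.113.5>' failed for '192.0.2.10' - Wrong password
"""


def parse_line(line):
    """Return {'ts', 'ip', 'reason'} for a failed-registration line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "ip": m.group("ip"),
        "reason": m.group("reason"),
    }


def find_offenders(lines, maxretry=5, findtime=600):
    """Mirror fail2ban's maxretry/findtime: an IP is flagged when it has
    maxretry failures within any findtime-second window. Returns
    {ip: timestamp at which the threshold was first crossed}."""
    hits = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["ip"] in banned:
            continue
        q = hits[ev["ip"]]
        q.append(ev["ts"])
        # Drop failures older than the window, measured from the newest hit.
        while (ev["ts"] - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[ev["ip"]] = ev["ts"]
    return banned


def peak_rate_per_second(lines):
    """Highest number of failed registrations any single IP produced within
    one wall-clock second; this is the load Asterisk is answering."""
    per_second = defaultdict(int)   # (ip, second) -> count
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            per_second[(ev["ip"], ev["ts"])] += 1
    peak = defaultdict(int)
    for (ip, _), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    return dict(peak)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, when in find_offenders(lines).items():
        print(f"ban {ip} (threshold crossed at {when})")
    print("peak attempts/second:", peak_rate_per_second(lines))
```

Run against the real log with `find_offenders(open("/var/log/asterisk/full"))` after confirming that a line from that file actually matches `LOG_RE`; if logger.conf produces a different prefix, adjust the leading timestamp group the same way you would adjust fail2ban's failregex. Note that a ban derived from the log still arrives after Asterisk has already answered the first maxretry requests, so it limits but does not eliminate the upstream traffic.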