
Sip Insecure

Hi,

How to allow registered sip users to call without re-authentication

insecure =yes/very are deprecated in 1.8

I want to avoid fromuser= in peer configuration. When I add this in peer asterisk, my asterisk accepts call otherwise it says username mismatch.

Please help

Regards,
Zohair Raza

asterisk 1.8.8 – caller ID not working.

On 01/05/12 16:42, Joseph wrote:
>I just noticed after upgrade from Asterisk 1.4.39 to 1.8.8
>my caller ID is not working
>
>WARNING[1671]: chan_sip.c:13956 check_auth: username mismatch, have <11>, digest has
>NOTICE[1671]: chan_sip.c:22048 handle_request_invite: Failed to authenticate device “KMIEC Z” ;tag=1c976040515
>
>–
>Joseph
>
>–

I had this problem before and was able to solve it:

Asterisk fail2ban filters – show us yours

Hi,

In the thread “Interesting attack tonight & fail2ban them” Bruce B
mentioned it would be nice to have input from the Community to come up
with the best set of fail2ban filters. That’s a great idea. So let’s
start with Bruce’s filters (thanks!) and take it from there. Anyone have
any improvements and/or additions? Apologies for the line wrap. No idea
how to prevent that in Thunderbird. The filters are also at
http://pastebin.com/6T9M1W3F

Not sure but it may be possible that logging has changed between
Asterisk 1.4, 1.6, 1.8 and 10 so please mention the asterisk version
with your filters.

For Asterisk 1.8:

failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)

There are 2 lines that I have which are not in this list:

NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error \(permit/deny\)
NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

How about those (no idea for which Asterisk version they are)?

Regards,
Patrick
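The filters in this thread can be checked offline before they go into a jail. The following is an added example, not part of the original posts: it expands fail2ban's `<HOST>` tag into a simplified IPv4 group (an assumption; fail2ban's own expansion is broader) and runs four of the patterns over constructed Asterisk 1.8-style log lines.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Patterns discussed in this thread, in fail2ban form with the <HOST> tag.
FAILREGEX = [
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Constructed Asterisk 1.8-style lines; addresses, peers and line numbers are made up.
REG = "[2011-12-28 23:10:%02d] NOTICE[1671]: chan_sip.c:23375 handle_request_register: "
SAMPLE_LOG = [
    REG % 1 + "Registration from '\"100\" <sip:100@192.0.2.1>' failed for '198.51.100.7:5060' - Wrong password",
    REG % 2 + "Registration from '\"101\" <sip:101@192.0.2.1>' failed for '198.51.100.7:5060' - Wrong password",
    REG % 3 + "Registration from '\"admin\" <sip:admin@192.0.2.1>' failed for '198.51.100.7:5060' - No matching peer found",
    REG % 4 + "Registration from '\"200\" <sip:200@192.0.2.1>' failed for '203.0.113.9:5071' - Username/auth name mismatch",
    # Same shape as the 1.8.8 lines quoted on this page: "device", and no source address.
    "[2012-01-05 16:40:02] NOTICE[1671]: chan_sip.c:22048 handle_request_invite: "
    "Failed to authenticate device \"KMIEC Z\" <sip:11@192.0.2.1>;tag=1c976040515",
    "[2012-01-05 16:40:02] WARNING[1671]: chan_sip.c:13956 check_auth: "
    "username mismatch, have <11>, digest has <22>",
]

def offending_host(line):
    """Return the address captured by the first matching pattern, or None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def failures_per_host(lines):
    """Count matched failures per source address, as a jail would."""
    return Counter(h for h in map(offending_host, lines) if h)

def hosts_to_ban(lines, maxretry=3):
    """Addresses whose failure count reaches maxretry."""
    return sorted(h for h, n in failures_per_host(lines).items() if n >= maxretry)

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(offending_host(line), "<-", line[-60:])
    print("ban:", hosts_to_ban(SAMPLE_LOG))
```

The last two sample lines produce no match: the "Failed to authenticate user" pattern does not cover the "device" wording shown in the 1.8.8 log on this page, and the check_auth warning carries no address at all. Where a pattern takes the address from the URI after `@`, that value comes from the SIP From header supplied by the sender, not from the packet's source address.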

Interesting attack tonight & fail2ban them

You mentioned the IP, 208.122.57.58, where did you get that from?

Following are the defaults for Asterisk 1.8 (it would be great to have
others' input on this to strengthen this part of the filter):

failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)

Regards,

On Wed, Dec 28, 2011 at 11:50 PM, Michelle Dupuis wrote:

> I just realized there is no IP (host) in the message line, so no way for
> fail2ban to catch it.
>
> Other suggestions? Or will I have to code something into my dialplan….
>
>

Codec warnings after upgrade to 1.8

I’m getting various codec related warnings after upgrading to 1.8. Did I miss something in the UPGRADE file? Does Asterisk no longer transcode 8-)?

WARNING[11123]: channel.c:4909 ast_write: Codec mismatch on channel DAHDI/i1/12124221200-74 setting write format to g722 from ulaw native formats 0x4 (ulaw)

And

WARNING[11120]: channel.c:4909 ast_write: Codec mismatch on channel SIP/interglobe-sip-000001e6 setting write format to g722 from ulaw native formats 0x4 (ulaw)

instead of username

Hello,
Asterisk seems to try to authenticate incoming INVITE based on the [section]
in sip.conf and not the username specified.

I just removed the “insecure” option from my sip.conf requesting every
connection to be authenticated. I added the match_auth_username=yes in the
[general] section for extra security. To make it work, I have to use the
same [section] identifier as username. This is really bad because if
multiple providers are giving me the same username, it doesn’t work.

If I put the following data in sip.conf, it doesn’t work. Asterisk returns
the following error:

[2011-07-29 04:55:30] WARNING[9971]: chan_sip.c:13205 check_auth: username
mismatch, have , digest has

[GoodProvider]
username=myusername
auth=myusername
defaultuser=myusername
secret=verydifficultpass
type=friend
host=pbx.goodprovider.com
canreinvite=No
dtmfmode=rfc2833
context=from-outside
accountcode=GoodProvider
disallow=all
allow=ulaw

If I put the following data in sip.conf, it does work:

[myusername]
username=myusername
auth=myusername
defaultuser=myusername
secret=verydifficultpass
type=friend
host=pbx.goodprovider.com
canreinvite=No
dtmfmode=rfc2833
context=from-outside
accountcode=GoodProvider
disallow=all
allow=ulaw

I checked the INVITE from the “GoodProvider” and it is sending “myusername”.

Am I doing something wrong, or is Asterisk really checking the wrong section?

Leandro