Getting Invites To Rtp Ports ??
I’m getting invites to very high ports every 30 seconds from a particular ip address:
Retransmitting #10 (NAT) to 5.199.133.128:52734:
SIP/2.0 401 Unauthorized Via: SIP/2.0/UDP
0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
From:
To:
Call-ID: 1504207870-295758084-609228182
CSeq: 1 INVITE
……. WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
1504207870-295758084-609228182…
I thought invites had to go to port 5060 or so. I don’t understand why somebody (let’s assume a bad guy) is trying ports above 50000.
sean
—
21 thoughts on - Getting Invites To Rtp Ports ??
There is nothing that explicitly states that it has to be 5060, and in the case of the above it’s just a random source port.
—
Joshua Colp Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW – Huntsville, AL 35806 – US
Check us out at: http://www.digium.com & http://www.asterisk.org
—
Hi
Probably somebody is trying to hack your system, you should block that ip on your firewall.
Regards
Ok, so the high port is not the destination port but the source port.
So I hacked the log warning in chan_sip.c on non-critical invites to show the source ip:
ast_log(LOG_WARNING, “Timeout on %s non-critic invite trans from %s.\n”, pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
With that in the log, I’m now blocking the ip addresses.
Thanks, sean
—
Block a single IP is the wrong approach (whack-a-mole). You should consider a more comprehensive approach to securing your VoIP environment. Have a look at this wiki:
https://www.voip-info.org/asterisk-security/
—–Original Message—–
From: asterisk-users [mailto:asterisk-users-bounces@lists.digium.com] Ok, so the high port is not the destination port but the source port.
So I hacked the log warning in chan_sip.c on non-critical invites to show the source ip:
ast_log(LOG_WARNING, “Timeout on %s non-critic invite trans from %s.\n”, pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
With that in the log, I’m now blocking the ip addresses.
Thanks, sean
—
I agree. That’s why I hacked chan_sip.c to get the addresses in the log.
I’m surprised they’re not in the log by default. I must be the only person who gets these “non-critical invites”.
sean
—
Depending on log trolling (Asterisk security log) misses a lot, and also depends on the SIP/PJSIP folks to not change message structure (which has already happened numerous time). If you are comfortable hacking chan_sip.c you may prefer to get the same messages from the AMI. It still misses a lot but that approach is better than nothing.
Digium warns not to use fail2ban / log trolling as a security system: http://forums.asterisk.org/viewtopic.php?p=159984
—–Original Message—–
From: asterisk-users [mailto:asterisk-users-bounces@lists.digium.com] I agree. That’s why I hacked chan_sip.c to get the addresses in the log.
I’m surprised they’re not in the log by default. I must be the only person who gets these “non-critical invites”.
sean
—
I wonder if I could have that patch, maybe I could add it to my fail2ban regexp and if you have the correct regexp, I would apperciate that as well.
Thanks.
—
Your life is like a penny. You’re going to lose it. The question is:
How do you spend it?
John Covici wb2una
covici@ccs.covici.com
—
The patch, more accurately a hack, is in my second post above.
chan_sip.c 4127 : ast_log(LOG_WARNING, “Timeout on %s non-critic invite trans from %s.\n”, pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
The added second %s shows the ip address of the pkt owner.
I wouldn’t submit it in a coding class !
sean
—
OK, Thanks. I have a couple of questions — the line numbers do not match exactly, so can you tell me a couple of lines before and after the line in question? Also, when will this be logged, if its only during sip debug, I need to change it to log when I can see it more readily.
Thanks.
—
Your life is like a penny. You’re going to lose it. The question is:
How do you spend it?
John Covici wb2una
covici@ccs.covici.com
—
That’s some pretty old advice.
The rationale for *not* using general log messages with fail2ban still stands: the general WARNING/NOTICE/etc. log messages are subject to change between versions, and no one wants that to impact someone’s security. So you should not use those messages as input into fail2ban.
That rationale did lead to the ‘security’ event type in log messages. Security Event Logging – as it is called – got added into Asterisk quite some time ago. So long ago I’m really not sure which version. At a minimum, Asterisk 11, but I’m pretty sure it was in 10 as well.
Documentation for it can be found here:
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger
And here:
https://wiki.asterisk.org/wiki/display/AST/Logging+Configuration
Note that this also fires off AMI events (and ARI events, IIRC).
If, for whatever reason, you do not get a SECURITY log message or a corresponding event when something ‘bad’ happens, that would be worth some additional discussion. If anything, the events can be a bit chatty…
I agree, but is it possible to try over and over with anything other than the challenge warning in the security log as sean suggested and put a patch for?
—
Your life is like a penny. You’re going to lose it. The question is:
How do you spend it?
John Covici wb2una
covici@ccs.covici.com
—
Regarding this thread, I was wondering, why would anybody opens his firewall (for incoming traffic), for anybody else, besides his own SIP-provider?
Isn’t that the proper way for having your firewall configured: always, by default closed, unless explicitly required.
(but perhaps I’m missing a legitimate use-case)
Hans
—
SGVsbG8gSGFucyzCoAptYXliZSBJIGRvbid0IHJlbWJlciBTSVAgJiBBc3RlcmlzayB3ZWxsLCBi dXQgSSBUSElOSyBpdCdzIGFic29sdXRlbHkgcG9zc2libGUgdG8gcGxhY2UgYSBjYWxsIGZyb20g b25lIEFzdGVyaXNrIFNlcnZlciB0byBhbm90aGVyIG9uZSB3aXRob3V0IGF0IFNJUCBQcm92aWRl ciBpbiBiZXR3ZWVuLgpJbWFnaW5lIGEgKGJpZykgY29tcGFueSB3aXRoIGJyYW5jaGVzIHJ1bm5p bmcgYSBzZXJ2ZXIgYXQgZXZlcnkgc2l0ZS4KQnV0IG1heWJlIEknbSB3cm9uZy4uLi4KQnV0IGZv ciBvdGhlciBzZXR1cHMgeW91J3JlIHJpZ2h0LiBGb3IgZXhhbXBsZSwgb24gbXkgYXN0ZXJpc2sg bWFjaGluZSBmaXJld2FsbCBpcyBjbG9zZWQgZXhjZXB0IHRoZSAoZmV3KSBJUCBhZHJlc3NlcyBt eSBTSVAgcHJvdmlkZXIgdG9sZCBtZQpOb3JiZXJ0Ci0tLS0tLS0tIFVyc3Byw7xuZ2xpY2hlIE5h Y2hyaWNodCAtLS0tLS0tLVZvbjogYXN0ZXJpc2tAYS1kb21hbmkubmwgRGF0dW06IDMwLjA4LjE4
ICAxMjowNCAgKEdNVCswMjowMCkgQW46IEFzdGVyaXNrIFVzZXJzIE1haWxpbmcgTGlzdCAtIE5v bi1Db21tZXJjaWFsIERpc2N1c3Npb24gPGFzdGVyaXNrLXVzZXJzQGxpc3RzLmRpZ2l1bS5jb20+
IEJldHJlZmY6IFJlOiBbYXN0ZXJpc2stdXNlcnNdIGdldHRpbmcgaW52aXRlcyB0byBydHAgcG9y dHMgPz8gClJlZ2FyZGluZyB0aGlzIHRocmVhZCwKSSB3YXMgd29uZGVyaW5nLCB3aHkgd291bGQg YW55Ym9keSBvcGVucyBoaXMgZmlyZXdhbGwgKGZvciBpbmNvbWluZyAKdHJhZmZpYyksIGZvciBh bnlib2R5IGVsc2UsIGJlc2lkZXMgaGlzIG93biBTSVAtcHJvdmlkZXI/CgpJc24ndCB0aGF0IHRo ZSBwcm9wZXIgd2F5IGZvciBoYXZpbmcgeW91ciBmaXJld2FsbCBjb25maWd1cmVkOiBhbHdheXMs IApieSBkZWZhdWx0IGNsb3NlZCwgdW5sZXNzIGV4cGxpY2l0bHkgcmVxdWlyZWQuCihidXQgcGVy aGFwcyBJJ20gbWlzc2luZyBhIGxlZ2l0aW1hdGUgdXNlLWNhc2UpCgpIYW5zCgpPbiAyMDE4LTA4
LTMwIDA0OjUyLCBNYXR0aGV3IEpvcmRhbiB3cm90ZToKPiBPbiBXZWQsIEF1ZyAyOSwgMjAxOCBh dCA2OjIwIFBNIFRlbGl1bSBTdXBwb3J0IEdyb3VwCj4gPHN1cHBvcnRAdGVsaXVtLmNhPiB3cm90
ZToKPiAKPj4gRGVwZW5kaW5nIG9uIGxvZyB0cm9sbGluZyAoQXN0ZXJpc2sgc2VjdXJpdHkgbG9n KSBtaXNzZXMgYSBsb3QsIGFuZAo+PiBhbHNvIGRlcGVuZHMgb24gdGhlIFNJUC9QSlNJUCBmb2xr cyB0byBub3QgY2hhbmdlIG1lc3NhZ2Ugc3RydWN0dXJlCj4+ICh3aGljaCBoYXMgYWxyZWFkeSBo YXBwZW5lZCBudW1lcm91cyB0aW1lKS7CoCBJZsKgIHlvdSBhcmUgY29tZm9ydGFibGUKPj4gaGFj a2luZyBjaGFuX3NpcC5jIHlvdSBtYXkgcHJlZmVyIHRvIGdldCB0aGUgc2FtZSBtZXNzYWdlcyBm cm9tIHRoZQo+PiBBTUkuwqAgSXQgc3RpbGwgbWlzc2VzIGEgbG90IGJ1dCB0aGF0IGFwcHJvYWNo IGlzIGJldHRlciB0aGFuCj4+IG5vdGhpbmcuCj4+IAo+PiBEaWdpdW0gd2FybnMgbm90IHRvIHVz ZSBmYWlsMmJhbiAvIGxvZyB0cm9sbGluZyBhcyBhIHNlY3VyaXR5Cj4+IHN5c3RlbTogaHR0cDov L2ZvcnVtcy5hc3Rlcmlzay5vcmcvdmlld3RvcGljLnBocD9wPTE1OTk4NAo+IAo+IFRoYXQncyBz b21lIHByZXR0eSBvbGQgYWR2aWNlLgo+IAo+IFRoZSByYXRpb25hbGUgZm9yICpub3QqIHVzaW5n IGdlbmVyYWwgbG9nIG1lc3NhZ2VzIHdpdGggZmFpbDJiYW4gc3RpbGwKPiBzdGFuZHM6IHRoZSBn ZW5lcmFsIFdBUk5JTkcvTk9USUNFL2V0Yy4gbG9nIG1lc3NhZ2VzIGFyZSBzdWJqZWN0IHRvCj4g Y2hhbmdlIGJldHdlZW4gdmVyc2lvbnMsIGFuZCBubyBvbmUgd2FudHMgdGhhdCB0byBpbXBhY3Qg c29tZW9uZSdzCj4gc2VjdXJpdHkuIFNvIHlvdSBzaG91bGQgbm90IHVzZSB0aG9zZSBtZXNzYWdl cyBhcyBpbnB1dCBpbnRvIGZhaWwyYmFuLgo+IAo+IFRoYXQgcmF0aW9uYWxlIGRpZCBsZWFkIHRv IHRoZSAnc2VjdXJpdHknIGV2ZW50IHR5cGUgaW4gbG9nIG1lc3NhZ2VzLgo+IFNlY3VyaXR5IEV2
ZW50IExvZ2dpbmcgLSBhcyBpdCBpcyBjYWxsZWQgLSBnb3QgYWRkZWQgaW50byBBc3Rlcmlzawo+
IHF1aXRlIHNvbWUgdGltZSBhZ28uIFNvIGxvbmcgYWdvIEknbSByZWFsbHkgbm90IHN1cmUgd2hp Y2ggdmVyc2lvbi4gQXQKPiBhIG1pbmltdW0sIEFzdGVyaXNrIDExLCBidXQgSSdtIHByZXR0eSBz dXJlIGl0IHdhcyBpbiAxMCBhcyB3ZWxsLgo+IAo+IERvY3VtZW50YXRpb24gZm9yIGl0IGNhbiBi ZSBmb3VuZCBoZXJlOgo+IAo+IGh0dHBzOi8vd2lraS5hc3Rlcmlzay5vcmcvd2lraS9kaXNwbGF5
L0FTVC9Bc3RlcmlzaytTZWN1cml0eStFdmVudCtMb2dnZXIKPiAKPiBBbmQgaGVyZToKPiAKPiBo dHRwczovL3dpa2kuYXN0ZXJpc2sub3JnL3dpa2kvZGlzcGxheS9BU1QvTG9nZ2luZytDb25maWd1
cmF0aW9uCj4gCj4gTm90ZSB0aGF0IHRoaXMgYWxzbyBmaXJlcyBvZmYgQU1JIGV2ZW50cyAoYW5k IEFSSSBldmVudHMsIElJUkMpLgo+IAo+IElmLCBmb3Igd2hhdGV2ZXIgcmVhc29uLCB5b3UgZG8g bm90IGdldCBhIFNFQ1VSSVRZIGxvZyBtZXNzYWdlIG9yIGEKPiBjb3JyZXNwb25kaW5nIGV2ZW50
IHdoZW4gc29tZXRoaW5nICdiYWQnIGhhcHBlbnMsIHRoYXQgd291bGQgYmUgd29ydGgKPiBzb21l IGFkZGl0aW9uYWwgZGlzY3Vzc2lvbi4gSWYgYW55dGhpbmcsIHRoZSBldmVudHMgY2FuIGJlIGEg Yml0Cj4gY2hhdHR5Li4uCj4gCj4+IC0tLS0tT3JpZ2luYWwgTWVzc2FnZS0tLS0tCj4+IEZyb206
IGFzdGVyaXNrLXVzZXJzCj4+IFttYWlsdG86YXN0ZXJpc2stdXNlcnMtYm91bmNlc0BsaXN0cy5k aWdpdW0uY29tXSBPbiBCZWhhbGYgT2Ygc2Vhbgo+PiBkYXJjeQo+PiBTZW50OiBXZWRuZXNkYXks IEF1Z3VzdCAyOSwgMjAxOCA2OjMzIFBNCj4+IFRvOiBhc3Rlcmlzay11c2Vyc0BsaXN0cy5kaWdp dW0uY29tCj4+IFN1YmplY3Q6IFJlOiBbYXN0ZXJpc2stdXNlcnNdIGdldHRpbmcgaW52aXRlcyB0
byBydHAgcG9ydHMgPz8KPj4gCj4+IE9uIDA4LzI5LzIwMTggMTE6NTkgQU0sIFRlbGl1bSBTdXBw b3J0IEdyb3VwIHdyb3RlOgo+Pj4gQmxvY2sgYSBzaW5nbGUgSVAgaXMgdGhlIHdyb25nIGFwcHJv YWNoICh3aGFjay1hLW1vbGUpLsKgIFlvdQo+PiBzaG91bGQgY29uc2lkZXIgYSBtb3JlIGNvbXBy ZWhlbnNpdmUgYXBwcm9hY2ggdG8gc2VjdXJpbmcgeW91ciBWb0lQCj4+IGVudmlyb25tZW50LsKg IEhhdmUgYSBsb29rIGF0IHRoaXMgd2lraToKPj4+IAo+Pj4gaHR0cHM6Ly93d3cudm9pcC1pbmZv Lm9yZy9hc3Rlcmlzay1zZWN1cml0eS8KPj4+IAo+Pj4gCj4+PiAKPj4+IC0tLS0tT3JpZ2luYWwg TWVzc2FnZS0tLS0tCj4+PiBGcm9tOiBhc3Rlcmlzay11c2Vycwo+PiBbbWFpbHRvOmFzdGVyaXNr LXVzZXJzLWJvdW5jZXNAbGlzdHMuZGlnaXVtLmNvbV0KPj4+IE9uIEJlaGFsZiBPZiBzZWFuIGRh cmN5Cj4+PiBTZW50OiBXZWRuZXNkYXksIEF1Z3VzdCAyOSwgMjAxOCAxMDo0NiBBTQo+Pj4gVG86
IGFzdGVyaXNrLXVzZXJzQGxpc3RzLmRpZ2l1bS5jb20KPj4+IFN1YmplY3Q6IFJlOiBbYXN0ZXJp c2stdXNlcnNdIGdldHRpbmcgaW52aXRlcyB0byBydHAgcG9ydHMgPz8KPj4+IAo+Pj4gT24gMDgv MjkvMjAxOCAwOTo0MiBBTSwgQ2FybG9zIFJvamFzIHdyb3RlOgo+Pj4+IEhpCj4+Pj4gCj4+Pj4g UHJvYmFibHkgc29tZWJvZHkgaXMgdHJ5aW5nIHRvIGhhY2sgeW91ciBzeXN0ZW0sIHlvdSBzaG91
bGQgYmxvY2sKPj4gCj4+Pj4gdGhhdCBpcCBvbiB5b3VyIGZpcmV3YWxsLgo+Pj4+IAo+Pj4+IFJl Z2FyZHMKPj4+PiAKPj4+PiBPbiBXZWQsIEF1ZyAyOSwgMjAxOCBhdCA5OjM0IEFNLCBzZWFuIGRh cmN5IDxzZWFuZGFyY3kyQGdtYWlsLmNvbQo+PiAKPj4+PiA8bWFpbHRvOnNlYW5kYXJjeTJAZ21h aWwuY29tPj4gd3JvdGU6Cj4+Pj4gCj4+Pj4gSSdtIGdldHRpbmcgaW52aXRlcyB0byB2ZXJ5IGhp Z2ggcG9ydHMgZXZlcnkgMzAgc2Vjb25kcyBmcm9tCj4+IGEKPj4+PiBwYXJ0aWN1bGFyIGlwIGFk ZHJlc3M6Cj4+Pj4gCj4+Pj4gUmV0cmFuc21pdHRpbmcgIzEwIChOQVQpIHRvIDUuMTk5LjEzMy4x Mjg6NTI3MzQgWzFdCj4+Pj4gPGh0dHA6Ly81LjE5OS4xMzMuMTI4OjUyNzM0PjoKPj4+PiBTSVAv Mi4wIDQwMSBVbmF1dGhvcml6ZWQKPj4+PiBWaWE6IFNJUC8yLjAvVURQCj4+Pj4gCj4+IAo+IDAu MC4wLjA6NTI3MzQ7YnJhbmNoPXo5aEc0YksxMjA3MjU1MzUzO3JlY2VpdmVkPTUuMTk5LjEzMy4x Mjg7cnBvcnQ9NTI3MzQKPj4+PiBGcm9tOiA8c2lwOjM3MTIwMTE2NzgwMTkxMjUwQDY3LjgwLjE5
MS4yNTAKPj4+PiAKPj4gPG1haWx0bzpzaXAlM0EzNzEyMDExNjc4MDE5MTI1MEA2Ny44MC4xOTEu MjUwPj47dGFnPTE4NzIwNDg5NzIKPj4+PiBUbzogPHNpcDozNzEyMDExOTcyNTkyMTgxNDE4QDY3
LjgwLjE5MS4yNTAKPj4+PiAKPj4gPG1haWx0bzpzaXAlM0EzNzEyMDExOTcyNTkyMTgxNDE4QDY3
LjgwLjE5MS4yNTA+Pjt0YWc9YXMzYTUyZTc0OAo+Pj4+IENhbGwtSUQ6IDE1MDQyMDc4NzAtMjk1
NzU4MDg0LTYwOTIyODE4Mgo+Pj4+IENTZXE6IDEgSU5WSVRFCj4+Pj4gLi4uLi4uLgo+Pj4+IFdB
Uk5JTkdbMTUwMzE4XTogY2hhbl9zaXAuYzo0MTI3IHJldHJhbnNfcGt0OiBUaW1lb3V0IG9uCj4+
Pj4gMTUwNDIwNzg3MC0yOTU3NTgwODQtNjA5MjI4MTgyLi4uCj4+Pj4gCj4+Pj4gSSB0aG91Z2h0
IGludml0ZXMgaGFkIHRvIGdvIHRvIHBvcnQgNTA2MCBvciBzby4gSSBkb24ndAo+PiB1bmRlcnN0
YW5kCj4+Pj4gd2h5IHNvbWVib2R5IChsZXQncyBhc3N1bWUgYSBiYWQgZ3V5KSBpcyB0cnlpbmcg cG9ydHMgYWJvdmUKPj4gNTAwMDAuCj4+Pj4gCj4+Pj4gc2Vhbgo+Pj4+IAo+Pj4+IAo+Pj4gCj4+
PiBPaywgc28gdGhlIGhpZ2ggcG9ydCBpcyBub3QgdGhlIGRlc3RpbmF0aW9uIHBvcnQgYnV0IHRo ZSBzb3VyY2UKPj4gcG9ydC4KPj4+IAo+Pj4gU28gSSBoYWNrZWQgdGhlIGxvZyB3YXJuaW5nIGlu IGNoYW5fc2lwLmMgb24gbm9uLWNyaXRpY2FsIGludml0ZXMKPj4gdG8gc2hvdyB0aGUgc291cmNl IGlwOgo+Pj4gCj4+PiBhc3RfbG9nKExPR19XQVJOSU5HLCAiVGltZW91dCBvbiAlcyBub24tY3Jp dGljIGludml0ZSB0cmFucyBmcm9tCj4+PiAlcy5cbiIsCj4+PiAKPj4gCj4gcGt0LT5vd25lci0+
Y2FsbGlkLGFzdF9zb2NrYWRkcl9zdHJpbmdpZnkoc2lwX3JlYWxfZHN0KHBrdC0+b3duZXIpKSk7
Cj4+PiAKPj4+IFdpdGggdGhhdCBpbiB0aGUgbG9nLCBJJ20gbm93IGJsb2NraW5nIHRoZSBpcCBh ZGRyZXNzZXMuCj4+PiAKPj4+IFRoYW5rcywKPj4+IHNlYW4KPj4+IAo+Pj4gCj4+PiAtLQo+Pj4g Cj4+IAo+IF9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fXwo+Pj4gLS0gQmFuZHdpZHRoIGFuZCBDb2xvY2F0aW9uIFByb3Zp ZGVkIGJ5IGh0dHA6Ly93d3cuYXBpLWRpZ2l0YWwuY29tCj4+IC0tCj4+PiAKPj4+IEFzdHJpY29u IGlzIGNvbWluZyB1cCBPY3RvYmVyIDktMTEhwqAgU2lnbnVwIGlzIGF2YWlsYWJsZSBhdDoKPj4+
IGh0dHBzOi8vd3d3LmFzdGVyaXNrLm9yZy9jb21tdW5pdHkvYXN0cmljb24tdXNlci1jb25mZXJl bmNlCj4+PiAKPj4+IENoZWNrIG91dCB0aGUgbmV3IEFzdGVyaXNrIGNvbW11bml0eSBmb3J1bSBh dDoKPj4+IGh0dHBzOi8vY29tbXVuaXR5LmFzdGVyaXNrLm9yZy8KPj4+IAo+PiAKPj4gSSBhZ3Jl ZS4gVGhhdCdzIHdoeSBJIGhhY2tlZCBjaGFuX3NpcC5jIHRvIGdldCB0aGUgYWRkcmVzc2VzIGlu IHRoZQo+PiBsb2cuCj4+IAo+PiBJJ20gc3VycHJpc2VkIHRoZXkncmUgbm90IGluIHRoZSBsb2cg YnkgZGVmYXVsdC4gSSBtdXN0IGJlIHRoZSBvbmx5Cj4+IHBlcnNvbiB3aG8gZ2V0cyB0aGVzZSAi bm9uLWNyaXRpY2FsIGludml0ZXMiLgo+PiAKPj4gc2Vhbgo+PiAKPj4gLS0KPj4gCj4gX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fCj4+IC0tIEJhbmR3aWR0aCBhbmQgQ29sb2NhdGlvbiBQcm92aWRlZCBieSBodHRwOi8v d3d3LmFwaS1kaWdpdGFsLmNvbQo+PiAtLQo+PiAKPj4gQXN0cmljb24gaXMgY29taW5nIHVwIE9j dG9iZXIgOS0xMSHCoCBTaWdudXAgaXMgYXZhaWxhYmxlIGF0Ogo+PiBodHRwczovL3d3dy5hc3Rl cmlzay5vcmcvY29tbXVuaXR5L2FzdHJpY29uLXVzZXItY29uZmVyZW5jZQo+PiAKPj4gQ2hlY2sg b3V0IHRoZSBuZXcgQXN0ZXJpc2sgY29tbXVuaXR5IGZvcnVtIGF0Ogo+PiBodHRwczovL2NvbW11
bml0eS5hc3Rlcmlzay5vcmcvCj4+IAo+PiBOZXcgdG8gQXN0ZXJpc2s/IFN0YXJ0IGhlcmU6Cj4+
IGh0dHBzOi8vd2lraS5hc3Rlcmlzay5vcmcvd2lraS9kaXNwbGF5L0FTVC9HZXR0aW5nK1N0YXJ0
ZWQKPj4gCj4+IGFzdGVyaXNrLXVzZXJzIG1haWxpbmcgbGlzdAo+PiBUbyBVTlNVQlNDUklCRSBv ciB1cGRhdGUgb3B0aW9ucyB2aXNpdDoKPj4gaHR0cDovL2xpc3RzLmRpZ2l1bS5jb20vbWFpbG1h bi9saXN0aW5mby9hc3Rlcmlzay11c2Vycwo+PiAKPj4gLS0KPj4gCj4gX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fCj4+
IC0tIEJhbmR3aWR0aCBhbmQgQ29sb2NhdGlvbiBQcm92aWRlZCBieSBodHRwOi8vd3d3LmFwaS1k aWdpdGFsLmNvbQo+PiAtLQo+PiAKPj4gQXN0cmljb24gaXMgY29taW5nIHVwIE9jdG9iZXIgOS0x MSHCoCBTaWdudXAgaXMgYXZhaWxhYmxlIGF0Ogo+PiBodHRwczovL3d3dy5hc3Rlcmlzay5vcmcv Y29tbXVuaXR5L2FzdHJpY29uLXVzZXItY29uZmVyZW5jZQo+PiAKPj4gQ2hlY2sgb3V0IHRoZSBu ZXcgQXN0ZXJpc2sgY29tbXVuaXR5IGZvcnVtIGF0Ogo+PiBodHRwczovL2NvbW11bml0eS5hc3Rl cmlzay5vcmcvCj4+IAo+PiBOZXcgdG8gQXN0ZXJpc2s/IFN0YXJ0IGhlcmU6Cj4+IGh0dHBzOi8v d2lraS5hc3Rlcmlzay5vcmcvd2lraS9kaXNwbGF5L0FTVC9HZXR0aW5nK1N0YXJ0ZWQKPj4gCj4+
IGFzdGVyaXNrLXVzZXJzIG1haWxpbmcgbGlzdAo+PiBUbyBVTlNVQlNDUklCRSBvciB1cGRhdGUg b3B0aW9ucyB2aXNpdDoKPj4gaHR0cDovL2xpc3RzLmRpZ2l1bS5jb20vbWFpbG1hbi9saXN0aW5m by9hc3Rlcmlzay11c2Vycwo+IAo+IC0tCj4gTWF0dGhldyBKb3JkYW4KPiBEaWdpdW0sIEluYy4g fCBDVE8KPiA0NDUgSmFuIERhdmlzIERyaXZlIE5XIC0gSHVudHN2aWxsZSwgQUwgMzU4MDYgLSBV
U0EKPiBDaGVjayB1cyBvdXQgYXQ6IGh0dHA6Ly9kaWdpdW0uY29tICYgaHR0cDovL2FzdGVyaXNr Lm9yZwo+IAo+IExpbmtzOgo+IC0tLS0tLQo+IFsxXSBodHRwOi8vNS4xOTkuMTMzLjEyODo1Mjcz NAoKLS0gCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fXwotLSBCYW5kd2lkdGggYW5kIENvbG9jYXRpb24gUHJvdmlkZWQg YnkgaHR0cDovL3d3dy5hcGktZGlnaXRhbC5jb20gLS0KCkFzdHJpY29uIGlzIGNvbWluZyB1cCBP
Y3RvYmVyIDktMTEhwqAgU2lnbnVwIGlzIGF2YWlsYWJsZSBhdDogaHR0cHM6Ly93d3cuYXN0ZXJp c2sub3JnL2NvbW11bml0eS9hc3RyaWNvbi11c2VyLWNvbmZlcmVuY2UKCkNoZWNrIG91dCB0aGUg bmV3IEFzdGVyaXNrIGNvbW11bml0eSBmb3J1bSBhdDogaHR0cHM6Ly9jb21tdW5pdHkuYXN0ZXJp c2sub3JnLwoKTmV3IHRvIEFzdGVyaXNrPyBTdGFydCBoZXJlOgrCoMKgwqDCoMKgIGh0dHBzOi8v d2lraS5hc3Rlcmlzay5vcmcvd2lraS9kaXNwbGF5L0FTVC9HZXR0aW5nK1N0YXJ0ZWQKCmFzdGVy aXNrLXVzZXJzIG1haWxpbmcgbGlzdApUbyBVTlNVQlNDUklCRSBvciB1cGRhdGUgb3B0aW9ucyB2
aXNpdDoKwqDCoCBodHRwOi8vbGlzdHMuZGlnaXVtLmNvbS9tYWlsbWFuL2xpc3RpbmZvL2FzdGVy aXNrLXVzZXJz
Also, if you have extensions which are external and you don’t know their ip addresses.
—
Your life is like a penny. You’re going to lose it. The question is:
How do you spend it?
John Covici wb2una
covici@ccs.covici.com
—
Hi Norbert,
Yes, you’re correct. one can make SIP-calls directly without a provider
(or even asterisk) in between. Had to do that long time ago on Asterisk-course. But why would you want to do that? Playing with technique? Great, but then you are at home/lab.
And a company with multiple branches, could have PBX forwarding their calls, not the individual users setting them up towards a remote PBX.
In case of road-warriers (not knowing their current and ever changing IP-address)… I presume they ought to use a VPN for connecting to their office (thus becoming an internal and trusted network-entity).
Hans
—
FYI: We have found that Fail2Ban has not been as effective as it has in the past (more with web provisioning servers then with SIP) as once the attackers think they have a system they can compromise they will change their IP’s and keep trying over and over.
I don’t think I understand your question.
You shouldn’t need a patch if you are using the SECURITY log. The thread above is suggesting patching the source code to hijack a WARNING message for the purposes of tracing security information; my point is that you should have a specific SECURITY log message that already serves that purpose.
The message currently in the log is not a security message and does not contain the ip address, would it be useful to block ip address from that message or is the challenge message sufficient?
—
Your life is like a penny. You’re going to lose it. The question is:
How do you spend it?
John Covici wb2una
covici@ccs.covici.com
—
13.21.0-rc1 chan_sip.c :
4125- }
4126- } else if (pkt->owner->pendinginvite == pkt->seqno) {
4127: ast_log(LOG_WARNING, “Timeout on %s non-critic invite trans from %s.\n”, pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
4128- pkt->owner->invitestate = INV_TERMINATED;
4129- pkt->owner->pendinginvite = 0;
The warning is logged with sip-debug.
BTW, this gives the destination address for the packet. What I’d really want is the source address (which is probably the same as the destination address, but…). However, my asterisk mojo is not sufficient to find the correct variable.
Anybody know how to print the source address ?
sean
—
Actually even the Security log (and AMI security event) is nothing more than failed dial/register attempts against Asterisk. There is no awareness of corrupt SIP attacks, detection of polling for insecure extensions, goefencing based on source IP (why allow connections from Russia if all of your uses are in Texas), detection of rapid dialing rates once connected to an IVR, etc.
So your entire security system is based on Asterisk saying a dial/register failed. That’s a small fraction of the attack types against, and attack surface offered by, PJSIP/SIP/Asterisk. Even worse, if you run a configuration generator (eg FreePBX)..well…do a google search to see the exploits that are published regularly. I realize FreePBX/Sangoma now owns Digium so that discussion should probably go no further.
So don’t get me wrong….fail2ban is way better than nothing. But it may instill a false sense of security. And that was Digium’s point in the post. So if the OP needs a free and fast solution against simple script kiddie attacks then installing fail2ban is a big thumbs up in my opinion.
There have been similar discussions in other groups as to why even have a firewall, since you can close ports not needed by your services. There are some people who are very passionate about their view that firewalls are a waste of time and money. Far be it from me to say they’re wrong…but I’ve tried to point them to some interesting articles.
If you are a pure open source advocate there are still a lot more tools you can use to secure you PBX. Think SNORT, I think pfsense offers a free database that’s accurate to a country level, etc. If you want commercial then there are even more options. But that’s the wrong forum for the biz stuff
I feel I tread on the edge of a holy war 🙂 So I’ll leave my thoughts here and go no further
From: asterisk-users [mailto:asterisk-users-bounces@lists.digium.com] I agree. That’s why I hacked chan_sip.c to get the addresses in the log.
I’m surprised they’re not in the log by default. I must be the only person who gets these “non-critical invites”.
sean
Hi. So, I applied the patch, works, but I could not figure out a fail2ban regex which will hit that line, have you got one I can use?
Thanks.
—
Your life is like a penny. You’re going to lose it. The question is:
How do you spend it?
John Covici wb2una
covici@ccs.covici.com
—