Security AccountID Unknown

Security AccountID Unknown – PJSIP

Home » Asterisk Users » Security AccountID Unknown – PJSIP

September 27, 2019 Administrator TOOTAI Asterisk Users 4 Comments

Hi list,

I would like to now what is the sense of such type of entry in security.log

[2019-09-27 15:12:24] SECURITY[26964] res_security_log.c:
SecurityEvent=”ChallengeSent”,EventTV=”2019-09-27T15:12:24.181+0200″,Severity=”Informational”,Servic e=”PJSIP”,EventVersion=”1″,AccountID=”“, SessionID=”56b0ca9-d967a90d16411209-a1b0fae1@188.165.222.17”,LocalAddress=”IPV4/UDP//5060″, RemoteAddress=”IPV4/UDP//5213″,Challenge=””

We have a lot of such tries coming from IPs not allowed and fail2ban fail to ban them because of SecurityEvent not treated and Severity Informational.

We add a fail2ban filter to ban those IPs which is OK on our side but also means that attacker knows that account is not existing.

Any comment appreciate

Best Regards

—
Daniel

—

4 thoughts on - Security AccountID Unknown – PJSIP

Joshua Colp says:

September 30, 2019 at 4:48 am

SIP uses a challenge/response mechanism for authentication. The above indicates that a challenge was sent. The remote side is under no obligation to retry with authentication and may choose not to. If they did and failed another message would occur.

—
Joshua C. Colp Digium – A Sangoma Company | Senior Software Developer
445 Jan Davis Drive NW – Huntsville, AL 35806 – US
Check us out at: http://www.digium.com & http://www.asterisk.org

—
Administrator TOOTAI says:

September 30, 2019 at 8:55 am

Le 30/09/2019 à 11:45, Joshua C. Colp a écrit :

From security logs 26/09/2019 before we add our fail2ban rule:

EventTV=”2019-09-26T14:32:06.516+0200″,RemoteAddress=”IPV4/UDP/66.117.9.138/52488″

EventTV=”2019-09-26T14:32:45.748+0200″,RemoteAddress=”IPV4/UDP/66.117.9.138/57808″

EventTV=”2019-09-26T14:33:25.300+0200″,RemoteAddress=”IPV4/UDP/66.117.9.138/63211″

EventTV=”2019-09-26T14:34:04.527+0200″,RemoteAddress=”IPV4/UDP/66.117.9.138/51988″

In 2 minutes, the same IP address. We count 28862 tries from 11/09/2019
to 26/09/2019 coming *ONLY* from this IP address :(, average being 80
tries/hours.

If I understand you, there is no check between 2 authentication tries coming from the same IP address which doesn’t reply to a challenge ?

Thanks for your support

—
Daniel

—
Joshua Colp says:

September 30, 2019 at 9:00 am

There is not. Asterisk doesn’t keep track of such things.

—
Joshua C. Colp Digium – A Sangoma Company | Senior Software Developer
445 Jan Davis Drive NW – Huntsville, AL 35806 – US
Check us out at: http://www.digium.com & http://www.asterisk.org

—
Administrator TOOTAI says:

September 30, 2019 at 10:22 am

Le 30/09/2019 à 15:58, Joshua C. Colp a écrit :

OK, thanks
—
Daniel

—

Security AccountID Unknown – PJSIP

4 thoughts on - Security AccountID Unknown – PJSIP

Recommended

Recent Questions

Categories

FAQs Archive

Posts By Date

Recommended

Recent Questions

Categories

FAQs Archive

Posts By Date

4 thoughts on - Security AccountID Unknown – PJSIP

Recommended

Recent Questions

Frequent Terms

Categories

FAQs Archive

Posts By Date

Recommended

Frequent Terms

Recent Questions

Categories

FAQs Archive

Posts By Date