On 08/29/2018 08:07 PM, John Covici wrote:
I wonder if I could have that patch, maybe I could add it to my
fail2ban regexp and if you have the correct regexp, I would appreciate
that as well.

Thanks.

On Wed, 29 Aug 2018 19:18:29 -0400,
Telium Support Group wrote:

Depending on log trolling (Asterisk security log) misses a lot, and also 
depends on the SIP/PJSIP folks to not change message structure (which has 
already happened numerous times).  If you are comfortable hacking chan_sip.c 
you may prefer to get the same messages from the AMI.  It still misses a lot 
but that approach is better than nothing.

Digium warns not to use fail2ban / log trolling as a security system: 
http://forums.asterisk.org/viewtopic.php?p=159984


-----Original Message-----
From: asterisk-users [mailto:asterisk-users-boun...@lists.digium.com] On Behalf 
Of sean darcy
Sent: Wednesday, August 29, 2018 6:33 PM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] getting invites to rtp ports ??

On 08/29/2018 11:59 AM, Telium Support Group wrote:
Blocking a single IP is the wrong approach (whack-a-mole).  You should consider a 
more comprehensive approach to securing your VoIP environment.  Have a look at 
this wiki:

https://www.voip-info.org/asterisk-security/



-----Original Message-----
From: asterisk-users [mailto:asterisk-users-boun...@lists.digium.com]
On Behalf Of sean darcy
Sent: Wednesday, August 29, 2018 10:46 AM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] getting invites to rtp ports ??

On 08/29/2018 09:42 AM, Carlos Rojas wrote:
Hi

Probably somebody is trying to hack your system, you should block
that ip on your firewall.

Regards

On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandar...@gmail.com> wrote:

      I'm getting invites to very high ports every 30 seconds from a
      particular ip address:

      Retransmitting #10 (NAT) to 5.199.133.128:52734:
      SIP/2.0 401 Unauthorized
      Via: SIP/2.0/UDP
      0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
      From: <sip:37120116780191250@67.80.191.250>;tag=1872048972
      To: <sip:3712011972592181418@67.80.191.250>;tag=as3a52e748
      Call-ID: 1504207870-295758084-609228182
      CSeq: 1 INVITE
      .......
      WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
      1504207870-295758084-609228182...

      I thought invites had to go to port 5060 or so. I don't understand
      why somebody (let's assume a bad guy) is trying ports above 50000.

      sean



Ok, so the high port is not the destination port but the source port.

So I hacked the log warning in chan_sip.c on non-critical invites to show the 
source ip:

ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
        pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));

With that in the log, I'm now blocking the ip addresses.

Thanks,
sean


--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Astricon is coming up October 9-11!  Signup is available at:
https://www.asterisk.org/community/astricon-user-conference

Check out the new Asterisk community forum at:
https://community.asterisk.org/


I agree. That's why I hacked chan_sip.c to get the addresses in the log.

I'm surprised they're not in the log by default. I must be the only person who gets these 
"non-critical invites".

sean







The patch, more accurately a hack, is in my second post above.

chan_sip.c 4127 : ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n", pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));

The added second %s shows the ip address of the pkt owner.

I wouldn't submit it in a coding class !

sean
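Since John asked for a fail2ban regexp for the patched warning line, here is an added example (my own code, not from the thread, from Asterisk or from fail2ban) that runs a fail2ban-style failregex over a few constructed log lines and applies the same maxretry/findtime counting fail2ban does. The WARNING line format is taken from the ast_log call Sean posted plus the "WARNING[pid]: chan_sip.c:4127 retrans_pkt:" prefix shown in his first message; the "[YYYY-MM-DD HH:MM:SS]" timestamp assumes logger.conf's dateformat=%F %T, and the second pattern for res_security_log's RemoteAddress="IPV4/UDP/ip/port" field is my assumption about that log's layout, not something quoted in the thread. The sample lines are constructed; the one from 5.199.133.128 mimics the 30-second cadence Sean reported, and 192.0.2.10 / 198.51.100.7 are documentation addresses standing in for a legitimate phone and a single failed registration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern for the modified chan_sip.c warning from the thread.  In a real
# filter.d/asterisk-retrans.conf the address group would be written as the
# <HOST> token; the explicit IPv4 group here is a stand-in so this runs alone.
HACKED_TIMEOUT_RE = re.compile(
    r"WARNING\[\d+\]: chan_sip\.c:\d+ retrans_pkt: "
    r"Timeout on \S+ non-critic invite trans from "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}):\d+\."
)

# Assumed layout of Asterisk's security log (res_security_log): the remote
# peer appears as RemoteAddress="IPV4/<transport>/<ip>/<port>".
SECURITY_LOG_RE = re.compile(
    r'SecurityEvent="(?P<event>InvalidAccountID|FailedACL|'
    r'ChallengeResponseFailed|InvalidPassword)"'
    r'.*RemoteAddress="IPV4/(?:UDP|TCP|TLS)/(?P<host>\d{1,3}(?:\.\d{1,3}){3})/\d+"'
)

# Assumed logger.conf dateformat=%F %T, i.e. "[2018-08-29 09:30:00]".
TIMESTAMP_RE = re.compile(r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")

# Constructed sample log.  Line 5 is the stock, unpatched warning (no address,
# so nothing can be extracted from it); the others carry a source address.
SAMPLE_LOG = """\
[2018-08-29 09:30:00] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182 non-critic invite trans from 5.199.133.128:52734.
[2018-08-29 09:30:30] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207871-295758085-609228183 non-critic invite trans from 5.199.133.128:52734.
[2018-08-29 09:31:00] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207872-295758086-609228184 non-critic invite trans from 5.199.133.128:52734.
[2018-08-29 09:31:05] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 77aa-1 non-critic invite trans from 192.0.2.10:5060.
[2018-08-29 09:31:10] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182...
[2018-08-29 09:32:00] SECURITY[150320] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2018-08-29T09:32:00.000-0400",Severity="Error",Service="SIP",EventVersion="2",AccountID="1001",SessionID="0x7f1",LocalAddress="IPV4/UDP/67.80.191.250/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5062"
"""


def parse_line(line):
    """Return (timestamp, host) if the line matches either pattern, else None."""
    m_ts = TIMESTAMP_RE.match(line)
    if not m_ts:
        return None
    ts = datetime.strptime(m_ts.group("ts"), "%Y-%m-%d %H:%M:%S")
    for pattern in (HACKED_TIMEOUT_RE, SECURITY_LOG_RE):
        m = pattern.search(line)
        if m:
            return ts, m.group("host")
    return None


def offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Emulate fail2ban's counting: a host is reported once it has at least
    maxretry matching lines whose timestamps fall within a findtime window."""
    recent = defaultdict(list)   # host -> timestamps still inside the window
    banned = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        window = [t for t in recent[host] if ts - t <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return sorted(banned)


if __name__ == "__main__":
    for host in offenders(SAMPLE_LOG.splitlines()):
        print("would ban", host)
```

With the default maxretry=3 only 5.199.133.128 crosses the threshold; the single timeouts from the phone and the one failed registration do not. Shrinking findtime below the 30-second spacing of the attacker's retries makes the count never reach three, which is the knob to watch when tuning a jail against slow scanners. To turn this into a real filter, drop the two regexes into a filter.d file as failregex with the host group replaced by <HOST>; the stock warning (line 5 of the sample) still yields nothing, which is the point Telium makes about log-based blocking missing traffic.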


