Why do you say the credentials are wrong? I guess I'm missing something from the log...? www_authorize is returning 1
Here's the register handling:

    # Create the transaction first so the reply can be sent statefully.
    if (!t_newtran()) {
        xlog("L_ERR", "Could not make new transaction REGISTER - M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");
        sl_reply_error();
        exit;
    }

    # www_authorize() returns 1 when the digest response matches the
    # subscriber table; negative values mean the credentials were rejected.
    $var(auth_code) = www_authorize("asterisk", "subscriber");
    xlog("L_INFO", "Auth attempt for $fU@$fd from $si on port $Rp ret $var(auth_code)");

    if ($var(auth_code) == -1 || $var(auth_code) == -2) {
        xlog("L_INFO", "Auth error for $fU@$fd from $si cause $var(auth_code)");
    }

    # Anything negative gets a fresh challenge and the script stops here.
    if ($var(auth_code) < 0) {
        www_challenge("asterisk", "0");
        exit;
    }

-- James

On Fri, Feb 3, 2012 at 3:23 PM, dotnetdub <dotnet...@gmail.com> wrote:
>
> On 3 February 2012 22:41, <duane.lar...@gmail.com> wrote:
>>
>> What does your whole REGISTER route look like? Maybe you are missing
>> something in there and it is allowing someone to register even though the
>> password is wrong.
>>
>
> Definitely an issue with your script. Somewhere in there you are rejecting
> credentials but carrying on anyway...
>
>> On , James Lamanna <jlama...@gmail.com> wrote:
>>> Hi,
>>>
>>> I know the phones are not on public IPs.
>>>
>>> Here is an opensips log of an attacker successfully registering
>>> (hashes have been scrubbed)
>>>
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_newtran: transaction on entrance=(nil)
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:parse_headers: flags=ffffffffffffffff
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:parse_headers: flags=78
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_lookup_request: start searching: hash=22639, isACK=0
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_lookup_request: proceeding to pre-RFC3261 transaction matching
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:t_lookup_request: no transaction found
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:tm:run_reqin_callbacks: trans=0x2b9c44a2a3e0, callback type 1, id 0 entered
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_nonce: comparing [4f2c3e2b00000c63c2838fdbc4296a91dd7866f0c9a7b89b] and [4f2c3e2b00000c63c2838fdbc4296a91dd7866f0c9a7b89b]
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:has_stmt_ctx: ctx found for subscriber
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: conn=0x7ee8c0 (tail=8315728) MC=0x7ee3b0
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: set values for the statement run
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_val2bind: added val (0): len=5; type=254; is_null=0
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: doing BIND_PARAM in...
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_do_prepared_query: prepared statement has 1 columns in result
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_new_result: allocate 48 bytes for result set at 0x7f2200
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_get_columns: 1 columns returned from the query
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_allocate_columns: allocate 28 bytes for result columns at 0x7f55a8
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_get_columns: RES_NAMES(0x7f55b0)[0]=[password]
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_get_columns: use DB_STRING result type
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_allocate_rows: allocate 48 bytes for result rows and values at 0x7fa080
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:db_mysql:db_mysql_str2val: converting STRING [........]
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth_db:get_ha1: HA1 string calculated: ....7ee7c3
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_response: our result = ....7f340e'
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_response: their response = '.....7f340e", algorithm=MD5#015#012User-Agent: VaxSIPUserAgent/3.0#015#012Expires:
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_response: authorization is OK
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:post_auth: nonce index= 3171
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_columns: freeing result columns at 0x7f55a8
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_rows: freeing 1 rows
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_row: freeing row values at 0x7fa090
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_rows: freeing rows at 0x7fa080
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: DBG:core:db_free_result: freeing result set at 0x7f2200
>>> Feb 3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: Auth attempt for xx...@yy.yy.yy.11 from 74.204.92.217 on port 5060 ret 1
>>>
>>> -- James
>>>
>>> On Thu, Feb 2, 2012 at 12:08 AM, Dovid Bender <os-l...@dovid.net> wrote:
>>>> James,
>>>>
>>>> We have found with our users that some of them put the phones on public
>>>> IP’s. If the default password is not changed, no matter how hard the
>>>> password is they will get in. Also try using characters like “@:^#” in your
>>>> passwords.
>>>>
>>>> Regards,
>>>>
>>>> Dovid
>>>>
>>>> ________________________________
>>>>
>>>> From: users-boun...@lists.opensips.org
>>>> [mailto:users-boun...@lists.opensips.org] On Behalf Of aws j
>>>> Sent: Thursday, February 02, 2012 06:08
>>>> To: OpenSIPS users mailing list
>>>> Subject: Re: [OpenSIPS-Users] SIP Authentication Attacks
>>>>
>>>> Dear Mr James
>>>> Can you send me your suspect file so I can do VoIP forensics on it.
>>>> thanks
>>>> Aws
>>>> Msc VoIP security
>>>>
>>>> 2012/2/1 James Lamanna <jlama...@gmail.com>
>>>>
>>>> Hi,
>>>> I've noticed lately that a server of mine is getting repeatedly hit by
>>>> an attacker trying to make international calls.
>>>> The scary part is that the attacker seems to be able to register
>>>> correctly on different extensions, even though each extension has a
>>>> different, random password.
>>>> I'm not sure how the attacker is getting the passwords or if there's a
>>>> man-in-the-middle attack going on, but I would like some suggestions
>>>> on how to increase the security of SIP authentication in opensips.
>>>> I could enforce security through IP addresses, but I fear that will
>>>> become quite cumbersome.
>>>>
>>>> Thanks.
>>>>
>>>> -- James
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users@lists.opensips.org
>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
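The "Auth attempt ... ret N" line that James's REGISTER route writes (the last line of the quoted log) is enough to spot the pattern the thread describes: one source address that www_authorize accepts as several different extensions, possibly after a few rejected tries. The following is an added example, not code from the thread or from OpenSIPS; the log lines are constructed, the addresses and domain are documentation values, and the one-user-per-address threshold is an assumed policy knob.

```python
import re
from collections import defaultdict

# Matches the xlog line from the REGISTER route quoted in the thread, behind a
# standard syslog prefix. "ret" is www_authorize()'s return value: 1 on success,
# negative when the credentials were rejected.
AUTH_LINE = re.compile(
    r"Auth attempt for (?P<user>[^@\s]+)@(?P<domain>\S+) from (?P<ip>\S+) "
    r"on port (?P<port>\d+) ret (?P<ret>-?\d+)"
)

# Constructed sample log (not from the thread). 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges; the DBG line is there to show
# that unrelated lines are skipped.
SAMPLE_LOG = """\
Feb  3 12:05:31 opensips2 /usr/local/sbin/opensips[26313]: Auth attempt for 1001@sip.example.com from 198.51.100.7 on port 5060 ret 1
Feb  3 12:05:33 opensips2 /usr/local/sbin/opensips[26313]: Auth attempt for 1001@sip.example.com from 203.0.113.9 on port 5060 ret 1
Feb  3 12:05:34 opensips2 /usr/local/sbin/opensips[26313]: Auth attempt for 1002@sip.example.com from 203.0.113.9 on port 5060 ret -2
Feb  3 12:05:35 opensips2 /usr/local/sbin/opensips[26313]: Auth attempt for 1002@sip.example.com from 203.0.113.9 on port 5060 ret 1
Feb  3 12:05:36 opensips2 /usr/local/sbin/opensips[26313]: Auth attempt for 1003@sip.example.com from 203.0.113.9 on port 5061 ret 1
Feb  3 12:05:40 opensips2 /usr/local/sbin/opensips[26313]: DBG:auth:check_response: authorization is OK
"""


def parse_auth_attempts(text):
    """Return a list of (user, domain, ip, ret) for every 'Auth attempt' line."""
    found = []
    for line in text.splitlines():
        m = AUTH_LINE.search(line)
        if m:
            found.append((m["user"], m["domain"], m["ip"], int(m["ret"])))
    return found


def suspicious_sources(text, max_users_per_ip=1):
    """Map each source IP that authenticated successfully (ret > 0) as more
    than max_users_per_ip distinct users to its sorted user list and the
    number of rejected attempts it made. One phone legitimately registering
    a few extensions is why the threshold is a parameter (assumed default 1)."""
    ok_users = defaultdict(set)
    failures = defaultdict(int)
    for user, domain, ip, ret in parse_auth_attempts(text):
        if ret > 0:
            ok_users[ip].add(f"{user}@{domain}")
        else:
            failures[ip] += 1
    return {ip: {"users": sorted(users), "failures": failures[ip]}
            for ip, users in ok_users.items() if len(users) > max_users_per_ip}
```

Run it over the real log and an address that matches is a candidate for the IP-based restriction James was reluctant to manage by hand, or at least for a password reset on every extension it reached.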