Why do attacks from the Internet get shown in the Asterisk logs with myAsteriskServerIP instead of the attacker's IP?! Really useful for blocking them, that is...

Example:

[Mar 6 00:00:00] NOTICE[1926] chan_sip.c: Failed to authenticate user 5550000<sip:5550000@myAsteriskServerIP>;tag=ab8537ae

(I replaced our IP address with myAsteriskServerIP. The attacks are not coming from itself!)

This affects e.g. Asterisk 1.4.24, 1.6.0.22 and 1.8.0

Ref: http://forums.digium.com/viewtopic.php?t=74947
Ref: http://forums.digium.com/viewtopic.php?f=1&t=77070

Similar messages from those threads (1 line each):

-- Executing [123456@from-sip-external:1] NoOp("SIP/mypbx.com-00000751", "Received incoming SIP connection from unknown peer to 123456") in new stack
Aug 7 23:32:03 mypbx asterisk[3686]: NOTICE[27307]: chan_sip.c:18047 in handle_request_invite: Failed to authenticate user <sip:[email protected]>;tag=1660ec63
Aug 8 00:03:50 mypbx asterisk[3686]: NOTICE[27307]: chan_sip.c:18044 in handle_request_invite: Sending fake auth rejection for user <sip:[email protected]>;tag=e6786d03
NOTICE[2578]: chan_sip.c:21250 handle_request_invite: Sending fake auth rejection for device "w"<sip:user@asterisk-ip;transport=UDP>;tag=8f2b8d05

So there are at least 3 different SIP messages where the IP address is not logged, 2 of which do not seem to have a work-around like:

alwaysauthreject=yes
allowguest=no

The above works around the unknown peer issue, but that should really be logging the IP address too!

Those two or three users on the forums and I would like to use Fail2Ban with Asterisk to block hackers...
http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk
... and I expect others would appreciate logging hackers' IP addresses too! It is also useful for debugging purposes when setting up users to have their IP addresses too.

Is there any known solution or patch available?

Unpatched, I consider this a security vulnerability, because, even if one uses filthy passwords, it can cause a DoS and fill up your log files and your disk until there is no space left. The only solution to avoid that is to block the attackers quickly (or have something to manage your logs, or not log it, I guess). I've got about 1 GB worth of attacks in my logs from 2 weeks on 1 server...

Based on the output in this issue: https://issues.asterisk.org/view.php?id=18334 it looks like the issue remains in 1.6.2.14 and 1.8.0...

Kind regards,
SebA
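As an added illustration (not part of SebA's post or of Asterisk/Fail2Ban), the Python below runs Fail2Ban-style failregex patterns over constructed copies of the log lines quoted above and shows why they are useless for banning: the only address they carry is the PBX's own, so a filter that keys on them would ban the server itself unless that address is in ignoreip. The "Registration from ... failed for" line and the 192.0.2.10 / 198.51.100.7 addresses are assumptions made for the sample.

```python
import re

# Constructed sample log, modelled on the messages quoted in the post.
# myAsteriskServerIP is replaced by the documentation address 192.0.2.10;
# the 'Registration from ... failed for' line is an assumed example of a
# message that does carry the remote address (the kind Fail2Ban filters use).
SERVER_IP = "192.0.2.10"
SAMPLE_LOG = """\
[Mar 6 00:00:00] NOTICE[1926] chan_sip.c: Failed to authenticate user 5550000<sip:5550000@192.0.2.10>;tag=ab8537ae
[Mar 6 00:00:01] NOTICE[1926] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Mar 6 00:00:02] NOTICE[1926] chan_sip.c: Sending fake auth rejection for device "w"<sip:user@192.0.2.10;transport=UDP>;tag=8f2b8d05
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Fail2Ban-style failregex patterns; the 'host' group plays the role of <HOST>.
PATTERNS = [
    re.compile(r"Registration from '.*' failed for '(?P<host>" + IPV4 + r")'"),
    re.compile(r"Failed to authenticate user .*<sip:[^@>]*@(?P<host>" + IPV4 + r")[;>]"),
    re.compile(r"Sending fake auth rejection for (?:user|device) .*<sip:[^@>]*@(?P<host>" + IPV4 + r")[;>]"),
]


def extract_hosts(log_text):
    """Return [(line_number, host)] for every line some pattern matches."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                hits.append((n, m.group("host")))
                break
    return hits


def self_referential_lines(log_text, server_ip):
    """Line numbers whose only extractable address is the server's own."""
    return [n for n, h in extract_hosts(log_text) if h == server_ip]


def ban_candidates(log_text, ignore_ips):
    """Hosts the filter would hand to the ban action, minus the ignoreip set.

    Without ignoreip the two messages that only name the PBX's own address
    would make the jail ban the PBX itself.
    """
    return sorted({h for _, h in extract_hosts(log_text) if h not in ignore_ips})


if __name__ == "__main__":
    print(extract_hosts(SAMPLE_LOG))
    print("self-referential lines:", self_referential_lines(SAMPLE_LOG, SERVER_IP))
    print("bannable:", ban_candidates(SAMPLE_LOG, {SERVER_IP}))
```

Only the assumed registration-failure line yields a remote address; the two formats quoted in the post are left out of the ban set once the server's own IP is ignored.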
-- 
asterisk-users mailing list
