On Fri, May 27, 2016 at 5:28 PM, Vitor Mazuco <[email protected]> wrote:
> Hi to everybody > > my system is be attack, but I dont know what this means > <snip> > > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting > 'nat' for a peer/user that differs from the global setting can make > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that > peer/user discoverable by an attacker. Replies for non-existent > peers/users > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a > different port than replies for an existing peer/user. If at all > possible, > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat' > setting and do not set 'nat' per peer/user. > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='132' > global force_rport='No' peer/user force_rport='Yes') > > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting > 'nat' for a peer/user that differs from the global setting can make > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that > peer/user discoverable by an attacker. Replies for non-existent > peers/users > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a > different port than replies for an existing peer/user. If at all > possible, > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat' > setting and do not set 'nat' per peer/user. > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='133' > global force_rport='No' peer/user force_rport='Yes') > > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting > 'nat' for a peer/user that differs from the global setting can make > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that > peer/user discoverable by an attacker. Replies for non-existent > peers/users > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a > different port than replies for an existing peer/user. If at all > possible, > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat' > setting and do not set 'nat' per peer/user. > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='134' > global force_rport='No' peer/user force_rport='Yes') > > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting > 'nat' for a peer/user that differs from the global setting can make > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that > peer/user discoverable by an attacker. Replies for non-existent > peers/users > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a > different port than replies for an existing peer/user. If at all > possible, > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat' > setting and do not set 'nat' per peer/user. > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='135' > global force_rport='No' peer/user force_rport='Yes') > > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting > 'nat' for a peer/user that differs from the global setting can make > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that > peer/user discoverable by an attacker. Replies for non-existent > peers/users > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a > different port than replies for an existing peer/user. If at all > possible, > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat' > setting and do not set 'nat' per peer/user. > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='136' > global force_rport='No' peer/user force_rport='Yes') > > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting > 'nat' for a peer/user that differs from the global setting can make > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that > peer/user discoverable by an attacker. Replies for non-existent > peers/users > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a > different port than replies for an existing peer/user. If at all > possible, > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat' > setting and do not set 'nat' per peer/user. > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config > category='1000' global force_rport='No' peer/user force_rport='Yes') > [May 27 15:52:33] NOTICE[2306] chan_sip.c: The 'username' field for > sip peers has been deprecated in favor of the term 'defaultuser' > > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting > 'nat' for a peer/user that differs from the global setting can make > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that > peer/user discoverable by an attacker. Replies for non-existent > peers/users > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a > different port than replies for an existing peer/user. If at all > possible, > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat' > setting and do not set 'nat' per peer/user. > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config > category='1003' global force_rport='No' peer/user force_rport='Yes') > > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting > 'nat' for a peer/user that differs from the global setting can make > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that > peer/user discoverable by an attacker. Replies for non-existent > peers/users > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a > different port than replies for an existing peer/user. If at all > possible, > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat' > setting and do not set 'nat' per peer/user. > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config > category='2000' global force_rport='No' peer/user force_rport='Yes') > > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting > 'nat' for a peer/user that differs from the global setting can make > [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that > peer/user discoverable by an attacker. Replies for non-existent > peers/users > > What happen with my Asterisk, and how to protect with this? > Your system is not under attack. You have a configuration mismatch between the global SIP nat setting and the per peer/user nat setting for the indicated peer/users. The warning messages are indicating a potential security vulnerability in your configuration for each peer/user and are describing what can happen and what you need to do if those peer/users are exposed to the outside world. Your global SIP nat setting is NO for force_rport and several peers are set to YES for force_rport. In simplest terms only use the global SIP nat setting and do not use the per peer/user nat settings. Richard
-- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
