humm, ok. Thanks very much
2016-05-27 19:56 GMT-03:00, Richard Mudgett <[email protected]>:
> On Fri, May 27, 2016 at 5:28 PM, Vitor Mazuco <[email protected]>
> wrote:
>
>> Hi to everybody
>>
>> my system is being attacked, but I don't know what this means
>>
>
> <snip>
>
>>
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting 'nat' for a peer/user that differs from the global setting can make
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a different port than replies for an existing peer/user. If at all possible,
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat' setting and do not set 'nat' per peer/user.
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='132' global force_rport='No' peer/user force_rport='Yes')
>>
>
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting 'nat' for a peer/user that differs from the global setting can make
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a different port than replies for an existing peer/user. If at all possible,
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat' setting and do not set 'nat' per peer/user.
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='133' global force_rport='No' peer/user force_rport='Yes')
>>
>
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting 'nat' for a peer/user that differs from the global setting can make
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a different port than replies for an existing peer/user. If at all possible,
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat' setting and do not set 'nat' per peer/user.
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='134' global force_rport='No' peer/user force_rport='Yes')
>>
>
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting 'nat' for a peer/user that differs from the global setting can make
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a different port than replies for an existing peer/user. If at all possible,
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat' setting and do not set 'nat' per peer/user.
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='135' global force_rport='No' peer/user force_rport='Yes')
>>
>
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting 'nat' for a peer/user that differs from the global setting can make
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a different port than replies for an existing peer/user. If at all possible,
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat' setting and do not set 'nat' per peer/user.
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='136' global force_rport='No' peer/user force_rport='Yes')
>>
>
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting 'nat' for a peer/user that differs from the global setting can make
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a different port than replies for an existing peer/user. If at all possible,
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat' setting and do not set 'nat' per peer/user.
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='1000' global force_rport='No' peer/user force_rport='Yes')
>> [May 27 15:52:33] NOTICE[2306] chan_sip.c: The 'username' field for sip peers has been deprecated in favor of the term 'defaultuser'
>>
>
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting 'nat' for a peer/user that differs from the global setting can make
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a different port than replies for an existing peer/user. If at all possible,
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat' setting and do not set 'nat' per peer/user.
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='1003' global force_rport='No' peer/user force_rport='Yes')
>>
>
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting 'nat' for a peer/user that differs from the global setting can make
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! will be sent to a different port than replies for an existing peer/user. If at all possible,
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! use the global 'nat' setting and do not set 'nat' per peer/user.
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! (config category='2000' global force_rport='No' peer/user force_rport='Yes')
>>
>
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! PLEASE NOTE: Setting 'nat' for a peer/user that differs from the global setting can make
>> [May 27 15:52:33] WARNING[2306] chan_sip.c: !!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users
>>
>> What happened with my Asterisk, and how do I protect against this?
>>
>
> Your system is not under attack. You have a configuration mismatch
> between the global SIP nat setting and the per peer/user nat setting
> for the indicated peer/users.
> The warning messages are indicating a potential security vulnerability
> in your configuration for each peer/user and are describing what can
> happen and what you need to do if those peer/users are exposed to the
> outside world.
>
> Your global SIP nat setting is NO for force_rport and several peers
> are set to YES for force_rport.
>
> In simplest terms only use the global SIP nat setting and do not use
> the per peer/user nat settings.
>
> Richard
>
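An added example, not part of the thread or the Asterisk project's code: a small audit that lists `sip.conf` peers whose per-peer `nat` setting changes force_rport relative to `[general]`, which is the condition the warnings above report. The sample config, peer `2001` and the `default_nat` fallback are assumptions; only explicit `no`/`yes`/`force_rport`/`comedia` values are modelled, and template inheritance is not resolved.

```python
import re

# Constructed sample sip.conf reproducing the mismatch in the warnings above:
# global force_rport is off, peers 132 and 1000 turn it on per peer.
SAMPLE_SIP_CONF = """\
[general]
nat=no                    ; global setting: force_rport='No'

[132]
type=friend
nat=force_rport,comedia   ; differs from global -> warning

[1000]
type=friend
nat=yes                   ; 'yes' also enables force_rport -> warning

[2001]                    ; hypothetical peer, no per-peer nat: inherits global
type=friend
"""

SECTION = re.compile(r"^\[([^\]]+)\]")

def force_rport(value):
    """True if a nat= value turns force_rport on (assumes explicit
    no/yes/force_rport/comedia values; auto_* modes are not modelled)."""
    opts = {o.strip().lower() for o in value.split(",")}
    return bool(opts & {"yes", "force_rport"})

def nat_mismatches(conf_text, default_nat="no"):
    """Return sorted peer names whose force_rport differs from [general].
    default_nat is an assumption used only when [general] has no nat= line."""
    nat = {}            # section name -> raw nat value
    section = None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop ';' comments
        m = SECTION.match(line)
        if m:
            section = m.group(1)
        elif section and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if key.lower() == "nat":
                nat[section] = val
    global_on = force_rport(nat.get("general", default_nat))
    return sorted(name for name, val in nat.items()
                  if name != "general" and force_rport(val) != global_on)

if __name__ == "__main__":
    for peer in nat_mismatches(SAMPLE_SIP_CONF):
        print(f"[{peer}] sets nat differently from [general]")
```

Removing the per-peer `nat=` lines it reports, so that every peer inherits the `[general]` value, is the change Richard's reply recommends.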
