OK, thanks. I have a couple of questions -- the line numbers do not match exactly, so can you tell me a couple of lines before and after the line in question? Also, when will this be logged? If it's only during sip debug, I need to change it to log when I can see it more readily.

Thanks.

On Wed, 29 Aug 2018 20:31:15 -0400, sean darcy wrote:
>
> On 08/29/2018 08:07 PM, John Covici wrote:
> > I wonder if I could have that patch, maybe I could add it to my
> > fail2ban regexp and if you have the correct regexp, I would appreciate
> > that as well.
> >
> > Thanks.
> >
> > On Wed, 29 Aug 2018 19:18:29 -0400,
> > Telium Support Group wrote:
> >>
> >> Depending on log trolling (Asterisk security log) misses a lot, and also
> >> depends on the SIP/PJSIP folks to not change message structure (which has
> >> already happened numerous times). If you are comfortable hacking
> >> chan_sip.c you may prefer to get the same messages from the AMI. It still
> >> misses a lot but that approach is better than nothing.
> >>
> >> Digium warns not to use fail2ban / log trolling as a security system:
> >> http://forums.asterisk.org/viewtopic.php?p=159984
> >>
> >>
> >> -----Original Message-----
> >> From: asterisk-users [mailto:[email protected]] On
> >> Behalf Of sean darcy
> >> Sent: Wednesday, August 29, 2018 6:33 PM
> >> To: [email protected]
> >> Subject: Re: [asterisk-users] getting invites to rtp ports ??
> >>
> >> On 08/29/2018 11:59 AM, Telium Support Group wrote:
> >>> Blocking a single IP is the wrong approach (whack-a-mole). You should
> >>> consider a more comprehensive approach to securing your VoIP environment.
> >>> Have a look at this wiki:
> >>>
> >>> https://www.voip-info.org/asterisk-security/
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: asterisk-users [mailto:[email protected]]
> >>> On Behalf Of sean darcy
> >>> Sent: Wednesday, August 29, 2018 10:46 AM
> >>> To: [email protected]
> >>> Subject: Re: [asterisk-users] getting invites to rtp ports ??
> >>>
> >>> On 08/29/2018 09:42 AM, Carlos Rojas wrote:
> >>>> Hi
> >>>>
> >>>> Probably somebody is trying to hack your system, you should block
> >>>> that ip on your firewall.
> >>>>
> >>>> Regards
> >>>>
> >>>> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <[email protected]> wrote:
> >>>>
> >>>>     I'm getting invites to very high ports every 30 seconds from a
> >>>>     particular ip address:
> >>>>
> >>>>     Retransmitting #10 (NAT) to 5.199.133.128:52734:
> >>>>     SIP/2.0 401 Unauthorized
> >>>>     Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
> >>>>     From: <sip:[email protected]>;tag=1872048972
> >>>>     To: <sip:[email protected]>;tag=as3a52e748
> >>>>     Call-ID: 1504207870-295758084-609228182
> >>>>     CSeq: 1 INVITE
> >>>>     .......
> >>>>     WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
> >>>>     1504207870-295758084-609228182...
> >>>>
> >>>>     I thought invites had to go to port 5060 or so. I don't understand
> >>>>     why somebody (let's assume a bad guy) is trying ports above 50000.
> >>>>
> >>>>     sean
> >>>>
> >>>>
> >>> Ok, so the high port is not the destination port but the source port.
> >>>
> >>> So I hacked the log warning in chan_sip.c on non-critical invites to show
> >>> the source ip:
> >>>
> >>> ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
> >>>         pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> >>>
> >>> With that in the log, I'm now blocking the ip addresses.
> >>>
> >>> Thanks,
> >>> sean
> >>>
> >>>
> >>> --
> >>> _____________________________________________________________________
> >>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> >>>
> >>> Astricon is coming up October 9-11! Signup is available at:
> >>> https://www.asterisk.org/community/astricon-user-conference
> >>>
> >>> Check out the new Asterisk community forum at:
> >>> https://community.asterisk.org/
> >>>
> >>
> >> I agree. That's why I hacked chan_sip.c to get the addresses in the log.
> >>
> >> I'm surprised they're not in the log by default. I must be the only person
> >> who gets these "non-critical invites".
> >>
> >> sean
> >>
> >
> The patch, more accurately a hack, is in my second post above.
>
> chan_sip.c 4127 :
> ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
>         pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
>
> The added second %s shows the ip address of the pkt owner.
>
> I wouldn't submit it in a coding class !
>
> sean
>

--
Your life is like a penny. You're going to lose it. The question is: How do you spend it?
John Covici wb2una [email protected]
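As an added example (not code from the thread, from Asterisk or from fail2ban), here is a fail2ban-style failregex for the hacked "non-critic invite trans from" warning quoted above, with a Python check that pulls the source address out of constructed sample lines; the timestamp prefix of the log lines and the bracketed IPv6 rendering are assumptions.

```python
import re
from collections import Counter

# fail2ban-style failregex for the hacked chan_sip.c warning from the thread:
#   "Timeout on <callid> non-critic invite trans from <ip>:<port>."
# <HOST> is fail2ban's own placeholder; _HOST expands it the way fail2ban does,
# to an IPv4 address or a bracketed IPv6 address (assumed to be how
# ast_sockaddr_stringify() renders IPv6 endpoints).
FAILREGEX = (
    r"WARNING\[\d+\]:? chan_sip\.c:\d+ retrans_pkt: "
    r"Timeout on \S+ non-critic invite trans from <HOST>(?::\d+)?\.$"
)
_HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|\[[0-9a-fA-F:]+\])"
_PATTERN = re.compile(FAILREGEX.replace("<HOST>", _HOST))


def fail2ban_filter() -> str:
    """Filter-file text using FAILREGEX; fail2ban strips the timestamp itself."""
    return "[Definition]\nfailregex = " + FAILREGEX + "\nignoreregex =\n"


def extract_host(line: str):
    """Source address from one log line in the hacked format, or None."""
    m = _PATTERN.search(line.rstrip("\n"))
    return m.group("host").strip("[]") if m else None


def offenders(lines, maxretry=3):
    """Like fail2ban's maxretry: hosts that produced at least maxretry matches."""
    hits = Counter(h for h in map(extract_host, lines) if h)
    return {h: n for h, n in hits.items() if n >= maxretry}


# Constructed sample lines (not copied from the thread's log). The first three
# use the hacked message; the last is the unhacked message, which carries no
# address and therefore must not match.
_PFX = "WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on "
SAMPLE_LOG = [
    "[Aug 29 10:46:12] " + _PFX + "1504207870-295758084-609228182 non-critic invite trans from 5.199.133.128:52734.",
    "[Aug 29 10:46:42] " + _PFX + "1504207870-295758084-609228183 non-critic invite trans from 5.199.133.128:52734.",
    "[Aug 29 10:47:05] " + _PFX + "1504207870-295758084-609228184 non-critic invite trans from [2001:db8::1]:5060.",
    "[Aug 29 10:47:30] " + _PFX + "1504207870-295758084-609228185...",
]

if __name__ == "__main__":
    print(fail2ban_filter())
    print(offenders(SAMPLE_LOG, maxretry=2))
```

As Telium points out in the thread, this only catches what the hacked message logs and breaks the moment the message text changes, so it is one layer on top of the firewall and configuration measures on the linked wiki, not a security system by itself.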
