Also, if you have extensions which are external and you don't know their ip addresses.
On Thu, 30 Aug 2018 05:51:56 -0400, norbert wrote:
>
> Hello Hans,
>
> maybe I don't remember SIP & Asterisk well, but I THINK it's absolutely
> possible to place a call from one Asterisk Server to another one without a
> SIP Provider in between.
>
> Imagine a (big) company with branches running a server at every site.
>
> But maybe I'm wrong....
>
> But for other setups you're right. For example, on my asterisk machine
> firewall is closed except the (few) IP addresses my SIP provider told me
>
> Norbert
>
> -------- Original Message --------
> From: [email protected]
> Date: 30.08.18 12:04 (GMT+02:00)
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> <[email protected]>
> Subject: Re: [asterisk-users] getting invites to rtp ports ??
>
> Regarding this thread,
> I was wondering, why would anybody open his firewall (for incoming
> traffic), for anybody else, besides his own SIP-provider?
>
> Isn't that the proper way for having your firewall configured: always,
> by default closed, unless explicitly required.
> (but perhaps I'm missing a legitimate use-case)
>
> Hans
>
> On 2018-08-30 04:52, Matthew Jordan wrote:
> > On Wed, Aug 29, 2018 at 6:20 PM Telium Support Group
> > <[email protected]> wrote:
> >
> >> Depending on log trolling (Asterisk security log) misses a lot, and
> >> also depends on the SIP/PJSIP folks to not change message structure
> >> (which has already happened numerous times). If you are comfortable
> >> hacking chan_sip.c you may prefer to get the same messages from the
> >> AMI. It still misses a lot but that approach is better than
> >> nothing.
> >>
> >> Digium warns not to use fail2ban / log trolling as a security
> >> system: http://forums.asterisk.org/viewtopic.php?p=159984
> >
> > That's some pretty old advice.
> >
> > The rationale for *not* using general log messages with fail2ban still
> > stands: the general WARNING/NOTICE/etc. log messages are subject to
> > change between versions, and no one wants that to impact someone's
> > security. So you should not use those messages as input into fail2ban.
> >
> > That rationale did lead to the 'security' event type in log messages.
> > Security Event Logging - as it is called - got added into Asterisk
> > quite some time ago. So long ago I'm really not sure which version. At
> > a minimum, Asterisk 11, but I'm pretty sure it was in 10 as well.
> >
> > Documentation for it can be found here:
> >
> > https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger
> >
> > And here:
> >
> > https://wiki.asterisk.org/wiki/display/AST/Logging+Configuration
> >
> > Note that this also fires off AMI events (and ARI events, IIRC).
> >
> > If, for whatever reason, you do not get a SECURITY log message or a
> > corresponding event when something 'bad' happens, that would be worth
> > some additional discussion. If anything, the events can be a bit
> > chatty...
> >
> >> -----Original Message-----
> >> From: asterisk-users
> >> [mailto:[email protected]] On Behalf Of sean darcy
> >> Sent: Wednesday, August 29, 2018 6:33 PM
> >> To: [email protected]
> >> Subject: Re: [asterisk-users] getting invites to rtp ports ??
> >>
> >> On 08/29/2018 11:59 AM, Telium Support Group wrote:
> >>> Blocking a single IP is the wrong approach (whack-a-mole). You
> >>> should consider a more comprehensive approach to securing your VoIP
> >>> environment. Have a look at this wiki:
> >>>
> >>> https://www.voip-info.org/asterisk-security/
> >>>
> >>> -----Original Message-----
> >>> From: asterisk-users
> >>> [mailto:[email protected]]
> >>> On Behalf Of sean darcy
> >>> Sent: Wednesday, August 29, 2018 10:46 AM
> >>> To: [email protected]
> >>> Subject: Re: [asterisk-users] getting invites to rtp ports ??
> >>>
> >>> On 08/29/2018 09:42 AM, Carlos Rojas wrote:
> >>>> Hi
> >>>>
> >>>> Probably somebody is trying to hack your system, you should block
> >>>> that ip on your firewall.
> >>>>
> >>>> Regards
> >>>>
> >>>> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <[email protected]> wrote:
> >>>>
> >>>>     I'm getting invites to very high ports every 30 seconds from a
> >>>>     particular ip address:
> >>>>
> >>>>     Retransmitting #10 (NAT) to 5.199.133.128:52734:
> >>>>     SIP/2.0 401 Unauthorized
> >>>>     Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
> >>>>     From: <sip:[email protected]>;tag=1872048972
> >>>>     To: <sip:[email protected]>;tag=as3a52e748
> >>>>     Call-ID: 1504207870-295758084-609228182
> >>>>     CSeq: 1 INVITE
> >>>>     .......
> >>>>     WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
> >>>>     1504207870-295758084-609228182...
> >>>>
> >>>>     I thought invites had to go to port 5060 or so. I don't understand
> >>>>     why somebody (let's assume a bad guy) is trying ports above 50000.
> >>>>
> >>>>     sean
> >>>>
> >>>
> >>> Ok, so the high port is not the destination port but the source port.
> >>>
> >>> So I hacked the log warning in chan_sip.c on non-critical invites
> >>> to show the source ip:
> >>>
> >>> ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
> >>>         pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> >>>
> >>> With that in the log, I'm now blocking the ip addresses.
> >>>
> >>> Thanks,
> >>> sean
> >>>
> >>> --
> >>> _____________________________________________________________________
> >>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> >>>
> >>> Astricon is coming up October 9-11! Signup is available at:
> >>> https://www.asterisk.org/community/astricon-user-conference
> >>>
> >>> Check out the new Asterisk community forum at:
> >>> https://community.asterisk.org/
> >>>
> >>
> >> I agree. That's why I hacked chan_sip.c to get the addresses in the
> >> log.
> >>
> >> I'm surprised they're not in the log by default. I must be the only
> >> person who gets these "non-critical invites".
> >>
> >> sean
> >
> > --
> > Matthew Jordan
> > Digium, Inc. | CTO
> > 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> > Check us out at: http://digium.com & http://asterisk.org

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
[email protected]
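
Added example (not part of the original thread and not Asterisk project code): Matthew Jordan's reply points to SECURITY log events as the stable input for tools such as fail2ban. The Python below parses such lines and lists remote hosts that either accumulate hard failures or, like the 401 retransmissions at the start of the thread, keep drawing challenges without ever authenticating. The sample lines, the threshold and the helper names are constructed for illustration, and the event names are assumed from the security event logger's key="value" output.

```python
import re
from collections import defaultdict

PAIR = re.compile(r'(\w+)="([^"]*)"')
HARD_FAILURES = {"InvalidAccountID", "InvalidPassword",  # event names assumed;
                 "ChallengeResponseFailed", "FailedACL"}  # verify per version

def parse_event(line):
    """Return the key="value" fields of a SECURITY line, else None."""
    if "SECURITY[" not in line:
        return None
    fields = dict(PAIR.findall(line))
    return fields if "SecurityEvent" in fields else None

def remote_host(fields):
    """RemoteAddress is family/transport/host/port; return the host."""
    parts = fields.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) == 4 else None

def suspicious_hosts(lines, threshold=3):
    """Hosts with many hard failures, or many challenges and no success."""
    stats = defaultdict(lambda: {"fail": 0, "chal": 0, "ok": 0})
    for line in lines:
        fields = parse_event(line)
        host = remote_host(fields) if fields else None
        if host is None:
            continue
        event = fields["SecurityEvent"]
        if event in HARD_FAILURES:
            stats[host]["fail"] += 1
        elif event == "ChallengeSent":
            stats[host]["chal"] += 1
        elif event == "SuccessfulAuth":
            stats[host]["ok"] += 1
    return sorted(h for h, s in stats.items() if s["fail"] >= threshold
                  or (s["ok"] == 0 and s["chal"] >= threshold))

def sample_line(event, remote):
    """Build one constructed log line (documentation-range addresses)."""
    return ('[2018-08-30 05:51:56] SECURITY[1502] res_security_log.c: '
            f'SecurityEvent="{event}",Service="SIP",AccountID="100",'
            f'RemoteAddress="IPV4/UDP/{remote}"')

SAMPLE = ([sample_line("ChallengeSent", "203.0.113.7/52734")] * 4   # never answers
          + [sample_line("ChallengeSent", "198.51.100.20/5060"),
             sample_line("SuccessfulAuth", "198.51.100.20/5060")]    # normal login
          + [sample_line("InvalidPassword", "192.0.2.99/5060")] * 3  # guessing
          + ["[2018-08-30 05:52:00] WARNING[150318] chan_sip.c: constructed"])
print(suspicious_hosts(SAMPLE))
```

A ChallengeSent followed by SuccessfulAuth is an ordinary registration, which is why challenges alone only count against a host that never completes one.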
