Hi Norbert,

Yes, you're correct. One can make SIP-calls directly without a provider (or even asterisk) in between.
Had to do that a long time ago on an Asterisk course.
But why would you want to do that? Playing with technique? Great, but then you are at home/lab.

And a company with multiple branches could have PBXs forwarding their calls, not the individual users setting them up towards a remote PBX.

In case of road warriors (not knowing their current and ever changing IP-address)... I presume they ought to use a VPN for connecting to their office (thus becoming an internal and trusted network-entity).

Hans

On 2018-08-30 11:51, norbert wrote:
Hello Hans,

maybe I don't remember SIP & Asterisk well, but I THINK it's absolutely
possible to place a call from one Asterisk Server to another one
without a SIP Provider in between.

Imagine a (big) company with branches running a server at every site.

But maybe I'm wrong....

But for other setups you're right. For example, on my asterisk machine
firewall is closed except the (few) IP addresses my SIP provider told me

Norbert

-------- Original message --------
From: aster...@a-domani.nl
Date: 30.08.18 12:04 (GMT+02:00)
To: Asterisk Users Mailing List - Non-Commercial Discussion
<asterisk-users@lists.digium.com>
Subject: Re: [asterisk-users] getting invites to rtp ports ??

Regarding this thread,
I was wondering, why would anybody open his firewall (for incoming
traffic), for anybody else, besides his own SIP-provider?

Isn't that the proper way for having your firewall configured: always,
by default closed, unless explicitly required.
(but perhaps I'm missing a legitimate use-case)

Hans

On 2018-08-30 04:52, Matthew Jordan wrote:
On Wed, Aug 29, 2018 at 6:20 PM Telium Support Group
<supp...@telium.ca> wrote:

Depending on log trolling (Asterisk security log) misses a lot, and
also depends on the SIP/PJSIP folks to not change message structure
(which has already happened numerous times). If you are comfortable
hacking chan_sip.c you may prefer to get the same messages from the
AMI. It still misses a lot but that approach is better than nothing.

Digium warns not to use fail2ban / log trolling as a security
system: http://forums.asterisk.org/viewtopic.php?p=159984

That's some pretty old advice.

The rationale for *not* using general log messages with fail2ban still
stands: the general WARNING/NOTICE/etc. log messages are subject to
change between versions, and no one wants that to impact someone's
security. So you should not use those messages as input into fail2ban.

That rationale did lead to the 'security' event type in log messages.
Security Event Logging - as it is called - got added into Asterisk
quite some time ago. So long ago I'm really not sure which version. At
a minimum, Asterisk 11, but I'm pretty sure it was in 10 as well.

Documentation for it can be found here:


https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger

And here:

https://wiki.asterisk.org/wiki/display/AST/Logging+Configuration

Note that this also fires off AMI events (and ARI events, IIRC).

If, for whatever reason, you do not get a SECURITY log message or a
corresponding event when something 'bad' happens, that would be worth
some additional discussion. If anything, the events can be a bit
chatty...

-----Original Message-----
From: asterisk-users
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of sean darcy
Sent: Wednesday, August 29, 2018 6:33 PM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] getting invites to rtp ports ??

On 08/29/2018 11:59 AM, Telium Support Group wrote:
Blocking a single IP is the wrong approach (whack-a-mole). You
should consider a more comprehensive approach to securing your VoIP
environment. Have a look at this wiki:

https://www.voip-info.org/asterisk-security/



-----Original Message-----
From: asterisk-users
[mailto:asterisk-users-boun...@lists.digium.com]
On Behalf Of sean darcy
Sent: Wednesday, August 29, 2018 10:46 AM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] getting invites to rtp ports ??

On 08/29/2018 09:42 AM, Carlos Rojas wrote:
Hi

Probably somebody is trying to hack your system, you should block
that ip on your firewall.

Regards

On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandar...@gmail.com> wrote:

I'm getting invites to very high ports every 30 seconds from a
particular ip address:

Retransmitting #10 (NAT) to 5.199.133.128:52734:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
From: <sip:37120116780191250@67.80.191.250>;tag=1872048972
To: <sip:3712011972592181418@67.80.191.250>;tag=as3a52e748
Call-ID: 1504207870-295758084-609228182
CSeq: 1 INVITE
.......
WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182...

I thought invites had to go to port 5060 or so. I don't understand
why somebody (let's assume a bad guy) is trying ports above 50000.

sean



Ok, so the high port is not the destination port but the source port.

So I hacked the log warning in chan_sip.c on non-critical invites
to show the source ip:

ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
        pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));

With that in the log, I'm now blocking the ip addresses.

Thanks,
sean


--



_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com
--

Astricon is coming up October 9-11!  Signup is available at:
https://www.asterisk.org/community/astricon-user-conference

Check out the new Asterisk community forum at:
https://community.asterisk.org/


I agree. That's why I hacked chan_sip.c to get the addresses in the log.

I'm surprised they're not in the log by default. I must be the only
person who gets these "non-critical invites".

sean

New to Asterisk? Start here:
https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users


--
Matthew Jordan
Digium, Inc. | CTO
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
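
Matthew Jordan's reply above recommends the structured SECURITY events over free-text WARNING/NOTICE lines as input for blocking decisions. The following is an added example, not code from the thread or from Asterisk: it parses SECURITY lines and counts failed authentication events per remote address. The sample lines are constructed in the key="value" layout of the security event logger, and the function names and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = '''\
[2018-08-30 04:10:00] WARNING[150318] chan_sip.c: Timeout on 1504207870-295758084-609228182 on non-critical invite transaction.
[2018-08-30 04:10:01] SECURITY[2101] res_security_log.c: SecurityEvent="ChallengeSent",Severity="Informational",Service="SIP",AccountID="100",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.7/52734"
[2018-08-30 04:10:31] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",AccountID="3712011",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.7/52734"
[2018-08-30 04:11:01] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",AccountID="3712012",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.7/52734"
[2018-08-30 04:11:31] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="100",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.7/52735"
[2018-08-30 04:12:00] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="200",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.20/5060"
[2018-08-30 04:12:05] SECURITY[2101] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="SIP",AccountID="200",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.20/5060"
'''

# Event types counted as authentication or ACL failures.
FAILURE_EVENTS = {"InvalidAccountID", "InvalidPassword",
                  "ChallengeResponseFailed", "FailedACL"}
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_security_line(line):
    """Return the event fields as a dict, or None for non-SECURITY lines."""
    if "SECURITY[" not in line or 'SecurityEvent="' not in line:
        return None
    return dict(FIELD_RE.findall(line))


def remote_ip(fields):
    """Extract the address from family/transport/address/port."""
    parts = fields.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) == 4 else None


def offenders(log_text, threshold=3):
    """Map remote IP -> failure count for IPs at or above the threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_security_line(line)
        if fields and fields.get("SecurityEvent") in FAILURE_EVENTS:
            ip = remote_ip(fields)
            if ip:
                counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Because matching is on field names rather than message wording, the free-text WARNING line is ignored and a single mistyped password from a legitimate peer stays below the threshold.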
