On Thu, Aug 30, 2018 at 6:02 AM John Covici <cov...@ccs.covici.com> wrote:
> I agree, but is it possible to try over and over with anything other
> than the challenge warning in the security log as sean suggested and
> put a patch for?
>

I don't think I understand your question. You shouldn't need a patch if you
are using the SECURITY log. The thread above is suggesting patching the
source code to hijack a WARNING message for the purposes of tracing security
information; my point is that you should have a specific SECURITY log
message that already serves that purpose.

> On Wed, 29 Aug 2018 22:52:05 -0400,
> Matthew Jordan wrote:
> >
> > On Wed, Aug 29, 2018 at 6:20 PM Telium Support Group <supp...@telium.ca> wrote:
> > >
> > > Depending on log trolling (Asterisk security log) misses a lot, and
> > > also depends on the SIP/PJSIP folks to not change message structure
> > > (which has already happened numerous times). If you are comfortable
> > > hacking chan_sip.c you may prefer to get the same messages from the
> > > AMI. It still misses a lot but that approach is better than nothing.
> > >
> > > Digium warns not to use fail2ban / log trolling as a security system:
> > > http://forums.asterisk.org/viewtopic.php?p=159984
> >
> > That's some pretty old advice.
> >
> > The rationale for *not* using general log messages with fail2ban still
> > stands: the general WARNING/NOTICE/etc. log messages are subject to
> > change between versions, and no one wants that to impact someone's
> > security. So you should not use those messages as input into fail2ban.
> >
> > That rationale did lead to the 'security' event type in log messages.
> > Security Event Logging - as it is called - got added into Asterisk
> > quite some time ago. So long ago I'm really not sure which version. At
> > a minimum, Asterisk 11, but I'm pretty sure it was in 10 as well.
> >
> > Documentation for it can be found here:
> >
> > https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger
> >
> > And here:
> >
> > https://wiki.asterisk.org/wiki/display/AST/Logging+Configuration
> >
> > Note that this also fires off AMI events (and ARI events, IIRC).
> >
> > If, for whatever reason, you do not get a SECURITY log message or a
> > corresponding event when something 'bad' happens, that would be worth
> > some additional discussion. If anything, the events can be a bit
> > chatty...
> >
> > >
> > > -----Original Message-----
> > > From: asterisk-users [mailto:asterisk-users-boun...@lists.digium.com]
> > > On Behalf Of sean darcy
> > > Sent: Wednesday, August 29, 2018 6:33 PM
> > > To: asterisk-users@lists.digium.com
> > > Subject: Re: [asterisk-users] getting invites to rtp ports ??
> > >
> > > On 08/29/2018 11:59 AM, Telium Support Group wrote:
> > > > Block a single IP is the wrong approach (whack-a-mole). You should
> > > > consider a more comprehensive approach to securing your VoIP
> > > > environment. Have a look at this wiki:
> > > >
> > > > https://www.voip-info.org/asterisk-security/
> > > >
> > > > -----Original Message-----
> > > > From: asterisk-users [mailto:asterisk-users-boun...@lists.digium.com]
> > > > On Behalf Of sean darcy
> > > > Sent: Wednesday, August 29, 2018 10:46 AM
> > > > To: asterisk-users@lists.digium.com
> > > > Subject: Re: [asterisk-users] getting invites to rtp ports ??
> > > >
> > > > On 08/29/2018 09:42 AM, Carlos Rojas wrote:
> > > >> Hi
> > > >>
> > > >> Probably somebody is trying to hack your system, you should block
> > > >> that ip on your firewall.
> > > >>
> > > >> Regards
> > > >>
> > > >> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandar...@gmail.com> wrote:
> > > >>
> > > >>     I'm getting invites to very high ports every 30 seconds from a
> > > >>     particular ip address:
> > > >>
> > > >>     Retransmitting #10 (NAT) to 5.199.133.128:52734:
> > > >>     SIP/2.0 401 Unauthorized
> > > >>     Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
> > > >>     From: <sip:37120116780191250@67.80.191.250>;tag=1872048972
> > > >>     To: <sip:3712011972592181418@67.80.191.250>;tag=as3a52e748
> > > >>     Call-ID: 1504207870-295758084-609228182
> > > >>     CSeq: 1 INVITE
> > > >>     .......
> > > >>     WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
> > > >>     1504207870-295758084-609228182...
> > > >>
> > > >>     I thought invites had to go to port 5060 or so. I don't understand
> > > >>     why somebody (let's assume a bad guy) is trying ports above 50000.
> > > >>
> > > >>     sean
> > > >>
> > > >
> > > > Ok, so the high port is not the destination port but the source port.
> > > >
> > > > So I hacked the log warning in chan_sip.c on non-critical invites to
> > > > show the source ip:
> > > >
> > > > ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
> > > >         pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> > > >
> > > > With that in the log, I'm now blocking the ip addresses.
> > > >
> > > > Thanks,
> > > > sean
> > > >
> > > > --
> > > > _____________________________________________________________________
> > > > -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> > > >
> > > > Astricon is coming up October 9-11! Signup is available at:
> > > > https://www.asterisk.org/community/astricon-user-conference
> > > >
> > > > Check out the new Asterisk community forum at:
> > > > https://community.asterisk.org/
> > >
> > > I agree. That's why I hacked chan_sip.c to get the addresses in the log.
> > >
> > > I'm surprised they're not in the log by default. I must be the only
> > > person who gets these "non-critical invites".
> > >
> > > sean
> >
> > --
> > Matthew Jordan
> > Digium, Inc. | CTO
> > 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> > Check us out at: http://digium.com & http://asterisk.org
>
> --
> Your life is like a penny. You're going to lose it. The question is:
> How do you spend it?
>
> John Covici wb2una
> cov...@ccs.covici.com

--
Matthew Jordan
Digium, Inc. | CTO
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
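As an added example (not code from this thread, from fail2ban or from Asterisk), here is the kind of consumer Matthew is describing: it reads only SECURITY-level lines in the key="value" layout that res_security_log writes, ignores WARNING/NOTICE text entirely (so chan_sip.c message changes cannot break it), and counts authentication failures per remote host within a sliding window. The sample log lines are constructed; the exact field set, the ISO-8601 EventTV format and the choice of which SecurityEvent names count as failures are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the key="value" layout res_security_log writes
# at the SECURITY log level; hosts, IDs and timestamps are made up.
SAMPLE_LOG = """\
[2018-08-29 18:33:01] SECURITY[150318] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2018-08-29T18:33:01.000-0400",Severity="Error",Service="SIP",EventVersion="1",AccountID="37120116780191250",SessionID="0x7f1a0c0",LocalAddress="IPV4/UDP/67.80.191.250/5060",RemoteAddress="IPV4/UDP/5.199.133.128/52734"
[2018-08-29 18:33:31] SECURITY[150318] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2018-08-29T18:33:31.000-0400",Severity="Error",Service="SIP",EventVersion="1",AccountID="3712011972592181418",SessionID="0x7f1a0c1",LocalAddress="IPV4/UDP/67.80.191.250/5060",RemoteAddress="IPV4/UDP/5.199.133.128/52735"
[2018-08-29 18:34:01] SECURITY[150318] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2018-08-29T18:34:01.000-0400",Severity="Informational",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f1a0c2",LocalAddress="IPV4/UDP/67.80.191.250/5060",RemoteAddress="IPV4/UDP/192.0.2.10/5060",Challenge="1c3a9f"
[2018-08-29 18:34:01] SECURITY[150318] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-08-29T18:34:01.500-0400",Severity="Informational",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f1a0c2",LocalAddress="IPV4/UDP/67.80.191.250/5060",RemoteAddress="IPV4/UDP/192.0.2.10/5060",UsingPassword="1"
[2018-08-29 18:34:02] SECURITY[150318] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2018-08-29T18:34:02.000-0400",Severity="Error",Service="SIP",EventVersion="1",AccountID="3712011999",SessionID="0x7f1a0c3",LocalAddress="IPV4/UDP/67.80.191.250/5060",RemoteAddress="IPV4/UDP/5.199.133.128/52736"
[2018-08-29 18:34:05] WARNING[150318] chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182...
"""

# Event names treated as a refused or failed authentication attempt
# (assumption: which SecurityEvent values count as failures is a policy choice).
FAILURE_EVENTS = {"InvalidAccountID", "InvalidPassword", "ChallengeResponseFailed",
                  "FailedACL", "RequestNotAllowed", "UnexpectedAddress"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_security_line(line):
    """Return the key/value fields of one SECURITY log line, or None for any
    other line (WARNING/NOTICE text is ignored, whatever it says)."""
    if " SECURITY[" not in line or "SecurityEvent=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    # RemoteAddress is "FAMILY/TRANSPORT/HOST/PORT"; IPv6 hosts contain no '/'.
    _family, transport, host, port = fields["RemoteAddress"].split("/")
    fields.update(RemoteHost=host, RemotePort=int(port), RemoteTransport=transport)
    fields["EventTime"] = datetime.strptime(fields["EventTV"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return fields

def find_offenders(log_text, threshold=3, window=timedelta(minutes=10)):
    """Sliding-window count of failure events per remote host; returns a dict
    host -> event time at which that host first reached `threshold`."""
    recent = defaultdict(list)
    tripped = {}
    for line in log_text.splitlines():
        ev = parse_security_line(line)
        if not ev or ev["SecurityEvent"] not in FAILURE_EVENTS:
            continue
        host, now = ev["RemoteHost"], ev["EventTime"]
        hits = [t for t in recent[host] if now - t <= window] + [now]
        recent[host] = hits
        if len(hits) >= threshold and host not in tripped:
            tripped[host] = now
    return tripped
```

The offender map is what a ban action (firewall rule, fail2ban actionban) would consume; successful and informational events from 192.0.2.10 never count, and the chan_sip.c WARNING line is skipped without any pattern matching on its text.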