Hi Dominko,

Thanks for the log data. I can't find that acl.c log in Asterisk 1.8; that log appears to have been added with Asterisk 11...
--
main/acl.c: 748: ast_log(LOG_NOTICE, "%sRejecting '%s' due to a failure to pass ACL '%s'\n", purpose ? purpose : "", ast_sockaddr_stringify_addr(addr), ast_strlen_zero(acl->name) ? "(BASELINE)" : acl->name);
--

At quick glance it seems like a good addition for the Adaptive Ban plugin to match on; let me look into it some more.

Are you using the new acl.conf feature in Asterisk 11? Together with
--
acl=named_acl_example ; Use named ACLs defined in acl.conf
--
Or are you just using deny/permit in sip.conf?

Lonnie

On May 16, 2013, at 9:06 AM, Dominko Vrljic wrote:

> Hi all,
> for several days I can see in my astlinux logs:
> May 16 00:48:05 pbx local0.notice asterisk[1373]: NOTICE[1405]: chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 1002<sip:1002@95.56.155.46>;tag=9a886c0a
> May 16 00:48:07 pbx local0.notice asterisk[1373]: NOTICE[1405]: chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 1002<sip:1002@95.56.155.46>;tag=c6a61c5c
> May 16 00:48:08 pbx local0.notice asterisk[1373]: NOTICE[1405]: chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 1002<sip:1002@95.56.155.46>;tag=64baef1c
> May 16 00:48:09 pbx local0.notice asterisk[1373]: NOTICE[1405]: chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 1002<sip:1002@95.56.155.46>;tag=5226ddea
> May 16 02:14:27 pbx local0.notice asterisk[1373]: NOTICE[1405]: chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 1003<sip:1003@95.56.155.46>;tag=d87e3a60
> May 16 02:14:28 pbx local0.notice asterisk[1373]: NOTICE[1405]: chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 1003<sip:1003@95.56.155.46>;tag=61408c7d
> May 16 02:14:29 pbx local0.notice asterisk[1373]: NOTICE[1405]: chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 1003<sip:1003@95.56.155.46>;tag=09c2a9c0
>
> and this:
> May 16 14:37:58 pbx local0.notice asterisk[1373]: NOTICE[1405]: acl.c:748 in ast_apply_acl: SIP Peer ACL: Rejecting '94.23.248.122' due to a failure to pass ACL '(BASELINE)'
> May 16 14:37:58 pbx local0.notice asterisk[1373]: NOTICE[1405]: chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 300<sip:6000@95.56.155.240>;tag=3d36f9b6
> May 16 14:37:58 pbx local0.notice asterisk[1373]: NOTICE[1405]: acl.c:748 in ast_apply_acl: SIP Peer ACL: Rejecting '94.23.248.122' due to a failure to pass ACL '(BASELINE)'
> May 16 14:37:58 pbx local0.notice asterisk[1373]: NOTICE[1405]: chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 300<sip:6000@95.56.155.240>;tag=23dbb252
> May 16 14:37:59 pbx local0.notice asterisk[1373]: NOTICE[1405]: acl.c:748 in ast_apply_acl: SIP Peer ACL: Rejecting '94.23.248.122' due to a failure to pass ACL '(BASELINE)'
> May 16 14:37:59 pbx local0.notice asterisk[1373]: NOTICE[1405]: chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 300<sip:6000@95.56.155.240>;tag=d9feaa3a
> May 16 14:38:00 pbx local0.notice asterisk[1373]: NOTICE[1405]: acl.c:748 in ast_apply_acl: SIP Peer ACL: Rejecting '94.23.248.122' due to a failure to pass ACL '(BASELINE)'
> May 16 14:38:00 pbx local0.notice asterisk[1373]: NOTICE[1405]: chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 300<sip:6000@95.56.155.240>;tag=07e1bfe9
>
> In the first logs there is no source IP address of an attacker and I do not expect adaptive ban to protect me.
> But in the second case there is the IP address of the attacker but adaptive ban did not ban the IP address.
> In the script adaptive-ban-helper I do not see anything like "Failed to authenticate device" nor "Rejecting * due to a failure to pass"!?
> Can we improve this script for better protection?
> In the second case the attacker already knows the range of my extensions :-(
>
> Thanks,
> Dominko

------------------------------------------------------------------------------
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
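Matching the acl.c line Dominko quoted, as an added example that is not the AstLinux adaptive-ban-helper script or any code from the thread: a POSIX sh rule that pulls the source address out of the Asterisk 11 ACL rejection and counts repeat offenders per address, while leaving the chan_sip "Failed to authenticate device" lines alone because the host in their SIP URI is the client-supplied From header rather than the packet source. The function names are assumptions of mine and the sample log lines are constructed with RFC 5737 test addresses.

```shell
#!/bin/sh
# Added example, not the AstLinux adaptive-ban-helper script: match the Asterisk 11
# acl.c rejection quoted in the thread and count repeat offenders per source address.
# Assumptions: POSIX sh with sed, sort, uniq and awk; syslog lines in the format shown
# above; the addresses in the sample are constructed (RFC 5737 TEST-NET), not real.

# sed script: keep only ast_apply_acl rejections and print the address between the
# quotes.  That address comes from ast_sockaddr_stringify_addr(), i.e. the packet's
# real source, so it is something a firewall rule can act on.  IPv4 and IPv6 accepted.
ACL_REJECT_RE="s/.*acl\.c:[0-9]* in ast_apply_acl: .*Rejecting '\([0-9A-Fa-f.:]*\)' due to a failure to pass ACL .*/\1/p"

# Print the rejected address from a single log line, or nothing if it is not one.
acl_reject_ip() {
    printf '%s\n' "$1" | sed -n "$ACL_REJECT_RE"
}

# Read log lines on stdin; print "count address" for every address rejected at
# least $1 times.  "Failed to authenticate device 1002<sip:1002@...>" lines fall
# through untouched: the host in that URI is the client-supplied From header, not
# the packet source, so there is nothing safe to ban in them.
acl_ban_candidates() {
    sed -n "$ACL_REJECT_RE" | sort | uniq -c \
        | awk -v t="$1" '$1 >= t { print $1, $2 }'
}

# Constructed sample: three rejections from one host, one from another, and two
# authentication failures that carry no usable source address.
sample_log() {
    cat <<'EOF'
May 16 14:37:58 pbx local0.notice asterisk[1373]: NOTICE[1405]: acl.c:748 in ast_apply_acl: SIP Peer ACL: Rejecting '192.0.2.10' due to a failure to pass ACL '(BASELINE)'
May 16 14:37:58 pbx local0.notice asterisk[1373]: NOTICE[1405]: chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 300<sip:6000@198.51.100.7>;tag=3d36f9b6
May 16 14:37:59 pbx local0.notice asterisk[1373]: NOTICE[1405]: acl.c:748 in ast_apply_acl: SIP Peer ACL: Rejecting '192.0.2.10' due to a failure to pass ACL '(BASELINE)'
May 16 14:38:00 pbx local0.notice asterisk[1373]: NOTICE[1405]: acl.c:748 in ast_apply_acl: SIP Peer ACL: Rejecting '192.0.2.10' due to a failure to pass ACL '(BASELINE)'
May 16 14:38:02 pbx local0.notice asterisk[1373]: NOTICE[1405]: acl.c:748 in ast_apply_acl: SIP Peer ACL: Rejecting '192.0.2.99' due to a failure to pass ACL 'named_acl_example'
May 16 14:38:03 pbx local0.notice asterisk[1373]: NOTICE[1405]: chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 1002<sip:1002@198.51.100.7>;tag=c6a61c5c
EOF
}

# Hosts rejected three or more times in the sample.
sample_log | acl_ban_candidates 3    # prints: 3 192.0.2.10
```

Pointing the same pipeline at /var/log/messages instead of sample_log gives the candidate list a ban rule could consume; the second host is dropped at threshold 3 because a single rejection is not yet evidence of a scan.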