Lonnie, thanks for helping.
I am using Asterisk 11, without acl.conf. Just deny/permit in sip.conf.

Dominko




----- Original Message -----
From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
To: AstLinux Users Mailing List <astlinux-users@lists.sourceforge.net>
Cc: 
Sent: Friday, May 17, 2013 12:53 AM
Subject: Re: [Astlinux-users] Adaptive Ban plugin

Followup,

I'd like to hear from others with their comments.

I tested with Asterisk 11: the long-supported deny/permit in sip.conf will 
generate the "acl.c:.. Rejecting 'ip.xx.xx.xx'..." logs as noted below with a 
failed attempt outside of the deny/permit range.

The question for others here is whether such a failure is worthy for the Adaptive Ban 
plugin to match and blacklist the IP address?

The value of banning such an IP is not as useful as the case where this 
attacker is brute forcing passwords, since the ACL will always fail, but if 
this is a sign of a real attacking IP address then any clue to ban them is a 
good thing.

Other than misconfiguration, I can't think of a case when this would be a false 
positive or caused by a dialing error.

Should such a log cause the Adaptive Ban plugin to match and possibly ban?

Lonnie


On May 16, 2013, at 11:34 AM, Lonnie Abelbeck wrote:

> Hi Dominko,
> 
> Thanks for the log data, I can't find that acl.c log in Asterisk 1.8, that 
> log appears to have been added with Asterisk 11...
> --
> main/acl.c: 748:   ast_log(LOG_NOTICE, "%sRejecting '%s' due to a failure to 
> pass ACL '%s'\n", purpose ? purpose : "", ast_sockaddr_stringify_addr(addr), 
> ast_strlen_zero(acl->name) ? "(BASELINE)" : acl->name);
> --
> 
> At quick glance it seems like a good addition for the Adaptive Ban plugin to 
> match on, let me look into it some more.
> 
> Are you using the new acl.conf feature in Asterisk 11? Together with
> --
> acl=named_acl_example           ; Use named ACLs defined in acl.conf
> --
> Or are you just using deny/permit in sip.conf?
> 
> 
> Lonnie
> 
> 
> 
> On May 16, 2013, at 9:06 AM, Dominko Vrljic wrote:
> 
>> Hi all,
>> for several days I can see in my astlinux logs:
>> May 16 00:48:05 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>> 1002<sip:1002@95.56.155.46>;tag=9a886c0a
>> May 16 00:48:07 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>> 1002<sip:1002@95.56.155.46>;tag=c6a61c5c
>> May 16 00:48:08 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>> 1002<sip:1002@95.56.155.46>;tag=64baef1c
>> May 16 00:48:09 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>> 1002<sip:1002@95.56.155.46>;tag=5226ddea
>> May 16 02:14:27 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>> 1003<sip:1003@95.56.155.46>;tag=d87e3a60
>> May 16 02:14:28 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>> 1003<sip:1003@95.56.155.46>;tag=61408c7d
>> May 16 02:14:29 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>> 1003<sip:1003@95.56.155.46>;tag=09c2a9c0
>> 
>> 
>> and this:
>> May 16 14:37:58 pbx local0.notice asterisk[1373]: NOTICE[1405]: acl.c:748 in 
>> ast_apply_acl: SIP Peer ACL: Rejecting '94.23.248.122' due to a failure to 
>> pass ACL '(BASELINE)'
>> May 16 14:37:58 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>> 300<sip:6000@95.56.155.240>;tag=3d36f9b6
>> May 16 14:37:58 pbx local0.notice asterisk[1373]: NOTICE[1405]: acl.c:748 in 
>> ast_apply_acl: SIP Peer ACL: Rejecting '94.23.248.122' due to a failure to 
>> pass ACL '(BASELINE)'
>> May 16 14:37:58 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>> 300<sip:6000@95.56.155.240>;tag=23dbb252
>> May 16 14:37:59 pbx local0.notice asterisk[1373]: NOTICE[1405]: acl.c:748 in 
>> ast_apply_acl: SIP Peer ACL: Rejecting '94.23.248.122' due to a failure to 
>> pass ACL '(BASELINE)'
>> May 16 14:37:59 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>> 300<sip:6000@95.56.155.240>;tag=d9feaa3a
>> May 16 14:38:00 pbx local0.notice asterisk[1373]: NOTICE[1405]: acl.c:748 in 
>> ast_apply_acl: SIP Peer ACL: Rejecting '94.23.248.122' due to a failure to 
>> pass ACL '(BASELINE)'
>> May 16 14:38:00 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>> 300<sip:6000@95.56.155.240>;tag=07e1bfe9
>> 
>> 
>> In the first logs there is no source IP address of an attacker, and I do not 
>> expect adaptive ban to protect me.
>> But in the second case there is the IP address of the attacker, but adaptive ban did 
>> not ban the IP address.
>> In the script adaptive-ban-helper I do not see anything like "Failed to 
>> authenticate device" nor "Rejecting * due to a failure to pass"!?
>> Can we improve this script for better protection?
>> In the second case the attacker already knows the range of my extensions :-(
>> 
>> 
>> Thanks,
>> Dominko
> 
> 
> ------------------------------------------------------------------------------
> AlienVault Unified Security Management (USM) platform delivers complete
> security visibility with the essential security capabilities. Easily and
> efficiently configure, manage, and operate all of your security controls
> from a single console and one unified framework. Download a free trial.
> http://p.sf.net/sfu/alienvault_d2d
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> 
> Donations to support AstLinux are graciously accepted via PayPal to 
> pay...@krisk.org.
> 
> 
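As an added example that is not part of the original thread (and not the AstLinux adaptive-ban-helper script itself), the following hypothetical Python matcher classifies the two Asterisk 11 log formats quoted above: the acl.c "Rejecting" line carries the packet source address that failed the ACL and can be counted toward a ban, while the chan_sip "Failed to authenticate device" line only carries the host from the client-supplied From URI, which is why it yields no bannable address. The sample log lines are constructed from those quoted in the thread; the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical matcher (not the AstLinux adaptive-ban-helper) for the two log formats in the thread.
ACL_REJECT = re.compile(
    r"acl\.c:\d+ in ast_apply_acl: .*Rejecting '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})' "
    r"due to a failure to pass ACL '(?P<acl>[^']*)'"
)
# The host in <sip:user@host> is whatever the client put in its From URI, not the
# packet source, so this pattern deliberately yields no address to ban.
SIP_AUTH_FAIL = re.compile(
    r"chan_sip\.c:\d+ in handle_request_invite: Failed to authenticate device "
    r"(?P<device>\S+?)<sip:(?P<user>[^@]+)@(?P<host>[^>]+)>"
)
SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")

def classify(line):
    """Return ('acl_reject', source_ip), ('sip_auth_fail', None) or (None, None)."""
    m = ACL_REJECT.search(line)
    if m:
        return "acl_reject", m.group("ip")
    if SIP_AUTH_FAIL.search(line):
        return "sip_auth_fail", None
    return None, None

def ban_candidates(lines, threshold=3, window_seconds=60, year=2013):
    """IPs with >= threshold ACL rejections inside a sliding window (syslog lines lack a year)."""
    hits, banned = defaultdict(list), []
    for line in lines:
        kind, ip = classify(line)
        if kind != "acl_reject":
            continue
        stamp = SYSLOG_TS.match(line).group("ts")
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        # keep only timestamps still inside the window, then add this one
        hits[ip] = [t for t in hits[ip] if (ts - t).total_seconds() <= window_seconds] + [ts]
        if len(hits[ip]) >= threshold and ip not in banned:
            banned.append(ip)
    return banned

# Constructed sample, shaped like the lines quoted in the thread (one syslog line each).
PREFIX = "pbx local0.notice asterisk[1373]: NOTICE[1405]: "
ACL_LINE = PREFIX + "acl.c:748 in ast_apply_acl: SIP Peer ACL: Rejecting '94.23.248.122' due to a failure to pass ACL '(BASELINE)'"
SIP_LINE = PREFIX + "chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 300<sip:6000@95.56.155.240>;tag=3d36f9b6"
SAMPLE_LOG = [
    "May 16 14:37:58 " + ACL_LINE, "May 16 14:37:58 " + SIP_LINE,
    "May 16 14:37:59 " + ACL_LINE, "May 16 14:38:00 " + ACL_LINE,
]
```

Run with `ban_candidates(SAMPLE_LOG)` to see that only the ACL-rejected source address is returned; the chan_sip lines never contribute a candidate.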

