Hi Dominko,

Your Adaptive Ban suggestion has been added to the SVN.  Thanks!

http://sourceforge.net/p/astlinux/code/6090

Lonnie



On May 17, 2013, at 7:09 AM, Dominko Vrljic wrote:

> Lonnie, thanks for helping.
> I am using Asterisk 11, without acl.conf. Just deny/permit in sip.conf.
> 
> Dominko
> 
> 
> ----- Original Message -----
> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> To: AstLinux Users Mailing List <astlinux-users@lists.sourceforge.net>
> Cc: 
> Sent: Friday, May 17, 2013 12:53 AM
> Subject: Re: [Astlinux-users] Adaptive Ban plugin
> 
> Followup,
> 
> I'd like to hear from others with their comments.
> 
> I tested with Asterisk 11: the long-supported deny/permit in sip.conf will 
> generate the "acl.c:.. Rejecting 'ip.xx.xx.xx'..." logs as noted below with a 
> failed attempt outside of the deny/permit range.
> 
> The question for others here: is such a failure worthy for the Adaptive Ban 
> plugin to match and blacklist the IP address?
> 
> The value of banning such an IP is not as useful as the case where this 
> attacker is brute forcing passwords, since the ACL will always fail, but if 
> this is a sign of a real attacking IP address then any clue to ban them is a 
> good thing.
> 
> Other than misconfiguration, I can't think of a case when this would be a 
> false positive or caused by a dialing error.
> 
> Should such a log cause the Adaptive Ban plugin to match and possibly ban?
> 
> Lonnie
> 
> 
> On May 16, 2013, at 11:34 AM, Lonnie Abelbeck wrote:
> 
>> Hi Dominko,
>> 
>> Thanks for the log data. I can't find that acl.c log in Asterisk 1.8; that 
>> log appears to have been added with Asterisk 11...
>> --
>> main/acl.c: 748:   ast_log(LOG_NOTICE, "%sRejecting '%s' due to a failure to 
>> pass ACL '%s'\n", purpose ? purpose : "", ast_sockaddr_stringify_addr(addr), 
>> ast_strlen_zero(acl->name) ? "(BASELINE)" : acl->name);
>> --
>> 
>> At quick glance it seems like a good addition for the Adaptive Ban plugin to 
>> match on, let me look into it some more.
>> 
>> Are you using the new acl.conf feature in Asterisk 11? Together with
>> --
>> acl=named_acl_example           ; Use named ACLs defined in acl.conf
>> --
>> Or are you just using deny/permit in sip.conf?
>> 
>> 
>> Lonnie
>> 
>> 
>> 
>> On May 16, 2013, at 9:06 AM, Dominko Vrljic wrote:
>> 
>>> Hi all,
>>> for several days I can see in my astlinux logs:
>>> May 16 00:48:05 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>>> 1002<sip:1002@95.56.155.46>;tag=9a886c0a
>>> May 16 00:48:07 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>>> 1002<sip:1002@95.56.155.46>;tag=c6a61c5c
>>> May 16 00:48:08 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>>> 1002<sip:1002@95.56.155.46>;tag=64baef1c
>>> May 16 00:48:09 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>>> 1002<sip:1002@95.56.155.46>;tag=5226ddea
>>> May 16 02:14:27 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>>> 1003<sip:1003@95.56.155.46>;tag=d87e3a60
>>> May 16 02:14:28 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>>> 1003<sip:1003@95.56.155.46>;tag=61408c7d
>>> May 16 02:14:29 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>>> 1003<sip:1003@95.56.155.46>;tag=09c2a9c0
>>> 
>>> 
>>> and this:
>>> May 16 14:37:58 pbx local0.notice asterisk[1373]: NOTICE[1405]: acl.c:748 
>>> in ast_apply_acl: SIP Peer ACL: Rejecting '94.23.248.122' due to a failure 
>>> to pass ACL '(BASELINE)'
>>> May 16 14:37:58 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>>> 300<sip:6000@95.56.155.240>;tag=3d36f9b6
>>> May 16 14:37:58 pbx local0.notice asterisk[1373]: NOTICE[1405]: acl.c:748 
>>> in ast_apply_acl: SIP Peer ACL: Rejecting '94.23.248.122' due to a failure 
>>> to pass ACL '(BASELINE)'
>>> May 16 14:37:58 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>>> 300<sip:6000@95.56.155.240>;tag=23dbb252
>>> May 16 14:37:59 pbx local0.notice asterisk[1373]: NOTICE[1405]: acl.c:748 
>>> in ast_apply_acl: SIP Peer ACL: Rejecting '94.23.248.122' due to a failure 
>>> to pass ACL '(BASELINE)'
>>> May 16 14:37:59 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>>> 300<sip:6000@95.56.155.240>;tag=d9feaa3a
>>> May 16 14:38:00 pbx local0.notice asterisk[1373]: NOTICE[1405]: acl.c:748 
>>> in ast_apply_acl: SIP Peer ACL: Rejecting '94.23.248.122' due to a failure 
>>> to pass ACL '(BASELINE)'
>>> May 16 14:38:00 pbx local0.notice asterisk[1373]: NOTICE[1405]: 
>>> chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 
>>> 300<sip:6000@95.56.155.240>;tag=07e1bfe9
>>> 
>>> 
>>> In the first logs there is no source IP address of an attacker, and I do not 
>>> expect adaptive ban to protect me.
>>> But in the second case there is the IP address of the attacker, but adaptive 
>>> ban did not ban the IP address.
>>> In the script adaptive-ban-helper I do not see something like "Failed to 
>>> authenticate device" nor "Rejecting * due to a failure to pass"!?
>>> Can we improve this script for better protection?
>>> In the second case the attacker already knows the range of my extensions :-(
>>> 
>>> 
>>> Thanks,
>>> Dominko
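
As an added example (not AstLinux's adaptive-ban-helper and not code from this thread), the filter below shows the detection logic the thread converges on: match the Asterisk 11 acl.c rejection notice, pull out the rejected source address, and count rejections per address, while showing that the chan_sip "Failed to authenticate device" notices carry no source address to act on. The log lines are constructed from the ones quoted above, and the ban threshold of 3 is an assumption.

```shell
#!/bin/sh
# Added example, not the AstLinux adaptive-ban-helper script itself: match the
# acl.c notice quoted in the thread, extract the rejected source address and
# count rejections per address against a ban threshold.

# Constructed sample modelled on Dominko's log: 4 acl.c rejections from one
# address interleaved with 4 chan_sip authentication failures.
SAMPLE_LOG="May 16 14:37:58 pbx local0.notice asterisk[1373]: NOTICE[1405]: acl.c:748 in ast_apply_acl: SIP Peer ACL: Rejecting '94.23.248.122' due to a failure to pass ACL '(BASELINE)'
May 16 14:37:58 pbx local0.notice asterisk[1373]: NOTICE[1405]: chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 300<sip:6000@95.56.155.240>;tag=3d36f9b6
May 16 14:37:58 pbx local0.notice asterisk[1373]: NOTICE[1405]: acl.c:748 in ast_apply_acl: SIP Peer ACL: Rejecting '94.23.248.122' due to a failure to pass ACL '(BASELINE)'
May 16 14:37:58 pbx local0.notice asterisk[1373]: NOTICE[1405]: chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 300<sip:6000@95.56.155.240>;tag=23dbb252
May 16 14:37:59 pbx local0.notice asterisk[1373]: NOTICE[1405]: acl.c:748 in ast_apply_acl: SIP Peer ACL: Rejecting '94.23.248.122' due to a failure to pass ACL '(BASELINE)'
May 16 14:37:59 pbx local0.notice asterisk[1373]: NOTICE[1405]: chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 300<sip:6000@95.56.155.240>;tag=d9feaa3a
May 16 14:38:00 pbx local0.notice asterisk[1373]: NOTICE[1405]: acl.c:748 in ast_apply_acl: SIP Peer ACL: Rejecting '94.23.248.122' due to a failure to pass ACL '(BASELINE)'
May 16 14:38:00 pbx local0.notice asterisk[1373]: NOTICE[1405]: chan_sip.c:25152 in handle_request_invite: Failed to authenticate device 300<sip:6000@95.56.155.240>;tag=07e1bfe9"

# Print the source address of each acl.c rejection, one per line. The single
# quote is the field separator, so $2 is exactly the quoted address as
# ast_sockaddr_stringify_addr printed it (IPv4 or IPv6).
acl_reject_ips() {
    awk -F"'" '/acl\.c:[0-9]+ in ast_apply_acl: .*Rejecting / && /due to a failure to pass ACL/ { print $2 }'
}

# Count "Failed to authenticate device" notices. They name only the dialled
# SIP URI, not the peer's source address, so there is nothing here to ban on.
auth_failures_without_ip() {
    grep -c 'chan_sip\.c:[0-9]* in handle_request_invite: Failed to authenticate device ' || true
}

# Print "<address> <count>" for every address with at least $1 rejections.
# With deny/permit the ACL fails every time for an out-of-range peer, so
# repeated hits from one address are a strong signal (misconfiguration aside).
ban_candidates() {
    acl_reject_ips | sort | uniq -c | awk -v t="$1" '$1 >= t { print $2, $1 }'
}

# Stand-alone run over the constructed sample with a threshold of 3 (assumed).
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3
```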


_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users