Re: [asterisk-users] Decoding SIP register hack
On 05/17/2018 04:47 PM, Daniel Tryba wrote:
> On Thu, May 17, 2018 at 12:27:17PM -0400, sean darcy wrote:
> > > WARNING.* .*: fail2ban='<HOST>'
> > >
> > > # Option: ignoreregex
> > > # Notes.: regex to ignore. If this regex matches, the line is ignored.
> > > # Values: TEXT
> > > #
> > > ignoreregex =
> >
> > Thanks. Very useful as a tutorial for fail2ban.
> >
> > But I don't think it covers this SIP hack. This guy isn't trying to register.
>
> His filter doesn't only trigger on REGISTERs, see the last line of the matches and the context for guests (which logs the pattern of the last line of the filter on an INVITE).

I'm far from a regex expert, but I don't think that last line would capture anything in the invite. In fact, asterisk doesn't throw any WARNING at all for this INVITE. I'm not sure, but I don't even see how you can get asterisk to log these invites at all. There's no heading such as WARNING (or NOTICE, SECURITY, etc).

> > That's why I find it puzzling. What is he trying to do ?
>
> There are sip servers publicly reachable that will relay INVITEs, make sure yours aren't. And there are only 2 kinds of operators of sip server:
> - those that have been the victim of toll fraud
> - those that will be the victim of toll fraud
>
> You can do nothing to stop this kind of traffic. The only thing you can do is block it, either using only a whitelist (cumbersome) or generate a blacklist with for example fail2ban or a more elaborate honeypot setup. Or setup a proxy that will filter patterns you discover from
>
> BTW this is not a person, this is an automated script, running most likely on compromised machines and sending spoofed ips. These scripts care about generating a ring on a phone (again most an abusable/hacked account (or purchased with CC fraud)). If they find a server that does, it will be targeted for all kind of fraud.

Very interesting.

sean

--
Bandwidth and Colocation Provided by http://www.api-digital.com
Check out the new Asterisk community forum at: https://community.asterisk.org/
New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started
asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Decoding SIP register hack
On Thu, 17 May 2018, Daniel Tryba wrote:
> You can do nothing to stop this kind of traffic. The only thing you can do is block it, either using only a whitelist (cumbersome) or generate a blacklist with for example fail2ban or a more elaborate honeypot setup. Or setup a proxy that will filter patterns you discover from

Keep in mind that since this is UDP, source addresses can be spoofed so any automated solution will need a whitelist so you don't get tricked into blocking legitimate traffic.

And since you 'need a whitelist' why not just use that and block everything else?

A clever solution to a mobile user base is to use knockd to allow remote access.

--
Thanks in advance,
- Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST https://www.linkedin.com/in/steve-edwards-4244281
Re: [asterisk-users] Decoding SIP register hack
On Thu, May 17, 2018 at 12:27:17PM -0400, sean darcy wrote:
> > WARNING.* .*: fail2ban='<HOST>'
> >
> > # Option: ignoreregex
> > # Notes.: regex to ignore. If this regex matches, the line is ignored.
> > # Values: TEXT
> > #
> > ignoreregex =
>
> Thanks. Very useful as a tutorial for fail2ban.
>
> But I don't think it covers this SIP hack. This guy isn't trying to register.

His filter doesn't only trigger on REGISTERs, see the last line of the matches and the context for guests (which logs the pattern of the last line of the filter on an INVITE).

> That's why I find it puzzling. What is he trying to do ?

There are sip servers publicly reachable that will relay INVITEs, make sure yours aren't. And there are only 2 kinds of operators of sip server:
- those that have been the victim of toll fraud
- those that will be the victim of toll fraud

You can do nothing to stop this kind of traffic. The only thing you can do is block it, either using only a whitelist (cumbersome) or generate a blacklist with for example fail2ban or a more elaborate honeypot setup. Or setup a proxy that will filter patterns you discover from

BTW this is not a person, this is an automated script, running most likely on compromised machines and sending spoofed ips. These scripts care about generating a ring on a phone (again most an abusable/hacked account (or purchased with CC fraud)). If they find a server that does, it will be targeted for all kind of fraud.
[asterisk-users] AMI status events with res_fax_spandsp.so
Is anyone else using the AMI with res_fax_spandsp.so for real-time status?

I am working on migrating a FAX application from res_fax_digium.so to res_fax_spandsp.so. I have noticed that the spandsp module generates far fewer AMI status events than the Digium module and the generated events contain less information. For example when sending a fax there is no longer an event for every page. There are just a few FaxStatus events at the beginning and a couple at the end but they don't contain many details. I can pull the required information from the Asterisk console by running fax show session but that output isn't suitable for parsing. There doesn't seem to be a great deal of information about res_fax_spandsp.so via Google.

FaxStatus with res_fax_spandsp.so:

Event: FAXStatus
Privilege: call,all
Operation: send
Status: FAX Transmission In Progress
Channel: Local/1952253@from-internal-user-0001;1
Context: send_fax
Exten: s
CallerID: 1763210
LocalStationID: 1763210
FileName: /tmp/faxes/1526583220391_merged.tiff

FaxStatus with res_fax_digium.so:

Event: FaxStatus
Privilege: call,all
Channel: Local/1952253@from-internal-user-0001;1
FAX Session: 1
Operating Mode: FAX_TRANSMITTING
Result: RSLT_IN_PROGRESS
Error: NO_ERROR
Call Duration: 12.088
ECM Mode: yes
Data Rate: 14400
Image Resolution: 204x196
Image Encoding: ENC_MMR
Page Size: LT
Document Number: 1
Page Number: 1
File Name: '/tmp/faxes/1526583612555_merged.tiff'
Tx Pages: 0
Tx Bytes: 512
Total Tx Lines: 0
Rx Pages: 0
Rx Bytes: 0
Total Rx Lines: 0
Total Bad Lines: 0
DIS/DCS/DTC/CTC Count: 2
CFR Count: 1
FTT Count: 0
MCF Count: 0
PPR Count: 0
RTN Count: 0
DCN Count: 0
Remote StationID: '952253 '

I am using options dfzs with the SendFAX application on Asterisk 11.6-cert18.

Steven Wheeler
Re: [asterisk-users] SIP Codec negotiation
On Fri, May 11, 2018, at 10:36 AM, Steve Edwards wrote:
> > So, Asterisk will defer its choice of codec to match the codec it detects in the incoming stream?

On Fri, 11 May 2018, Joshua Colp wrote:
> It depends on the channel driver and configuration. The chan_sip module always matches the outgoing codec to the incoming codec. The chan_pjsip module has an option to do that (which is on by default).

Is this why I see occasional notices in my log file like:

Dropping incompatible voice frame on SIP/xxx of format ulaw since our native format has changed to (gsm)

--
Thanks in advance,
- Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST https://www.linkedin.com/in/steve-edwards-4244281
Re: [asterisk-users] Decoding SIP register hack
On 05/17/2018 11:38 AM, Frank Vanoni wrote:
> On Thu, 2018-05-17 at 11:18 -0400, sean darcy wrote:
> > 3. How do I set up the server to block these ?
> >
> > 4. Can I stop the retransmitting of the 401 Unauthorized packets ?
>
> I'm happy with Fail2Ban protecting my Asterisk 13. Here is my configuration:
>
> in /etc/asterisk/logger.conf:
>
> messages => security,notice,warning,error
>
> in /etc/asterisk/sip.conf:
>
> allowguest=yes
> context=unauthenticated
>
> in /etc/asterisk/extensions.conf:
>
> [unauthenticated]
> ;; Incoming calls from unauthenticated caller -> Fail2Ban
> exten => _X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
> exten => _X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
> exten => _X.,3,HangUp()
> exten => _+X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
> exten => _+X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
> exten => _+X.,3,HangUp()
>
> in /etc/fail2ban/jail.conf:
>
> [asterisk]
> filter = asterisk
> action = iptables-allports[name=ASTERISK]
> logpath = /var/log/asterisk/messages
> maxretry = 1
> findtime = 86400
> bantime = 518400
> enabled = true
>
> in /etc/fail2ban/filter.d:
>
> # Fail2Ban configuration file
> #
> #
> # $Revision: 250 $
> #
>
> [INCLUDES]
>
> # Read common prefixes. If any customizations available -- read them from
> # common.local
> #before = common.conf
>
> [Definition]
>
> #_daemon = asterisk
>
> # Option: failregex
> # Notes.: regex to match the password failures messages in the logfile. The
> # host must be matched by a group named "host". The tag "<HOST>" can
> # be used for standard IP/hostname matching and is only an alias for
> # (?:::f{4,6}:)?(?P<host>\S+)
> # Values: TEXT
> #
> failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
>             NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
>             NOTICE.* chan_sip.c: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Not a local domain
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device not configured to use this transport type
>             NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
>             NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
>             NOTICE.* .*: Host <HOST> denied access to register peer '.*'
>             NOTICE.* .*: Host <HOST> did not provide proper plaintext password for '.*'
>             NOTICE.* .*: Registration of '.*' rejected: '.*' from: '<HOST>'
>             NOTICE.* .*: Peer '.*' is not dynamic \(from <HOST>\)
>             NOTICE.* .*: Host <HOST> denied access to register peer '.*'
>             SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             SECURITY.* .*: SecurityEvent="FailedACL".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             SECURITY.* .*: SecurityEvent="ChallengeResponseFailed".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
>             SECURITY.* .*: SecurityEvent="ChallengeSent".*,Severity="Informational",Service="SIP".*,AccountID="sip:.*@93.94.247.123".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             WARNING.* .*: fail2ban='<HOST>'
>
> # Option: ignoreregex
> # Notes.: regex to ignore. If this regex matches, the line is ignored.
> # Values: TEXT
> #
> ignoreregex =

Thanks. Very useful as a tutorial for fail2ban.

But I don't think it covers this SIP hack. This guy isn't trying to register. That's why I find it puzzling. What is he trying to do ?

sean
Re: [asterisk-users] Decoding SIP register hack
On Thu, 2018-05-17 at 11:18 -0400, sean darcy wrote:
> 3. How do I set up the server to block these ?
>
> 4. Can I stop the retransmitting of the 401 Unauthorized packets ?

I'm happy with Fail2Ban protecting my Asterisk 13. Here is my configuration:

in /etc/asterisk/logger.conf:

messages => security,notice,warning,error

in /etc/asterisk/sip.conf:

allowguest=yes
context=unauthenticated

in /etc/asterisk/extensions.conf:

[unauthenticated]
;; Incoming calls from unauthenticated caller -> Fail2Ban
exten => _X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
exten => _X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _X.,3,HangUp()
exten => _+X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
exten => _+X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _+X.,3,HangUp()

in /etc/fail2ban/jail.conf:

[asterisk]
filter = asterisk
action = iptables-allports[name=ASTERISK]
logpath = /var/log/asterisk/messages
maxretry = 1
findtime = 86400
bantime = 518400
enabled = true

in /etc/fail2ban/filter.d:

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
            NOTICE.* chan_sip.c: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Not a local domain
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device not configured to use this transport type
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Host <HOST> denied access to register peer '.*'
            NOTICE.* .*: Host <HOST> did not provide proper plaintext password for '.*'
            NOTICE.* .*: Registration of '.*' rejected: '.*' from: '<HOST>'
            NOTICE.* .*: Peer '.*' is not dynamic \(from <HOST>\)
            NOTICE.* .*: Host <HOST> denied access to register peer '.*'
            SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="FailedACL".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="ChallengeResponseFailed".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
            SECURITY.* .*: SecurityEvent="ChallengeSent".*,Severity="Informational",Service="SIP".*,AccountID="sip:.*@93.94.247.123".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            WARNING.* .*: fail2ban='<HOST>'

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
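The filter above is the whole detection layer in this thread, so it is worth seeing exactly what it does and does not catch. The Python script below is an editor-added example, not Frank's configuration and not fail2ban's own code: it expands the `<HOST>` tag into the named group that the filter's comment documents, runs three of the failregex lines from the filter over a few constructed Asterisk log lines (RFC 5737 documentation addresses; the exact field layout of the `Log(WARNING,...)` output and of the SECURITY event is approximated) plus the retrans_pkt warning quoted in the original post, and applies the jail's maxretry rule. The retransmission warning matches none of the patterns, which is the gap sean points out: a warning line like that gives the filter nothing to act on, and Daniel's reply points at the guest context as the place where an unauthenticated INVITE produces a loggable line.

```python
import re
from collections import Counter

# Editor-added example, not code from the thread or from fail2ban. It mirrors
# the core of what fail2ban does with a filter: expand <HOST> into the named
# group the filter's comment documents, search every log line with the
# expanded patterns, count matches per host, then apply maxretry.

# Three of the failregex lines from the posted filter, <HOST> tag intact.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r'SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"',
    r"WARNING.* .*: fail2ban='<HOST>'",
]
IGNOREREGEX = []  # the posted filter leaves ignoreregex empty

# The alias fail2ban documents for <HOST>: an optional IPv4-mapped prefix and a
# group named "host" that the ban action reads back.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"


def compile_filter(patterns):
    """Expand <HOST> in each fail2ban pattern and compile it."""
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]


def matching_hosts(lines, failregex=FAILREGEX, ignoreregex=IGNOREREGEX):
    """Counter of host -> number of lines a failregex caught (ignoreregex wins)."""
    fail = compile_filter(failregex)
    ignore = compile_filter(ignoreregex)
    hits = Counter()
    for line in lines:
        if any(r.search(line) for r in ignore):
            continue
        for r in fail:
            m = r.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits


def unmatched_lines(lines, failregex=FAILREGEX):
    """Lines no failregex catches; these never contribute to a ban."""
    fail = compile_filter(failregex)
    return [line for line in lines if not any(r.search(line) for r in fail)]


def hosts_to_ban(lines, maxretry=1, **kwargs):
    """Hosts whose hit count reached maxretry (the posted jail uses 1)."""
    return sorted(h for h, n in matching_hosts(lines, **kwargs).items() if n >= maxretry)


SAMPLE_LOG = [
    # Quoted from the original post: the retransmission timeout. No pattern in
    # the filter mentions it, so it never feeds a ban.
    "[May 17 10:08:08] WARNING[1532]: chan_sip.c:4068 retrans_pkt: Retransmission timeout reached on transmission _zIr9tDtBxeTVTY5F7z8kD7R.. for seqno 101",
    # Constructed lines in the shape the three patterns expect (documentation
    # addresses; field layout approximated).
    "[May 17 10:09:12] NOTICE[1532]: chan_sip.c:28870 handle_request_register: Registration from '\"100\" <sip:100@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password",
    "[May 17 10:10:02] WARNING[1532][C-00000003]: Ext. 0048223079992:1 @ unauthenticated: fail2ban='192.0.2.77'",
    '[May 17 10:10:05] SECURITY[1540] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2018-05-17T10:10:05.000-0400",Severity="Error",Service="SIP",EventVersion="1",AccountID="9353",SessionID="0x7f1c",LocalAddress="IPV4/UDP/192.0.2.1/5060",RemoteAddress="IPV4/UDP/192.0.2.77/29281"',
]

if __name__ == "__main__":
    print("hits per host:", dict(matching_hosts(SAMPLE_LOG)))
    print("ban with maxretry=1:", hosts_to_ban(SAMPLE_LOG))
    print("ban with maxretry=2:", hosts_to_ban(SAMPLE_LOG, maxretry=2))
    for line in unmatched_lines(SAMPLE_LOG):
        print("uncaught:", line)
```

Real fail2ban strips the timestamp prefix before matching and applies findtime windows; both are omitted here because the patterns start with the log level and the point is which lines match at all.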
[asterisk-users] Decoding SIP register hack
I need some help understanding SIP dialog. Some actor is trying to access my server, but I can't figure out what he's trying to do, or how.

I'm getting a lot of these warnings.

[May 17 10:08:08] WARNING[1532]: chan_sip.c:4068 retrans_pkt: Retransmission timeout reached on transmission _zIr9tDtBxeTVTY5F7z8kD7R.. for seqno 101

With SIP DEBUG I tracked the Call-ID to this INVITE :

<--- SIP read from UDP:192.111.139.146:29281 --->
INVITE sip:+48223079992@67.80.191.250:5060 SIP/2.0
Via: SIP/2.0/UDP 100.149.241.68:5060;branch=z4hG4bK-966187-1---q9ft4HdLB4ZeBqs;rport=5060
Contact: ;+sip.instance=""
Max-Forwards: 70
To: :5060>
From: "Caller":5060>;tag=sXPNixD5Ui42V
Call-ID: _zIr9tDtBxeTVTY5F7z8kD7R..
CSeq: 101 INVITE
Content-Type: application/sdp
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO
Supported: replaces
User-Agent: GSM
Allow-Events: hold, talk, conference
Accept: application/sdp
Content-Length: 771

v=0
o=CiscoSystemsSIP-IPPhone 18338 11953 IN IP4 100.149.241.68
s=SIP Call
c=IN IP4 100.149.241.68
t=0 0
m=audio 2 RTP/AVP 0 8 18 101
a=rtpmap:3 gsm/8000
a=rtpmap:96 speex/8000
a=rtpmap:97 speex/8000
a=fmtp:97 mode=2
a=rtpmap:98 speex/8000
a=fmtp:98 mode=5
a=rtpmap:99 speex/8000
a=fmtp:99 mode=7
a=rtpmap:107 speex/32000
a=fmtp:107 mode=10
a=rtpmap:0 pcmu/8000
a=rtpmap:8 pcma/8000
a=rtpmap:108 ilbc/8000
a=rtpmap:113 g7231/8000
a=rtpmap:18 g729/8000
a=rtpmap:100 G726-16/8000
a=rtpmap:101 G726-24/8000
a=rtpmap:2 G726-32/8000
a=rtpmap:2 G726-32/8000
a=rtpmap:103 G726-40/8000
a=rtpmap:4 g723/8000
a=fmtp:18 annexb=no
a=rtpmap:109 ilbc/8000
a=fmtp:109 mode=20
a=rtpmap:110 telephone-event/8000
a=fmtp:110 0-15
a=ptime:20
a=sendrecv
<->
--- (15 headers 34 lines) ---
Sending to 192.111.139.146:29281 (NAT)
Sending to 192.111.139.146:29281 (NAT)
Using INVITE request as basis request - _zIr9tDtBxeTVTY5F7z8kD7R..
No matching peer for '9353' from '192.111.139.146:29281'
..

Which then generates a lot of transmissions showing Unauthorized:

..
Retransmitting #10 (NAT) to 192.111.139.146:29281:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 100.149.241.68:5060;branch=z4hG4bK-966187-1---q9ft4HdLB4ZeBqs;received=192.111.139.146;rport=29281
From: "Caller":5060>;tag=sXPNixD5Ui42V
To: :5060>;tag=as1f60e6dd
Call-ID: _zIr9tDtBxeTVTY5F7z8kD7R..
CSeq: 101 INVITE
Server: Asterisk PBX 13.21.0-rc1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk_home", nonce="0794806c"
Content-Length: 0

1. What's this guy trying to do ? It looks like he's trying to generate a call from the server to a Polish number. Why bother ?

2. What's the role of the Via and the Contact line ? The 100.149.241.68 seems to be a cell phone. 100.128.0.0/9 is T-mobile.

3. How do I set up the server to block these ?

4. Can I stop the retransmitting of the 401 Unauthorized packets ?

Any help appreciated.

sean
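Question 2 goes unanswered in the thread, and it is the piece that decides what an automated block may key on. The Via header carries the address the sender claims as its own (here 100.149.241.68:5060, in the T-Mobile range); the UDP source the kernel reported was 192.111.139.146:29281. RFC 3261 section 18.2.1 has the server record the real source in a received= parameter when it differs from the sent-by host, and RFC 3581 has it fill rport= with the real source port when the sender asked for it, which is exactly what the Via in the 401 above shows. The Python below is an editor-added example, not Asterisk code: it parses the top Via of a request, applies those two rules, and flags the mismatch. The sample INVITE is rebuilt from the headers visible in the post; the To and From URIs were stripped by the archive, so those two lines are constructed placeholders. Two practical points follow. A blocklist must use the socket source, never the Via host, or it bans the wrong party. And, as Steve notes further up, the socket source of a single UDP datagram can itself be forged, so a ban decision should rest on evidence the sender cannot fake cheaply rather than on this header alone. The script also checks that the branch parameter starts with the z9hG4bK cookie RFC 3261 requires; the posted INVITE's branch does not, which is a cheap thing to log.

```python
import re
from dataclasses import dataclass

# Editor-added example, not code from the thread or from Asterisk. It applies
# the two rules a SIP server follows when echoing a request's top Via back in
# a response (RFC 3261 18.2.1: add received= when the sent-by host is not the
# packet source; RFC 3581: fill rport= with the source port when the sender
# asked for it) and reports whether the claimed and real addresses agree.

MAGIC_COOKIE = "z9hG4bK"  # required prefix of an RFC 3261 branch value

VIA_RE = re.compile(
    r"^SIP/2\.0/(?P<transport>[A-Za-z]+)\s+"
    r"(?P<host>\[[^\]]+\]|[^;:\s]+)(?::(?P<port>\d+))?"
    r"(?P<params>(?:;[^;]*)*)$"
)


def parse_params(raw):
    """';branch=x;rport' -> [('branch', 'x'), ('rport', None)]"""
    out = []
    for item in raw.split(";"):
        if not item.strip():
            continue
        name, sep, value = item.partition("=")
        out.append((name.strip(), value.strip() if sep else None))
    return out


@dataclass
class ViaCheck:
    transport: str
    sent_by_host: str   # address the sender wrote into Via
    sent_by_port: int
    source_ip: str      # address the socket actually reported
    source_port: int
    branch: str
    rewritten: str      # Via as the server will echo it in its response

    @property
    def host_mismatch(self):
        return self.sent_by_host != self.source_ip

    @property
    def port_mismatch(self):
        return self.sent_by_port != self.source_port

    @property
    def rfc3261_branch(self):
        return self.branch.startswith(MAGIC_COOKIE)


def annotate_via(via_value, source_ip, source_port):
    """Rebuild one Via value the way a server does before placing it in a response."""
    m = VIA_RE.match(via_value.strip())
    if not m:
        raise ValueError(f"unparseable Via: {via_value!r}")
    params = parse_params(m.group("params"))
    wants_rport = any(k.lower() == "rport" for k, _ in params)
    branch = next((v for k, v in params if k.lower() == "branch"), "") or ""
    # Only the receiving server may set received/rport; drop any the client sent.
    kept = [(k, v) for k, v in params if k.lower() not in ("received", "rport")]
    host = m.group("host")
    port = int(m.group("port")) if m.group("port") else 5060  # RFC 3261 default
    if host != source_ip:
        kept.append(("received", source_ip))
    if wants_rport:
        kept.append(("rport", str(source_port)))
    sent_by = host + (":" + m.group("port") if m.group("port") else "")
    param_text = "".join(";" + k if v is None else f";{k}={v}" for k, v in kept)
    rewritten = f"SIP/2.0/{m.group('transport')} {sent_by}{param_text}"
    return ViaCheck(m.group("transport"), host, port, source_ip, source_port, branch, rewritten)


def top_via(message):
    """Value of the first Via (or compact 'v') header of a raw SIP message."""
    for line in message.split("\r\n"):
        if line == "":
            break  # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("via", "v"):
            return value.strip()
    raise ValueError("no Via header")


def check_request(message, source_ip, source_port):
    return annotate_via(top_via(message), source_ip, source_port)


# Rebuilt from the headers visible in the post; To and From are constructed
# placeholders because the archive stripped the original URIs.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:+48223079992@67.80.191.250:5060 SIP/2.0",
    "Via: SIP/2.0/UDP 100.149.241.68:5060;branch=z4hG4bK-966187-1---q9ft4HdLB4ZeBqs;rport=5060",
    "Max-Forwards: 70",
    "To: <sip:+48223079992@67.80.191.250:5060>",
    'From: "Caller" <sip:caller@example.invalid>;tag=sXPNixD5Ui42V',
    "Call-ID: _zIr9tDtBxeTVTY5F7z8kD7R..",
    "CSeq: 101 INVITE",
    "Content-Length: 0",
    "",
    "",
])

if __name__ == "__main__":
    c = check_request(SAMPLE_INVITE, "192.111.139.146", 29281)
    print("claimed:", c.sent_by_host, c.sent_by_port, "| actual:", c.source_ip, c.source_port)
    print("host mismatch:", c.host_mismatch, "| port mismatch:", c.port_mismatch,
          "| RFC 3261 branch:", c.rfc3261_branch)
    print("Via in response:", c.rewritten)
```

Run against the post's source address and port, the rewritten Via comes out identical to the one Asterisk put in its 401, and both mismatch flags are set; the same request arriving from the address it claims produces no received= parameter.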