Re: [asterisk-users] Decoding SIP register hack

2018-05-17 Thread sean darcy

On 05/17/2018 04:47 PM, Daniel Tryba wrote:

> On Thu, May 17, 2018 at 12:27:17PM -0400, sean darcy wrote:
>
> > > WARNING.* .*: fail2ban='<HOST>'
> > >
> > > # Option:  ignoreregex
> > > # Notes.:  regex to ignore. If this regex matches, the line is ignored.
> > > # Values:  TEXT
> > > #
> > > ignoreregex =
> >
> > Thanks. Very useful as a tutorial for fail2ban.
> >
> > But I don't think it covers this SIP hack. This guy isn't trying to
> > register.
>
> His filter doesn't only trigger on REGISTERs, see the last line of the
> matches and the context for guests (which logs the pattern of the last
> line of the filter on an INVITE).

I'm far from a regex expert, but I don't think that last line would
capture anything in the invite. In fact, asterisk doesn't throw any
WARNING at all for this INVITE.

I'm not sure, but I don't even see how you can get asterisk to log these
invites at all. There's no heading such as WARNING (or NOTICE, SECURITY,
etc).

> > That's why I find it puzzling. What is he trying to do ?
>
> There are sip servers publicly reachable that will relay INVITEs, make
> sure yours aren't. And there are only 2 kinds of operators of sip
> server:
> -those that have been the victim of toll fraud
> -those that will be the victim of toll fraud
>
> You can do nothing to stop this kind of traffic. The only thing you can
> do is block it, either using only a whitelist (cumbersome) or generate a
> blacklist with for example fail2ban or a more elaborate honeypot setup.
> Or setup a proxy that will filter patterns you discover from
>
> BTW this is not a person, this is an automated script, running most
> likely on compromised machines and sending spoofed ips. These scripts
> care about generating a ring on a phone (again most an abuseable/hacked
> account (or purchased with CC fraud)). If they find a server that does,
> it will be targeted for all kind of fraud.

Very interesting.

sean



--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
 https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] Decoding SIP register hack

2018-05-17 Thread Steve Edwards

On Thu, 17 May 2018, Daniel Tryba wrote:

> You can do nothing to stop this kind of traffic. The only thing you can
> do is block it, either using only a whitelist (cumbersome) or generate a
> blacklist with for example fail2ban or a more elaborate honeypot setup.
> Or setup a proxy that will filter patterns you discover from
>
> Keep in mind that since this is UDP, source addresses can be spoofed so
> any automated solution will need a whitelist so you don't get tricked into
> blocking legitimate traffic.

And since you 'need a whitelist' why not just use that and block
everything else?

A clever solution to a mobile user base is to use knockd to allow remote
access.


--
Thanks in advance,
-
Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
https://www.linkedin.com/in/steve-edwards-4244281



Re: [asterisk-users] Decoding SIP register hack

2018-05-17 Thread Daniel Tryba
On Thu, May 17, 2018 at 12:27:17PM -0400, sean darcy wrote:
> > WARNING.* .*: fail2ban='<HOST>'
> >
> ># Option:  ignoreregex
> ># Notes.:  regex to ignore. If this regex matches, the line is ignored.
> ># Values:  TEXT
> >#
> >ignoreregex =
> >
> >
> Thanks. Very useful as a tutorial for fail2ban.
> 
> But I don't think it covers this SIP hack. This guy isn't trying to
> register.

His filter doesn't only trigger on REGISTERs, see the last line of the
matches and the context for guests (which logs the pattern of the last
line of the filter on an INVITE).

> That's why I find it puzzling. What is he trying to do ?

There are sip servers publicly reachable that will relay INVITEs, make
sure yours aren't. And there are only 2 kinds of operators of sip
server:
-those that have been the victim of toll fraud
-those that will be the victim of toll fraud

You can do nothing to stop this kind of traffic. The only thing you can
do is block it, either using only a whitelist (cumbersome) or generate a
blacklist with for example fail2ban or a more elaborate honeypot setup.
Or setup a proxy that will filter patterns you discover from 

BTW this is not a person, this is an automated script, running most
likely on compromised machines and sending spoofed ips. These scripts
care about generating a ring on a phone (again most an abuseable/hacked
account (or purchased with CC fraud)). If they find a server that does,
it will be targeted for all kind of fraud.



[asterisk-users] AMI status events with res_fax_spandsp.so

2018-05-17 Thread Steven Wheeler
Is anyone else using the AMI with res_fax_spandsp.so for real-time status?

I am working on migrating a FAX application from res_fax_digium.so to 
res_fax_spandsp.so. I have noticed that the spandsp module generates far fewer 
AMI status events than the Digium module and the generated events contain less 
information. For example when sending a fax there is no longer an event for 
every page. There are just a few FaxStatus events at the beginning and a couple 
at the end but they don’t contain many details. I can pull the required 
information from the Asterisk console by running 'fax show session' but 
that output isn’t suitable for parsing.

There doesn’t seem to be a great deal of information about res_fax_spandsp.so 
via Google.

FaxStatus with res_fax_spandsp.so
Event: FAXStatus
Privilege: call,all
Operation: send
Status: FAX Transmission In Progress
Channel: Local/1952253@from-internal-user-0001;1
Context: send_fax
Exten: s
CallerID: 1763210
LocalStationID: 1763210
FileName: /tmp/faxes/1526583220391_merged.tiff

FaxStatus with res_fax_digium.so
Event: FaxStatus
Privilege: call,all
Channel: Local/1952253@from-internal-user-0001;1
FAX Session: 1
Operating Mode: FAX_TRANSMITTING
Result: RSLT_IN_PROGRESS
Error: NO_ERROR
Call Duration: 12.088
ECM Mode: yes
Data Rate: 14400
Image Resolution: 204x196
Image Encoding: ENC_MMR
Page Size: LT
Document Number: 1
Page Number: 1
File Name: '/tmp/faxes/1526583612555_merged.tiff'
Tx Pages: 0
Tx Bytes: 512
Total Tx Lines: 0
Rx Pages: 0
Rx Bytes: 0
Total Rx Lines: 0
Total Bad Lines: 0
DIS/DCS/DTC/CTC Count: 2
CFR Count: 1
FTT Count: 0
MCF Count: 0
PPR Count: 0
RTN Count: 0
DCN Count: 0
Remote StationID: '952253  '

I am using options dfzs with the SendFAX application on Asterisk 11.6-cert18.

Steven Wheeler

Re: [asterisk-users] SIP Codec negotiation

2018-05-17 Thread Steve Edwards

On Fri, May 11, 2018, at 10:36 AM, Steve Edwards wrote:

> So, Asterisk will defer its choice of codec to match the codec it detects
> in the incoming stream?

On Fri, 11 May 2018, Joshua Colp wrote:

> It depends on the channel driver and configuration. The chan_sip module
> always matches outgoing codec to the incoming codec. The chan_pjsip
> module has an option to do that (which is on by default).

Is this why I see occasional notices in my log file like:

Dropping incompatible voice frame on SIP/xxx of format ulaw since our 
native format has changed to (gsm)


--
Thanks in advance,
-
Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
https://www.linkedin.com/in/steve-edwards-4244281



Re: [asterisk-users] Decoding SIP register hack

2018-05-17 Thread sean darcy

On 05/17/2018 11:38 AM, Frank Vanoni wrote:

> On Thu, 2018-05-17 at 11:18 -0400, sean darcy wrote:
>
> > 3. How do I set up the server to block these ?
> >
> > 4. Can I stop the retransmitting of the 401 Unauthorized packets ?
>
> I'm happy with Fail2Ban protecting my Asterisk 13. Here is my
> configuration:
>
> in /etc/asterisk/logger.conf:
>
> messages => security,notice,warning,error
>
>
> in /etc/asterisk/sip.conf:
>
> allowguest=yes
> context=unauthenticated
>
>
> in /etc/asterisk/extensions.conf:
>
> [unauthenticated]
> ;; Incoming calls from unauthenticated caller -> Fail2Ban
> exten => _X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
> exten => _X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
> exten => _X.,3,HangUp()
>
> exten => _+X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
> exten => _+X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
> exten => _+X.,3,HangUp()
>
>
> in /etc/fail2ban/jail.conf:
>
> [asterisk]
> filter   = asterisk
> action = iptables-allports[name=ASTERISK]
> logpath  = /var/log/asterisk/messages
> maxretry = 1
> findtime = 86400
> bantime  = 518400
> enabled = true
>
>
> in /etc/fail2ban/filter.d
>
> # Fail2Ban configuration file
> #
> #
> # $Revision: 250 $
> #
>
> [INCLUDES]
>
> # Read common prefixes. If any customizations available -- read them from
> # common.local
> #before = common.conf
>
>
> [Definition]
>
> #_daemon = asterisk
>
> # Option:  failregex
> # Notes.:  regex to match the password failures messages in the logfile. The
> #          host must be matched by a group named "host". The tag "<HOST>" can
> #          be used for standard IP/hostname matching and is only an alias for
> #          (?:::f{4,6}:)?(?P<host>\S+)
> # Values:  TEXT
> #
> failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
>             NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
>             NOTICE.* chan_sip.c: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Not a local domain
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device not configured to use this transport type
>             NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
>             NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
>             NOTICE.* .*: Host <HOST> denied access to register peer '.*'
>             NOTICE.* .*: Host <HOST> did not provide proper plaintext password for '.*'
>             NOTICE.* .*: Registration of '.*' rejected: '.*' from: '<HOST>'
>             NOTICE.* .*: Peer '.*' is not dynamic (from <HOST>)
>             NOTICE.* .*: Host <HOST> denied access to register peer '.*'
>             SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             SECURITY.* .*: SecurityEvent="FailedACL".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             SECURITY.* .*: SecurityEvent="ChallengeResponseFailed".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
>             SECURITY.* .*: SecurityEvent="ChallengeSent".*,Severity="Informational",Service="SIP".*,AccountID="sip:.*@93.94.247.123".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+
>             WARNING.* .*: fail2ban='<HOST>'
>
> # Option:  ignoreregex
> # Notes.:  regex to ignore. If this regex matches, the line is ignored.
> # Values:  TEXT
> #
> ignoreregex =

Thanks. Very useful as a tutorial for fail2ban.

But I don't think it covers this SIP hack. This guy isn't trying to
register. That's why I find it puzzling. What is he trying to do ?

sean



Re: [asterisk-users] Decoding SIP register hack

2018-05-17 Thread Frank Vanoni
On Thu, 2018-05-17 at 11:18 -0400, sean darcy wrote:

> 3. How do I set up the server to block these ?
> 
> 4. Can I stop the retransmitting of the 401 Unauthorized packets ?

I'm happy with Fail2Ban protecting my Asterisk 13. Here is my
configuration:

in /etc/asterisk/logger.conf:

messages => security,notice,warning,error


in /etc/asterisk/sip.conf:

allowguest=yes
context=unauthenticated


in /etc/asterisk/extensions.conf:

[unauthenticated]
;; Incoming calls from unauthenticated caller -> Fail2Ban
exten => _X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}') 
exten => _X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _X.,3,HangUp()

exten => _+X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}') 
exten => _+X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _+X.,3,HangUp()



in /etc/fail2ban/jail.conf:

[asterisk]
filter   = asterisk
action = iptables-allports[name=ASTERISK]
logpath  = /var/log/asterisk/messages
maxretry = 1
findtime = 86400
bantime  = 518400
enabled = true


in /etc/fail2ban/filter.d

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
            NOTICE.* chan_sip.c: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Not a local domain
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device not configured to use this transport type
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Host <HOST> denied access to register peer '.*'
            NOTICE.* .*: Host <HOST> did not provide proper plaintext password for '.*'
            NOTICE.* .*: Registration of '.*' rejected: '.*' from: '<HOST>'
            NOTICE.* .*: Peer '.*' is not dynamic (from <HOST>)
            NOTICE.* .*: Host <HOST> denied access to register peer '.*'
            SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="FailedACL".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="ChallengeResponseFailed".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
            SECURITY.* .*: SecurityEvent="ChallengeSent".*,Severity="Informational",Service="SIP".*,AccountID="sip:.*@93.94.247.123".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+
            WARNING.* .*: fail2ban='<HOST>'

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =


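Frank's filter only bans what Asterisk actually writes to the messages log, which is the point sean makes in his reply: an INVITE that is merely challenged and retransmitted leaves no matching line unless the guest context's Log() call fires. The script below is an added example, not Frank's or the fail2ban project's code. It expands `<HOST>` with the alias the filter's own header comment quotes and runs four of the posted failregex lines over constructed log lines (RFC 5737 addresses, made-up PIDs) with `re.search`, as fail2ban does. It also shows a caveat worth knowing before trusting the jail: with the greedy `\S+` alias, the "Call from" pattern captures host:port when chan_sip logs a port, because the port group after it is optional; `LAZY_HOST_ALIAS` is my own suggested tightening, not something from the thread. Whatever alias your release substitutes, confirm with `fail2ban-regex` against the real log file.

```python
"""Run a subset of the posted fail2ban asterisk failregex over sample log
lines the way fail2ban does (re.search, <HOST> expanded to a named group).

Added example; the log lines are constructed (RFC 5737 addresses, made-up
PIDs and numbers), not captured from the thread's server.
"""
import re

# The <HOST> alias quoted in the filter's own header comment.  Assumption:
# this is what your fail2ban release substitutes; newer releases use a
# stricter pattern, so confirm with `fail2ban-regex` on the real file.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Suggested tightening (mine, not from the thread): a lazy host stops at the
# first point where the rest of the pattern can match, so an optional
# ":port" after it is no longer swallowed into the host group.
LAZY_HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+?)"

# Four of the posted failregex lines, verbatim apart from the e-mail wrapping.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' "
    r"rejected because extension not found in context 'unauthenticated'",
    r'SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",'
    r'Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"',
    r"WARNING.* .*: fail2ban='<HOST>'",
]

# Constructed Asterisk "messages" lines: a bad REGISTER, the guest-context
# Log() line, a SECURITY event, an IPv4-mapped guest call, and a
# retransmission warning of the kind in the original post (matches nothing).
SAMPLE_LOG = [
    "[May 17 10:10:01] NOTICE[1532] chan_sip.c: Registration from "
    "'\"100\" <sip:100@198.51.100.5>' failed for '203.0.113.7:5060' - Wrong password",
    "[May 17 10:11:02] WARNING[1532][C-00000003]: unauthenticated:1 "
    "0048555000111: fail2ban='192.0.2.45'",
    '[May 17 10:12:03] SECURITY[1540] res_security_log.c: '
    'SecurityEvent="InvalidAccountID",EventTV="2018-05-17T10:12:03.120-0400",'
    'Severity="Error",Service="SIP",EventVersion="2",AccountID="9353",'
    'LocalAddress="IPV4/UDP/198.51.100.5/5060",RemoteAddress="IPV4/UDP/192.0.2.77/29281"',
    "[May 17 10:13:04] NOTICE[1532] chan_sip.c: Call from '' "
    "(::ffff:203.0.113.9:5062) to extension '0048555000111' rejected because "
    "extension not found in context 'unauthenticated'.",
    "[May 17 10:08:08] WARNING[1532]: chan_sip.c:4068 retrans_pkt: Retransmission "
    "timeout reached on transmission constructed-call-id for seqno 101",
]


def compile_filter(failregex, host_alias=HOST_ALIAS):
    """Expand <HOST> as fail2ban does and compile each failregex line."""
    return [re.compile(line.replace("<HOST>", host_alias)) for line in failregex]


def match_hosts(log_lines, patterns):
    """Return (host, line) for each line that any failregex matches.

    Like fail2ban, the first matching pattern wins and the search is
    unanchored (re.search); the leading 'NOTICE.* .*:' keys on the log level.
    """
    hits = []
    for line in log_lines:
        for pattern in patterns:
            m = pattern.search(line)
            if m:
                hits.append((m.group("host"), line))
                break
    return hits


def hosts_to_ban(log_lines=SAMPLE_LOG, host_alias=HOST_ALIAS):
    """Just the captured hosts, in log order."""
    return [host for host, _ in match_hosts(log_lines, compile_filter(FAILREGEX, host_alias))]


if __name__ == "__main__":
    for name, alias in (("page alias", HOST_ALIAS), ("lazy alias", LAZY_HOST_ALIAS)):
        print(f"{name}: {hosts_to_ban(host_alias=alias)}")
```

With the page's alias the fourth host comes back as `203.0.113.9:5062`, which is not an address fail2ban can ban; the lazy alias returns `203.0.113.9`. The retransmission warning matches nothing under either, which is exactly why a guest context that logs `fail2ban='...'` is what makes the INVITE bannable.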


[asterisk-users] Decoding SIP register hack

2018-05-17 Thread sean darcy
I need some help understanding SIP dialog. Some actor is trying to 
access my server, but I can't figure out what he's trying to do, or how.


I'm getting a lot of these warnings.

[May 17 10:08:08] WARNING[1532]: chan_sip.c:4068 retrans_pkt: Retransmission timeout reached on transmission _zIr9tDtBxeTVTY5F7z8kD7R.. for seqno 101


With SIP DEBUG I tracked the Call-ID to this INVITE :

<--- SIP read from UDP:192.111.139.146:29281 --->
INVITE sip:+48223079992@67.80.191.250:5060 SIP/2.0
Via: SIP/2.0/UDP 100.149.241.68:5060;branch=z4hG4bK-966187-1---q9ft4HdLB4ZeBqs;rport=5060
Contact: ;+sip.instance=""

Max-Forwards: 70
To: 
From: "Caller";tag=sXPNixD5Ui42V
Call-ID: _zIr9tDtBxeTVTY5F7z8kD7R..
CSeq: 101 INVITE
Content-Type: application/sdp
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO

Supported: replaces
User-Agent: GSM
Allow-Events: hold, talk, conference
Accept: application/sdp
Content-Length: 771

v=0
o=CiscoSystemsSIP-IPPhone 18338 11953 IN IP4 100.149.241.68
s=SIP Call
c=IN IP4 100.149.241.68
t=0 0
m=audio 2 RTP/AVP 0 8 18 101
a=rtpmap:3 gsm/8000
a=rtpmap:96 speex/8000
a=rtpmap:97 speex/8000
a=fmtp:97 mode=2
a=rtpmap:98 speex/8000
a=fmtp:98 mode=5
a=rtpmap:99 speex/8000
a=fmtp:99 mode=7
a=rtpmap:107 speex/32000
a=fmtp:107 mode=10
a=rtpmap:0 pcmu/8000
a=rtpmap:8 pcma/8000
a=rtpmap:108 ilbc/8000
a=rtpmap:113 g7231/8000
a=rtpmap:18 g729/8000
a=rtpmap:100 G726-16/8000
a=rtpmap:101 G726-24/8000
a=rtpmap:2 G726-32/8000
a=rtpmap:2 G726-32/8000
a=rtpmap:103 G726-40/8000
a=rtpmap:4 g723/8000
a=fmtp:18 annexb=no
a=rtpmap:109 ilbc/8000
a=fmtp:109 mode=20
a=rtpmap:110 telephone-event/8000
a=fmtp:110 0-15
a=ptime:20
a=sendrecv
<->
--- (15 headers 34 lines) ---
Sending to 192.111.139.146:29281 (NAT)
Sending to 192.111.139.146:29281 (NAT)
Using INVITE request as basis request - _zIr9tDtBxeTVTY5F7z8kD7R..
No matching peer for '9353' from '192.111.139.146:29281'
..
Which then generates a lot of transmissions showing Unauthorized:
..
Retransmitting #10 (NAT) to 192.111.139.146:29281:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 100.149.241.68:5060;branch=z4hG4bK-966187-1---q9ft4HdLB4ZeBqs;received=192.111.139.146;rport=29281

From: "Caller";tag=sXPNixD5Ui42V
To: ;tag=as1f60e6dd
Call-ID: _zIr9tDtBxeTVTY5F7z8kD7R..
CSeq: 101 INVITE
Server: Asterisk PBX 13.21.0-rc1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE

Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk_home", nonce="0794806c"

Content-Length: 0


1. What's this guy trying to do ? It looks like he's trying to generate 
a call from the server to a Polish number. Why bother ?


2. What's the role of the Via and the Contact line ?  The 100.149.241.68 
seems to be a cell phone. 100.128.0.0/9 is T-mobile.


3. How do I set up the server to block these ?

4. Can I stop the retransmitting of the 401 Unauthorized packets ?

Any help appreciated.

sean


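The questions above are the ones a defender asks of any unsolicited INVITE: what is it asking the PBX to dial, where does it claim to come from, where did the datagram really come from, and did it carry credentials. The script below is an added example, not sean's or Asterisk's code. It parses a constructed INVITE (RFC 5737 addresses, a made-up number and Call-ID) together with the UDP source that `sip set debug` prints in its "SIP read from" line, and reports those indicators. On the Via question: a server answers to the address the datagram actually arrived from, not to the Via sent-by host, and records the difference as the `received=` and `rport=` parameters that appear in the 401 above; that is what the "(NAT)" in the "Sending to" lines reflects.

```python
"""Triage an inbound SIP INVITE: what is it asking the PBX to dial, and
does its claimed origin match where the datagram really came from?

Added example; the INVITE and source address are constructed (RFC 5737
addresses, made-up number and Call-ID), not the one from the post.
"""
import re

# The UDP source Asterisk reports in "<--- SIP read from UDP:ip:port --->".
SAMPLE_SOURCE = ("192.0.2.77", 29281)

SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:+48555000111@198.51.100.5:5060 SIP/2.0",
    "Via: SIP/2.0/UDP 203.0.113.68:5060;branch=z9hG4bK-966187-1---q9ft4HdLB4ZeBqs;rport=5060",
    'Contact: <sip:9353@203.0.113.68:5060>;+sip.instance="<urn:uuid:00000000-0000-0000-0000-000000000000>"',
    "Max-Forwards: 70",
    "To: <sip:+48555000111@198.51.100.5:5060>",
    'From: "Caller" <sip:9353@198.51.100.5>;tag=sXPNixD5Ui42V',
    "Call-ID: constructed-call-id-1",
    "CSeq: 101 INVITE",
    "User-Agent: GSM",
    "Content-Length: 0",
    "",
    "",
])

# user@host[:port] inside a sip:/sips: URI; IPv6 hosts are bracketed.
URI_RE = re.compile(
    r"sips?:(?:(?P<user>[^@;>\s]+)@)?(?P<host>\[[^\]]+\]|[^:;>\s]+)(?::(?P<port>\d+))?"
)


def parse_request(raw):
    """Split a SIP request into (method, request_uri, headers).

    Header names are lower-cased; repeated headers (e.g. Via) keep order.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, request_uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, request_uri, headers


def parse_uri(text):
    """Return (user, host, port) from the first SIP URI in a header value."""
    m = URI_RE.search(text)
    return (m.group("user"), m.group("host"), m.group("port")) if m else (None, None, None)


def parse_via(value):
    """Return (sent_by_host, sent_by_port, params) from a Via header value."""
    _transport, _, rest = value.partition(" ")
    sent_by, *params = rest.split(";")
    host, _, port = sent_by.partition(":")
    return host, port, dict(p.partition("=")[::2] for p in params)


def triage(raw, source):
    """Summarise the indicators a defender looks at first."""
    method, request_uri, headers = parse_request(raw)
    dialled, _host, _port = parse_uri(request_uri)
    via_host, _via_port, via_params = parse_via(headers["via"][0])
    src_ip, _src_port = source
    return {
        "method": method,
        "dialled": dialled,
        # E.164 '+' or a 00 prefix: an international destination, the
        # classic toll-fraud probe.
        "international": bool(dialled) and (dialled.startswith("+") or dialled.startswith("00")),
        "via_host": via_host,
        "source_ip": src_ip,
        # The reply goes to the datagram source; a mismatch shows up as
        # received=/rport in the server's Via and as "(NAT)" in the debug.
        "via_matches_source": via_host == src_ip,
        "authenticated": "authorization" in headers or "proxy-authorization" in headers,
        # RFC 3261 requires the branch parameter to start with this cookie.
        "rfc3261_branch": via_params.get("branch", "").startswith("z9hG4bK"),
        "user_agent": headers.get("user-agent", [""])[0],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_INVITE, SAMPLE_SOURCE).items():
        print(f"{key:20} {value}")
```

Feed it the text of a real capture and the "SIP read from" address and the same fields fall out; an unauthenticated INVITE for an international number whose Via disagrees with the packet source is the profile Daniel describes, a relay probe, and the only safe outcome is the 401 it already got or a guest context that hangs up and logs the peer address.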