Re: [asterisk-users] getting invites to rtp ports ??

2018-08-29 Thread Matthew Jordan
On Wed, Aug 29, 2018 at 6:20 PM Telium Support Group 
wrote:

> Depending on log trolling (Asterisk security log) misses a lot, and also
> depends on the SIP/PJSIP folks to not change message structure (which has
> already happened numerous times).  If you are comfortable hacking
> chan_sip.c you may prefer to get the same messages from the AMI.  It still
> misses a lot but that approach is better than nothing.
>
> Digium warns not to use fail2ban / log trolling as a security system:
> http://forums.asterisk.org/viewtopic.php?p=159984
>
>
>
That's some pretty old advice.

The rationale for *not* using general log messages with fail2ban still
stands: the general WARNING/NOTICE/etc. log messages are subject to change
between versions, and no one wants that to impact someone's security. So
you should not use those messages as input into fail2ban.

That rationale did lead to the 'security' event type in log messages.
Security Event Logging - as it is called - got added into Asterisk quite
some time ago. So long ago I'm really not sure which version. At a minimum,
Asterisk 11, but I'm pretty sure it was in 10 as well.

Documentation for it can be found here:

https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger

And here:

https://wiki.asterisk.org/wiki/display/AST/Logging+Configuration

Note that this also fires off AMI events (and ARI events, IIRC).

If, for whatever reason, you do not get a SECURITY log message or a
corresponding event when something 'bad' happens, that would be worth some
additional discussion. If anything, the events can be a bit chatty...





> -Original Message-
> From: asterisk-users [mailto:asterisk-users-boun...@lists.digium.com] On
> Behalf Of sean darcy
> Sent: Wednesday, August 29, 2018 6:33 PM
> To: asterisk-users@lists.digium.com
> Subject: Re: [asterisk-users] getting invites to rtp ports ??
>
> On 08/29/2018 11:59 AM, Telium Support Group wrote:
> > Blocking a single IP is the wrong approach (whack-a-mole).  You should
> consider a more comprehensive approach to securing your VoIP environment.
> Have a look at this wiki:
> >
> > https://www.voip-info.org/asterisk-security/
> >
> >
> >
> > -Original Message-
> > From: asterisk-users [mailto:asterisk-users-boun...@lists.digium.com]
> > On Behalf Of sean darcy
> > Sent: Wednesday, August 29, 2018 10:46 AM
> > To: asterisk-users@lists.digium.com
> > Subject: Re: [asterisk-users] getting invites to rtp ports ??
> >
> > On 08/29/2018 09:42 AM, Carlos Rojas wrote:
> >> Hi
> >>
> >> Probably somebody is trying to hack your system, you should block
> >> that ip on your firewall.
> >>
> >> Regards
> >>
> >> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy wrote:
> >>
> >>  I'm getting invites to very high ports every 30 seconds from a
> >>  particular ip address:
> >>
> >>  Retransmitting #10 (NAT) to 5.199.133.128:52734:
> >>  SIP/2.0 401 Unauthorized
> >>  Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
> >>  From: <sip:37120116780191250@67.80.191.250>;tag=1872048972
> >>  To: <sip:3712011972592181418@67.80.191.250>;tag=as3a52e748
> >>  Call-ID: 1504207870-295758084-609228182
> >>  CSeq: 1 INVITE
> >>  ...
> >>  WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
> >>  1504207870-295758084-609228182...
> >>
> >>  I thought invites had to go to port 5060 or so. I don't understand
> >>  why somebody (let's assume a bad guy) is trying ports above 5.
> >>
> >>  sean
> >>
> >>
> >
> > Ok, so the high port is not the destination port but the source port.
> >
> > So I hacked the log warning in chan_sip.c on non-critical invites to
> show the source ip:
> >
> > ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
> > pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> >
> > With that in the log, I'm now blocking the ip addresses.
> >
> > Thanks,
> > sean
> >
> >
> > --
> > _
> > -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> >
> > Astricon is coming up October 9-11!  Signup is available at:
> > https://www.asterisk.org/community/astricon-user-conference
> >
> > Check out the new Asterisk community forum at:
> > https://community.asterisk.org/
> >
>
> I agree. That's why I hacked chan_sip.c to get the addresses in the log.
>
> I'm surprised they're not in the log by default. I must be the only person
> who gets these "non-critical invites".
>
> sean
>
>
>
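
Added example (not part of the thread and not Asterisk or fail2ban code): a small parser that counts failure events per remote IP from SECURITY log lines, the channel recommended in the reply above, instead of matching free-text WARNING messages. The sample lines are constructed, laid out as key="value" pairs in the style of the Security Event Logger; the set of events treated as failures, the threshold and the function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input. The first line is the WARNING quoted in the thread,
# which carries no remote address; the rest are constructed SECURITY events
# using RFC 5737 documentation addresses.
SAMPLE_LOG = '''\
[Aug 29 09:34:00] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182...
[Aug 29 09:34:01] SECURITY[1503] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2018-08-29T09:34:01.120-0400",Severity="Error",Service="SIP",EventVersion="1",AccountID="3712011",SessionID="0x7f1c2c01",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.77/52734"
[Aug 29 09:34:31] SECURITY[1503] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2018-08-29T09:34:31.104-0400",Severity="Error",Service="SIP",EventVersion="1",AccountID="3712012",SessionID="0x7f1c2c02",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.77/52735"
[Aug 29 09:35:01] SECURITY[1503] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2018-08-29T09:35:01.098-0400",Severity="Error",Service="SIP",EventVersion="1",AccountID="3712013",SessionID="0x7f1c2c03",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.77/40112"
[Aug 29 09:36:10] SECURITY[1503] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2018-08-29T09:36:10.501-0400",Severity="Informational",Service="SIP",EventVersion="1",AccountID="alice",SessionID="0x7f1c2c04",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.20/5060"
[Aug 29 09:36:11] SECURITY[1503] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2018-08-29T09:36:11.007-0400",Severity="Error",Service="SIP",EventVersion="2",AccountID="alice",SessionID="0x7f1c2c04",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.20/5060"
[Aug 29 09:36:15] SECURITY[1503] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-08-29T09:36:15.332-0400",Severity="Informational",Service="SIP",EventVersion="1",AccountID="alice",SessionID="0x7f1c2c05",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.20/5060"
'''

# Only lines logged at the SECURITY level are considered; everything else
# (NOTICE, WARNING, ...) is ignored because its wording may change.
SECURITY_LINE = re.compile(r'SECURITY\[\d+\][^:]*: (?P<body>SecurityEvent=.*)$')
PAIR = re.compile(r'(\w+)="([^"]*)"')

# Assumption: the events an operator chooses to count as hostile.
FAILURE_EVENTS = {
    "FailedACL",
    "InvalidAccountID",
    "InvalidPassword",
    "ChallengeResponseFailed",
}


def parse_security_event(line):
    """Return the key/value pairs of a SECURITY line, or None for any other line."""
    match = SECURITY_LINE.search(line)
    if match is None:
        return None
    return dict(PAIR.findall(match.group("body")))


def remote_ip(event):
    """Extract the IP from RemoteAddress ("IPV4/UDP/<ip>/<port>"), dropping the port."""
    parts = event.get("RemoteAddress", "").split("/")
    if len(parts) != 4:
        return None
    try:
        return str(ipaddress.ip_address(parts[2]))
    except ValueError:
        return None


def offenders(lines, threshold=3):
    """Map remote IP -> failure count for IPs with at least `threshold` failures.

    Counting is per IP, not per IP:port, because the source port changes
    between attempts (the "high port" in the thread is the sender's source port).
    """
    counts = Counter()
    for line in lines:
        event = parse_security_event(line)
        if event is None or event.get("SecurityEvent") not in FAILURE_EVENTS:
            continue
        ip = remote_ip(event)
        if ip is not None:
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in sorted(offenders(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: {n} failure events")
```
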

Re: [asterisk-users] getting invites to rtp ports ??

2018-08-29 Thread John Covici
OK, Thanks.  I have a couple of questions -- the line numbers do not
match exactly, so can you tell me a couple of lines before and after
the line in question?  Also, when will this be logged, if it's only
during sip debug, I need to change it to log when I can see it more
readily.

Thanks.

On Wed, 29 Aug 2018 20:31:15 -0400,
sean darcy wrote:
> 
> On 08/29/2018 08:07 PM, John Covici wrote:
> > I wonder if I could have that patch, maybe I could add it to my
> > fail2ban regexp and if you have the correct regexp, I would appreciate
> > that as well.
> > 
> > Thanks.
> > 
> > On Wed, 29 Aug 2018 19:18:29 -0400,
> > Telium Support Group wrote:
> >> 
> >> Depending on log trolling (Asterisk security log) misses a lot, and also 
> >> depends on the SIP/PJSIP folks to not change message structure (which has 
> >> already happened numerous times).  If you are comfortable hacking 
> >> chan_sip.c you may prefer to get the same messages from the AMI.  It still 
> >> misses a lot but that approach is better than nothing.
> >> 
> >> Digium warns not to use fail2ban / log trolling as a security system: 
> >> http://forums.asterisk.org/viewtopic.php?p=159984
> >> 
> >> 
> >> -Original Message-
> >> From: asterisk-users [mailto:asterisk-users-boun...@lists.digium.com] On 
> >> Behalf Of sean darcy
> >> Sent: Wednesday, August 29, 2018 6:33 PM
> >> To: asterisk-users@lists.digium.com
> >> Subject: Re: [asterisk-users] getting invites to rtp ports ??
> >> 
> >> On 08/29/2018 11:59 AM, Telium Support Group wrote:
> >>> Blocking a single IP is the wrong approach (whack-a-mole).  You should 
> >>> consider a more comprehensive approach to securing your VoIP environment. 
> >>>  Have a look at this wiki:
> >>> 
> >>> https://www.voip-info.org/asterisk-security/
> >>> 
> >>> 
> >>> 
> >>> -Original Message-
> >>> From: asterisk-users [mailto:asterisk-users-boun...@lists.digium.com]
> >>> On Behalf Of sean darcy
> >>> Sent: Wednesday, August 29, 2018 10:46 AM
> >>> To: asterisk-users@lists.digium.com
> >>> Subject: Re: [asterisk-users] getting invites to rtp ports ??
> >>> 
> >>> On 08/29/2018 09:42 AM, Carlos Rojas wrote:
>  Hi
>  
>  Probably somebody is trying to hack your system, you should block
>  that ip on your firewall.
>  
>  Regards
>  
>  On Wed, Aug 29, 2018 at 9:34 AM, sean darcy wrote:
>  
>    I'm getting invites to very high ports every 30 seconds from a
>    particular ip address:
>  
>    Retransmitting #10 (NAT) to 5.199.133.128:52734:
>    SIP/2.0 401 Unauthorized
>    Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
>    From: <sip:37120116780191250@67.80.191.250>;tag=1872048972
>    To: <sip:3712011972592181418@67.80.191.250>;tag=as3a52e748
>    Call-ID: 1504207870-295758084-609228182
>    CSeq: 1 INVITE
>    ...
>    WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
>    1504207870-295758084-609228182...
>  
>    I thought invites had to go to port 5060 or so. I don't understand
>    why somebody (let's assume a bad guy) is trying ports above 5.
>  
>    sean
>  
>  
> >>> 
> >>> Ok, so the high port is not the destination port but the source port.
> >>> 
> >>> So I hacked the log warning in chan_sip.c on non-critical invites to show 
> >>> the source ip:
> >>> 
> >>> ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
> >>> pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> >>> 
> >>> With that in the log, I'm now blocking the ip addresses.
> >>> 
> >>> Thanks,
> >>> sean
> >>> 
> >>> 
> >> 
> >> I agree. That's why I hacked chan_sip.c to get the addresses in the log.
> >> 
> >> I'm surprised they're not in the log by default. I must be the only person 
> >> who gets these "non-critical invites".
> >> 
> >> sean
> >> 
> >> 
> >> 

Re: [asterisk-users] getting invites to rtp ports ??

2018-08-29 Thread sean darcy

On 08/29/2018 08:07 PM, John Covici wrote:

I wonder if I could have that patch, maybe I could add it to my
fail2ban regexp and if you have the correct regexp, I would appreciate
that as well.

Thanks.

On Wed, 29 Aug 2018 19:18:29 -0400,
Telium Support Group wrote:


Depending on log trolling (Asterisk security log) misses a lot, and also 
depends on the SIP/PJSIP folks to not change message structure (which has 
already happened numerous times).  If you are comfortable hacking chan_sip.c 
you may prefer to get the same messages from the AMI.  It still misses a lot 
but that approach is better than nothing.

Digium warns not to use fail2ban / log trolling as a security system: 
http://forums.asterisk.org/viewtopic.php?p=159984


-Original Message-
From: asterisk-users [mailto:asterisk-users-boun...@lists.digium.com] On Behalf 
Of sean darcy
Sent: Wednesday, August 29, 2018 6:33 PM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] getting invites to rtp ports ??

On 08/29/2018 11:59 AM, Telium Support Group wrote:

Blocking a single IP is the wrong approach (whack-a-mole).  You should consider a 
more comprehensive approach to securing your VoIP environment.  Have a look at 
this wiki:

https://www.voip-info.org/asterisk-security/



-Original Message-
From: asterisk-users [mailto:asterisk-users-boun...@lists.digium.com]
On Behalf Of sean darcy
Sent: Wednesday, August 29, 2018 10:46 AM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] getting invites to rtp ports ??

On 08/29/2018 09:42 AM, Carlos Rojas wrote:

Hi

Probably somebody is trying to hack your system, you should block
that ip on your firewall.

Regards

On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandar...@gmail.com> wrote:

  I'm getting invites to very high ports every 30 seconds from a
  particular ip address:

  Retransmitting #10 (NAT) to 5.199.133.128:52734:
  SIP/2.0 401 Unauthorized
  Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
  From: <sip:37120116780191250@67.80.191.250>;tag=1872048972
  To: <sip:3712011972592181418@67.80.191.250>;tag=as3a52e748
  Call-ID: 1504207870-295758084-609228182
  CSeq: 1 INVITE
  ...
  WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
  1504207870-295758084-609228182...

  I thought invites had to go to port 5060 or so. I don't understand
  why somebody (let's assume a bad guy) is trying ports above 5.

  sean




Ok, so the high port is not the destination port but the source port.

So I hacked the log warning in chan_sip.c on non-critical invites to show the 
source ip:

ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));

With that in the log, I'm now blocking the ip addresses.

Thanks,
sean





I agree. That's why I hacked chan_sip.c to get the addresses in the log.

I'm surprised they're not in the log by default. I must be the only person who gets these 
"non-critical invites".

sean



--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Astricon is coming up October 9-11!  Signup is available at: 
https://www.asterisk.org/community/astricon-user-conference

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
   https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users






The patch, more accurately a hack, is in my second post above.

chan_sip.c 4127 :

    ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
            pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));


The added second %s shows the ip address of the pkt owner.

I wouldn't submit it in a coding class !

sean


Re: [asterisk-users] getting invites to rtp ports ??

2018-08-29 Thread John Covici
I wonder if I could have that patch, maybe I could add it to my
fail2ban regexp and if you have the correct regexp, I would appreciate
that as well.

Thanks.

On Wed, 29 Aug 2018 19:18:29 -0400,
Telium Support Group wrote:
> 
> Depending on log trolling (Asterisk security log) misses a lot, and also 
> depends on the SIP/PJSIP folks to not change message structure (which has 
> already happened numerous times).  If you are comfortable hacking chan_sip.c 
> you may prefer to get the same messages from the AMI.  It still misses a lot 
> but that approach is better than nothing.
> 
> Digium warns not to use fail2ban / log trolling as a security system: 
> http://forums.asterisk.org/viewtopic.php?p=159984
> 
> 
> -Original Message-
> From: asterisk-users [mailto:asterisk-users-boun...@lists.digium.com] On 
> Behalf Of sean darcy
> Sent: Wednesday, August 29, 2018 6:33 PM
> To: asterisk-users@lists.digium.com
> Subject: Re: [asterisk-users] getting invites to rtp ports ??
> 
> On 08/29/2018 11:59 AM, Telium Support Group wrote:
> > Blocking a single IP is the wrong approach (whack-a-mole).  You should 
> > consider a more comprehensive approach to securing your VoIP environment.  
> > Have a look at this wiki:
> > 
> > https://www.voip-info.org/asterisk-security/
> > 
> > 
> > 
> > -Original Message-
> > From: asterisk-users [mailto:asterisk-users-boun...@lists.digium.com] 
> > On Behalf Of sean darcy
> > Sent: Wednesday, August 29, 2018 10:46 AM
> > To: asterisk-users@lists.digium.com
> > Subject: Re: [asterisk-users] getting invites to rtp ports ??
> > 
> > On 08/29/2018 09:42 AM, Carlos Rojas wrote:
> >> Hi
> >>
> >> Probably somebody is trying to hack your system, you should block 
> >> that ip on your firewall.
> >>
> >> Regards
> >>
> >> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy wrote:
> >>
> >>  I'm getting invites to very high ports every 30 seconds from a
> >>  particular ip address:
> >>
> >>  Retransmitting #10 (NAT) to 5.199.133.128:52734:
> >>  SIP/2.0 401 Unauthorized
> >>  Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
> >>  From: <sip:37120116780191250@67.80.191.250>;tag=1872048972
> >>  To: <sip:3712011972592181418@67.80.191.250>;tag=as3a52e748
> >>  Call-ID: 1504207870-295758084-609228182
> >>  CSeq: 1 INVITE
> >>  ...
> >>  WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
> >>  1504207870-295758084-609228182...
> >>
> >>  I thought invites had to go to port 5060 or so. I don't understand
> >>  why somebody (let's assume a bad guy) is trying ports above 5.
> >>
> >>  sean
> >>
> >>
> > 
> > Ok, so the high port is not the destination port but the source port.
> > 
> > So I hacked the log warning in chan_sip.c on non-critical invites to show 
> > the source ip:
> > 
> > ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
> > pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> > 
> > With that in the log, I'm now blocking the ip addresses.
> > 
> > Thanks,
> > sean
> > 
> > 
> > 
> 
> I agree. That's why I hacked chan_sip.c to get the addresses in the log.
> 
> I'm surprised they're not in the log by default. I must be the only person 
> who gets these "non-critical invites".
> 
> sean
> 
> 
> 

Re: [asterisk-users] getting invites to rtp ports ??

2018-08-29 Thread Telium Support Group
Depending on log trolling (Asterisk security log) misses a lot, and also 
depends on the SIP/PJSIP folks to not change message structure (which has 
already happened numerous times).  If you are comfortable hacking chan_sip.c 
you may prefer to get the same messages from the AMI.  It still misses a lot 
but that approach is better than nothing.

Digium warns not to use fail2ban / log trolling as a security system: 
http://forums.asterisk.org/viewtopic.php?p=159984


-Original Message-
From: asterisk-users [mailto:asterisk-users-boun...@lists.digium.com] On Behalf 
Of sean darcy
Sent: Wednesday, August 29, 2018 6:33 PM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] getting invites to rtp ports ??

On 08/29/2018 11:59 AM, Telium Support Group wrote:
> Blocking a single IP is the wrong approach (whack-a-mole).  You should consider 
> a more comprehensive approach to securing your VoIP environment.  Have a look 
> at this wiki:
> 
> https://www.voip-info.org/asterisk-security/
> 
> 
> 
> -Original Message-
> From: asterisk-users [mailto:asterisk-users-boun...@lists.digium.com] 
> On Behalf Of sean darcy
> Sent: Wednesday, August 29, 2018 10:46 AM
> To: asterisk-users@lists.digium.com
> Subject: Re: [asterisk-users] getting invites to rtp ports ??
> 
> On 08/29/2018 09:42 AM, Carlos Rojas wrote:
>> Hi
>>
>> Probably somebody is trying to hack your system, you should block 
>> that ip on your firewall.
>>
>> Regards
>>
>> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy wrote:
>>
>>  I'm getting invites to very high ports every 30 seconds from a
>>  particular ip address:
>>
>>  Retransmitting #10 (NAT) to 5.199.133.128:52734:
>>  SIP/2.0 401 Unauthorized
>>  Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
>>  From: <sip:37120116780191250@67.80.191.250>;tag=1872048972
>>  To: <sip:3712011972592181418@67.80.191.250>;tag=as3a52e748
>>  Call-ID: 1504207870-295758084-609228182
>>  CSeq: 1 INVITE
>>  ...
>>  WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
>>  1504207870-295758084-609228182...
>>
>>  I thought invites had to go to port 5060 or so. I don't understand
>>  why somebody (let's assume a bad guy) is trying ports above 5.
>>
>>  sean
>>
>>
> 
> Ok, so the high port is not the destination port but the source port.
> 
> So I hacked the log warning in chan_sip.c on non-critical invites to show the 
> source ip:
> 
> ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
> pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> 
> With that in the log, I'm now blocking the ip addresses.
> 
> Thanks,
> sean
> 
> 
> 

I agree. That's why I hacked chan_sip.c to get the addresses in the log.

I'm surprised they're not in the log by default. I must be the only person who 
gets these "non-critical invites".

sean




Re: [asterisk-users] getting invites to rtp ports ??

2018-08-29 Thread sean darcy

On 08/29/2018 11:59 AM, Telium Support Group wrote:

Blocking a single IP is the wrong approach (whack-a-mole).  You should consider a 
more comprehensive approach to securing your VoIP environment.  Have a look at 
this wiki:

https://www.voip-info.org/asterisk-security/



-Original Message-
From: asterisk-users [mailto:asterisk-users-boun...@lists.digium.com] On Behalf 
Of sean darcy
Sent: Wednesday, August 29, 2018 10:46 AM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] getting invites to rtp ports ??

On 08/29/2018 09:42 AM, Carlos Rojas wrote:

Hi

Probably somebody is trying to hack your system, you should block that
ip on your firewall.

Regards

On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandar...@gmail.com> wrote:

 I'm getting invites to very high ports every 30 seconds from a
 particular ip address:

 Retransmitting #10 (NAT) to 5.199.133.128:52734:
 SIP/2.0 401 Unauthorized
 Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
 From: <sip:37120116780191250@67.80.191.250>;tag=1872048972
 To: <sip:3712011972592181418@67.80.191.250>;tag=as3a52e748
 Call-ID: 1504207870-295758084-609228182
 CSeq: 1 INVITE
 ...
 WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
 1504207870-295758084-609228182...

 I thought invites had to go to port 5060 or so. I don't understand
 why somebody (let's assume a bad guy) is trying ports above 5.

 sean




Ok, so the high port is not the destination port but the source port.

So I hacked the log warning in chan_sip.c on non-critical invites to show the 
source ip:

ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));

With that in the log, I'm now blocking the ip addresses.

Thanks,
sean





I agree. That's why I hacked chan_sip.c to get the addresses in the log.

I'm surprised they're not in the log by default. I must be the only 
person who gets these "non-critical invites".


sean




Re: [asterisk-users] 401 unauthorized

2018-08-29 Thread Daniel Tryba
On Wed, Aug 29, 2018 at 11:37:34AM -0400, Jerry Geis wrote:
> I have a connection to a cisco call manager SIP trunk. The first call coming
> across CCM to the asterisk server works fine... Then when I do a second
> call from CCM to asterisk  I am getting a SIP 401 unauthorized.
> 
> My definition is simple.
> [CCM]
[no secret]
> 
> This is asterisk 13.19.0
> 
> What is wrong? Thanks

The reason why the CM is asking for authentication is outside the scope
of asterisk, debug the CM. Since you have no secret set for the user,
asterisk will never try to respond to a challenge. Asterisk and CM can
work together, asterisk is very forgiving, CM is not. The last time I
had to figure out what the fromuser and fromdomain should be (the CM admins
were clueless about providing those facts) and there was some
throttling mechanism that when triggered would deny any SIP messages.

Good luck.


Re: [asterisk-users] feeling n00b again

2018-08-29 Thread asterisk

Thanks John

I'll try tonight with avpf=no, and see what will happen

Hans

On 2018-08-28 18:28, John Kiniston wrote:

It's a configuration issue with the peer (or the peer it's matching)
in sip.conf

You have configured the peer to use avpf but your phone is not
attempting to do avpf.

Either configure the phone to match the entry in sip.conf or change
sip.conf to match the phone.

On Mon, Aug 27, 2018 at 4:56 PM  wrote:


Retrying, falling off the list somehow :-(

 Original Message 
Subject: feeling n00b again
Date: 2018-08-20 09:51
From: aster...@a-domani.nl
To: asterisk-users@lists.digium.com

Hi all,

A long time ago, I followed an Asterisk training, and both at work and
at home, was able to deploy Asterisk,
make all sorts of internal calls (hard/soft voip-phones,
incoming/outgoing, ISDN-BA/PRA, SIP, IAX2, ATAs, realtime, voicemail,
load-balancing, crypto); almost anything.
But the days of the 1.2-release are long gone.

Now, I'm trying to pick it up again, but even the most simple config
seems to fail.
Hardly anything seems to work.

Situation:
Asterisk 15.2.2 on a x86_64 running Linux on 2018-03-06 15:11:19 UTC
phone1: Grandstream2000
phone2: Siemens DECT
phones are all on the same subnet (no NAT involved here)

1) Echo functionality on phone 1: OK (using alaw codec)
2) Echo functionality on phone 2: OK (using alaw codec)
3) Call from  phone2 to phone1: OK (both using alaw)
4) Call from phone1 to phone2: immediate disconnect after answering
(might not be related) console says:

[Aug 20 09:19:57] WARNING[7080][C-011f]: chan_sip.c:10434
process_sdp: Received AVP profile in audio answer but AVPF is
enabled:
audio 7200 RTP/AVP 8 101
[Aug 20 09:19:57] WARNING[7080][C-011f]: chan_sip.c:10819
process_sdp: Failing due to no acceptable offer found

I enabled debug on the IP of the dect-phone (full log attached), but it
does not make me any wiser...

set_destination: Parsing  for
address/port
to send to
set_destination: set destination to 192.168.0.27:5060 [2]
Reliably Transmitting (no NAT) to 192.168.0.27:5060 [2]:
BYE sip:dect@192.168.0.27:5060 [1] SIP/2.0
Via: SIP/2.0/UDP 192.168.0.25:5060;branch=z9hG4bK239cc5d8
Max-Forwards: 70
From: "fam-witvliet eerste verdiep"
;tag=as112dbb55
To: ;tag=1813732733
Call-ID: 78d92db820b4926879361f7d4968444a@192.168.0.25:5060 [3]
CSeq: 103 BYE
User-Agent: Asterisk PBX 15.2.2
===> X-Asterisk-HangupCause: Bearer capability not available
<===
===> X-Asterisk-HangupCauseCode: 58
<===
Content-Length: 0

Anyone around to give some pointers/clues?--




--
A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders,
give orders, cooperate, act alone, solve equations, analyze a new
problem, pitch manure, program a computer, cook a tasty meal, fight
efficiently, die gallantly. Specialization is for insects.
---Heinlein

Links:
--
[1] http://sip:dect@192.168.0.27:5060
[2] http://192.168.0.27:5060
[3] http://78d92db820b4926879361f7d4968444a@192.168.0.25:5060



Re: [asterisk-users] getting invites to rtp ports ??

2018-08-29 Thread Telium Support Group
Blocking a single IP is the wrong approach (whack-a-mole).  You should consider a 
more comprehensive approach to securing your VoIP environment.  Have a look at 
this wiki:

https://www.voip-info.org/asterisk-security/



-Original Message-
From: asterisk-users [mailto:asterisk-users-boun...@lists.digium.com] On Behalf 
Of sean darcy
Sent: Wednesday, August 29, 2018 10:46 AM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] getting invites to rtp ports ??

On 08/29/2018 09:42 AM, Carlos Rojas wrote:
> Hi
> 
> Probably somebody is trying to hack your system, you should block that 
> ip on your firewall.
> 
> Regards
> 
> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy wrote:
> 
> I'm getting invites to very high ports every 30 seconds from a
> particular ip address:
> 
> Retransmitting #10 (NAT) to 5.199.133.128:52734:
> SIP/2.0 401 Unauthorized
> Via: SIP/2.0/UDP
> 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
> From:  >;tag=1872048972
> To:  >;tag=as3a52e748
> Call-ID: 1504207870-295758084-609228182
> CSeq: 1 INVITE
> ...
> WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
> 1504207870-295758084-609228182...
> 
> I thought invites had to go to port 5060 or so. I don't understand
> why somebody (let's assume a bad guy) is trying ports above 5.
> 
> sean
> 
> 

Ok, so the high port is not the destination port but the source port.

So I hacked the log warning in chan_sip.c on non-critical invites to show the 
source ip:

ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n", 
pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));

With that in the log, I'm now blocking the ip addresses.

Thanks,
sean



[asterisk-users] 401 unauthorized

2018-08-29 Thread Jerry Geis
hi

I have a connection to a Cisco Call Manager SIP trunk. The first call coming
across CCM to the asterisk server works fine... Then when I do a second
call from CCM to asterisk I am getting a SIP 401 unauthorized.

My definition is simple.
[CCM]
type=friend
dtmfmode=rfc2833
username=CCM
defaultuser=CCM
disallow=all
allow=ulaw
allow=alaw
context=smvoice-incoming
host=X.X.X.X
canreinvite=yes
qualify=yes

This is asterisk 13.19.0

What is wrong? Thanks

Jerry

Re: [asterisk-users] getting invites to rtp ports ??

2018-08-29 Thread sean darcy

On 08/29/2018 09:42 AM, Carlos Rojas wrote:
> Hi
>
> Probably somebody is trying to hack your system, you should block that
> ip on your firewall.
>
> Regards
>
> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy wrote:
>
> I'm getting invites to very high ports every 30 seconds from a
> particular ip address:
>
> Retransmitting #10 (NAT) to 5.199.133.128:52734:
> SIP/2.0 401 Unauthorized
> Via: SIP/2.0/UDP
> 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
> From: mailto:sip%3A37120116780191250@67.80.191.250>>;tag=1872048972
> To: mailto:sip%3A3712011972592181418@67.80.191.250>>;tag=as3a52e748
> Call-ID: 1504207870-295758084-609228182
> CSeq: 1 INVITE
> ...
> WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
> 1504207870-295758084-609228182...
>
> I thought invites had to go to port 5060 or so. I don't understand
> why somebody (let's assume a bad guy) is trying ports above 5.
>
> sean


Ok, so the high port is not the destination port but the source port.

So I hacked the log warning in chan_sip.c on non-critical invites to 
show the source ip:


ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n", 
pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));


With that in the log, I'm now blocking the ip addresses.

Thanks,
sean



Re: [asterisk-users] getting invites to rtp ports ??

2018-08-29 Thread Carlos Rojas
Hi

Probably somebody is trying to hack your system, you should block that ip
on your firewall.

Regards

On Wed, Aug 29, 2018 at 9:34 AM, sean darcy  wrote:

> I'm getting invites to very high ports every 30 seconds from a particular
> ip address:
>
> Retransmitting #10 (NAT) to 5.199.133.128:52734:
> SIP/2.0 401 Unauthorized
> Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK12
> 07255353;received=5.199.133.128;rport=52734
> From: ;tag=1872048972
> To: ;tag=as3a52e748
> Call-ID: 1504207870-295758084-609228182
> CSeq: 1 INVITE
> ...
> WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
> 1504207870-295758084-609228182...
>
> I thought invites had to go to port 5060 or so. I don't understand why
> somebody (let's assume a bad guy) is trying ports above 5.
>
> sean
>
>

Re: [asterisk-users] getting invites to rtp ports ??

2018-08-29 Thread Joshua Colp
On Wed, Aug 29, 2018, at 10:34 AM, sean darcy wrote:
> I'm getting invites to very high ports every 30 seconds from a 
> particular ip address:
> 
> Retransmitting #10 (NAT) to 5.199.133.128:52734:
> SIP/2.0 401 Unauthorized
> Via: SIP/2.0/UDP 
> 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
> From: ;tag=1872048972
> To: ;tag=as3a52e748
> Call-ID: 1504207870-295758084-609228182
> CSeq: 1 INVITE
> ...
> WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 
> 1504207870-295758084-609228182...
> 
> I thought invites had to go to port 5060 or so. I don't understand why 
> somebody (let's assume a bad guy) is trying ports above 5.

There is nothing that explicitly states that it has to be 5060, and in the case 
of the above it's just a random source port.

-- 
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org
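
The point made above (the high port is the sender's source port, which the 401 echoes back in the Via `received=` and `rport=` parameters) can be checked straight from the debug output without patching chan_sip.c. This is an added example, not code from the thread or from Asterisk; the function names are hypothetical, and it assumes each header sits on one line (the mail wrapped the Via) and that the `retrans_pkt` message reads as quoted in the post.

```python
import re
from collections import Counter

TIMEOUT_RE = re.compile(r"retrans_pkt: Timeout on (\S+)")

def via_source(via_value):
    """Return the (ip, port) a request really came from, per its top Via."""
    first, *params = via_value.strip().split(";")
    sent_by = first.split()[-1]               # "host[:port]" after the transport
    if sent_by.endswith("]") or ":" not in sent_by:
        host, port = sent_by, "5060"          # no port given: SIP default
    else:
        host, _, port = sent_by.rpartition(":")
    kv = {}
    for p in params:
        key, _, value = p.partition("=")
        kv[key.strip().lower()] = value.strip()
    # received/rport come from the packet's real source and override sent-by.
    return kv.get("received") or host, int(kv.get("rport") or port)

def timeouts_by_source(log_text):
    """Tie each timed-out Call-ID to its source and count timeouts per IP."""
    source_of, counts, top_via = {}, Counter(), None
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("SIP/2.0 ") or line.endswith(" SIP/2.0"):
            top_via = None                    # new message: forget the old Via
        elif line.lower().startswith(("via:", "v:")) and top_via is None:
            top_via = via_source(line.split(":", 1)[1])   # topmost Via only
        elif line.lower().startswith(("call-id:", "i:")) and top_via:
            source_of[line.split(":", 1)[1].strip()] = top_via
        else:
            m = TIMEOUT_RE.search(line)
            src = source_of.get(m.group(1).rstrip(".")) if m else None
            if src:
                counts[src[0]] += 1
    return source_of, counts

# Excerpt from the post, Via unwrapped onto one line, garbled From/To omitted.
SAMPLE = """\
Retransmitting #10 (NAT) to 5.199.133.128:52734:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
Call-ID: 1504207870-295758084-609228182
WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182...
"""

if __name__ == "__main__":
    print(timeouts_by_source(SAMPLE)[1])
```

The `0.0.0.0:52734` in sent-by is what the sender claimed; `received` and `rport` are what the server observed, which is why they are the values to act on.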


[asterisk-users] getting invites to rtp ports ??

2018-08-29 Thread sean darcy
I'm getting invites to very high ports every 30 seconds from a 
particular ip address:


Retransmitting #10 (NAT) to 5.199.133.128:52734:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 
0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734

From: ;tag=1872048972
To: ;tag=as3a52e748
Call-ID: 1504207870-295758084-609228182
CSeq: 1 INVITE
...
WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 
1504207870-295758084-609228182...


I thought invites had to go to port 5060 or so. I don't understand why 
somebody (let's assume a bad guy) is trying ports above 5.


sean

