Bug#706739: Asterisk do not log source IP for Fake auth rejection

Tzafrir Cohen tzafrir.cohen at xorcom.com
Sat May 4 22:47:13 UTC 2013


Hi,

On Sat, May 04, 2013 at 05:43:51AM +0200, Dominik Strnad wrote:
> Package: Asterisk
> Version: 1.6.2.9-2+squeeze10
> 
> As mentioned on the Digium forum:
> http://forums.digium.com/viewtopic.php?t=78988
> http://forums.digium.com/viewtopic.php?t=77070
> http://forums.asterisk.org/viewtopic.php?t=74947
> 
> Problem: Asterisk 1.6 does not log the source IP address used for brute force attacks in some cases. Thus usage of Fail2ban or other tools is limited.
> 
> Details: When using alwaysauthreject=yes in sip.conf, the source IP of the attacker is not logged when rejecting INVITEs from not registered devices trying to authenticate at call beginning (only the Asterisk server IP itself is logged).
> 
> Solution: As Digium will not solve this issue even though this problem concerns a lot of users, I created a small patch solving it, allowing fail2ban to correctly handle such brute force attacks.

Thanks,

> 
> Before patch:
> 
> [2013-04-28 19:33:01] NOTICE[32446] chan_sip.c: Sending fake auth rejection for device 1011<sip:1011 at 10.98.231.154:5060>;tag=3b82edc2
> 
> After patch:
> 
> [2013-05-04 05:10:07] NOTICE[10851] chan_sip.c: Sending fake auth rejection for device '303<sip:303 at 10.98.231.154:5060>;tag=d9210d45' to '94.23.59.135'

I have not tested it yet. At first glance, I like it. I agree that
breaking fail2ban is a major issue.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
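
The following is an added example, not part of the message or the submitted patch: a small Python log scanner showing why the unpatched "fake auth rejection" line gives a fail2ban-style tool nothing to ban, while the patched line does. The function names, the `max_retry` threshold, the IPv4-only match and the sample lines (documentation-range addresses, with 192.0.2.10 standing in for the Asterisk server) are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the two formats quoted in the report.
_HEAD = "NOTICE[10851] chan_sip.c: Sending fake auth rejection for device "
SAMPLE_LOG = "\n".join([
    # Unpatched format: the only address is inside the SIP URI (the server itself).
    "[2013-04-28 19:33:01] " + _HEAD + "1011<sip:1011@192.0.2.10:5060>;tag=3b82edc2",
    # Patched format: quoted device string followed by the packet's source address.
    "[2013-05-04 05:10:07] " + _HEAD + "'303<sip:303@192.0.2.10:5060>;tag=d9210d45' to '198.51.100.7'",
    "[2013-05-04 05:10:08] " + _HEAD + "'304<sip:304@192.0.2.10:5060>;tag=aa11bb22' to '198.51.100.7'",
    "[2013-05-04 05:10:09] " + _HEAD + "'305<sip:305@192.0.2.10:5060>;tag=cc33dd44' to '198.51.100.7'",
    "[2013-05-04 05:10:10] " + _HEAD + "'100<sip:100@192.0.2.10:5060>;tag=ee55ff66' to '203.0.113.9'",
    "[2013-05-04 05:10:11] NOTICE[10851] chan_sip.c: unrelated constructed line",
])

PREFIX = (r"^\[[^\]]+\] NOTICE\[\d+\] chan_sip\.c: "
          r"Sending fake auth rejection for device ")
# The device string is copied from the request, so the source address is taken
# only from the fixed suffix at the very end of the line, never from the URI.
PATCHED = re.compile(PREFIX + r"'.*' to '(?P<host>\d{1,3}(?:\.\d{1,3}){3})'$")
ANY_REJECTION = re.compile(PREFIX)

def classify(line):
    """Return ('source', ip), ('no-source', None) or ('other', None)."""
    m = PATCHED.match(line)
    if m:
        return "source", m.group("host")
    if ANY_REJECTION.match(line):
        return "no-source", None   # rejection logged, but nothing to ban
    return "other", None

def offenders(log_text, max_retry=3):
    """Return (sorted IPs with >= max_retry rejections, unattributable count)."""
    hits, unattributed = Counter(), 0
    for line in log_text.splitlines():
        kind, ip = classify(line)
        if kind == "source":
            hits[ip] += 1
        elif kind == "no-source":
            unattributed += 1
    return sorted(ip for ip, n in hits.items() if n >= max_retry), unattributed

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```

A non-zero unattributable count on a production log indicates rejections still being written in the unpatched format, which no filter can turn into a ban.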



More information about the Pkg-voip-maintainers mailing list