Bug#781881: Improve security log on asterisk 1.8

Fernando Toledo ftoledo at pressenter.com.ar
Sat Apr 4 09:01:01 UTC 2015


Package: asterisk
Version: 1:1.8.13.1~dfsg1-3+deb7u3
Tags: wheezy,security

I found this message in my asterisk log and began researching how to prevent this attack using fail2ban, but this message does not have the remote IP:

[Apr  4 04:18:56] NOTICE[6054]: chan_sip.c:22653 handle_request_invite: Failed to authenticate device 200<sip:200 at 186.137.96.109>;tag=54c80643
[Apr  4 04:22:21] NOTICE[6054]: chan_sip.c:22653 handle_request_invite: Failed to authenticate device 200<sip:200 at 186.137.96.109>;tag=5d4982ba
[Apr  4 04:35:06] NOTICE[6054]: chan_sip.c:22653 handle_request_invite: Failed to authenticate device 300<sip:300 at 186.137.96.109>;tag=0f0225aa
[Apr  4 04:36:58] NOTICE[6054]: chan_sip.c:22653 handle_request_invite: Failed to authenticate device 300<sip:300 at 186.137.96.109>;tag=82b0bd6e
[Apr  4 04:40:09] NOTICE[6054]: chan_sip.c:22653 handle_request_invite: Failed to authenticate device 300<sip:300 at 186.137.96.109>;tag=83fc8936
[Apr  4 04:43:11] NOTICE[6054]: chan_sip.c:22653 handle_request_invite: Failed to authenticate device 300<sip:300 at 186.137.96.109>;tag=2c1c50cf

Many other messages have the remote IP and make it possible to write a fail2ban filter to block this DoS, just like this:

[Apr  1 00:13:09] NOTICE[17938] chan_sip.c: Call from '' (108.161.136.44:5081) to extension '0015207200160' rejected because extension not found in context 'default'.


This patch solves the problem:

--- a/channels/chan_sip.c	2015-04-04 05:20:01.458550294 -0300
+++ b/channels/chan_sip.c	2015-04-04 05:25:33.640466116 -0300
@@ -22650,7 +22650,7 @@ static int handle_request_invite(struct
 			goto request_invite_cleanup;
 		}
 		if (res < 0) { /* Something failed in authentication */
-			ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From"));
+			ast_log(LOG_NOTICE, "Failed to authenticate device %s for '%s'\n", get_header(req, "From"), ast_sockaddr_stringify(addr));
 			transmit_response_reliable(p, "403 Forbidden", req);
 			p->invitestate = INV_COMPLETED;
 			sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
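Review bot: in the `+` line the From header is attacker-controlled and is logged unescaped ahead of the new `for '%s'` field, so a log parser that is not anchored to the end of the line could pick up a fake address embedded in From; keeping `ast_sockaddr_stringify(addr)` as the last, quoted token is the right choice, and any fail2ban failregex built on this message should match the address at end of line. Consider using the same `(%s)` convention as the existing "Call from '' (ip:port)" message so one regex covers both, and confirm that `addr` is the peer-address parameter of handle_request_invite (the hunk header truncates the signature) rather than a local with a different meaning.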


--
Fernando Toledo
15 5515-3794
PressEnter Coop. Ltda.
http://www.pressenter.com.ar
tw: @PressEnterComAr
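Added example (not part of the bug report or of Asterisk/fail2ban): detection logic for the patched "Failed to authenticate device ... for 'ip:port'" message and the existing "Call from '' (ip:port)" message, counting failures per source host the way a fail2ban jail would. The log lines are constructed with documentation addresses and assume the `for '%s'` wording of the patch; the IPv4-only host pattern is an assumption.

```python
import re
from collections import Counter

# Patched message. The address is matched only at the END of the line: the From
# header is attacker-controlled, so a looser pattern could be fed a fake address.
AUTH_FAIL_RE = re.compile(
    r"NOTICE\[\d+\]: chan_sip\.c:\d+ handle_request_invite: "
    r"Failed to authenticate device .* for '(?P<host>[0-9.]+):\d+'$"
)

# Pre-existing message quoted in the report, which already carries the address.
EXT_NOT_FOUND_RE = re.compile(
    r"NOTICE\[\d+\] chan_sip\.c: Call from '[^']*' \((?P<host>[0-9.]+):\d+\) "
    r"to extension '[^']*' rejected because extension not found in context '[^']*'\.$"
)

def extract_host(line):
    """Return the source IP for a matching log line, or None if none is present."""
    line = line.rstrip("\n")
    for pattern in (AUTH_FAIL_RE, EXT_NOT_FOUND_RE):
        m = pattern.search(line)
        if m:
            return m.group("host")
    return None

def offenders(lines, maxretry=3):
    """Hosts with at least `maxretry` matching failures (fail2ban-style threshold)."""
    counts = Counter()
    for line in lines:
        host = extract_host(line)
        if host:
            counts[host] += 1
    return {host: n for host, n in counts.items() if n >= maxretry}

# Constructed sample log (RFC 5737 addresses; '@' where the list archive shows ' at ').
# Line 3 carries a spoofed "for '203.0.113.9:5060'" inside From; line 4 is the
# unpatched message without an address and must not yield a host.
SAMPLE_LOG = [
    "[Apr  4 04:18:56] NOTICE[6054]: chan_sip.c:22653 handle_request_invite: Failed to authenticate device 200<sip:200@192.0.2.10>;tag=54c80643 for '192.0.2.10:5060'",
    "[Apr  4 04:22:21] NOTICE[6054]: chan_sip.c:22653 handle_request_invite: Failed to authenticate device 200<sip:200@192.0.2.10>;tag=5d4982ba for '192.0.2.10:5060'",
    "[Apr  4 04:35:06] NOTICE[6054]: chan_sip.c:22653 handle_request_invite: Failed to authenticate device 300 for '203.0.113.9:5060'<sip:300@192.0.2.10>;tag=0f0225aa for '192.0.2.10:5060'",
    "[Apr  4 04:36:58] NOTICE[6054]: chan_sip.c:22653 handle_request_invite: Failed to authenticate device 300<sip:300@192.0.2.10>;tag=82b0bd6e",
    "[Apr  1 00:13:09] NOTICE[17938] chan_sip.c: Call from '' (198.51.100.7:5081) to extension '0015207200160' rejected because extension not found in context 'default'.",
]

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG, maxretry=3))  # {'192.0.2.10': 3}
```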


