Benoit Panizzon
2012-Oct-05 12:10 UTC
[asterisk-users] How to log caller IP address in the CDR?
Hello

We had this situation:

Some bot-net did try to guess SIP logins and finally succeeded. The Asterisk Server was abused to call a large number of expensive destinations.

It is clear that the sip logins have been passed to various persons (probably posted on a forum somewhere inviting to do 'free calls').

Right after the affected password was changed, the message log shows which IP did try to make calls.
We also got a few snapshots of 'sip show channels' which show the ip addresses of active in call connections.
So basically it is known, who abused the service. It was abused from multiple IP addresses at the same time.

Legal steps against the abusers have been taken, but to claim the costs of the damage they generated we would need to know exactly which calls originated from which IP address to put an exact sum of damage done by each of the abusers.

Well for this case it is too late now. But is there a way to get the IP Address of the SIP Client being logged in each CDR?

Kind regards

Benoit Panizzon
Joshua Colp
2012-Oct-05 12:26 UTC
[asterisk-users] How to log caller IP address in the CDR?
Benoit Panizzon wrote:
> Hello

Hola,

<snipped out parts, check archives for those who are curious>

> Well for this case it is too late now. But is there a way to get the IP
> Address of the SIP Client being logged in each CDR?

You can access the IP address of the received signaling traffic (provided it has not been spoofed) using ${CHANNEL(recvip)} in the dialplan. If the CDR module you are using supports storing custom variables you can do something like:

    exten => _X.,1,Set(CDR(recvip)=${CHANNEL(recvip)})

To store this in the custom variable field 'recvip'. If it does not you can store it in the userfield instead like:

    exten => _X.,1,Set(CDR(userfield)=${CHANNEL(recvip)})

Cheers,

--
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: www.digium.com & www.asterisk.org
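
Once ${CHANNEL(recvip)} is stored in the CDR userfield as described above, the per-address totals the original question asks for can be computed from the CDR file. The following is an added example, not part of any post in this thread: it assumes the cdr_csv Master.csv column order with uniqueid and userfield logging enabled, and the rate table, per-second billing and sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Assumed cdr_csv Master.csv column order (uniqueid and userfield logging enabled).
FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
          "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
          "duration", "billsec", "disposition", "amaflags", "uniqueid", "userfield"]
# Hypothetical per-minute rates by dialled prefix; not taken from the thread.
RATES = {"0088": Decimal("4.50"), "00": Decimal("0.30")}
# Constructed sample CDRs; userfield holds ${CHANNEL(recvip)} (documentation-range IPs).
SAMPLE_CDR = '''\
"","1001","0088213000001","from-sip","1001","SIP/1001-00000001","SIP/trunk-00000002","Dial","SIP/trunk/0088213000001","2012-10-01 02:00:00","2012-10-01 02:00:05","2012-10-01 02:03:05",185,180,"ANSWERED","DOCUMENTATION","1349056800.1","198.51.100.7"
"","1001","00441610000000","from-sip","1001","SIP/1001-00000003","SIP/trunk-00000004","Dial","SIP/trunk/00441610000000","2012-10-01 02:01:00","2012-10-01 02:01:04","2012-10-01 02:02:04",64,60,"ANSWERED","DOCUMENTATION","1349056860.3","203.0.113.9"
"","1001","0088213000002","from-sip","1001","SIP/1001-00000005","SIP/trunk-00000006","Dial","SIP/trunk/0088213000002","2012-10-01 02:05:00","2012-10-01 02:05:03","2012-10-01 02:07:03",123,120,"ANSWERED","DOCUMENTATION","1349057100.5","198.51.100.7"
"","1001","0088213000003","from-sip","1001","SIP/1001-00000007","","Dial","SIP/trunk/0088213000003","2012-10-01 02:06:00","","2012-10-01 02:06:20",20,0,"NO ANSWER","DOCUMENTATION","1349057160.7","203.0.113.9"
"","1001","0088213000004","from-sip","1001","SIP/1001-00000008","SIP/trunk-00000009","Dial","SIP/trunk/0088213000004","2012-09-30 23:00:00","2012-09-30 23:00:02","2012-09-30 23:01:02",62,60,"ANSWERED","DOCUMENTATION","1349046000.8",""
'''

def rate_for(dst, rates):
    """Longest-prefix match of the dialled number against the rate table."""
    matches = [prefix for prefix in rates if dst.startswith(prefix)]
    return rates[max(matches, key=len)] if matches else Decimal("0")

def damage_by_ip(cdr_text, rates=RATES):
    """Sum answered calls, billed seconds and cost per source IP (CDR userfield)."""
    totals = defaultdict(lambda: {"calls": 0, "billsec": 0, "cost": Decimal("0")})
    for row in csv.reader(io.StringIO(cdr_text)):
        if len(row) < len(FIELDS):
            continue  # truncated line, or userfield logging was not enabled
        cdr = dict(zip(FIELDS, row))
        if cdr["disposition"] != "ANSWERED":
            continue  # unanswered attempts carry no billed time
        # Calls logged before the dialplan change have no address recorded.
        ip = cdr["userfield"].strip() or "unknown"
        billsec = int(cdr["billsec"])
        entry = totals[ip]
        entry["calls"] += 1
        entry["billsec"] += billsec
        # Assumes per-second billing at the per-minute rate.
        entry["cost"] += rate_for(cdr["dst"], rates) * billsec / 60
    return dict(totals)

if __name__ == "__main__":
    for ip, t in sorted(damage_by_ip(SAMPLE_CDR).items()):
        print(f"{ip:15} calls={t['calls']} billsec={t['billsec']} cost={t['cost']:.2f}")
```

Rows with an empty userfield are reported under "unknown" so that calls placed before the dialplan change are counted rather than silently attributed to nobody.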
Patrick Lists
2012-Oct-05 12:29 UTC
[asterisk-users] How to log caller IP address in the CDR?
On 10/05/2012 02:10 PM, Benoit Panizzon wrote:
> Hello
>
> We had this situation:
>
> Some bot-net did try to guess SIP logins and finally succeeded. The Asterisk
> Server was abused to call a large number of expensive destinations.

I'm sorry to hear that. In the Asterisk source there is a doc that focuses on security. You might want to read that. Google should give you more information about Asterisk/SIP security. Also you may want to install something like fail2ban which prevents brute forcing by banning originating IP addresses after a few failed attempts.

Regards,
Patrick
Ishfaq Malik
2012-Oct-05 14:10 UTC
[asterisk-users] How to log caller IP address in the CDR?
On Fri, 2012-10-05 at 14:10 +0200, Benoit Panizzon wrote:
> Hello
>
> We had this situation:
>
> Some bot-net did try to guess SIP logins and finally succeeded. The Asterisk
> Server was abused to call a large number of expensive destinations.
>
> It is clear that the sip logins have been passed to various persons (probably
> posted on a forum somewhere inviting to do 'free calls').
>
> Right after the affected password was changed, the message log shows which IP
> did try to make calls.
> We also got a few snapshots of 'sip show channels' which show the ip addresses
> of active in call connections.
> So basically it is known, who abused the service. It was abused from multiple IP
> addresses at the same time.
>
> Legal steps against the abusers have been taken, but to claim the costs of the
> damage they generated we would need to know exactly which calls originated
> from which IP address to put an exact sum of damage done by each of the
> abusers.
>
> Well for this case it is too late now. But is there a way to get the IP
> Address of the SIP Client being logged in each CDR?
>
> Kind regards
>
> Benoit Panizzon
>
> --

Hi

Get info using function SIPCHANINFO
https://wiki.asterisk.org/wiki/display/AST/Function_SIPCHANINFO

Set it to CDR using CDR(userfield)

The above are for 1.8

Regards

Ish

--
Ishfaq Malik <ish at pack-net.co.uk>
Department: VOIP Support
Company: Packnet Limited
t: +44 (0)845 004 4994
f: +44 (0)161 660 9825
e: ish at pack-net.co.uk
w: http://www.pack-net.co.uk

Registered Address: PACKNET LIMITED, 2A ENTERPRISE HOUSE, LLOYD STREET NORTH, MANCHESTER SCIENCE PARK, MANCHESTER, M156SE
COMPANY REG NO. 04920552