Warren Selby wrote:> Hello list,
>
> I've got a client who's weak sip passwords are being guessed by
remote
> entities who then connect to their server and use it to wardial large
> swaths of numbers. When they start receiving complaints, they call me
> and I add the ip address of the remote user to the iptables drop list.
>
> At the same time, my own personal asterisk server, using strong sip
> passwords, has seen connections from remote entities. I'm not sure
> how these passwords were guessed (or even if they were guessed), as
> they were at a minimum 10 characters long, not based on dictionary
> words, and used numbers, letters, and symbols.
>
> Is there some logging capability that allows me to see every IP
> address of every sip registration attempt, along with details about
> the sip reg attempt (I.e user name tried, success or failure, user
> agent, etc). I haven't found a way to do this yet, I'm hoping
I've
> just missed something simple?
>
> Thanks,
> Warren Selby
>
>
Here's a start for you, just run from cron once a day:
Lyle
#!/usr/bin/perl
$mess_log = "/home/asterisk/log/asterisk/messages";
$event_log = "/home/asterisk/log/asterisk/event_log";
$queue_log = "/home/asterisk/log/asterisk/queue_log";
$cdr_log = "/home/asterisk/log/asterisk/cdr-csv/Master.csv";
$vm_dir = "/home/asterisk/spool/asterisk/voicemail/default/";
$sendmail = "/usr/sbin/sendmail -t ";
$ast_log = "/home/asterisk/log/asterisk/messages";
open astlog, "< $ast_log" || die "Could not open Asterisk
logs\n";
open ast_mail, "| $sendmail";
print ast_mail "To: email1\n";
print ast_mail "From: root\n";
print ast_mail "Subject: Asterisk passwd fail log\n";
open ast_mail2, "| $sendmail";
print ast_mail2 "To: email1\n";
print ast_mail2 "From: root\n";
print ast_mail2 "Subject: Asterisk bad SIP number log\n";
while (<astlog>) {
chomp;
$ln = $_;
if (index($ln,"password") ne -1) {
print ast_mail $ln . "\n";
}
if (index($ln,"matching") ne -1) {
print ast_mail2 $ln . "\n";
}
}
close astlog;
close ast_mail;
close ast_mail2;