On 05/17/2018 11:38 AM, Frank Vanoni wrote:
> On Thu, 2018-05-17 at 11:18 -0400, sean darcy wrote:
>
>> 3. How do I set up the server to block these?
>>
>> 4. Can I stop the retransmitting of the 401 Unauthorized packets?
>
> I'm happy with Fail2Ban protecting my Asterisk 13. Here is my
> configuration:
>
> in /etc/asterisk/logger.conf:
>
> messages => security,notice,warning,error
>
>
> in /etc/asterisk/sip.conf:
>
> allowguest=yes
> context=unauthenticated
>
>
> in /etc/asterisk/extensions.conf:
>
> [unauthenticated]
> ;; Incoming calls from unauthenticated caller -> Fail2Ban
> exten => _X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
> exten => _X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
> exten => _X.,3,HangUp()
>
> exten => _+X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
> exten => _+X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
> exten => _+X.,3,HangUp()
>
>
>
> in /etc/fail2ban/jail.conf:
>
> [asterisk]
> filter   = asterisk
> action   = iptables-allports[name=ASTERISK]
> logpath  = /var/log/asterisk/messages
> maxretry = 1
> findtime = 86400
> bantime  = 518400
> enabled = true
>
>
> in /etc/fail2ban/filter.d
>
> # Fail2Ban configuration file
> #
> #
> # $Revision: 250 $
> #
>
> [INCLUDES]
>
> # Read common prefixes. If any customizations available -- read them from
> # common.local
> #before = common.conf
>
>
> [Definition]
>
> #_daemon = asterisk
>
> # Option:  failregex
> # Notes.:  regex to match the password failures messages in the logfile. The
> #          host must be matched by a group named "host". The tag "<HOST>" can
> #          be used for standard IP/hostname matching and is only an alias for
> #          (?:::f{4,6}:)?(?P<host>\S+)
> # Values:  TEXT
> #
> failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
>             NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
>             NOTICE.* chan_sip.c: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Not a local domain
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device not configured to use this transport type
>             NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
>             NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
>             NOTICE.* .*: Host <HOST> denied access to register peer '.*'
>             NOTICE.* .*: Host <HOST> did not provide proper plaintext password for '.*'
>             NOTICE.* .*: Registration of '.*' rejected: '.*' from: '<HOST>'
>             NOTICE.* .*: Peer '.*' is not dynamic \(from <HOST>\)
>             NOTICE.* .*: Host <HOST> denied access to register peer '.*'
>             SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             SECURITY.* .*: SecurityEvent="FailedACL".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             SECURITY.* .*: SecurityEvent="ChallengeResponseFailed".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
>             SECURITY.* .*: SecurityEvent="ChallengeSent".*,Severity="Informational",Service="SIP".*,AccountID="sip:.*@93.94.247.123".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             WARNING.* .*: fail2ban='<HOST>'
>
> # Option:  ignoreregex
> # Notes.:  regex to ignore. If this regex matches, the line is ignored.
> # Values:  TEXT
> #
> ignoreregex =
>
Thanks. Very useful as a tutorial for fail2ban.
But I don't think it covers this SIP hack. This guy isn't trying to
register. That's why I find it puzzling. What is he trying to do?
sean
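Added example, not from either poster: a small Python checker that expands the quoted filter's `<HOST>` tag the way fail2ban does and runs a subset of that filter's failregex lines over constructed Asterisk log lines, including the `fail2ban='...'` WARNING that the quoted [unauthenticated] dialplan emits for a caller who sends INVITEs without ever registering. Log lines, hosts and process ids are constructed for the example.

```python
import re
from collections import defaultdict

# fail2ban expands <HOST> to this group (as the quoted filter's own comment says).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# A subset of the quoted filter's failregex entries, copied from it verbatim.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found",
    r"NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'",
    r'SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"',
    r"WARNING.* .*: fail2ban='<HOST>'",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_TAG)) for p in FAILREGEX]


def match_host(line):
    """Return the host captured by the first matching failregex, or None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def hosts_to_ban(lines, maxretry=1):
    """Hosts whose match count reaches maxretry (all lines assumed inside one findtime)."""
    counts = defaultdict(int)
    for line in lines:
        host = match_host(line)
        if host:
            counts[host] += 1
    return sorted(h for h, n in counts.items() if n >= maxretry)


# Constructed sample lines in the style of /var/log/asterisk/messages (not real traffic).
SAMPLE_LOG = [
    "[May 17 11:00:01] NOTICE[1234] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password",
    '[May 17 11:00:02] SECURITY[1235] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2018-05-17T11:00:02.000+0000",Severity="Error",Service="SIP",EventVersion="1",AccountID="1000",SessionID="0x7f",LocalAddress="IPV4/UDP/203.0.113.10/5060",RemoteAddress="IPV4/UDP/198.51.100.8/5060"',
    # A caller that never registers lands in [unauthenticated]; its Log() line is what flags it.
    "[May 17 11:00:03] WARNING[1236][C-00000001] app_verbose.c: fail2ban='198.51.100.9'",
    "[May 17 11:00:04] NOTICE[1237] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password",
    "[May 17 11:00:05] VERBOSE[1238] pbx.c: -- Executing [100@from-internal:1] Dial(\"SIP/100-00000002\", \"SIP/200\")",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_host(line), "<-", line[:60])
    print("ban:", hosts_to_ban(SAMPLE_LOG))
```

With the quoted jail's maxretry = 1 every matching host is banned on first sight; raising maxretry shows how only the repeat offender survives the threshold.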