I wonder if I could have that patch, maybe I could add it to my
fail2ban regexp and if you have the correct regexp, I would appreciate
that as well.

Thanks.

On Wed, 29 Aug 2018 19:18:29 -0400,
Telium Support Group wrote:
>
> Depending on log trolling (Asterisk security log) misses a lot, and also depends on the SIP/PJSIP folks to not change message structure (which has already happened numerous time). If you are comfortable hacking chan_sip.c you may prefer to get the same messages from the AMI. It still misses a lot but that approach is better than nothing.
>
> Digium warns not to use fail2ban / log trolling as a security system: http://forums.asterisk.org/viewtopic.php?p=159984
>
>
> -----Original Message-----
> From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of sean darcy
> Sent: Wednesday, August 29, 2018 6:33 PM
> To: asterisk-users at lists.digium.com
> Subject: Re: [asterisk-users] getting invites to rtp ports ??
>
> On 08/29/2018 11:59 AM, Telium Support Group wrote:
> > Block a single IP is the wrong approach (whack-a-mole). You should consider a more comprehensive approach to securing your VoIP environment. Have a look at this wiki:
> >
> > https://www.voip-info.org/asterisk-security/
> >
> >
> > -----Original Message-----
> > From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com]
> > On Behalf Of sean darcy
> > Sent: Wednesday, August 29, 2018 10:46 AM
> > To: asterisk-users at lists.digium.com
> > Subject: Re: [asterisk-users] getting invites to rtp ports ??
> >
> > On 08/29/2018 09:42 AM, Carlos Rojas wrote:
> >> Hi
> >>
> >> Probably somebody is trying to hack your system, you should block
> >> that ip on your firewall.
> >>
> >> Regards
> >>
> >> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandarcy2 at gmail.com> wrote:
> >>
> >> I'm getting invites to very high ports every 30 seconds from a
> >> particular ip address:
> >>
> >> Retransmitting #10 (NAT) to 5.199.133.128:52734:
> >> SIP/2.0 401 Unauthorized
> >> Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
> >> From: <sip:37120116780191250@67.80.191.250>;tag=1872048972
> >> To: <sip:3712011972592181418@67.80.191.250>;tag=as3a52e748
> >> Call-ID: 1504207870-295758084-609228182
> >> CSeq: 1 INVITE
> >> .......
> >> WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
> >> 1504207870-295758084-609228182...
> >>
> >> I thought invites had to go to port 5060 or so. I don't understand
> >> why somebody (let's assume a bad guy) is trying ports above 50000.
> >>
> >> sean
> >>
> >>
> >
> > Ok, so the high port is not the destination port but the source port.
> >
> > So I hacked the log warning in chan_sip.c on non-critical invites to show the source ip:
> >
> > ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
> >         pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> >
> > With that in the log, I'm now blocking the ip addresses.
> >
> > Thanks,
> > sean
> >
> >
> > --
> > _____________________________________________________________________
> > -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> >
> > Astricon is coming up October 9-11! Signup is available at:
> > https://www.asterisk.org/community/astricon-user-conference
> >
> > Check out the new Asterisk community forum at:
> > https://community.asterisk.org/
> >
>
> I agree. That's why I hacked chan_sip.c to get the addresses in the log.
>
> I'm surprised they're not in the log by default. I must be the only person who gets these "non-critical invites".
>
> sean
>
--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?
John Covici wb2una
covici at ccs.covici.com
On 08/29/2018 08:07 PM, John Covici wrote:
> I wonder if I could have that patch, maybe I could add it to my
> fail2ban regexp and if you have the correct regexp, I would appreciate
> that as well.
>
> Thanks.
>
> On Wed, 29 Aug 2018 19:18:29 -0400,
> Telium Support Group wrote:
>>
>> Depending on log trolling (Asterisk security log) misses a lot, and also depends on the SIP/PJSIP folks to not change message structure (which has already happened numerous time). If you are comfortable hacking chan_sip.c you may prefer to get the same messages from the AMI. It still misses a lot but that approach is better than nothing.
>>
>> Digium warns not to use fail2ban / log trolling as a security system: http://forums.asterisk.org/viewtopic.php?p=159984
>>
>> [...]
>>
>> I agree. That's why I hacked chan_sip.c to get the addresses in the log.
>>
>> I'm surprised they're not in the log by default. I must be the only person who gets these "non-critical invites".
>>
>> sean
>>
The patch, more accurately a hack, is in my second post above.

chan_sip.c 4127 :
ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
        pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));

The added second %s shows the ip address of the pkt owner.

I wouldn't submit it in a coding class !

sean
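An added example, not code from the thread or from Asterisk: a fail2ban-style failregex for the modified WARNING line above, applied in Python to a few constructed messages-log lines and counted per source host the way fail2ban's maxretry does. It assumes the line reaches the messages log at WARNING level, as the ast_log(LOG_WARNING, ...) call does; the log lines, addresses and the bracketed IPv6 form are constructed for the example.

```python
import re
from collections import Counter

# fail2ban-style failregex for the hacked chan_sip.c WARNING line (filter text
# written for this example, not taken from the thread). fail2ban strips the
# leading "[Aug 29 20:31:15]" timestamp itself and substitutes <HOST> with its
# own address pattern. ast_sockaddr_stringify() prints "ip:port" for IPv4 and
# "[ip]:port" for IPv6, so the brackets and the port are matched outside <HOST>.
FAILREGEX = (r"WARNING\S*: chan_sip\.c:\d+ retrans_pkt: Timeout on \S+ "
             r"non-critic invite trans from \[?<HOST>\]?:\d+\.\s*$")

# Simplified stand-in for fail2ban's <HOST> expansion: dotted-quad IPv4 or
# hex/colon IPv6 (fail2ban's real pattern also accepts hostnames).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]+)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))

# Constructed sample of an Asterisk messages log: three hits from one IPv4
# source, one from an IPv6 source, one unpatched (stock) timeout line that
# carries no address, and one unrelated NOTICE. Addresses are documentation
# ranges; the chan_sip.c line number on the NOTICE is made up.
SAMPLE_LOG = """\
[Aug 29 20:31:15] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182 non-critic invite trans from 203.0.113.7:52734.
[Aug 29 20:31:45] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228183 non-critic invite trans from 203.0.113.7:52734.
[Aug 29 20:32:15] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228184 non-critic invite trans from 203.0.113.7:52734.
[Aug 29 20:32:20] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 7c1a2b3c-1 non-critic invite trans from [2001:db8::1]:5060.
[Aug 29 20:32:30] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182...
[Aug 29 20:32:40] NOTICE[150318]: chan_sip.c:99999 handle_request_register: Registration from '"100" <sip:100@198.51.100.5>' failed for '198.51.100.9:5060' - Wrong password
"""


def source_hosts(lines):
    """Source host of every line matching the patched warning, in log order.
    The stock line (no 'from <addr>') never matches: that is what the hack adds."""
    hosts = []
    for line in lines:
        m = PATTERN.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_over_threshold(lines, maxretry=3):
    """Hosts seen at least maxretry times, like fail2ban's maxretry (the
    findtime window is deliberately ignored here). A ban action would act on these."""
    counts = Counter(source_hosts(lines))
    return {host: n for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failregex =", FAILREGEX)
    print("matched hosts:", source_hosts(lines))
    print("over threshold:", hosts_over_threshold(lines))
```

The FAILREGEX string is what would go under `failregex =` in a fail2ban filter; as Telium notes above, this only sees what chan_sip.c chooses to log, so it is a detection aid rather than a security boundary.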
OK, Thanks. I have a couple of questions -- the line numbers do not
match exactly, so can you tell me a couple of lines before and after
the line in question? Also, when will this be logged, if it's only
during sip debug, I need to change it to log when I can see it more
readily.

Thanks.

On Wed, 29 Aug 2018 20:31:15 -0400,
sean darcy wrote:
>
> On 08/29/2018 08:07 PM, John Covici wrote:
> > I wonder if I could have that patch, maybe I could add it to my
> > fail2ban regexp and if you have the correct regexp, I would appreciate
> > that as well.
> >
> > Thanks.
> >
> > [...]
> >
> The patch, more accurately a hack, is in my second post above.
>
> chan_sip.c 4127 : ast_log(LOG_WARNING, "Timeout on %s non-critic
> invite trans from %s.\n",
> pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
>
> The added second %s shows the ip address of the pkt owner.
>
> I wouldn't submit it in a coding class !
>
> sean
>
--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?
John Covici wb2una
covici at ccs.covici.com