On Wed, Aug 29, 2018 at 6:20 PM Telium Support Group <support at telium.ca> wrote:

> Depending on log trolling (Asterisk security log) misses a lot, and also
> depends on the SIP/PJSIP folks to not change message structure (which has
> already happened numerous times). If you are comfortable hacking
> chan_sip.c you may prefer to get the same messages from the AMI. It still
> misses a lot but that approach is better than nothing.
>
> Digium warns not to use fail2ban / log trolling as a security system:
> http://forums.asterisk.org/viewtopic.php?p=159984
>

That's some pretty old advice.

The rationale for *not* using general log messages with fail2ban still
stands: the general WARNING/NOTICE/etc. log messages are subject to change
between versions, and no one wants that to impact someone's security. So
you should not use those messages as input into fail2ban.

That rationale did lead to the 'security' event type in log messages.
Security Event Logging - as it is called - got added into Asterisk quite
some time ago. So long ago I'm really not sure which version. At a minimum,
Asterisk 11, but I'm pretty sure it was in 10 as well.

Documentation for it can be found here:

https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger

And here:

https://wiki.asterisk.org/wiki/display/AST/Logging+Configuration

Note that this also fires off AMI events (and ARI events, IIRC).

If, for whatever reason, you do not get a SECURITY log message or a
corresponding event when something 'bad' happens, that would be worth some
additional discussion. If anything, the events can be a bit chatty...

> -----Original Message-----
> From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On
> Behalf Of sean darcy
> Sent: Wednesday, August 29, 2018 6:33 PM
> To: asterisk-users at lists.digium.com
> Subject: Re: [asterisk-users] getting invites to rtp ports ??
>
> On 08/29/2018 11:59 AM, Telium Support Group wrote:
> > Blocking a single IP is the wrong approach (whack-a-mole). You should
> > consider a more comprehensive approach to securing your VoIP environment.
> > Have a look at this wiki:
> >
> > https://www.voip-info.org/asterisk-security/
> >
> > -----Original Message-----
> > From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com]
> > On Behalf Of sean darcy
> > Sent: Wednesday, August 29, 2018 10:46 AM
> > To: asterisk-users at lists.digium.com
> > Subject: Re: [asterisk-users] getting invites to rtp ports ??
> >
> > On 08/29/2018 09:42 AM, Carlos Rojas wrote:
> >> Hi
> >>
> >> Probably somebody is trying to hack your system, you should block
> >> that ip on your firewall.
> >>
> >> Regards
> >>
> >> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandarcy2 at gmail.com> wrote:
> >>
> >>     I'm getting invites to very high ports every 30 seconds from a
> >>     particular ip address:
> >>
> >>     Retransmitting #10 (NAT) to 5.199.133.128:52734:
> >>     SIP/2.0 401 Unauthorized
> >>     Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
> >>     From: <sip:37120116780191250 at 67.80.191.250>;tag=1872048972
> >>     To: <sip:3712011972592181418 at 67.80.191.250>;tag=as3a52e748
> >>     Call-ID: 1504207870-295758084-609228182
> >>     CSeq: 1 INVITE
> >>     .......
> >>     WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
> >>     1504207870-295758084-609228182...
> >>
> >>     I thought invites had to go to port 5060 or so. I don't understand
> >>     why somebody (let's assume a bad guy) is trying ports above 50000.
> >>
> >>     sean
> >
> > Ok, so the high port is not the destination port but the source port.
> >
> > So I hacked the log warning in chan_sip.c on non-critical invites to
> > show the source ip:
> >
> >     ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
> >             pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> >
> > With that in the log, I'm now blocking the ip addresses.
> >
> > Thanks,
> > sean
> >
> > --
> > _____________________________________________________________________
> > -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> >
> > Astricon is coming up October 9-11! Signup is available at:
> > https://www.asterisk.org/community/astricon-user-conference
> >
> > Check out the new Asterisk community forum at:
> > https://community.asterisk.org/
>
> I agree. That's why I hacked chan_sip.c to get the addresses in the log.
>
> I'm surprised they're not in the log by default. I must be the only person
> who gets these "non-critical invites".
>
> sean
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Astricon is coming up October 9-11! Signup is available at:
> https://www.asterisk.org/community/astricon-user-conference
>
> Check out the new Asterisk community forum at:
> https://community.asterisk.org/
>
> New to Asterisk? Start here:
> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users

-- 
Matthew Jordan
Digium, Inc. | CTO
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
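Matthew Jordan's point above (and again in his later reply to John Covici) is that automated blocking should be fed from the structured SECURITY log, not from the WARNING text Sean patched in chan_sip.c. The script below is an added example illustrating that; it is not code from this thread or from the Asterisk project. It assumes the security log layout written by res_security_log behind the logger's default dateformat, i.e. a `[YYYY-MM-DD HH:MM:SS] SECURITY[pid] ...: SecurityEvent="...",...,RemoteAddress="IPV4/UDP/ip/port"` line; the sample lines are constructed, with 5.199.133.128 standing in for the scanner in Sean's log and documentation ranges for everything else, and the nft table and set names are placeholders. It counts only event types that mean a remote party failed to get in, so the ChallengeSent/SuccessfulAuth pair every legitimate phone produces (the "chatty" part) never triggers a ban, and it refuses to ban addresses on an ignore list such as the SIP provider's trunk, the classic way to knock your own service offline with fail2ban.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Security event types that mean a remote party failed to get in. ChallengeSent
# and SuccessfulAuth are deliberately absent: every legitimate phone logs a
# ChallengeSent before it authenticates, so counting all events over-bans.
FAILURE_EVENTS = frozenset({
    "FailedACL", "InvalidAccountID", "ChallengeResponseFailed",
    "InvalidPassword", "UnexpectedAddress", "RequestBadFormat",
})

# Assumed layout: logger prefix with the default dateformat, then the
# comma-separated key="value" pairs written by res_security_log.
_PREFIX = re.compile(r'^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] SECURITY\[\d+\]')
_KV = re.compile(r'(\w+)="([^"]*)"')
# RemoteAddress looks like "IPV4/UDP/5.199.133.128/52734".
_ADDR = re.compile(r'^IPV(4|6)/(UDP|TCP|TLS|WS|WSS)/(.+)/(\d+)$')


def parse_security_event(line):
    """Return a dict for one SECURITY log line, or None for any other line."""
    m = _PREFIX.match(line)
    if not m:
        return None
    fields = dict(_KV.findall(line))
    addr = _ADDR.match(fields.get("RemoteAddress", ""))
    if "SecurityEvent" not in fields or not addr:
        return None
    return {
        "time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
        "event": fields["SecurityEvent"],
        "service": fields.get("Service", ""),
        "account": fields.get("AccountID", ""),
        "transport": addr.group(2),
        "remote_ip": addr.group(3),
        "remote_port": int(addr.group(4)),
    }


def ban_candidates(lines, threshold=3, window=timedelta(minutes=5), ignore=()):
    """IPs with >= threshold failure events inside one `window`, minus `ignore`.

    `ignore` lists networks that must never be banned: the SIP provider's
    signalling addresses, branch PBXes, anything you would lose calls over.
    """
    safe = [ip_network(n) for n in ignore]
    recent = defaultdict(deque)          # remote_ip -> times of recent failures
    banned = set()
    for line in lines:
        ev = parse_security_event(line)
        if ev is None or ev["event"] not in FAILURE_EVENTS:
            continue
        ip = ev["remote_ip"]
        if any(ip_address(ip) in net for net in safe):
            continue
        times = recent[ip]
        times.append(ev["time"])
        while times and ev["time"] - times[0] > window:   # drop stale failures
            times.popleft()
        if len(times) >= threshold:
            banned.add(ip)
    return banned


def nft_ban_commands(ips, table="inet filter", set_name="sip_banned"):
    """nft commands adding the IPs to a set that a default-deny ruleset drops.

    Table and set names are placeholders for this example.
    """
    return [f"nft add element {table} {set_name} {{ {ip} }}" for ip in sorted(ips)]


def _sec(ts, event, ip, port, account):
    """Build one constructed SECURITY line in the layout parsed above."""
    return (f'[{ts}] SECURITY[150318] res_security_log.c: SecurityEvent="{event}",'
            f'EventTV="{ts.replace(" ", "T")}.000-0400",Severity="Error",Service="SIP",'
            f'EventVersion="2",AccountID="{account}",SessionID="1504207870-295758084-609228182",'
            f'LocalAddress="IPV4/UDP/67.80.191.250/5060",RemoteAddress="IPV4/UDP/{ip}/{port}"')


# Constructed sample log. 5.199.133.128 plays the scanner from the thread (a
# bogus account every 30 seconds); the other addresses are documentation ranges.
SAMPLE_LOG = [
    _sec("2018-08-29 09:30:00", "InvalidAccountID", "5.199.133.128", 52734, "37120116780191250"),
    _sec("2018-08-29 09:30:30", "InvalidAccountID", "5.199.133.128", 52734, "37120116780191251"),
    _sec("2018-08-29 09:31:00", "InvalidAccountID", "5.199.133.128", 52734, "37120116780191252"),
    # a real phone registering: challenge then success, must not count
    _sec("2018-08-29 09:30:05", "ChallengeSent", "192.0.2.55", 5060, "101"),
    _sec("2018-08-29 09:30:05", "SuccessfulAuth", "192.0.2.55", 5060, "101"),
    # the SIP provider with a mistyped trunk secret: on the ignore list, never banned
    _sec("2018-08-29 09:30:10", "ChallengeResponseFailed", "203.0.113.7", 5060, "trunk"),
    _sec("2018-08-29 09:30:11", "ChallengeResponseFailed", "203.0.113.7", 5060, "trunk"),
    _sec("2018-08-29 09:30:12", "ChallengeResponseFailed", "203.0.113.7", 5060, "trunk"),
    # two failures ten minutes apart: never three inside a 5-minute window
    _sec("2018-08-29 09:20:00", "InvalidPassword", "198.51.100.9", 5060, "200"),
    _sec("2018-08-29 09:30:00", "InvalidPassword", "198.51.100.9", 5060, "200"),
    # the WARNING Sean patched: no structured address, so it is skipped
    "[2018-08-29 09:31:01] WARNING[150318] chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182",
]

if __name__ == "__main__":
    for cmd in nft_ban_commands(ban_candidates(SAMPLE_LOG, ignore=["203.0.113.0/24"])):
        print(cmd)
```

In practice you would tail the file that logger.conf routes the `security` level to (see the Logging Configuration page above) instead of a list, and apply the resulting nft commands from a privileged helper. The value of keying on `SecurityEvent` and `RemoteAddress` rather than on free-form WARNING text is exactly Matthew's point: those fields are the interface Asterisk commits to, so a chan_sip wording change between releases does not silently blind the blocker.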
I agree, but is it possible to try over and over with anything other
than the challenge warning in the security log as sean suggested and
put a patch for?

On Wed, 29 Aug 2018 22:52:05 -0400, Matthew Jordan wrote:
> On Wed, Aug 29, 2018 at 6:20 PM Telium Support Group <support at telium.ca> wrote:
>
> > [...]
> >
> > Digium warns not to use fail2ban / log trolling as a security system:
> > http://forums.asterisk.org/viewtopic.php?p=159984
>
> That's some pretty old advice.
>
> The rationale for *not* using general log messages with fail2ban still
> stands: the general WARNING/NOTICE/etc. log messages are subject to change
> between versions, and no one wants that to impact someone's security. So
> you should not use those messages as input into fail2ban.
>
> That rationale did lead to the 'security' event type in log messages.
> Security Event Logging - as it is called - got added into Asterisk quite
> some time ago. So long ago I'm really not sure which version. At a minimum,
> Asterisk 11, but I'm pretty sure it was in 10 as well.
>
> [...]
>
> If, for whatever reason, you do not get a SECURITY log message or a
> corresponding event when something 'bad' happens, that would be worth some
> additional discussion. If anything, the events can be a bit chatty...
>
> [...]
>
> --
> Matthew Jordan
> Digium, Inc. | CTO
> 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> Check us out at: http://digium.com & http://asterisk.org

-- 
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?
John Covici wb2una
covici at ccs.covici.com
asterisk at a-domani.nl
2018-Aug-30 09:04 UTC
[asterisk-users] getting invites to rtp ports ??
Regarding this thread, I was wondering, why would anybody open his
firewall (for incoming traffic) for anybody else besides his own
SIP provider?

Isn't that the proper way for having your firewall configured: always,
by default closed, unless explicitly required? (But perhaps I'm missing
a legitimate use-case.)

Hans

On 2018-08-30 04:52, Matthew Jordan wrote:
> On Wed, Aug 29, 2018 at 6:20 PM Telium Support Group
> <support at telium.ca> wrote:
>
> [...]
>
> --
> Matthew Jordan
> Digium, Inc. | CTO
> 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> Check us out at: http://digium.com & http://asterisk.org
Hello Hans,

maybe I don't remember SIP & Asterisk well, but I THINK it's absolutely
possible to place a call from one Asterisk server to another one without
a SIP provider in between. Imagine a (big) company with branches running
a server at every site. But maybe I'm wrong....

But for other setups you're right. For example, on my asterisk machine
the firewall is closed except for the (few) IP addresses my SIP provider
told me.

Norbert

-------- Original message --------
From: asterisk at a-domani.nl
Date: 30.08.18 12:04 (GMT+02:00)
To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users at lists.digium.com>
Subject: Re: [asterisk-users] getting invites to rtp ports ??

Regarding this thread, I was wondering, why would anybody open his
firewall (for incoming traffic) for anybody else besides his own
SIP provider?

Isn't that the proper way for having your firewall configured: always,
by default closed, unless explicitly required? (But perhaps I'm missing
a legitimate use-case.)

Hans

On 2018-08-30 04:52, Matthew Jordan wrote:
> [...]
On Wed, Aug 29, 2018 at 10:52 PM, Matthew Jordan <mjordan at digium.com> wrote:
>
> On Wed, Aug 29, 2018 at 6:20 PM Telium Support Group <support at telium.ca>
> wrote:
>
>> [...]
>>
>> Digium warns not to use fail2ban / log trolling as a security system:
>> http://forums.asterisk.org/viewtopic.php?p=159984
>
> That's some pretty old advice.
>
> The rationale for *not* using general log messages with fail2ban still
> stands: the general WARNING/NOTICE/etc. log messages are subject to change
> between versions, and no one wants that to impact someone's security. So
> you should not use those messages as input into fail2ban.
>
> [...]

FYI: We have found that Fail2Ban has not been as effective as it has in
the past (more with web provisioning servers than with SIP), as once the
attackers think they have a system they can compromise they will change
their IPs and keep trying over and over.
On Thu, Aug 30, 2018 at 6:02 AM John Covici <covici at ccs.covici.com> wrote:

> I agree, but is it possible to try over and over with anything other
> than the challenge warning in the security log as sean suggested and
> put a patch for?

I don't think I understand your question. You shouldn't need a patch if you are using the SECURITY log. The thread above is suggesting patching the source code to hijack a WARNING message for the purposes of tracing security information; my point is that you should have a specific SECURITY log message that already serves that purpose.

> On Wed, 29 Aug 2018 22:52:05 -0400,
> Matthew Jordan wrote:
> >
> > On Wed, Aug 29, 2018 at 6:20 PM Telium Support Group <support at telium.ca> wrote:
> >
> > > Depending on log trolling (Asterisk security log) misses a lot, and also depends on the SIP/PJSIP folks to not change message structure (which has already happened numerous times). If you are comfortable hacking chan_sip.c you may prefer to get the same messages from the AMI. It still misses a lot but that approach is better than nothing.
> > >
> > > Digium warns not to use fail2ban / log trolling as a security system:
> > > http://forums.asterisk.org/viewtopic.php?p=159984
> >
> > That's some pretty old advice.
> >
> > The rationale for *not* using general log messages with fail2ban still stands: the general WARNING/NOTICE/etc. log messages are subject to change between versions, and no one wants that to impact someone's security. So you should not use those messages as input into fail2ban.
> >
> > That rationale did lead to the 'security' event type in log messages. Security Event Logging - as it is called - got added into Asterisk quite some time ago. So long ago I'm really not sure which version. At a minimum, Asterisk 11, but I'm pretty sure it was in 10 as well.
> >
> > Documentation for it can be found here:
> > https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger
> >
> > And here:
> > https://wiki.asterisk.org/wiki/display/AST/Logging+Configuration
> >
> > Note that this also fires off AMI events (and ARI events, IIRC).
> >
> > If, for whatever reason, you do not get a SECURITY log message or a corresponding event when something 'bad' happens, that would be worth some additional discussion. If anything, the events can be a bit chatty...
> >
> > > -----Original Message-----
> > > From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of sean darcy
> > > Sent: Wednesday, August 29, 2018 6:33 PM
> > > To: asterisk-users at lists.digium.com
> > > Subject: Re: [asterisk-users] getting invites to rtp ports ??
> > >
> > > On 08/29/2018 11:59 AM, Telium Support Group wrote:
> > > > Block a single IP is the wrong approach (whack-a-mole). You should consider a more comprehensive approach to securing your VoIP environment. Have a look at this wiki:
> > > >
> > > > https://www.voip-info.org/asterisk-security/
> > > >
> > > > -----Original Message-----
> > > > From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of sean darcy
> > > > Sent: Wednesday, August 29, 2018 10:46 AM
> > > > To: asterisk-users at lists.digium.com
> > > > Subject: Re: [asterisk-users] getting invites to rtp ports ??
> > > >
> > > > On 08/29/2018 09:42 AM, Carlos Rojas wrote:
> > > > > Hi
> > > > >
> > > > > Probably somebody is trying to hack your system, you should block that ip on your firewall.
> > > > >
> > > > > Regards
> > > > >
> > > > > On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandarcy2 at gmail.com> wrote:
> > > > >
> > > > >     I'm getting invites to very high ports every 30 seconds from a particular ip address:
> > > > >
> > > > >     Retransmitting #10 (NAT) to 5.199.133.128:52734:
> > > > >     SIP/2.0 401 Unauthorized
> > > > >     Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
> > > > >     From: <sip:37120116780191250 at 67.80.191.250>;tag=1872048972
> > > > >     To: <sip:3712011972592181418 at 67.80.191.250>;tag=as3a52e748
> > > > >     Call-ID: 1504207870-295758084-609228182
> > > > >     CSeq: 1 INVITE
> > > > >     .......
> > > > >     WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182...
> > > > >
> > > > >     I thought invites had to go to port 5060 or so. I don't understand why somebody (let's assume a bad guy) is trying ports above 50000.
> > > > >
> > > > >     sean
> > > >
> > > > Ok, so the high port is not the destination port but the source port.
> > > >
> > > > So I hacked the log warning in chan_sip.c on non-critical invites to show the source ip:
> > > >
> > > >     ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
> > > >             pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> > > >
> > > > With that in the log, I'm now blocking the ip addresses.
> > > >
> > > > Thanks,
> > > > sean
> > > >
> > > > --
> > > > _____________________________________________________________________
> > > > -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> > > >
> > > > Astricon is coming up October 9-11! Signup is available at:
> > > > https://www.asterisk.org/community/astricon-user-conference
> > > >
> > > > Check out the new Asterisk community forum at:
> > > > https://community.asterisk.org/
> > > >
> > > > New to Asterisk? Start here:
> > > > https://wiki.asterisk.org/wiki/display/AST/Getting+Started
> > > >
> > > > asterisk-users mailing list
> > > > To UNSUBSCRIBE or update options visit:
> > > > http://lists.digium.com/mailman/listinfo/asterisk-users
> > >
> > > I agree. That's why I hacked chan_sip.c to get the addresses in the log.
> > >
> > > I'm surprised they're not in the log by default. I must be the only person who gets these "non-critical invites".
> > >
> > > sean
> >
> > --
> > Matthew Jordan
> > Digium, Inc. | CTO
> > 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> > Check us out at: http://digium.com & http://asterisk.org
>
> --
> Your life is like a penny. You're going to lose it. The question is:
> How do you spend it?
>
> John Covici wb2una
> covici at ccs.covici.com

--
Matthew Jordan
Digium, Inc. | CTO
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
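Matthew's point above is that a fail2ban-style filter should key on SECURITY log events, not on WARNING messages such as the chan_sip retrans_pkt line sean patched. The following is an added example, not code from the thread or from Asterisk: it parses constructed log lines in the shape of res_security_log output, ignores everything that is not a SECURITY line, and counts failure events per RemoteAddress inside a findtime window the way a jail would. Field and event names follow the Security Event Logger format; the timestamps, addresses and SessionIDs are made up, and the "[YYYY-MM-DD HH:MM:SS]" prefix assumes dateformat=%F %T in logger.conf.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Only the SECURITY lines carry SecurityEvent="..." fields;
# the chan_sip WARNING line is the kind of message that must NOT feed a ban decision.
SAMPLE_LOG = """\
[2018-08-29 14:32:10] SECURITY[2140] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2018-08-29T14:32:10.101-0500",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="3712011972592181418",SessionID="sess-1",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.77/52734"
[2018-08-29 14:32:11] SECURITY[2140] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2018-08-29T14:32:11.220-0500",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="1001",SessionID="sess-2",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.4/5060",Challenge="4f2c9a"
[2018-08-29 14:32:12] SECURITY[2140] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-08-29T14:32:12.005-0500",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="1001",SessionID="sess-2",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.4/5060",UsingPassword="1"
[2018-08-29 14:32:40] SECURITY[2140] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2018-08-29T14:32:40.412-0500",Severity="Error",Service="PJSIP",EventVersion="2",AccountID="1001",SessionID="sess-3",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.77/52734"
[2018-08-29 14:33:05] WARNING[2140] chan_sip.c:4127 retrans_pkt: Timeout on sess-4...
[2018-08-29 14:33:15] SECURITY[2140] res_security_log.c: SecurityEvent="FailedACL",EventTV="2018-08-29T14:33:15.900-0500",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1002",SessionID="sess-5",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.77/52734",ACLName="local"
[2018-08-29 14:20:00] SECURITY[2140] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2018-08-29T14:20:00.000-0500",Severity="Error",Service="PJSIP",EventVersion="2",AccountID="1003",SessionID="sess-6",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/192.0.2.55/5060"
[2018-08-29 15:10:00] SECURITY[2140] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2018-08-29T15:10:00.000-0500",Severity="Error",Service="PJSIP",EventVersion="2",AccountID="1003",SessionID="sess-7",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/192.0.2.55/5060"
"""

# Match only the SECURITY channel; any other level (WARNING, NOTICE, ...) is ignored.
SECURITY_LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\].*?(?P<fields>SecurityEvent=.*)$')
FIELD = re.compile(r'(\w+)="([^"]*)"')
# Event types that represent a failed attempt (names as emitted by the Security Event Logger).
FAILURE_EVENTS = {"InvalidAccountID", "InvalidPassword", "ChallengeResponseFailed",
                  "FailedACL", "RequestNotAllowed", "RequestBadFormat"}

def parse_security_line(line):
    """Return the key/value fields of one SECURITY log line, or None for any other line."""
    m = SECURITY_LINE.match(line)
    if not m:
        return None
    fields = dict(FIELD.findall(m.group("fields")))
    fields["_time"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return fields

def remote_ip(fields):
    """RemoteAddress is 'FAMILY/TRANSPORT/ADDRESS/PORT'; return ADDRESS (IPv4 or IPv6) or None."""
    parts = fields.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) == 4 else None

def offenders(log_text, maxretry=3, findtime=600):
    """Map each remote IP to its peak number of failure events inside any findtime-second
    window, keeping only IPs that reach maxretry (the same semantics as a fail2ban jail)."""
    window = timedelta(seconds=findtime)
    failures = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_security_line(line)
        if not f or f.get("SecurityEvent") not in FAILURE_EVENTS:
            continue  # non-SECURITY line, or an informational event such as ChallengeSent
        ip = remote_ip(f)
        if ip:
            failures[ip].append(f["_time"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= maxretry:
            flagged[ip] = peak
    return flagged
```

With the defaults, `offenders(SAMPLE_LOG)` flags only 203.0.113.77 (three failures in 65 seconds); the host with a successful authentication and the host with two failures 50 minutes apart are left alone.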
Telium Support Group
2018-Aug-31 21:17 UTC
[asterisk-users] getting invites to rtp ports ??
Actually even the Security log (and AMI security event) is nothing more than failed dial/register attempts against Asterisk. There is no awareness of corrupt SIP attacks, detection of polling for insecure extensions, geofencing based on source IP (why allow connections from Russia if all of your users are in Texas), detection of rapid dialing rates once connected to an IVR, etc. So your entire security system is based on Asterisk saying a dial/register failed. That's a small fraction of the attack types against, and attack surface offered by, PJSIP/SIP/Asterisk. Even worse, if you run a configuration generator (e.g. FreePBX)... well... do a Google search to see the exploits that are published regularly. I realize FreePBX/Sangoma now owns Digium so that discussion should probably go no further.

So don't get me wrong... fail2ban is way better than nothing. But it may instill a false sense of security. And that was Digium's point in the post. So if the OP needs a free and fast solution against simple script kiddie attacks then installing fail2ban is a big thumbs up in my opinion.

There have been similar discussions in other groups as to why even have a firewall, since you can close ports not needed by your services. There are some people who are very passionate about their view that firewalls are a waste of time and money. Far be it from me to say they're wrong... but I've tried to point them to some interesting articles.

If you are a pure open source advocate there are still a lot more tools you can use to secure your PBX. Think SNORT; I think pfSense offers a free database that's accurate to a country level, etc. If you want commercial then there are even more options.
But that's the wrong forum for the biz stuff. I feel I tread on the edge of a holy war :) So I'll leave my thoughts here and go no further.

From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Matthew Jordan
Sent: Wednesday, August 29, 2018 10:52 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion <asterisk-users at lists.digium.com>
Subject: Re: [asterisk-users] getting invites to rtp ports ??

On Wed, Aug 29, 2018 at 6:20 PM Telium Support Group <support at telium.ca> wrote:

> Depending on log trolling (Asterisk security log) misses a lot, and also depends on the SIP/PJSIP folks to not change message structure (which has already happened numerous times). If you are comfortable hacking chan_sip.c you may prefer to get the same messages from the AMI. It still misses a lot but that approach is better than nothing.
>
> Digium warns not to use fail2ban / log trolling as a security system:
> http://forums.asterisk.org/viewtopic.php?p=159984

That's some pretty old advice.

The rationale for *not* using general log messages with fail2ban still stands: the general WARNING/NOTICE/etc. log messages are subject to change between versions, and no one wants that to impact someone's security. So you should not use those messages as input into fail2ban.

That rationale did lead to the 'security' event type in log messages. Security Event Logging - as it is called - got added into Asterisk quite some time ago. So long ago I'm really not sure which version. At a minimum, Asterisk 11, but I'm pretty sure it was in 10 as well.

Documentation for it can be found here:
https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger

And here:
https://wiki.asterisk.org/wiki/display/AST/Logging+Configuration

Note that this also fires off AMI events (and ARI events, IIRC).
If, for whatever reason, you do not get a SECURITY log message or a corresponding event when something 'bad' happens, that would be worth some additional discussion. If anything, the events can be a bit chatty...

> -----Original Message-----
> From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of sean darcy
> Sent: Wednesday, August 29, 2018 6:33 PM
> To: asterisk-users at lists.digium.com
> Subject: Re: [asterisk-users] getting invites to rtp ports ??
>
> On 08/29/2018 11:59 AM, Telium Support Group wrote:
> > Block a single IP is the wrong approach (whack-a-mole). You should consider a more comprehensive approach to securing your VoIP environment. Have a look at this wiki:
> >
> > https://www.voip-info.org/asterisk-security/
> >
> > -----Original Message-----
> > From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of sean darcy
> > Sent: Wednesday, August 29, 2018 10:46 AM
> > To: asterisk-users at lists.digium.com
> > Subject: Re: [asterisk-users] getting invites to rtp ports ??
> >
> > On 08/29/2018 09:42 AM, Carlos Rojas wrote:
> > > Hi
> > >
> > > Probably somebody is trying to hack your system, you should block that ip on your firewall.
> > >
> > > Regards
> > >
> > > On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandarcy2 at gmail.com> wrote:
> > >
> > >     I'm getting invites to very high ports every 30 seconds from a particular ip address:
> > >
> > >     Retransmitting #10 (NAT) to 5.199.133.128:52734:
> > >     SIP/2.0 401 Unauthorized
> > >     Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
> > >     From: <sip:37120116780191250 at 67.80.191.250>;tag=1872048972
> > >     To: <sip:3712011972592181418 at 67.80.191.250>;tag=as3a52e748
> > >     Call-ID: 1504207870-295758084-609228182
> > >     CSeq: 1 INVITE
> > >     .......
> > >     WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182...
> > >
> > >     I thought invites had to go to port 5060 or so. I don't understand why somebody (let's assume a bad guy) is trying ports above 50000.
> > >
> > >     sean
> >
> > Ok, so the high port is not the destination port but the source port.
> >
> > So I hacked the log warning in chan_sip.c on non-critical invites to show the source ip:
> >
> >     ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
> >             pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> >
> > With that in the log, I'm now blocking the ip addresses.
> >
> > Thanks,
> > sean
>
> I agree. That's why I hacked chan_sip.c to get the addresses in the log.
>
> I'm surprised they're not in the log by default. I must be the only person who gets these "non-critical invites".
>
> sean

--
Matthew Jordan
Digium, Inc. | CTO
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org