OK, Thanks. I have a couple of questions -- the line numbers do not
match exactly, so can you tell me a couple of lines before and after
the line in question? Also, when will this be logged? If it's only
during sip debug, I need to change it to log when I can see it more
readily.

Thanks.

On Wed, 29 Aug 2018 20:31:15 -0400,
sean darcy wrote:
>
> On 08/29/2018 08:07 PM, John Covici wrote:
> > I wonder if I could have that patch, maybe I could add it to my
> > fail2ban regexp and if you have the correct regexp, I would appreciate
> > that as well.
> >
> > Thanks.
> >
> > On Wed, 29 Aug 2018 19:18:29 -0400,
> > Telium Support Group wrote:
> >>
> >> Depending on log trolling (Asterisk security log) misses a lot, and also
> >> depends on the SIP/PJSIP folks to not change message structure (which has
> >> already happened numerous times). If you are comfortable hacking chan_sip.c
> >> you may prefer to get the same messages from the AMI. It still misses a lot
> >> but that approach is better than nothing.
> >>
> >> Digium warns not to use fail2ban / log trolling as a security system:
> >> http://forums.asterisk.org/viewtopic.php?p=159984
> >>
> >> -----Original Message-----
> >> From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of sean darcy
> >> Sent: Wednesday, August 29, 2018 6:33 PM
> >> To: asterisk-users at lists.digium.com
> >> Subject: Re: [asterisk-users] getting invites to rtp ports ??
> >>
> >> On 08/29/2018 11:59 AM, Telium Support Group wrote:
> >>> Blocking a single IP is the wrong approach (whack-a-mole). You should
> >>> consider a more comprehensive approach to securing your VoIP environment.
> >>> Have a look at this wiki:
> >>>
> >>> https://www.voip-info.org/asterisk-security/
> >>>
> >>> -----Original Message-----
> >>> From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com]
> >>> On Behalf Of sean darcy
> >>> Sent: Wednesday, August 29, 2018 10:46 AM
> >>> To: asterisk-users at lists.digium.com
> >>> Subject: Re: [asterisk-users] getting invites to rtp ports ??
> >>>
> >>> On 08/29/2018 09:42 AM, Carlos Rojas wrote:
> >>>> Hi
> >>>>
> >>>> Probably somebody is trying to hack your system, you should block
> >>>> that IP on your firewall.
> >>>>
> >>>> Regards
> >>>>
> >>>> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandarcy2 at gmail.com> wrote:
> >>>>
> >>>>     I'm getting invites to very high ports every 30 seconds from a
> >>>>     particular IP address:
> >>>>
> >>>>     Retransmitting #10 (NAT) to 5.199.133.128:52734:
> >>>>     SIP/2.0 401 Unauthorized
> >>>>     Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
> >>>>     From: <sip:37120116780191250 at 67.80.191.250>;tag=1872048972
> >>>>     To: <sip:3712011972592181418 at 67.80.191.250>;tag=as3a52e748
> >>>>     Call-ID: 1504207870-295758084-609228182
> >>>>     CSeq: 1 INVITE
> >>>>     .......
> >>>>     WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
> >>>>     1504207870-295758084-609228182...
> >>>>
> >>>>     I thought invites had to go to port 5060 or so. I don't understand
> >>>>     why somebody (let's assume a bad guy) is trying ports above 50000.
> >>>>
> >>>>     sean
> >>>>
> >>>
> >>> Ok, so the high port is not the destination port but the source port.
> >>>
> >>> So I hacked the log warning in chan_sip.c on non-critical invites to show
> >>> the source IP:
> >>>
> >>>     ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
> >>>             pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> >>>
> >>> With that in the log, I'm now blocking the IP addresses.
> >>>
> >>> Thanks,
> >>> sean
> >>>
> >>> --
> >>> _____________________________________________________________________
> >>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> >>>
> >>> Astricon is coming up October 9-11! Signup is available at:
> >>> https://www.asterisk.org/community/astricon-user-conference
> >>>
> >>> Check out the new Asterisk community forum at:
> >>> https://community.asterisk.org/
> >>>
> >>
> >> I agree. That's why I hacked chan_sip.c to get the addresses in the log.
> >>
> >> I'm surprised they're not in the log by default. I must be the only person
> >> who gets these "non-critical invites".
> >>
> >> sean
> >>
> >
> The patch, more accurately a hack, is in my second post above.
>
> chan_sip.c 4127 :
>
>     ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
>             pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
>
> The added second %s shows the IP address of the pkt owner.
>
> I wouldn't submit it in a coding class !
>
> sean
>
-- 
Your life is like a penny. You're going to lose it. The question is: How do you spend it?

John Covici wb2una
covici at ccs.covici.com
On 08/29/2018 09:33 PM, John Covici wrote:
> OK, Thanks. I have a couple of questions -- the line numbers do not
> match exactly, so can you tell me a couple of lines before and after
> the line in question? Also, when will this be logged? If it's only
> during sip debug, I need to change it to log when I can see it more
> readily.
>
> Thanks.
>

13.21.0-rc1 chan_sip.c :

4125-         }
4126-     } else if (pkt->owner->pendinginvite == pkt->seqno) {
4127:         ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
                  pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
4128-         pkt->owner->invitestate = INV_TERMINATED;
4129-         pkt->owner->pendinginvite = 0;

The warning is logged with sip-debug.

BTW, this gives the destination address for the packet. What I'd
really want is the source address (which is probably the same as
the destination address, but...). However, my asterisk mojo is
not sufficient to find the correct variable.

Anybody know how to print the source address ?

sean
Hi. So, I applied the patch, works, but I could not figure out a
fail2ban regex which will hit that line, have you got one I can use?

Thanks.

On Thu, 30 Aug 2018 11:03:08 -0400,
sean darcy wrote:
>
> 13.21.0-rc1 chan_sip.c :
>
> 4125-         }
> 4126-     } else if (pkt->owner->pendinginvite == pkt->seqno) {
> 4127:         ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
>                   pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> 4128-         pkt->owner->invitestate = INV_TERMINATED;
> 4129-         pkt->owner->pendinginvite = 0;
>
> The warning is logged with sip-debug.
>
> BTW, this gives the destination address for the packet. What I'd
> really want is the source address (which is probably the same as
> the destination address, but...). However, my asterisk mojo is
> not sufficient to find the correct variable.
>
> Anybody know how to print the source address ?
>
> sean
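A detection filter for the log line that the modified ast_log() call in this thread produces, added here as an example (it is not code from the thread, from Asterisk or from fail2ban): it parses constructed sample log lines, counts timeouts per peer address the way fail2ban's maxretry does, and shows why a regex written for the stock message never matches the modified line (and the other way round). The fail2ban failregex string, the way fail2ban handles the timestamp and the IPv6 bracket handling are assumptions, not something the thread confirms.

```python
import re
from collections import Counter

# fail2ban-style failregex for the modified warning (assumed, not from the
# thread). <HOST> is fail2ban's placeholder for the address group; fail2ban
# strips the timestamp it recognises before applying failregex, so the
# "[date]" prefix is not part of it. Whether <HOST> accepts a bracketed IPv6
# literal depends on the fail2ban version: treat that as an assumption.
FAILREGEX = (
    r"^WARNING\[\d+\](?:\[C-[0-9a-f]+\])?: chan_sip\.c:\d+ retrans_pkt: "
    r"Timeout on (?P<callid>\S+) non-critic invite trans from <HOST>:(?P<port>\d+)\.$"
)

# The same pattern as a plain Python regex over a full Asterisk log line:
# "[date] " prefix plus an explicit address group in place of <HOST>.
_HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|\[[0-9A-Fa-f:.]+\])"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+" + FAILREGEX[1:].replace("<HOST>", _HOST))


def parse_line(line):
    """Fields of one modified 'non-critic invite' warning, or None.

    The stock message ("... non-critic invite trans.") carries no address and
    does not match, which is why a regex written against one form of the line
    and tested against the other never fires."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "callid": m.group("callid"),
        "host": m.group("host").strip("[]"),  # IPv6 literals come bracketed
        "port": int(m.group("port")),
    }


def offending_hosts(lines, maxretry=3):
    """Peer addresses with at least `maxretry` timeouts, sorted.

    Mirrors the count fail2ban applies before it bans; the findtime window
    is left out so the logic stays readable."""
    hits = Counter(p["host"] for p in map(parse_line, lines) if p)
    return sorted(host for host, n in hits.items() if n >= maxretry)


# Constructed sample of Asterisk's full log after the chan_sip.c change: three
# retries from the address seen in the thread, one IPv6 peer with a call-id tag
# in the log prefix, one line in the stock (unmodified) format, and an unrelated
# warning that mentions an address but is not this message.
SAMPLE_LOG = """\
[Aug 29 21:33:01] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182 non-critic invite trans from 5.199.133.128:52734.
[Aug 29 21:33:31] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228183 non-critic invite trans from 5.199.133.128:52734.
[Aug 29 21:34:01] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228184 non-critic invite trans from 5.199.133.128:52734.
[Aug 29 21:35:00] WARNING[150318][C-0000001f]: chan_sip.c:4127 retrans_pkt: Timeout on 77fa1e2c@example non-critic invite trans from [2001:db8::10]:5060.
[Aug 29 21:35:10] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228185 non-critic invite trans.
[Aug 29 21:35:20] WARNING[150318]: chan_sip.c:4200 retrans_pkt: constructed unrelated warning from 5.199.133.128:52734.
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(parse_line(line))
    print("ban candidates:", offending_hosts(SAMPLE_LOG.splitlines()))
```

Because the thread says the printed address is whatever ast_sockaddr_stringify(sip_real_dst(...)) returns, the host this filter extracts is that address, destination or source as the case may be.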