Hi. So, I applied the patch, works, but I could not figure out a
fail2ban regex which will hit that line, have you got one I can use?

Thanks.

On Thu, 30 Aug 2018 11:03:08 -0400,
sean darcy wrote:
>
> On 08/29/2018 09:33 PM, John Covici wrote:
> > OK, Thanks. I have a couple of questions -- the line numbers do not
> > match exactly, so can you tell me a couple of lines before and after
> > the line in question? Also, when will this be logged, if it's only
> > during sip debug, I need to change it to log when I can see it more
> > readily.
> >
> > Thanks.
> >
> > On Wed, 29 Aug 2018 20:31:15 -0400,
> > sean darcy wrote:
> >>
> >> On 08/29/2018 08:07 PM, John Covici wrote:
> >>> I wonder if I could have that patch, maybe I could add it to my
> >>> fail2ban regexp and if you have the correct regexp, I would appreciate
> >>> that as well.
> >>>
> >>> Thanks.
> >>>
> >>> On Wed, 29 Aug 2018 19:18:29 -0400,
> >>> Telium Support Group wrote:
> >>>>
> >>>> Depending on log trolling (Asterisk security log) misses a lot, and
> >>>> also depends on the SIP/PJSIP folks to not change message structure
> >>>> (which has already happened numerous times). If you are comfortable
> >>>> hacking chan_sip.c you may prefer to get the same messages from the
> >>>> AMI. It still misses a lot but that approach is better than nothing.
> >>>>
> >>>> Digium warns not to use fail2ban / log trolling as a security system:
> >>>> http://forums.asterisk.org/viewtopic.php?p=159984
> >>>>
> >>>> -----Original Message-----
> >>>> From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of sean darcy
> >>>> Sent: Wednesday, August 29, 2018 6:33 PM
> >>>> To: asterisk-users at lists.digium.com
> >>>> Subject: Re: [asterisk-users] getting invites to rtp ports ??
> >>>>
> >>>> On 08/29/2018 11:59 AM, Telium Support Group wrote:
> >>>>> Blocking a single IP is the wrong approach (whack-a-mole). You should
> >>>>> consider a more comprehensive approach to securing your VoIP
> >>>>> environment. Have a look at this wiki:
> >>>>>
> >>>>> https://www.voip-info.org/asterisk-security/
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of sean darcy
> >>>>> Sent: Wednesday, August 29, 2018 10:46 AM
> >>>>> To: asterisk-users at lists.digium.com
> >>>>> Subject: Re: [asterisk-users] getting invites to rtp ports ??
> >>>>>
> >>>>> On 08/29/2018 09:42 AM, Carlos Rojas wrote:
> >>>>>> Hi
> >>>>>>
> >>>>>> Probably somebody is trying to hack your system, you should block
> >>>>>> that ip on your firewall.
> >>>>>>
> >>>>>> Regards
> >>>>>>
> >>>>>> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandarcy2 at gmail.com> wrote:
> >>>>>>
> >>>>>>     I'm getting invites to very high ports every 30 seconds from a
> >>>>>>     particular ip address:
> >>>>>>
> >>>>>>     Retransmitting #10 (NAT) to 5.199.133.128:52734:
> >>>>>>     SIP/2.0 401 Unauthorized
> >>>>>>     Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
> >>>>>>     From: <sip:37120116780191250 at 67.80.191.250>;tag=1872048972
> >>>>>>     To: <sip:3712011972592181418 at 67.80.191.250>;tag=as3a52e748
> >>>>>>     Call-ID: 1504207870-295758084-609228182
> >>>>>>     CSeq: 1 INVITE
> >>>>>>     .......
> >>>>>>     WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
> >>>>>>     1504207870-295758084-609228182...
> >>>>>>
> >>>>>>     I thought invites had to go to port 5060 or so. I don't understand
> >>>>>>     why somebody (let's assume a bad guy) is trying ports above 50000.
> >>>>>>
> >>>>>>     sean
> >>>>>>
> >>>>>
> >>>>> Ok, so the high port is not the destination port but the source port.
> >>>>>
> >>>>> So I hacked the log warning in chan_sip.c on non-critical invites to
> >>>>> show the source ip:
> >>>>>
> >>>>> ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
> >>>>>         pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> >>>>>
> >>>>> With that in the log, I'm now blocking the ip addresses.
> >>>>>
> >>>>> Thanks,
> >>>>> sean
> >>>>>
> >>>>> --
> >>>>> _____________________________________________________________________
> >>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> >>>>>
> >>>>> Astricon is coming up October 9-11! Signup is available at:
> >>>>> https://www.asterisk.org/community/astricon-user-conference
> >>>>>
> >>>>> Check out the new Asterisk community forum at:
> >>>>> https://community.asterisk.org/
> >>>>>
> >>>>
> >>>> I agree. That's why I hacked chan_sip.c to get the addresses in the log.
> >>>>
> >>>> I'm surprised they're not in the log by default. I must be the only
> >>>> person who gets these "non-critical invites".
> >>>>
> >>>> sean
> >>>>
> >>>
> >> The patch, more accurately a hack, is in my second post above.
> >>
> >> chan_sip.c 4127 :
> >> ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
> >>         pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> >>
> >> The added second %s shows the ip address of the pkt owner.
> >>
> >> I wouldn't submit it in a coding class !
> >>
> >> sean
> >>
> >
> 13.21.0-rc1 chan_sip.c :
>
> 4125-             }
> 4126-         } else if (pkt->owner->pendinginvite == pkt->seqno) {
> 4127:             ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
>                           pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> 4128-             pkt->owner->invitestate = INV_TERMINATED;
> 4129-             pkt->owner->pendinginvite = 0;
>
> The warning is logged with sip-debug.
>
> BTW, this gives the destination address for the packet. What I'd
> really want is the source address (which is probably the same as
> the destination address, but...). However, my asterisk mojo is
> not sufficient to find the correct variable.
>
> Anybody know how to print the source address ?
>
> sean
>

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
covici at ccs.covici.com
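A fail2ban filter for the warning as sean's hack prints it, added here as an example and not code from the thread or from the fail2ban or Asterisk projects. The failregex is the part you would put in filter.d; the Python around it applies the same expression to a constructed log excerpt so the match can be checked offline. The filter file name, the "[timestamp] " full-log prefix, the optional "[C-...]" tag after the PID and the IPv4-only stand-in for fail2ban's <HOST> are assumptions.

```python
import re

# fail2ban failregex for the hacked chan_sip.c warning. fail2ban matches it
# against the line with the "[timestamp] " prefix already stripped and
# substitutes <HOST> with its own address-capturing group. The optional
# "[C-...]" call-id tag after the PID is an assumption about full-log format.
FAILREGEX = (r"^WARNING\[\d+\](?:\[[^\]]*\])?: chan_sip\.c:\d+ retrans_pkt: "
             r"Timeout on \S+ non-critic invite trans from <HOST>(?::\d+)?\.$")

def filter_file() -> str:
    """Render the filter.d file (hypothetical name: asterisk-noncritic.conf)."""
    return "[Definition]\nfailregex = %s\nignoreregex =\n" % FAILREGEX

# Stand-in for fail2ban's <HOST> so the expression can be exercised here:
# a plain IPv4 dotted quad. ast_sockaddr_stringify() appends ":port", which
# the (?::\d+)? group swallows so only the address is banned.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
LINE_RE = re.compile(r"^\[[^\]]+\] " + FAILREGEX[1:].replace("<HOST>", HOST_RE))

# Constructed "full" log excerpt: the timestamps, the VERBOSE line and the
# 198.51.100.7 entry are made up; the Call-ID and 5.199.133.128:52734 are
# the values quoted in the thread.
SAMPLE_LOG = """\
[2018-08-29 09:34:02] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182 non-critic invite trans from 5.199.133.128:52734.
[2018-08-29 09:34:20] VERBOSE[150318] chan_sip.c: Retransmitting #10 (NAT) to 5.199.133.128:52734:
[2018-08-29 09:34:32] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182 non-critic invite trans from 5.199.133.128:52734.
[2018-08-29 09:35:40] WARNING[150318][C-0000001a]: chan_sip.c:4127 retrans_pkt: Timeout on a1b2c3 non-critic invite trans from 198.51.100.7:5060.
"""

def offending_hosts(log_text: str) -> dict:
    """Tally matching lines per host, as fail2ban does before applying maxretry."""
    counts: dict = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
    return counts

def hosts_to_ban(log_text: str, maxretry: int) -> list:
    """Hosts at or above maxretry in the excerpt (the findtime window is ignored here)."""
    return sorted(h for h, n in offending_hosts(log_text).items() if n >= maxretry)

if __name__ == "__main__":
    print(filter_file())
    print(offending_hosts(SAMPLE_LOG), hosts_to_ban(SAMPLE_LOG, 2))
```

As sean notes, this warning is only written with sip debug on, so the full log fail2ban reads has to be capturing it, and the address it prints is the packet's destination rather than its source.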
info at online4you.nl
2018-Sep-09 22:00 UTC
[asterisk-users] Autoreply (Re: getting invites to rtp ports ??)
Thank you for your message. Online4You has not been operational since 1 August. We have informed you by e-mail about the circumstances and your options. Unfortunately we can no longer help you; your mail will not be forwarded and/or answered. If your subscription has been taken over by KovoKs, see https://www.kovoks.nl/ for contact details. Thank you for your trust over the past years! Kind regards, Online4You B.V.