Asterisk
  1. Asterisk
  2. ASTERISK-21908

Asterisk do not log source IP for Fake auth rejection

    Details

    • Type: New Feature New Feature
    • Status: Closed
    • Severity: Major Major
    • Resolution: Won't Fix
    • Affects Version/s: SVN, Feature Tracker
    • Target Release Version/s: None
    • Component/s: Core/Logging
    • Security Level: None
    • Labels:
      None
    • Environment:
      Debian GNU/Linux

      Description

      Problem: Asterisk 1.6 do not log source IP address used for brute force attacks in some cases. Thus usage of Fail2ban or other tools is limited.

      Details: When using alwaysauthreject=yes in sip.conf, then source IP of attacker is not logged when rejecting INVITES from not registered devices trying to authenticate at call beginning (only asterisk server IP itself is logged).

      Solution: Attached is a small patch solving this it, allowing fail2ban correctly handling such brute force attacks.

      Before patch:

      [2013-04-28 19:33:01] NOTICE[32446] chan_sip.c: Sending fake auth rejection for device 1011<sip:1011@10.98.231.154:5060>;tag=3b82edc2

      After patch:

      [2013-05-04 05:10:07] NOTICE[10851] chan_sip.c: Sending fake auth rejection for device '303<sip:303@10.98.231.154:5060>;tag=d9210d45' to '94.23.59.135'

      patch:

      — a/channels/chan_sip.c
      +++ b/channels/chan_sip.c
      @@ -20238,7 +20238,7 @@
      }
      if (res < 0) { /* Something failed in authentication */
      if (res == AUTH_FAKE_AUTH)

      { - ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From")); + ast_log(LOG_NOTICE, "Sending fake auth rejection for device '%s' to '%s'\n", get_header(req, "From"), ast_inet_ntoa(sin->sin_addr)); transmit_fake_auth_response(p, SIP_INVITE, req, XMIT_RELIABLE); }

      else {
      ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From"));
      @@ -21532,7 +21532,7 @@
      return 0;
      if (res < 0) {
      if (res == AUTH_FAKE_AUTH)

      { - ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From")); + ast_log(LOG_NOTICE, "Sending fake auth rejection for device '%s' to '%s'\n", get_header(req, "From"), ast_inet_ntoa(sin->sin_addr)); transmit_fake_auth_response(p, SIP_SUBSCRIBE, req, XMIT_UNRELIABLE); }

      else {
      ast_log(LOG_NOTICE, "Failed to authenticate device %s for SUBSCRIBE\n", get_header(req, "From"));

      NOTE: This tracker seems unable to correctly print a patch.

      Please go to the Debian bug to see it: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706739

        Issue Links

          Activity

          Hide
          Matt Jordan added a comment -

          Per the Asterisk maintenance timeline page at http://www.asterisk.org/asterisk-versions maintenance (bug) support for the 1.4 and 1.6.x branches has ended. For continued maintenance support please move to the 1.8 branch which is a long term support (LTS) branch. For more information about branch support, please see https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions. After testing with Asterisk 1.8, if you find this problem has not been resolved, please open a new issue against Asterisk 1.8.

          Additionally, there are already many issues related to this. Work has been done in later versions to provide a security event framework that tools can use to monitor security related events. If you require that ability, you should consider upgrading to a version of Asterisk that has this framework.

          Show
          Matt Jordan added a comment - Per the Asterisk maintenance timeline page at http://www.asterisk.org/asterisk-versions maintenance (bug) support for the 1.4 and 1.6.x branches has ended. For continued maintenance support please move to the 1.8 branch which is a long term support (LTS) branch. For more information about branch support, please see https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions . After testing with Asterisk 1.8, if you find this problem has not been resolved, please open a new issue against Asterisk 1.8. Additionally, there are already many issues related to this. Work has been done in later versions to provide a security event framework that tools can use to monitor security related events. If you require that ability, you should consider upgrading to a version of Asterisk that has this framework.
          Hide
          Matt Jordan added a comment -

          I've linked the related issues that exist that are against the supported versions of Asterisk. There are some patches available there that may assist you if you want to backport them to the unsupported version of Asterisk.

          Show
          Matt Jordan added a comment - I've linked the related issues that exist that are against the supported versions of Asterisk. There are some patches available there that may assist you if you want to backport them to the unsupported version of Asterisk.

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development