ASTERISK-21908: Asterisk do not log source IP for Fake auth rejection

[Home]

Summary: ASTERISK-21908: Asterisk do not log source IP for Fake auth rejection

Reporter: Carlos Alberto Lopez Perez (clopez) Labels:

Date Opened: 2013-06-14 11:42:19 Date Closed: 2013-06-14 12:09:26

Priority: Major Regression?

Status: Closed/Complete Components: Core/Logging

Versions: SVN Feature Tracker Frequency of
Occurrence

Related
Issues:
is duplicated by ASTERISK-19348 With alwaysauthreject=yes AND allowguest=no Asterisk fails to report a SIP Security Event

is related to ASTERISK-20578 sip handle_incoming needs more calls to sec. framework

is related to ASTERISK-20506 With alwaysauthreject=yes AND allowguest=no Asterisk fails to report Attacker's IP Address

Environment: Debian GNU/Linux Attachments:

Description: Problem: Asterisk 1.6 do not log source IP address used for brute force attacks in some cases. Thus usage of Fail2ban or other tools is limited.

Details: When using alwaysauthreject=yes in sip.conf, then source IP of attacker is not logged when rejecting INVITES from not registered devices trying to authenticate at call beginning (only asterisk server IP itself is logged).

Solution: Attached is a small patch solving this it, allowing fail2ban correctly handling such brute force attacks.

Before patch:

[2013-04-28 19:33:01] NOTICE[32446] chan_sip.c: Sending fake auth rejection for device 1011<sip:1011@10.98.231.154:5060>;tag=3b82edc2

After patch:

[2013-05-04 05:10:07] NOTICE[10851] chan_sip.c: Sending fake auth rejection for device '303<sip:303@10.98.231.154:5060>;tag=d9210d45' to '94.23.59.135'

patch:

--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -20238,7 +20238,7 @@
}
if (res < 0) { /* Something failed in authentication */
if (res == AUTH_FAKE_AUTH) {
- ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From"));
+ ast_log(LOG_NOTICE, "Sending fake auth rejection for device '%s' to '%s'\n", get_header(req, "From"), ast_inet_ntoa(sin->sin_addr));
transmit_fake_auth_response(p, SIP_INVITE, req, XMIT_RELIABLE);
} else {
ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From"));
@@ -21532,7 +21532,7 @@
return 0;
if (res < 0) {
if (res == AUTH_FAKE_AUTH) {
- ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From"));
+ ast_log(LOG_NOTICE, "Sending fake auth rejection for device '%s' to '%s'\n", get_header(req, "From"), ast_inet_ntoa(sin->sin_addr));
transmit_fake_auth_response(p, SIP_SUBSCRIBE, req, XMIT_UNRELIABLE);
} else {
ast_log(LOG_NOTICE, "Failed to authenticate device %s for SUBSCRIBE\n", get_header(req, "From"));

NOTE: This tracker seems unable to correctly print a patch.

Please go to the Debian bug to see it: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706739

Comments: By: Matt Jordan (mjordan) 2013-06-14 12:09:16.708-0500

Per the Asterisk maintenance timeline page at http://www.asterisk.org/asterisk-versions maintenance (bug) support for the 1.4 and 1.6.x branches has ended. For continued maintenance support please move to the 1.8 branch which is a long term support (LTS) branch. For more information about branch support, please see https://wiki.asterisk.org/wiki/display/AST/Asterisk+Versions. After testing with Asterisk 1.8, if you find this problem has not been resolved, please open a new issue against Asterisk 1.8.

Additionally, there are already *many* issues related to this. Work has been done in later versions to provide a security event framework that tools can use to monitor security related events. If you require that ability, you should consider upgrading to a version of Asterisk that has this framework.
By: Matt Jordan (mjordan) 2013-06-14 12:13:59.306-0500

I've linked the related issues that exist that are against the supported versions of Asterisk. There are some patches available there that may assist you if you want to backport them to the unsupported version of Asterisk.